I'm writing a managed package, and I'm using a number of fields that are controlled by the system and written to from apex.
Of course, I can restrict access to the fields via a profile, but I don't know how this works with System Administrators in the client's org.
My question is:
If I mark a field in my Managed Package as readonly to a system administrator profile, and subsequently deploy that profile when installing the package in a Client's org:
Will the system administrator be able to write to that field?
Additionally: Will the client org be able to write their own apex to write to that field?
How do you guys deal with this?
I'm seeing two issues (one in your question and one raised by @sfdcfox):
For the custom roll-up field, you can combat this by putting a trigger on the CHILD (rolled-up) object and one on the PARENT (holding the field) object. You would definitely need to worry about recursion, so plan on having a class with a static boolean to avoid that, but it can be done. Then, any time someone edits that field, it just resets to its proper value.
For the issue sfdcfox raised, that's a use-case for custom settings. I like to make a List setting with the following fields: ValueBoolean__c, ValueText__c, etc. Then just store whatever you want in a key-value fashion.