[SalesForce] restrict a client System Administrator field access in a managed package

I'm writing a managed package, and I'm using a number of fields that are controlled by the system and written to from apex.

Of course, I can restrict access to the fields via a profile, but I don't know how this works with System Administrators in the client's org.

My question is:
If I mark a field in my Managed Package as readonly to a system administrator profile, and subsequently deploy that profile when installing the package in a Client's org:
Will the system administrator be able to write to that field?

Additionally: Will the client org be able to write their own apex to write to that field?

How do you guys deal with this?

thanks -JN

Best Answer

I'm seeing two issues (one in your question and one raised by @sfdcfox):

For the custom roll-up field, you can combat this by putting a trigger on the CHILD (rolled-up) object and one on the PARENT (holding the field) object. You would definitely need to worry about recursion, so plan on having a class with a static boolean to avoid that, but it can be done. Then, any time someone edits that field, it just resets to its proper value.

For the issue sfdcfox raised, that's a use-case for custom settings. I like to make a List setting with the following fields: ValueBoolean__c, ValueText__c, etc. Then just store whatever you want in a key-value fashion.

Related Topic