Controller Class Security

Like other Apex classes, you can specify whether a user can execute methods in a custom controller or controller extension class based on the user's profile.

Note

If you have installed a managed package in your organization, you can set security only for the Apex classes in that package that are declared as global, or for classes that contain methods declared as webService.

If users have the “Author Apex” permission, they can access all Apex classes in the associated organization, regardless of the security setting for individual classes.

Permission for an Apex class is checked at the top level only. For example, if class A calls class B, and a user profile has access only to class A but not class B, the user can still execute the code in class A. Likewise, if a Visualforce page uses a custom component with an associated controller, security is only checked for the controller associated with the page. The controller associated with the custom component executes regardless of permissions.

To set Apex class security from the class list page:

1. From Setup, click Develop | Apex Classes.
2. Next to the name of the class that you want to restrict, click Security.
3. Select the profiles that you want to enable from the Available Profiles list and click Add, or select the profiles that you want to disable from the Enabled Profiles list and click Remove.
4. Click Save.

To set Apex class security from the class detail page:

1. From Setup, click Develop | Apex Classes.
2. Click the name of the class that you want to restrict.
3. Click Security.
4. Select the profiles that you want to enable from the Available Profiles list and click Add, or select the profiles that you want to disable from the Enabled Profiles list and click Remove.
5. Click Save.