Overview
This rule detects Flows that do not define any user access restrictions, either by profile or by permission set. When a Flow has no access controls configured, it becomes available for invocation by all users, which is rarely the intended behavior.
Code Reviews classifies this as a Warning, since unrestricted access does not necessarily break functionality but introduces security, governance, and data integrity risks. Flows should explicitly define who is allowed to run them to ensure only the right users can trigger sensitive or business-critical automation.
Why This Matters
Flows are powerful automation tools that can update records, perform business logic, and interact with sensitive data. Without proper access restrictions:
Any user may unintentionally or maliciously invoke the Flow
Sensitive business logic may run in unintended contexts
Data may be exposed or modified by users who should not have access
Debugging becomes more difficult when unauthorised users run automation
It becomes unclear who the intended audience for the Flow actually is
Applying explicit access restrictions not only protects data and processes, but also makes your automation architecture easier to understand and maintain.
What Triggers This Rule
This rule flags any Flow that meets both of the following conditions:
Does not specify a profile restriction
Does not specify a permission set restriction
The rule triggers regardless of the Flow type (Screen Flow, Autolaunched, Record Triggered, etc.), as access control is a recommended best practice for all Flows that can be manually invoked or indirectly accessed.
Even if a Flow is not intended for broad use, omitting restrictions leaves it accessible to all users, prompting Code Reviews to surface this risk.
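As an added example (not Code Reviews' own implementation), the following Python check approximates this rule over Salesforce metadata source and also lists who is granted each restricted Flow. It assumes the restriction is expressed by the Flow metadata field `isAdditionalPermissionRequiredToRun` and that grants appear as `flowAccesses` entries in Profile and PermissionSet files; the flow names, holder names and sample XML are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}
XMLNS = 'xmlns="http://soap.sforce.com/2006/04/metadata"'

# Constructed sample metadata (hypothetical flow, profile and permission set names).
FLOWS = {
    "Issue_Refund": f"<Flow {XMLNS}><label>Issue Refund</label><status>Active</status></Flow>",
    "Close_Case": f"<Flow {XMLNS}><isAdditionalPermissionRequiredToRun>true"
                  f"</isAdditionalPermissionRequiredToRun><label>Close Case</label></Flow>",
}
ACCESS = {
    "permissionset:Support_Agent": f"<PermissionSet {XMLNS}><flowAccesses><enabled>true</enabled>"
                                   f"<flow>Close_Case</flow></flowAccesses></PermissionSet>",
    "profile:Standard_User": f"<Profile {XMLNS}><flowAccesses><enabled>false</enabled>"
                             f"<flow>Close_Case</flow></flowAccesses></Profile>",
}

def _is_true(elem, tag):
    # A missing element is treated as "false" (assumption: the field defaults to off).
    return (elem.findtext(f"sf:{tag}", default="false", namespaces=NS) or "").strip().lower() == "true"

def flow_is_restricted(flow_xml):
    """True when the flow requires an explicit profile/permission set grant to run."""
    return _is_true(ET.fromstring(flow_xml), "isAdditionalPermissionRequiredToRun")

def granted_flows(access_xml):
    """Names of flows enabled by one Profile or PermissionSet file."""
    root = ET.fromstring(access_xml)
    return {(fa.findtext("sf:flow", default="", namespaces=NS) or "").strip()
            for fa in root.findall("sf:flowAccesses", NS) if _is_true(fa, "enabled")}

def audit(flows, access_files):
    """Map each flow to its restriction flag and the holders that grant it."""
    grants = {}
    for holder, xml in access_files.items():
        for flow in granted_flows(xml):
            grants.setdefault(flow, []).append(holder)
    return {name: {"restricted": flow_is_restricted(xml),
                   "granted_to": sorted(grants.get(name, []))}
            for name, xml in flows.items()}

def unrestricted(report):
    """Flows that the rule described above would flag."""
    return sorted(n for n, r in report.items() if not r["restricted"])

if __name__ == "__main__":
    for name in unrestricted(audit(FLOWS, ACCESS)):
        print(f"WARNING {name}: no profile or permission set restriction")
```
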
Recommended Approach
To ensure proper governance and prevent unintended usage:
Define profile-based access restrictions
Limit access to only the user profiles that require the Flow.
Use permission sets for more granular control
This supports scalable role-based access without over-customizing profiles.
Review all Flows for appropriate audience targeting
Ensure each Flow explicitly states who can run it—and why.
Document reasoning for access choices
Helps future maintainers understand why certain users have or don’t have access.
Summary
Flows without access restrictions are available to all users, creating potential security and data integrity risks. This rule warns when no profile or permission set restrictions are defined, encouraging developers to apply clear access controls. Restricting Flow access is a best practice that safeguards business logic, prevents accidental execution, and keeps automation easy to govern and maintain.
