Why is a permission set required to create logs? #246
We have 5,000 Salesforce Users, and new employees onboarded/offboarded regularly. Ideally, I am trying to avoid assigning a permission set to every user just to allow them to create logs. Since Apex runs in System context, and LWC, Flow, PB, and Apex all call the same Logger classes, why is a permission set required for a user to be able to create logs? Unless Nebula has specifically built in FLS checks, the only thing I can think of is sharing. If it's sharing, does Nebula have any mechanism to bypass this requirement at a core level by calling a without sharing class? If not, is there a particular reason why this wouldn't be considered for the future? As I'm sure you'll agree - logging is super important, so any gatekeeper to successful logging like requiring a permission set is troubling to me. Thanks so much for your efforts, look forward to hearing your thoughts on this.
Replies: 1 comment
Hi @MorganMarchese - at the moment, the "Log Creator" permission set is not strictly needed. At one point, I did have FLS checks built-in, but I removed them exactly for the reasons you outlined (logging is super important, and the FLS check was an unnecessary gatekeeper).

However, Salesforce may (re-)introduce a change that will make this permission set required - in the Spring '20 release, Salesforce added a release update that requires users to have explicit access to Apex classes if they are called from Flow. As part of the Winter '22 release, this can be disabled, so the "Log Creator" permission set is not currently required. However, I am continuing to maintain the "Log Creator" permission set - as far as I'm aware, in the Summer '22 release, Salesforce is again going to require explicit access to Apex classes for any methods invoked via Flow, so I want to make sure that Nebula Logger includes a way to grant the access if/when needed.

Hope this helps!