Sign in Subscribe
By Tomasz Teodorowicz

Configuration Is Still Logic: The Dangerous Myth of "Low Risk" No-Code

The Most Expensive Misunderstanding in Salesforce

There is a pervasive lie in the Salesforce ecosystem that costs companies thousands of dollars in technical debt every year. It’s the belief that:

“It’s just configuration, so it’s low risk.”

We see it all the time. A developer writes five lines of Apex, and it triggers a mandatory code review, unit tests with 75% coverage, and a rigorous QA cycle. An Admin builds a complex Record-Triggered Flow, adds three Validation Rules, and creates a new Record Type—and it gets deployed with a quick "click-through" test.

Because it has a user interface, we treat it as harmless. Because it involves dropdowns instead of syntax, we treat it as safe.

This is a failure of mindset. Configuration is executable logic.

The Illusion of Safety

Why do we lower our guard for configuration? Because Salesforce has done an incredible job of making it look friendly.

Configuration feels safe because it doesn’t look like traditional software engineering. There are no semicolons to miss, no compilation errors to debug (mostly), and no deployment pipelines to break in the traditional sense.

But functionally, the only difference between Apex and Configuration is who wrote it and where it lives. It still blocks data, changes system behavior, alters security, and triggers automation.

When we treat configuration as "just settings," we assume:

  • Less testing is needed.
  • Peer review is optional.
  • Rollback is easy.

None of this is true. A bad Flow can lock up your Org just as effectively as a bad Trigger.

Where Configuration Failures Hide

If we accept that configuration is logic, we need to hunt for defects in the same way we hunt for bugs in code. Here are the three most common hiding spots for "no-code" disasters.

1. Record Types as Logic Switches

Record Types are not just about Page Layouts. They are fundamental logic switches that dictate the behavior of the application.

They control Picklist values, drive Process Builder/Flow criteria, and determine which Validation Rules fire. The failure mode here is usually a silent regression.

You add a new Record Type for a specific business unit. You forget that an existing Flow runs on "All" Record Types but relies on a Picklist value that isn't available on your new one.

  • The Result: The Flow fails silently or errors out for the new users.
  • The Fix: Treat every Record Type creation as a logic branch that requires regression testing on existing processes.

2. Validation Rules: The Hidden Blockers

Validation Rules are simple boolean logic, yet they cause disproportionate chaos during data loads and integrations.

The problem is that testers often only test the Happy Path (user enters data -> passes) or the direct Negative Path (user enters wrong data -> error message appears).

We forget the Context.

  • Does this rule block the Integration User who updates the record via API?
  • Does it break a legacy workflow that updates the field in the background?
  • Does it respect the ISCHANGED() condition, or does it prevent editing unrelated fields on old records?

A Validation Rule is a global gatekeeper. If you don't test it against your automated processes, you are effectively locking the doors while the cleaning crew is still inside.

3. The Flow "Soup"

Flows accumulate. In a mature Org, you rarely have just one piece of automation on the Opportunity object. You have a "Before-Save" Flow, an "After-Save" Flow, a legacy Process Builder, and perhaps an Entitlement Process.

Each one is "simple" in isolation. Together, they form a distributed system where the Order of Execution decides the winner.

  • Flow A sets the "Status" to Closed.
  • Flow B sees "Closed" and updates the "Close Date."
  • Validation Rule C triggers because "Close Date" changed.

The interaction is rarely tested because testers usually focus on the new Flow. But in Production, all Flows run together.

The QA Mindset Shift

We need to stop using the term "No-Code" as a synonym for "No-Risk."

Strong Salesforce QA treats configuration with the same respect—and suspicion—as custom code.

  • Require Reviews: A complex Flow should be peer-reviewed just like an Apex class. Is it bulkified? Does it handle null values?
  • Test Negative Paths: Don't just check if the Validation Rule fires. Check if it fires when it shouldn't.
  • Test Bulk Behavior: What happens if I update 50 records at once? Does the Flow hit a governor limit?

The Real Risk

The most dangerous bugs in Salesforce are not the ones that throw a "GACK" or a crash report.

The most dangerous bugs are the ones that silently change behavior because a configuration change had unintended side effects.

Configuration is powerful. It drives the business. It automates the mundane. But let’s be clear:

No-code does not mean no-risk. It means no excuses.

QA Takeaways

  1. Map the Dependencies: Before testing a config change, ask: "What other automation runs on this object?"
  2. Audit the Context: distinct tests for UI Users, API Users, and System Admin users are mandatory for Validation Rules.
  3. Respect the Record Type: Never assume a change on one Record Type is isolated. Verify the impact on the others.

Have you ever seen a "simple" Validation Rule bring down an integration? Share your story below.

Subscribe to Salesforce Tester

Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe