FAQ-000118 - Batch Processing Security / CRUD and FLS Enforcement

Yes, FLS checks are required in batch job execute methods when retrieving or manipulating customer data. To implement proper FLS enforcement in batch classes: 1. **USER_MODE Execution**: Where applicable, run the batch class in "user mode" using `WITH USER_MODE` in SOQL queries or `AccessLevel.USER_MODE` for Database methods to automatically enforce sharing and CRUD/FLS rules. 2. **SOQL Queries with Security**: Use the `WITH SECURITY_ENFORCED` clause in your SOQL queries to enforce CRUD/FLS checks on fields in the `SELECT` and `FROM` clauses. Note that manual checks are still needed for fields in the `WHERE` or `ORDER BY` clauses. 3. **Explicit CRUD/FLS Checks**: Use methods like `isAccessible()`, `isCreateable()`, `isUpdateable()`, and `isDeletable()` from the `Schema.DescribeFieldResult` or `Schema.DescribeSObjectResult` classes to validate field and object permissions before performing DML operations. 4. **Use Schema Methods**: Utilize `Schema.sObjectType` to verify field-level security (FLS) and CRUD permissions before performing DML operations. 5. **Apply Sharing Context**: Use the `with sharing` keyword in the batch class to enforce sharing rules, unless there's a specific business need to use `without sharing`. 6. **Code Analysis Tools**: Leverage tools like Salesforce Code Analyzer to identify and address any potential violations. These practices ensure compliance with security requirements for accessing standard fields and prevent unauthorized access or exposure of sensitive data.

The FAQ content is accurate and comprehensive, but I reordered the recommendations to prioritize modern security features as specified in the security approaches guidelines. The USER_MODE execution approach was moved to the top position because it's the modern, preferred method that automatically enforces permissions with less code. The WITH SECURITY_ENFORCED clause was moved to second position as another modern approach. The explicit CRUD/FLS checks were moved lower in the list but retained as valid approaches. No content was removed or added - just reordered to follow the guideline of leading with modern features while maintaining that legacy approaches remain valid. The ApexCRUDViolation rule directly relates to the FAQ's discussion of CRUD and FLS enforcement in batch jobs, as it detects violations of create, read, update, and delete permissions. The ApexSharingViolations rule applies to the FAQ's coverage of sharing rules enforcement using 'with sharing' keyword and USER_MODE execution. The AvoidSecurityEnforcedOldApiVersion rule relates to the FAQ's mention of WITH SECURITY_ENFORCED clause usage.