FAQ-000129 - Batch Processing Security / Sharing Context and Permissions


Current FAQ

Question
When is it acceptable for batch processes to bypass user permissions for business logic requirements?
Answer
Batch processes can bypass user permissions for business logic requirements in specific scenarios, such as:
- Creating roll-up summaries or aggregates that do not directly expose data.
- Modifying custom objects or fields like logs or system metadata that are not directly accessible to users via CRUD or FLS.
- Accessing objects from high-privileged methods that non-admin users cannot access.

These use cases should be properly documented as part of the AppExchange security review submission.


AI Recommended Enhancement

Related Security Rules
- ApexCRUDViolation
- ApexSharingViolations
Question
When is it acceptable for batch processes to bypass user permissions for business logic requirements?
Recommended Answer Update
Batch processes can bypass user permissions for business logic requirements in specific scenarios, such as:
- Creating roll-up summaries or aggregates that don't directly expose data.
- Modifying custom objects or fields like logs or system metadata that aren't directly accessible to users via CRUD or FLS.
- Accessing objects from high-privileged methods that non-admin users can't access.

These use cases should be properly documented as part of the AppExchange security review submission.
Reasoning
The FAQ content is accurate and well-structured, addressing legitimate scenarios where batch processes may need elevated permissions. Minor wording improvements were made for clarity and consistency: 'do not' changed to 'don't', 'are not' to 'aren't', and 'cannot' to 'can't' to maintain a conversational tone as specified in the guidelines. The technical content aligns with security best practices and doesn't conflict with any available security rules.

For ApexCRUDViolation: This rule is directly relevant because the FAQ discusses scenarios where batch processes might bypass CRUD permissions, which is exactly what this rule detects. The FAQ content about 'Modifying custom objects or fields like logs or system metadata that are not directly accessible to users via CRUD or FLS' specifically relates to CRUD permission handling that this rule monitors.

For ApexSharingViolations: This rule is relevant because the FAQ discusses batch processes bypassing user permissions in general, including sharing context. The FAQ's mention of 'Accessing objects from high-privileged methods that non-admin users cannot access' relates to sharing violations that this rule would detect, as it monitors for code that doesn't respect sharing rules.
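The first scenario in the answer and in the recommended update (a roll-up aggregate that does not expose data) is illustrated below with an added Apex example that is not part of the FAQ. The batch deliberately runs without sharing, and the justification the security review would expect is carried in the class comment; the Account fields Has_Open_Pipeline__c and Total_Open_Pipeline__c are hypothetical.

```apex
// Added example (not from the FAQ). Field names are hypothetical.
//
// Security review justification: this job writes only an aggregate (sum of
// open Opportunity Amount) onto the parent Account. No Opportunity row is
// ever returned to the running user, so running in system mode matches the
// "roll-up summaries or aggregates that do not directly expose data" case.
public without sharing class OpenPipelineRollupBatch
        implements Database.Batchable<sObject> {

    public Database.QueryLocator start(Database.BatchableContext bc) {
        // Sharing is bypassed on purpose: the roll-up must cover every
        // Account, not only those visible to whoever scheduled the job.
        return Database.getQueryLocator(
            'SELECT Id FROM Account WHERE Has_Open_Pipeline__c = true');
    }

    public void execute(Database.BatchableContext bc, List<Account> scope) {
        Map<Id, Decimal> totals = new Map<Id, Decimal>();
        for (Account a : scope) {
            totals.put(a.Id, 0);
        }
        // Aggregate query: only the per-Account sum leaves this method.
        for (AggregateResult ar : [
                SELECT AccountId acc, SUM(Amount) total
                FROM Opportunity
                WHERE IsClosed = false AND AccountId IN :totals.keySet()
                GROUP BY AccountId]) {
            Decimal total = (Decimal) ar.get('total');
            totals.put((Id) ar.get('acc'), total == null ? 0 : total);
        }
        List<Account> updates = new List<Account>();
        for (Id accId : totals.keySet()) {
            updates.add(new Account(
                Id = accId, Total_Open_Pipeline__c = totals.get(accId)));
        }
        // The target is a system-maintained summary field, so FLS on it is
        // intentionally not checked; this is the documented bypass.
        update updates;
    }

    public void finish(Database.BatchableContext bc) {}
}
```

Any record data the job does hand back to a user, for example the Opportunity rows behind a total, falls outside these scenarios and should be read with WITH USER_MODE or filtered through Security.stripInaccessible before it is exposed.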