FAQ-000149 - CRUD/FLS Bypass Justification and System Objects / Generic sObject and Dynamic SOQL Challenges

When using a generic sObject in Salesforce and proper CRUD checks cannot be implemented, here are some alternatives: 1. **Use Database methods with `AccessLevel.USER_MODE`**: For queries and DML operations, use `Database.query()` with `AccessLevel.USER_MODE` to automatically enforce CRUD/FLS permissions. 2. **Use `WITH USER_MODE` in SOQL queries**: This clause automatically enforces CRUD/FLS checks for all fields and objects in the query, providing comprehensive security enforcement. 3. **Use `Schema.getGlobalDescribe()`**: Validate object and field accessibility by retrieving their descriptions and performing explicit checks with methods like `isAccessible()`, `isUpdateable()`, or `isCreateable()`. 4. **Use `stripInaccessible`**: This method filters out fields or objects that the user cannot access, ensuring compliance with security settings. These approaches help maintain security while working with generic sObjects.

The FAQ content is generally accurate but needs updates to prioritize modern security features over legacy approaches according to the security guidelines. The main issues addressed: 1. **Security approach prioritization**: Added modern USER_MODE approaches (Database methods with AccessLevel.USER_MODE and WITH USER_MODE in SOQL) as the first two options, as these automatically enforce permissions with less code complexity. 2. **Outdated content**: The original answer mentioned WITH SECURITY_ENFORCED, which is deprecated and should be replaced with WITH USER_MODE. This aligns with the AvoidSecurityEnforcedOldApiVersion rule. 3. **Preserved existing content**: All original approaches (Schema.getGlobalDescribe() and stripInaccessible) were maintained as they remain valid security methods. 4. **Structure improvement**: Reordered the alternatives to lead with modern approaches while keeping the same level of detail and explanation. Rule associations: - **ApexCRUDViolation**: This FAQ directly addresses CRUD/FLS bypass scenarios and provides alternatives when standard CRUD checks cannot be implemented with generic sObjects. The FAQ teaches developers how to maintain CRUD compliance in challenging scenarios. - **AvoidSecurityEnforcedOldApiVersion**: The original answer recommended WITH SECURITY_ENFORCED, which is flagged by this rule as outdated. The updated answer replaces it with the modern WITH USER_MODE approach.