FAQ-000393 - Community and Experience Cloud Security / Data Access and Record Security

To handle object accessibility checks in Experience Cloud sites, follow these recommended practices: 1. **Enforce CRUD and FLS Checks**: Use `WITH USER_MODE` in SOQL queries or `AccessLevel.USER_MODE` with Database methods to automatically enforce field-level security. Alternatively, use the `isAccessible()` method to verify field-level security and ensure only accessible fields are queried or displayed. 2. **Guest User Considerations**: - Omit CRUD/FLS checks only if secure guidelines are followed, such as excluding unused fields from queries and avoiding sensitive fields in the UI or client-side code. 3. **Guest User Sharing Rules**: Define explicit access to records for guest users, as they won't have visibility without these rules. 4. **Avoid Manual or Apex Sharing**: These practices are not supported or recommended for guest users. 5. **Automate Record Reassignment**: Reassign records created by guest users to a default owner, as guest user ownership is restricted. These steps help ensure secure and compliant object accessibility in your Experience Cloud sites.

The main improvement needed is to modernize the security approach guidance per the FAQ review guidelines. The original content focused solely on manual security checks using `isAccessible()` method, but modern Salesforce development should prioritize the newer `WITH USER_MODE` and `AccessLevel.USER_MODE` approaches that automatically enforce permissions with less code. I updated point 1 to lead with these modern approaches while preserving the existing manual approach as an alternative, maintaining all original information without removal. For the security rules selected: - ApexCRUDViolation: This rule directly relates to the FAQ's core topic of handling CRUD (Create, Read, Update, Delete) and FLS (Field-Level Security) checks. The FAQ explicitly discusses "CRUD and FLS Checks" and "field-level security" verification, which are exactly what this rule detects violations for. - ApexSharingViolations: This rule relates to the FAQ content about sharing rules and record access. The FAQ discusses "Guest User Sharing Rules" and advises to "Avoid Manual or Apex Sharing" practices, which directly corresponds to sharing violations that this rule would identify.