FAQ-001025 - Flow Security and System Mode / System Context Authorization


Current FAQ

Question
When is it appropriate for a flow to run in system context, and how must this be handled to pass security review?
Answer
If it is mandatory to run the flow in privileged mode, then create a subflow that runs the privileged operation in elevated mode, and run the rest of the flow in User mode/Safe mode. Provide clear justification for using system context.

AI Recommended Enhancement

Related Security Rules
PreventPassingUserDataIntoElementWithoutSharing
Question
When is it appropriate for a flow to run in system context, and how must this be handled to pass security review?
Recommended Answer Update
When it's mandatory to run a flow in privileged mode, create a subflow and run that privileged operation in elevated mode while the rest of the flow runs in User mode. This approach minimizes the security risk by limiting system context to only the operations that truly require it.

Valid use cases for system context include:
- System maintenance operations
- Data migration processes
- Cross-object updates where sharing rules would prevent necessary operations
- Background processes that need to access all records regardless of user permissions

Always document the business justification for using system context and ensure it's the minimum necessary to accomplish the required functionality.
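A pre-submission check for the pattern described above, as an added example that is not part of the original FAQ or of any Salesforce tool: it reads Flow metadata XML and flags flows that run in `SystemModeWithoutSharing` while also holding screens, more than one record operation, or no written justification. The sample flows, the finding names, the one-operation threshold and the use of the flow `description` as the place for the justification are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}
RECORD_OPS = ("recordLookups", "recordCreates", "recordUpdates", "recordDeletes")
MAX_ELEVATED_OPS = 1  # assumed threshold: an elevated subflow does one privileged step


def review_flow(xml_text):
    """Return finding codes (hypothetical names) for one Flow metadata file."""
    root = ET.fromstring(xml_text)
    mode = root.findtext("sf:runInMode", default="DefaultMode", namespaces=NS)
    if mode != "SystemModeWithoutSharing":
        return []  # not running without sharing: nothing to justify here
    count = lambda tag: len(root.findall(f"sf:{tag}", NS))
    findings = []
    if count("screens"):
        # User-facing input is collected inside the elevated flow itself.
        findings.append("elevated-flow-has-screens")
    if sum(count(t) for t in RECORD_OPS) > MAX_ELEVATED_OPS:
        # More data access than the single privileged operation needs.
        findings.append("elevated-scope-too-wide")
    if not root.findtext("sf:description", default="", namespaces=NS).strip():
        findings.append("no-justification")
    return findings


def flow(body):
    """Wrap constructed sample elements in a Flow metadata root."""
    return f'<Flow xmlns="{NS["sf"]}">{body}</Flow>'


# Constructed samples: one monolithic elevated flow, then the split version.
BEFORE = flow("<runInMode>SystemModeWithoutSharing</runInMode>"
              "<screens><name>Get_Input</name></screens>"
              "<recordLookups><name>Find_Account</name></recordLookups>"
              "<recordUpdates><name>Update_Account</name></recordUpdates>")
AFTER_PARENT = flow("<runInMode>DefaultMode</runInMode>"
                    "<screens><name>Get_Input</name></screens>"
                    "<recordLookups><name>Find_Account</name></recordLookups>"
                    "<subflows><name>Call_Elevated</name>"
                    "<flowName>Elevated_Update</flowName></subflows>")
AFTER_SUBFLOW = flow("<description>System context: cross-object update that "
                     "sharing rules would block.</description>"
                     "<runInMode>SystemModeWithoutSharing</runInMode>"
                     "<recordUpdates><name>Update_Account</name></recordUpdates>")

if __name__ == "__main__":
    for name in ("BEFORE", "AFTER_PARENT", "AFTER_SUBFLOW"):
        print(name, review_flow(globals()[name]))
```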
Reasoning
The original answer contains the core best practice (using subflows to minimize system context) but lacks important context that would help pass security review. I've improved the answer by: 1) Adding clarity about why this approach minimizes security risk, 2) Providing specific examples of valid use cases for system context, and 3) Adding guidance about documentation requirements that security reviewers expect. The rule PreventPassingUserDataIntoElementWithoutSharing is directly related because it addresses the security concerns of running flows without proper sharing enforcement. The FAQ discusses when flows should run in system context and how to handle it securely, which directly relates to this rule's purpose of preventing user data from being passed into elements that bypass sharing rules.