When are FLS checks still required despite having proper permission sets configured?
Answer
If proper permission sets are configured, explicit FLS checks are not required; instead, the code should verify that the user has the appropriate permission set before performing any operations.
Recommended Answer Update
Field-Level Security (FLS) checks are still required in certain scenarios even with proper permission sets configured:
1. **Dynamic SOQL queries** - When building queries dynamically or when you need granular field access control beyond what permission sets provide
2. **Legacy API versions** - Code using older API versions that don't support modern security enforcement features
3. **Mixed security contexts** - When your code runs in different contexts where permission set validation alone may not be sufficient
4. **Defensive programming** - As an additional security layer when handling sensitive data fields
For modern implementations, prefer `WITH USER_MODE` in SOQL queries and `AccessLevel.USER_MODE` for Database methods, as these automatically enforce both CRUD and FLS permissions with less code. When explicit FLS checks are needed, verify field accessibility using `Schema.DescribeFieldResult.isAccessible()` before accessing field data.
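The two styles side by side, as an added Apex illustration that is not code from the original FAQ: an explicit describe-based FLS check on a system-mode query, the same query in user mode, and the dynamic-SOQL case run through `Database.query` with `AccessLevel.USER_MODE`. The class name `ContactEmailService`, the `Contact` fields and the `accountId`/`fieldCsv` parameters are assumptions.

```apex
public with sharing class ContactEmailService {

    // Explicit-check style: the SOQL below runs in system mode, so the code
    // itself must confirm FLS on each field it reads before using the data.
    public static List<Contact> getContactsExplicitFls(Id accountId) {
        // isAccessible() reflects the running user's profile and permission
        // set grants for this field, which is what the FAQ's check refers to.
        Schema.DescribeFieldResult emailDescribe = Contact.Email.getDescribe();
        if (!emailDescribe.isAccessible()) {
            // Fail closed instead of returning a silently blanked-out field.
            throw new System.NoAccessException();
        }
        return [SELECT Id, Email FROM Contact WHERE AccountId = :accountId];
    }

    // Modern style: WITH USER_MODE makes the platform enforce CRUD and FLS
    // (plus sharing) for the running user; no manual isAccessible() needed.
    // A field the user cannot read makes the query throw a QueryException.
    public static List<Contact> getContactsUserMode(Id accountId) {
        return [SELECT Id, Email FROM Contact
                WHERE AccountId = :accountId
                WITH USER_MODE];
    }

    // Dynamic SOQL (scenario 1 in the list above): field names arrive at
    // run time, so a static FLS check cannot know them in advance.
    // AccessLevel.USER_MODE makes Database.query enforce FLS on whatever
    // fields end up in the query string.
    public static List<SObject> getFieldsUserMode(String fieldCsv, Id accountId) {
        // Allow-list against the describe map so untrusted input cannot
        // inject arbitrary SOQL; FLS itself is still enforced by user mode.
        Map<String, Schema.SObjectField> fieldMap =
            Schema.SObjectType.Contact.fields.getMap();
        List<String> safeFields = new List<String>();
        for (String f : fieldCsv.split(',')) {
            String name = f.trim();
            if (fieldMap.containsKey(name.toLowerCase())) {
                safeFields.add(name);
            }
        }
        if (safeFields.isEmpty()) {
            safeFields.add('Id');
        }
        String soql = 'SELECT ' + String.join(safeFields, ',') +
                      ' FROM Contact WHERE AccountId = :accountId';
        return Database.query(soql, AccessLevel.USER_MODE);
    }
}
```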
Reasoning
The original answer contained significant outdated and potentially misleading security guidance. The main issues were: (1) It incorrectly stated that FLS checks are never required when permission sets are configured, which contradicts modern Salesforce security best practices, (2) It oversimplified the relationship between permission sets and FLS enforcement, and (3) It failed to address legitimate scenarios where explicit FLS checks remain necessary. The updated answer preserves the structure while correcting these security misconceptions and providing accurate guidance about when FLS checks are still required. I selected ApexCRUDViolation because this FAQ directly discusses field-level security enforcement scenarios, and this rule specifically detects when code lacks proper CRUD/FLS validation - exactly what the FAQ is trying to help developers understand and implement correctly.