FAQ-001493 - Permission Set Security / Permission Validation and Querying


Current FAQ

Question
When are additional code-level security checks required beyond permission sets?
Answer
Additional code-level security checks are required beyond permission sets in these scenarios:

1. **"Without Sharing" Classes**: These don't enforce sharing rules, so explicit access control logic is needed to ensure only authorized users can perform operations.
2. **Sensitive Fields in SOQL Queries**: Even with `WITH SECURITY_ENFORCED`, manual checks like `isAccessible()` are required for fields in `WHERE` or `ORDER BY` clauses.
3. **Custom Sharing Logic**: When using Apex sharing or modifying access control configurations, ensure proper permissions are enforced.
4. **Generic Helper Methods**: CRUD/FLS checks must still be applied when handling both custom and standard fields.
5. **External Integrations**: Secure data transfer and proper authentication mechanisms are necessary for external endpoints.
6. **Modifying User Permissions**: Operations that change user permissions, profiles, or sharing rules require specific access control checks to prevent unauthorized changes.

AI Recommended Enhancement

Related Security Rules
- ApexCRUDViolation
- ApexSharingViolations
- ApexInsecureEndpoint
- ApexSuggestUsingNamedCred
Question
When are additional code-level security checks required beyond permission sets?
Recommended Answer Update
Additional code-level security checks are required beyond permission sets in these scenarios:

1. **"Without Sharing" Classes**: These don't enforce sharing rules, so explicit access control logic is needed to ensure only authorized users can perform operations.
2. **Sensitive Fields in SOQL Queries**: Even with `WITH USER_MODE`, manual checks like `isAccessible()` may be required for fields in `WHERE` or `ORDER BY` clauses depending on your security requirements.
3. **Custom Sharing Logic**: When using Apex sharing or modifying access control configurations, ensure proper permissions are enforced.
4. **Generic Helper Methods**: CRUD/FLS checks must still be applied when handling both custom and standard fields.
5. **External Integrations**: Secure data transfer and proper authentication mechanisms are necessary for external endpoints.
6. **Modifying User Permissions**: Operations that change user permissions, profiles, or sharing rules require specific access control checks to prevent unauthorized changes.
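The following Apex class is an added illustration of scenarios 1, 2, 4, 5 and 6 from both the current and the recommended answer; it is not code from the FAQ. It assumes a custom permission named `Export_Contacts`, a Named Credential named `Partner_API`, and an org API version recent enough to support `WITH USER_MODE` and `AccessLevel.USER_MODE` DML. The `AccessDeniedException` class is defined here for the example.

```apex
// Added example (not from the FAQ): a "without sharing" service class that
// carries the explicit checks the FAQ says permission sets alone do not give you.
public without sharing class ContactExportService {

    // Assumed custom permission name used to gate the sensitive operation.
    private static final String EXPORT_PERMISSION = 'Export_Contacts';

    public class AccessDeniedException extends Exception {}

    // Scenarios 1 and 6: the class runs without sharing, so sharing rules will not
    // stop an unauthorized caller. Gate the operation on an explicit permission check.
    public static List<Contact> exportForAccount(Id accountId) {
        if (!FeatureManagement.checkPermission(EXPORT_PERMISSION)) {
            throw new AccessDeniedException('Missing custom permission: ' + EXPORT_PERMISSION);
        }

        // Scenario 2: user mode enforces FLS on the query, and the fields that appear
        // only in WHERE / ORDER BY are checked explicitly with isAccessible() as well.
        requireReadable(Contact.SObjectType, new List<String>{ 'AccountId', 'LastModifiedDate' });

        return [SELECT Id, LastName, Email
                FROM Contact
                WHERE AccountId = :accountId
                WITH USER_MODE
                ORDER BY LastModifiedDate DESC];
    }

    // Scenario 4: a generic helper that accepts any SObject. Because it cannot know
    // in advance whether it is handling standard or custom fields, it checks CRUD on
    // the object and FLS on every field the caller intends to write before the DML.
    public static Database.SaveResult updateRecord(SObject record, Set<String> fieldsToWrite) {
        Schema.DescribeSObjectResult objDescribe = record.getSObjectType().getDescribe();
        if (!objDescribe.isUpdateable()) {
            throw new AccessDeniedException('No update access on object ' + objDescribe.getName());
        }
        Map<String, Schema.SObjectField> fieldMap = objDescribe.fields.getMap();
        for (String fieldName : fieldsToWrite) {
            Schema.SObjectField field = fieldMap.get(fieldName.toLowerCase());
            if (field == null || !field.getDescribe().isUpdateable()) {
                throw new AccessDeniedException('No update access on field ' + fieldName);
            }
        }
        // User-mode DML re-enforces CRUD/FLS at the platform level as a second layer.
        return Database.update(record, AccessLevel.USER_MODE);
    }

    // Scenario 5: external integration through a Named Credential, so the endpoint
    // is HTTPS and the authentication secret never appears in Apex. 'Partner_API'
    // is an assumed Named Credential name.
    public static HttpResponse pushToPartner(String jsonPayload) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint('callout:Partner_API/contacts');
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/json');
        req.setBody(jsonPayload);
        return new Http().send(req);
    }

    // Field-level read check used for fields referenced outside the SELECT list.
    private static void requireReadable(Schema.SObjectType type, List<String> fieldNames) {
        Map<String, Schema.SObjectField> fieldMap = type.getDescribe().fields.getMap();
        for (String name : fieldNames) {
            Schema.SObjectField field = fieldMap.get(name.toLowerCase());
            if (field == null || !field.getDescribe().isAccessible()) {
                throw new AccessDeniedException('Field not readable by current user: ' + name);
            }
        }
    }
}
```

The describe-based checks in `updateRecord` and `requireReadable` are what a static rule such as ApexCRUDViolation looks for; the `WITH USER_MODE` clause and `AccessLevel.USER_MODE` DML add platform enforcement on top, and the Named Credential callout is the pattern ApexSuggestUsingNamedCred recommends instead of hard-coded endpoints and credentials.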
Reasoning
The primary change needed relates to the security approaches guidelines which prioritize modern features over legacy approaches. The FAQ mentioned `WITH SECURITY_ENFORCED` which is older syntax, but the guidelines specify to lead with `WITH USER_MODE` for SOQL queries as the modern approach. I updated point 2 to reference `WITH USER_MODE` and adjusted the language to be less prescriptive about manual checks being "required" since modern approaches handle this automatically in many cases. I selected ApexCRUDViolation because the FAQ discusses CRUD/FLS checks in point 4 and generic helper methods requiring proper permission validation. ApexSharingViolations relates directly to points 1 and 3 which discuss "without sharing" classes and custom sharing logic requiring explicit access control. ApexInsecureEndpoint connects to point 5 about external integrations requiring secure data transfer and authentication mechanisms. ApexSuggestUsingNamedCred also relates to point 5 regarding external integrations and proper authentication mechanisms for external endpoints.