FAQ-001494 - Permission Set Security / Permission Validation and Querying


Current FAQ

Question
How do permission sets relate to FLS security requirements?
Answer
Permission sets are directly tied to Field-Level Security (FLS) requirements in the AppExchange Security Review. Apps must enforce CRUD (Create, Read, Update, Delete) and FLS for all standard and custom objects and fields, especially for sensitive data like financial or medical information. While CRUD/FLS is automatically enforced when using the SOAP/REST API, it isn't automatically applied in some cases, like JavaScript remoting. Developers need to ensure that permission sets and FLS are correctly configured and validated in their code to meet security standards.

AI Recommended Enhancement

Related Security Rules
ApexCRUDViolation, ApexSharingViolations
Question
How do permission sets relate to FLS security requirements?
Recommended Answer Update
Permission sets are directly tied to Field-Level Security (FLS) requirements in the AppExchange Security Review. Apps must enforce CRUD (Create, Read, Update, Delete) and FLS for all standard and custom objects and fields, especially for sensitive data like financial or medical information. Modern approaches like `WITH USER_MODE` in SOQL queries and `AccessLevel.USER_MODE` in Database methods automatically enforce these permissions. While CRUD/FLS is automatically enforced when using the SOAP/REST API, it isn't automatically applied in some cases, like JavaScript remoting or when using `WITH SYSTEM_MODE`. Developers need to ensure that permission sets and FLS are correctly configured and validated in their code to meet security standards.
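The following Apex class is an added example, not code from the FAQ or from Salesforce, illustrating the points made in both the current and the recommended answers: a JavaScript remoting endpoint where CRUD/FLS is not enforced automatically, the same query made safe with `WITH USER_MODE`, a `Database.query` / `Security.stripInaccessible` variant for callers that prefer stripped fields over a hard failure, and DML guarded with `AccessLevel.USER_MODE`. The class name, the choice of the Contact object and its fields, and the method names are assumptions for illustration only.

```apex
// Added example (not from the FAQ): enforcing CRUD/FLS in a remoting controller.
// Class name, object (Contact), fields and method names are assumptions.
public with sharing class ContactLookupController {

    // BEFORE: inline SOQL in a @RemoteAction runs in system mode, so the
    // caller receives Email and Phone even when their permission sets do not
    // grant read access on those fields. This is what ApexCRUDViolation flags.
    @RemoteAction
    public static List<Contact> findUnsafe(String email) {
        return [SELECT Id, Name, Email, Phone FROM Contact WHERE Email = :email];
    }

    // AFTER: WITH USER_MODE enforces the running user's object (CRUD) and
    // field (FLS) permissions. If the user lacks read access on Contact or on
    // any selected field, a QueryException is thrown and the method fails closed.
    @RemoteAction
    public static List<Contact> findSafe(String email) {
        return [SELECT Id, Name, Email, Phone
                FROM Contact
                WHERE Email = :email
                WITH USER_MODE];
    }

    // Alternative when partial results are acceptable: the dynamic query still
    // runs in user mode (object-level access is enforced), and fields the user
    // may not read are removed from the result instead of raising an exception.
    @RemoteAction
    public static List<Contact> findStripped(String email) {
        List<Contact> rows = Database.query(
            'SELECT Id, Name, Email, Phone FROM Contact WHERE Email = :email',
            AccessLevel.USER_MODE);
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, rows);
        // decision.getRemovedFields() lists, per object, the fields that were stripped;
        // log it during development to see which permission set assignment is missing.
        return (List<Contact>) decision.getRecords();
    }

    // DML guarded with AccessLevel.USER_MODE: the update is rejected with a
    // DmlException unless the user has Update on Contact and edit access on Phone.
    @RemoteAction
    public static Id updatePhone(Id contactId, String phone) {
        Contact c = new Contact(Id = contactId, Phone = phone);
        Database.update(c, AccessLevel.USER_MODE);
        return c.Id;
    }
}
```

To check the behaviour, run the safe methods as a test user whose permission sets omit read access on `Contact.Phone`: `findSafe` throws, `findStripped` returns records without the `Phone` field, and `updatePhone` throws a `DmlException`, whereas `findUnsafe` returns the full records regardless of the assignment.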
Reasoning
The original answer was accurate but could be improved to highlight modern security enforcement approaches. I updated the text to lead with modern features (`WITH USER_MODE` and `AccessLevel.USER_MODE`) while preserving all existing information about SOAP/REST API automatic enforcement and JavaScript remoting exceptions. I also clarified the contrast by mentioning `WITH SYSTEM_MODE` as an example where permissions aren't automatically enforced. The ApexCRUDViolation rule directly relates to the FAQ's discussion of CRUD and FLS enforcement requirements - this rule detects when Apex code violates CRUD permissions by not properly checking object and field accessibility before database operations. The ApexSharingViolations rule is also relevant as it detects when sharing rules are not properly enforced, which ties into the broader permission and security enforcement topics covered in this FAQ about permission sets and security requirements.