FAQ-001564 - Reporting and Dashboard Security / Data Visibility and Access Control

To ensure that reports and dashboards in your application correctly enforce user data visibility, you should: 1. **Adhere to CRUD and FLS Settings**: Ensure that the application respects the organization's Create, Read, Update, and Delete (CRUD) permissions and Field-Level Security (FLS) settings for both standard and custom objects. Use `WITH USER_MODE` in SOQL queries or `AccessLevel.USER_MODE` in Database methods to automatically enforce these permissions. 2. **Respect Access Restrictions**: Design the application to align with the access restrictions set by the organization, ensuring that users only see data they are authorized to access. 3. **Handle Limited Access Gracefully**: Implement mechanisms to handle scenarios where user access is restricted, ensuring the application behaves appropriately. 4. **Custom Authorization Model**: If you use a custom authorization model, verify that it enforces data visibility in conjunction with Salesforce's sharing, CRUD, and FLS settings. By following these strategies, you can ensure that your reports and dashboards enforce user data visibility effectively.

The original FAQ content is accurate and well-structured, but can be enhanced to align with modern security approaches. The primary improvement is to add specific modern techniques (WITH USER_MODE and AccessLevel.USER_MODE) to point 1, as these automatically enforce CRUD and FLS permissions while requiring less code than legacy manual validation approaches. This follows the security approaches guidelines to prioritize modern features while maintaining all existing information. The two security rules selected are directly relevant: ApexCRUDViolation relates to the FAQ's emphasis on CRUD permissions enforcement, which is explicitly mentioned in point 1 where the FAQ discusses ensuring applications respect Create, Read, Update, and Delete permissions. ApexSharingViolations relates to the FAQ's discussion of access restrictions and custom authorization models in points 2 and 4, which deal with data visibility and sharing enforcement that this rule helps detect violations of.