FAQ-001577 - SOQL Security and User Mode Implementation / Sharing vs Security Enforcement

Current Status: VALID_RESPONSE | Error | Unable to Answer | Suggests Case

Current FAQ

Question
If my class is declared `with sharing`, do I still need to add `WITH SECURITY_ENFORCED` to my SOQL queries?
Answer
Yes, even if a class is declared `with sharing`, you still need to add `WITH SECURITY_ENFORCED` to your SOQL queries to enforce CRUD/FLS checks. However, keep in mind that `WITH SECURITY_ENFORCED` only applies to fields in the SELECT or FROM clauses. For fields in WHERE or ORDER BY clauses, you must perform manual checks like `isAccessible()` to ensure data security.

AI Recommended Enhancement

Related Security Rules
ApexCRUDViolation, ApexSharingViolations
Question
If my class is declared `with sharing`, do I still need to add `WITH SECURITY_ENFORCED` to my SOQL queries?
Recommended Answer Update
Yes, even if a class is declared `with sharing`, you still need to add `WITH SECURITY_ENFORCED` to your SOQL queries to enforce CRUD/FLS checks. However, keep in mind that `WITH SECURITY_ENFORCED` only applies to fields in the SELECT clause. For fields in WHERE or ORDER BY clauses, you must perform manual checks like `isAccessible()` to ensure data security. Note: Modern alternatives like `WITH USER_MODE` automatically enforce both sharing rules and CRUD/FLS permissions in a single declaration, requiring less code than separate `with sharing` and `WITH SECURITY_ENFORCED` approaches.
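The pattern the answer describes, as an added example that is not part of the original FAQ. The class, method and exception names are hypothetical, and the Contact fields are chosen only for illustration.

```apex
// Added example; ContactLookup and FieldAccessException are hypothetical names.
public with sharing class ContactLookup {

    public class FieldAccessException extends Exception {}

    // `with sharing` restricts the rows to records shared with the running user.
    // WITH SECURITY_ENFORCED adds CRUD/FLS checks for the selected fields.
    // Email (WHERE) and LastName (ORDER BY) are not selected, so they are
    // checked manually with isAccessible() before the query runs.
    public static List<Contact> byEmail(String email) {
        if (!Schema.sObjectType.Contact.fields.Email.isAccessible() ||
            !Schema.sObjectType.Contact.fields.LastName.isAccessible()) {
            throw new FieldAccessException('No read access to filter or sort field');
        }
        try {
            return [
                SELECT Id, Name, Phone
                FROM Contact
                WHERE Email = :email
                WITH SECURITY_ENFORCED
                ORDER BY LastName
                LIMIT 200
            ];
        } catch (System.QueryException e) {
            // Thrown when the user lacks access to Contact or to a selected field.
            throw new FieldAccessException('No read access to a selected field', e);
        }
    }

    // The WITH USER_MODE alternative mentioned in the answer: the query runs
    // with the running user's sharing rules and CRUD/FLS permissions applied,
    // so no separate isAccessible() calls are written here.
    public static List<Contact> byEmailUserMode(String email) {
        return [
            SELECT Id, Name, Phone
            FROM Contact
            WHERE Email = :email
            WITH USER_MODE
            ORDER BY LastName
            LIMIT 200
        ];
    }
}
```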
Reasoning
The original answer contains a technical inaccuracy that needed correction. It states that `WITH SECURITY_ENFORCED` applies to fields in both SELECT and FROM clauses, but `WITH SECURITY_ENFORCED` actually only applies to fields in the SELECT clause - the FROM clause specifies objects, not fields, and CRUD permissions are checked at the object level automatically when using this keyword. I also added information about the modern `WITH USER_MODE` approach per the security approaches guidelines, which prioritize modern features while preserving existing valid approaches. This addition provides users with awareness of current best practices without invalidating the existing approach.

For ApexCRUDViolation: This rule is directly relevant because the FAQ discusses enforcing CRUD/FLS checks in SOQL queries, which is exactly what this rule detects violations for. The FAQ content about `WITH SECURITY_ENFORCED` and manual `isAccessible()` checks directly relates to preventing CRUD violations that this rule identifies.

For ApexSharingViolations: This rule is relevant because the FAQ discusses the `with sharing` keyword and its relationship to data security enforcement. The FAQ explains that `with sharing` alone is insufficient for complete security, which aligns with what this rule helps detect - improper sharing configurations that could lead to data access violations.
Reasoning References
Recommended Related Articles