FAQ-001580 - SOQL Security and User Mode Implementation / USER_MODE vs SECURITY_ENFORCED Comparison

Current Status:VALID_RESPONSEErrorUnable to AnswerSuggests Case

← Back to List View Prompt Template

Current FAQ

Question
Does using WITH USER_MODE or WITH SECURITY_ENFORCED in SOQL satisfy all CRUD/FLS enforcement requirements?
Answer
Neither `WITH USER_MODE` nor `WITH SECURITY_ENFORCED` alone satisfies all CRUD/FLS enforcement requirements: **WITH SECURITY_ENFORCED limitations:** - Enforces CRUD/FLS checks only for fields in the SELECT or FROM clauses of SOQL queries - Does NOT cover WHERE or ORDER BY fields, which can still lead to information leakage - Manual checks such as `isAccessible()` are required for WHERE and ORDER BY fields **Recommended approach:** - Both `WITH SECURITY_ENFORCED` and `WITH USER_MODE` help with security compliance but are not complete solutions - `WITH USER_MODE` is recommended as it also enforces license checks and ensures compliance with user permissions - Both approaches may need to be used in conjunction with manual field accessibility checks depending on the specific use case - For full compliance, you must perform manual checks for fields in WHERE or ORDER BY clauses to ensure all sensitive data is protected In summary, while both options provide significant security benefits, additional manual validation is typically required for comprehensive CRUD/FLS compliance.

Enhancing FAQ with AI recommendations...

AI Recommended Enhancement

Related Security Rules (click to view)
ApexCRUDViolationAvoidSecurityEnforcedOldApiVersion
Question
Does using WITH USER_MODE or WITH SECURITY_ENFORCED in SOQL satisfy all CRUD/FLS enforcement requirements?
Recommended Answer Update
Neither `WITH USER_MODE` nor `WITH SECURITY_ENFORCED` alone satisfies all CRUD/FLS enforcement requirements: **WITH SECURITY_ENFORCED limitations:** - Enforces CRUD/FLS checks only for fields in the SELECT or FROM clauses of SOQL queries - Does NOT cover WHERE or ORDER BY fields, which can still lead to information leakage - Manual checks such as `isAccessible()` are required for WHERE and ORDER BY fields **Recommended approach:** - `WITH USER_MODE` is the modern, recommended solution as it comprehensively enforces user permissions, license checks, and CRUD/FLS for all query clauses - `WITH SECURITY_ENFORCED` helps with security compliance but provides partial coverage compared to `WITH USER_MODE` - Both approaches may need to be used in conjunction with manual field accessibility checks depending on the specific use case - For full compliance with `WITH SECURITY_ENFORCED`, you must perform manual checks for fields in WHERE or ORDER BY clauses to ensure all sensitive data is protected In summary, `WITH USER_MODE` provides the most comprehensive security enforcement, while `WITH SECURITY_ENFORCED` requires additional manual validation for complete CRUD/FLS compliance.
Reasoning
The original answer correctly explains the security differences between the two approaches but doesn't clearly prioritize the modern `WITH USER_MODE` approach as recommended by the security guidelines. The updated answer leads with `WITH USER_MODE` as the preferred modern solution while maintaining all original technical points about limitations and manual checks. This aligns with the guideline to 'prioritize modern features over legacy approaches' and 'lead with WITH USER_MODE for SOQL queries.' The ApexCRUDViolation rule is directly relevant because this FAQ explains CRUD/FLS enforcement techniques that help prevent violations detected by this rule. The AvoidSecurityEnforcedOldApiVersion rule applies because the FAQ discusses `WITH SECURITY_ENFORCED` usage and compliance considerations that this rule would flag if used with older API versions.
Reasoning References
Recommended Related Articles