Newer Version Available

This content describes an older version of this product. View Latest

AccessLevel Class

Defines the different modes, such as system or user mode, that Apex database operations execute in.

Namespace

System

Usage

By default, Apex code runs in system mode, which means that it runs with substantially elevated permissions over the user running the code. In system mode, the object and field-level permissions of the current user are ignored, and the record sharing rules are controlled by the class sharing keywords. In user mode, the current user's object permissions, field-level security, and sharing rules are enforced.

Many of the DML methods of the System.Database and System.Search classes include an accessLevel parameter to specify the execution mode.

Example

If the user running this Apex code doesn't have write access to the Account object, the Database.insert() method returns an error.

1List<Account> toInsert = new List<Account>{new Account(Name = 'Exciting New Account')};
2
3List<Database.SaveResult> sr = Database.insert(toInsert, AccessLevel.USER_MODE);
4

In contrast, this example shows the method running in system mode. The success of the insert doesn't depend on whether the user running the Apex code has create access to the Account object.

1List<Account> toInsert = new List<Account>{new Account(Name = 'Exciting New Account')};
2
3List<Database.SaveResult> sr = Database.insert(toInsert, AccessLevel.SYSTEM_MODE);
4

AccessLevel Methods

The following are methods for AccessLevel.

withPermissionSetId(permissionSetId)(Developer Preview)

Supports database and search operations to be run with permissions specified in a permission set. Apex enforces field-level security (FLS) and object permissions as per the specified permission set, in addition to the running user’s permissions.

Feature is available as a developer preview. Feature isn’t generally available unless or until Salesforce announces its general availability in documentation or in press releases or public statements. All commands, parameters, and other features are subject to change or deprecation at any time, with or without notice. Don’t implement functionality developed with these commands or tools in a production environment. You can provide feedback and suggestions for the “Permission Sets with User Mode” feature in the Trailblazer Community.

Note

This feature is available in scratch orgs where the ApexUserModeWithPermset feature is enabled. If the feature isn’t enabled, Apex code with this feature can be compiled but not executed.

Signature

public System.AccessLevel withPermissionSetId(String permissionSetId)

Parameters

permissionSetId
Type: String
Permissions in the specified permission set are enforced while running user-mode DML operations, in addition to the running user’s permissions.

Return Value

Type: Access Level Class

Example

This example runs the AccessLevel.withPermissionSetId() method with the specified permission set and inserts a custom object.
1@isTest
2public with sharing class ElevateUserModeOperations_Test {
3    @isTest
4    static void objectCreatePermViaPermissionSet() {
5        Profile p = [SELECT Id FROM Profile WHERE Name='Minimum Access - Salesforce'];
6        User u = new User(Alias = 'standt', Email='standarduser@testorg.com',
7            EmailEncodingKey='UTF-8', LastName='Testing', LanguageLocaleKey='en_US',
8            LocaleSidKey='en_US', ProfileId = p.Id,
9            TimeZoneSidKey='America/Los_Angeles',
10            UserName='standarduser' + DateTime.now().getTime() + '@testorg.com');
11
12        System.runAs(u) {
13            try { 
14                Database.insert(new Account(name='foo'), AccessLevel.User_mode); 
15                Assert.fail(); 
16            } catch (SecurityException ex) { 
17                Assert.isTrue(ex.getMessage().contains('Account'));
18            }
19            //Get ID of previously created permission set named 'AllowCreateToAccount'
20            Id permissionSetId = [Select Id from PermissionSet 
21                where Name = 'AllowCreateToAccount' limit 1].Id;
22
23            Database.insert(new Account(name='foo'), AccessLevel.User_mode.withPermissionSetId(permissionSetId)); 
24
25            // The elevated access level in not persisted to subsequent operations
26            try { 
27                Database.insert(new Account(name='foo2'), AccessLevel.User_mode); 
28                Assert.fail(); 
29            } catch (SecurityException ex) { 
30                Assert.isTrue(ex.getMessage().contains('Account')); 
31            } 
32            
33        } 
34    } 
35}
36

AccessLevel Properties

The following are properties for AccessLevel.

SYSTEM_MODE

Execution mode in which the the object and field-level permissions of the current user are ignored, and the record sharing rules are controlled by the class sharing keywords.

Signature

public System.AccessLevel SYSTEM_MODE {get;}

Property Value

Type: System.AccessLevel

USER_MODE

Execution mode in which the object permissions, field-level security, and sharing rules of the current user are enforced.

Signature

public System.AccessLevel USER_MODE {get;}

Property Value

Type: System.AccessLevel