ISVforce Guide

ISVforce Guide: Build and Distribute AppExchange Solutions
Get Ready to Distribute on AppExchange
Use Managed Packages to Develop Your AppExchange Solution
Manage Orgs with Environment Hub
Architectural Considerations for Group and Professional Editions
Security Requirements for AppExchange Partners and Solutions
Security Policy Requirements
Prevent Secure Coding Violations
Load JavaScript Files from Third-Party Endpoints
Load Third-Party CSS in Lightning Components
Use CSS Outside Components
Running JavaScript in the Salesforce Domain
Expose Secret Data When Debugging
Store Sensitive Data Insecurely
Using Software That Has Known Vulnerabilities
Use Sample Code in Production
Bypass Object-Level and Field-Level Access Settings
Bypass Sharing Rules in Apex
SOQL Injection Due to Insecure Database Query Construction
Cross-Site Request Forgery
Open Redirects
Lightning LockerService Disabled
Insufficient Escaping in Lightning Components
Asynchronous Code in Components
Secure Communication
Secure Your B2C Commerce Solution
Secure Your Tableau Accelerator
Secure Your Agentforce Solution
Pass the AppExchange Security Review
Manage Your AppExchange Listings
Sell on AppExchange with Checkout
Report Orders to Salesforce with the Channel Order App
Provide Free Trials of Your AppExchange Solution
OEM User License Guide
PDF

Newer Version Available

This content describes an older version of this product. View Latest

Bypass Sharing Rules in Apex

Respect profile-based permissions, field-level security, sharing rules, and org-wide defaults in your Apex code.

The Salesforce Platform makes extensive use of data-sharing rules. Each object can have unique permissions that indicate which users and profiles can read, create, edit, and delete records of that object type. These restrictions are enforced when your code uses a standard controller.

However, a custom Apex class or Visualforce page doesn’t intrinsically respect built-in profile permissions, field-level security restrictions, or sharing rules. By default, an Apex class can read and update all data within an org.

In your Apex code, don’t expose sensitive data that is otherwise hidden from users. Respect profile-based permissions, field-level security, sharing rules, and org-wide defaults.

Follow these general rules for correctly enforcing sharing.

  • Declare with sharing on all global classes or classes containing @NamespaceAccessible methods. Don’t omit a sharing declaration or use without sharing on these entrypoints to your solution.
  • For controller classes that aren’t global or marked @NamespaceAccessible, either declare the class as with inherited sharing or with sharing. Don’t omit a sharing declaration or use without sharing on these entrypoints to your solution.
  • Declare all classes that directly perform data access operations as with sharing. If no class in your solution is marked without sharing, then with inherited sharing can also be used.

However, there are some notable exceptions. Don’t follow the general rules when:

  • You’re building a site or community and want to deny guest user access to data.
  • You’re accessing custom objects belonging to your namespace with a bespoke security policy. In this case, document the policy as part of your AppExchange security review submission documents. This exception doesn’t apply to standard objects. The org admin solely owns the security policy for standard objects.

Apex Example

In this Apex code, the with sharing keyword isn’t added to class header. By default, sharing rules aren’t enforced.
1public class maincontroller {
2   @AuraEnabled public static String saveJobApplication(String vacId, String userId) {
3      ...
4   }
5}

In this Apex code, the with sharing keyword is used. Sharing rules are enforced. 

1public with sharing class maincontroller {
2   @AuraEnabled public static String saveJobApplication(String vacId, String userId) {
3       ...
4   }
5}

To learn more about sharing rules enforcement, check out the Secure Server-Side Development module on Trailhead.