Enforce Object and Field Permissions
Apex generally runs in user context by default, meaning that the current user’s permissions and field-level security (FLS) are enforced during code execution. To ignore the FLS and object permissions of the current user, you must explicitly set a database operation or query to run in system mode. For fine-grained control, you can check the current user’s permissions for an object or a field, and then perform a specific DML operation or a query only if the user has sufficient permissions.
Set an Access Mode for Database Operations
You can run database operations and SOQL queries in either user mode or system mode. See Set an Access Mode for Database Operations.
Check Field-Level Permissions
You can also enforce object-level and field-level permissions in your code by explicitly calling the access control methods of the Schema.DescribeSObjectResult and the Schema.DescribeFieldResult classes. See Enforce Security with Field and SObject Describe Methods.
Considerations
- Object-level and field-level permissions are distinct from sharing rules, which enforce specific record access. They can coexist. If sharing rules are defined in Salesforce, you can enforce them at the class level by declaring the class with the with sharing keyword. See Use the with sharing, without sharing, and inherited sharing Keywords. If you call the Schema.DescribeSObjectResult and Schema.DescribeFieldResult access control methods, the verification of object and field-level permissions is performed in addition to the sharing rules that are in effect. Sometimes, the access level granted by a sharing rule can conflict with an object-level or field-level permission. In that case, object-level and field-level permissions take precedence over sharing rules.
- Orgs with Experience Cloud sites enabled provide various settings to hide a user’s personal information from other users. See Manage Personal User Information Visibility and Share Personal Contact Information Within Experience Cloud Sites. These settings aren’t enforced in Apex, even with security features such as the WITH USER_MODE clause or the stripInaccessible method. To hide specific fields on the User object in Apex, follow the example code outlined in Comply with a User’s Personal Information Visibility Settings.
- Automated Process users can’t perform Object and FLS checks in custom code unless appropriate permission sets are explicitly applied to those users.
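The three mechanisms described above (describe-based permission checks, the WITH USER_MODE clause, and stripInaccessible with user-mode DML) combined in one class, as an added example that is not from the Salesforce documentation or any Salesforce project; the class and method names are assumed, and Contact.Email is used only as a sample field.

```apex
// Added example: honouring the running user's object and field permissions on Contact.
public with sharing class ContactAccessExample {

    // 1. Describe-based check: verify object- and field-level read access, then query.
    public static List<Contact> getContactEmailsChecked() {
        Schema.DescribeSObjectResult contactDescribe = Contact.sObjectType.getDescribe();
        Schema.DescribeFieldResult emailDescribe = Schema.sObjectType.Contact.fields.Email;

        if (!contactDescribe.isAccessible() || !emailDescribe.isAccessible()) {
            // The user lacks Read on Contact or on Contact.Email: fail closed.
            throw new System.NoAccessException();
        }
        return [SELECT Id, Email FROM Contact LIMIT 100];
    }

    // 2. User-mode query: the platform enforces the user's object and FLS permissions;
    //    an inaccessible object or field raises a QueryException rather than returning data.
    public static List<Contact> getContactEmailsUserMode() {
        return [SELECT Id, Email FROM Contact WITH USER_MODE LIMIT 100];
    }

    // 3. stripInaccessible plus user-mode DML: drop fields the user cannot update, then
    //    save in user mode so the object-level Update permission is checked as well.
    public static Map<String, Set<String>> updateContactEmail(Id contactId, String newEmail) {
        Contact c = new Contact(Id = contactId, Email = newEmail);
        SObjectAccessDecision decision = Security.stripInaccessible(
            AccessType.UPDATABLE, new List<Contact>{ c }
        );
        // Returns the fields that were stripped (by object name) so the caller can report them.
        Map<String, Set<String>> removed = decision.getRemovedFields();
        Database.update(decision.getRecords(), AccessLevel.USER_MODE);
        return removed;
    }
}
```

Because the class is declared with sharing, record-level sharing rules apply on top of the object and field checks, matching the precedence described in the considerations above.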