Enforce Security with the stripInaccessible Method
The field- and object-level data protection is accessed through the Security and SObjectAccessDecision classes. The access check is based on the field-level permission of the current user in the context of the specified operation—create, read, update, or upsert. The Security.stripInaccessible() method checks the source records for fields that don’t meet the field-level security check for the current user. The method also checks the source records for lookup or master-detail relationship fields to which the current user doesn’t have access. The method creates a return list of sObjects that is identical to the source records, except that the fields that are inaccessible to the current user are removed. The sObjects returned by the getRecords method contain records in the same order as the sObjects in the sourceRecords parameter of the stripInaccessible method.
The Security.stripInaccessible() method takes a permission set ID as a parameter and enforces field-level and object-level access as per the specified permission set, in addition to the running user’s permissions.
To identify inaccessible fields that were removed, you can use the SObject.isSet() method. For example, the return list contains the Contact object and the custom field social_security_number__c is inaccessible to the user. Because this custom field fails the field-level access check, the field isn’t set and isSet returns false.
SObjectAccessDecision securityDecision = Security.stripInaccessible(AccessType.READABLE, sourceRecords);
Contact c = securityDecision.getRecords()[0];
System.debug(c.isSet('social_security_number__c')); // prints "false"
To enforce object and field permissions on the User object and hide a user’s personal information from other users in orgs with Experience Cloud sites, see Enforcing Object and Field Permissions.
The following are some examples where the stripInaccessible method can be used.
Example
SObjectAccessDecision securityDecision =
Security.stripInaccessible(AccessType.READABLE,
[SELECT Name, BudgetedCost, ActualCost FROM Campaign] );
// Construct the output table
if (securityDecision.getRemovedFields().get('Campaign').contains('ActualCost')) {
for (Campaign c : securityDecision.getRecords()) {
//System.debug Output: Name, BudgetedCost
}
} else {
for (Campaign c : securityDecision.getRecords()) {
//System.debug Output: Name, BudgetedCost, ActualCost
}
}
Example
List<Account> accountsWithContacts =
[SELECT Id, Name, Phone,
(SELECT Id, LastName, Phone FROM Account.Contacts)
FROM Account];
// Strip fields that are not readable
SObjectAccessDecision decision = Security.stripInaccessible(
AccessType.READABLE,
accountsWithContacts);
// Print stripped records
for (Integer i = 0; i < accountsWithContacts.size(); i++)
{
System.debug('Insecure record access: '+accountsWithContacts[i]);
System.debug('Secure record access: '+decision.getRecords()[i]);
}
// Print modified indexes
System.debug('Records modified by stripInaccessible: '+decision.getModifiedIndexes());
// Print removed fields
System.debug('Fields removed by stripInaccessible: '+decision.getRemovedFields());
Example
List<Account> newAccounts = new List<Account>();
Account a = new Account(Name='Acme Corporation');
Account b = new Account(Name='Blaze Comics', Rating=’Warm’);
newAccounts.add(a);
newAccounts.add(b);
SObjectAccessDecision securityDecision = Security.stripInaccessible(
AccessType.CREATABLE, newAccounts);
// No exceptions are thrown and no rating is set
insert securityDecision.getRecords();
System.debug(securityDecision.getRemovedFields().get('Account')); // Prints "Rating"
System.debug(securityDecision.getModifiedIndexes()); // Prints "1"
Example
String jsonInput =
'[' +
'{' +
'"Name": "InGen",' +
'"AnnualRevenue": "100"' +
'},' +
'{' +
'"Name": "Octan"' +
'}' +
']';
List<Account> accounts = (List<Account>)JSON.deserializeStrict(jsonInput, List<Account>.class);
SObjectAccessDecision securityDecision = Security.stripInaccessible(
AccessType.UPDATABLE, accounts);
// Secure update
update securityDecision.getRecords(); // Doesn’t update AnnualRevenue field
System.debug(String.join(securityDecision.getRemovedFields().get('Account'), ', ')); // Prints "AnnualRevenue"
System.debug(String.join(securityDecision.getModifiedIndexes(), ', ')); // Prints "0”
Example
// Account__c is a lookup from MyCustomObject__c to Account
@IsTest
public class TestCustomObjectLookupStripped {
@IsTest static void caseCustomObjectStripped() {
Account a = new Account(Name='foo');
insert a;
List<MyCustomObject__c> records = new List<MyCustomObject__c>{
new MyCustomObject__c(Name='Custom0', Account__c=a.id)
};
insert records;
records = [SELECT Id, Account__c FROM MyCustomObject__c];
SObjectAccessDecision securityDecision = Security.stripInaccessible
(AccessType.READABLE, records);
// Verify stripped records
System.assertEquals(1, securityDecision.getRecords().size());
for (SObject strippedRecord : securityDecision.getRecords()) {
System.debug('Id should be set as Id fields are ignored: ' +
strippedRecord.isSet('Id')); // prints true
System.debug('Lookup field FLS is not READABLE to running user,
should not be set: ' +
strippedRecord.isSet('Account__c')); // prints false
}
}
}