Enforce Sharing Rules
Sharing rules are distinct from, and can co-exist with object-level and field-level permissions. While with sharing is the default sharing mode, Salesforce recommends that you use keyword declarations on all your classes to make your code easier to maintain. For more information, see Use the with sharing, without sharing, and inherited sharing Keywords.
This example has two classes, the first class (CWith) enforces sharing rules while the second class (CWithout) doesn’t. The CWithout class calls a method from the first, which runs with sharing rules enforced. The CWithout class contains an inner class, in which code executes under the same sharing context as the caller. It also contains a class that extends it, which inherits its without sharing setting.
1public with sharing class CWith {
2 // All code in this class operates with enforced sharing rules.
3
4 Account a = [SELECT . . . ];
5
6 public static void m() { . . . }
7
8 static {
9 . . .
10 }
11
12 {
13 . . .
14 }
15
16 public void c() {
17 . . .
18 }
19}
20
21public without sharing class CWithout {
22 // All code in this class ignores sharing rules and operates
23 // as if the context user has the Modify All Data permission.
24 Account a = [SELECT . . . ];
25 . . .
26
27 public static void m() {
28 . . .
29
30 // This call into CWith operates with enforced sharing rules
31 // for the context user. When the call finishes, the code execution
32 // returns to without sharing mode.
33 CWith.m();
34 }
35
36
37 public class CInner {
38 // All code in this class executes with the same sharing context
39 // as the code that calls it.
40 // Inner classes are separate from outer classes.
41 . . .
42
43 // Again, this call into CWith operates with enforced sharing rules
44 // for the context user, regardless of the class that initially called this inner class.
45 // When the call finishes, the code execution returns to the sharing mode that was used to call this inner class.
46 CWith.m();
47 }
48
49 public class CInnerWithOut extends CWithout {
50 // All code in this class ignores sharing rules because
51 // this class extends a parent class that ignores sharing rules.
52 }
53}Enforcing the current user's sharing rules can impact:
- SOQL and SOSL queries. A query can return fewer rows than it would operating in system context.
- DML operations. An operation can fail because the current user doesn't have the correct permissions. For example, if the user specifies a foreign key value that exists in the organization, but which the current user doesn’t have access to, then the DML operation fails.
Versioned Behavior Changes
In API version 67.0 and later, classes without an explicit sharing declaration are run in the current user context. In API version 66.0 and earlier, for classes without an explicit sharing declaration, the current sharing rule remains in effect.