When performing static or dynamic SOQL queries, should WITH SECURITY_ENFORCED now be replaced with WITH USER_MODE? Under what conditions, if any, should WITH SECURITY_ENFORCED still be used given there is also WITH SYSTEM_MODE?
If I attempt to replace SECURITY_ENFORCED with USER_MODE, the Salesforce Extensions in VSCode produce the warning:
Validate CRUD permission before SOQL/DML operation (rule: Security-ApexCRUDViolation)
Is this just a case of the VSCode Extension not being updated yet? (Or that USER_MODE is still in beta?)
The Apex Developer Guide talks about USER_MODE here:
Salesforce's dreamhouse-lwc sample application uses USER_MODE in at least one of their controllers.
Best Answer
We are recommending developers use WITH USER_MODE and avoid using the WITH SECURITY_ENFORCED. In fact, at some time in the future, we may likely retire WITH SECURITY_ENFORCED.
The WITH USER_MODE supports lots of new innovations like restriction rules, scoping rules, and any other security operations for data access and CRUD/FLS that may be added by the platform in the future, so it's sort of future-proof. It also handles complex security use cases better. Also, it supports SOSL and polymorphic queries and performs far better than using the WITH SECURITY_ENFORCED. The WITH USER_MODE can handle CRUD/FLS for fields in the where clause in SOQL or for areas used in relationship query or polymorphic lookup.
You can find more information about why you should prefer WITH USER_MODE and avoid WITH SECURITY_ENFORCED in the latest talk at the TrailblazerDX 2023 conference; the link to view the talk is shared below.
https://www.salesforce.com/plus/experience/trailblazerdx_2023/series/Developers_for_TrailblazerDX_2023/episode/episode-s1e1
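As an added example (not code from the question, the answer, or dreamhouse-lwc), the same Account lookup written with the legacy clause, with WITH USER_MODE, and as dynamic SOQL where AccessLevel.USER_MODE is passed to Database.queryWithBinds instead. The class name SecureAccountQuery and the method names are assumptions; Account and Industry are standard Salesforce objects/fields.

```apex
// Added example, not part of the original Q&A. Class and method names are assumed.
public with sharing class SecureAccountQuery {

    // Legacy form. Throws System.QueryException when the running user lacks read
    // access to Account or to a field in the SELECT list. As the answer notes,
    // fields referenced only in the WHERE clause are not covered by this clause.
    public static List<Account> legacySecurityEnforced(String industry) {
        return [SELECT Id, Name
                FROM Account
                WHERE Industry = :industry
                WITH SECURITY_ENFORCED];
    }

    // Recommended form. WITH USER_MODE applies the running user's object and
    // field permissions to every field the query touches (Industry in the WHERE
    // clause included) together with sharing, restriction and scoping rules.
    public static List<Account> staticUserMode(String industry) {
        return [SELECT Id, Name
                FROM Account
                WHERE Industry = :industry
                WITH USER_MODE];
    }

    // Dynamic SOQL equivalent: the AccessLevel parameter gives the same user-mode
    // enforcement, and the bind map keeps the caller's value out of the query text.
    public static List<Account> dynamicUserMode(String industry) {
        String soql = 'SELECT Id, Name FROM Account WHERE Industry = :ind';
        return Database.queryWithBinds(
            soql,
            new Map<String, Object>{ 'ind' => industry },
            AccessLevel.USER_MODE
        );
    }

    // UI entry point: a failed permission check surfaces as a QueryException.
    // Map it to a safe message rather than leaking the query or returning
    // partial data, so the caller cannot tell which field it lacks access to.
    @AuraEnabled(cacheable=true)
    public static List<Account> accountsForUi(String industry) {
        try {
            return staticUserMode(industry);
        } catch (System.QueryException e) {
            throw new AuraHandledException(
                'You do not have access to the requested account data.');
        }
    }
}
```

Exercising the class in an Apex test with System.runAs and a user who lacks read access to Industry is the direct way to see the difference between the first two methods.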