WITH SECURITY_ENFORCED and Security.stripInaccessible in a single SOQL

apexfield-level-securitySecuritystripinaccessiblewith-sharing

Premise: I followed WITH SECURITY_ENFORCED, Security.stripInaccessible and comparison before designing my Apex class for querrying a few records.

Doubt:
I implemented my SOQL as

Security.stripInaccessible(AccessType.READABLE,
        [SELECT Id, Name FROM CustObj__c WHERE Name IN: custObjNameListJSON WITH SECURITY_ENFORCED]).getRecords();

So, I just wanted to know implementing both 'WITH SECURITY_ENFORCED' and 'Security.stripInaccessible' in a single SOQL is a bit too extra for the system or should both be applied if I have to check for Object and field level security.

With comparison I understood that stripInaccessible does NOT respect for sharing rule while WITH SECURITY_ENFORCED will throw error at the time of inaccesible field, so should we always use the combination or will it be extra effort for the system.

Note: I already have with sharing in my class.

Best Answer

You don't need both. If you use WITH SECURITY_ENFORCED, you'll get an exception thrown if any fields are not readable by the user, while with Security.stripInaccessible, you'll simply remove any values that the user shouldn't see.

In other words, use the former if your code cannot proceed without retrieving the fields, or use the latter if you want to still proceed with whatever data the user can see.

Note that neither of these functions apply to Record Level Security; using with sharing or inherited sharing will ensure that users cannot query records they should not be able to see.

Related Solutions

[SalesForce] Enforce Field-Level Security Permissions for SOQL Queries WITH SECURITY_ENFORCED (Confused )

Currently if you include a field in a SQOL query that a user doesn't have access, the field is returned and can be used by the code, thus exposing the data to someone that should not have access to it.

This new clause is a blunt way to ensure your code isn't provided access to fields that an admin may have specifically restricted access to via the profile. It does this by throwing an exception if there are any fields in the query that the context user doesn't have access to.

This feature is tailored to Apex developers who have minimal development experience with security and to applications where graceful degradation on permissions errors isn’t required.

You may want to use the isAccessible or similar fields to provide a better experience to your users, but that requires more logic and error handling. I highly doubt they'd be deprecated as they give the developer much more control when handling FLS.

If a field is hidden, the exception will bubble up to whatever the calling code is.
e.g. If it's a controller on a page, and you have the pageMessages on your VF page, then the exception will be shown there.

[SalesForce] How to troubleshoot Exception thrown when using WITH SECURITY_ENFORCED

I'd recommend using the stripInaccessible method to figure out exactly what field isn't accessible.

Change your query to not use WITH SECURITY ENFORCED and pass the query into the stripInaccessible method. You will get a SObjectAccessDecision that contains the removed field names. (code below mostly taken from documentation).

SObjectAccessDecision securityDecision = 
         Security.stripInaccessible(AccessType.READABLE,
                 [SELECT Name, BudgetedCost, ActualCost FROM Campaign]
                 );

// Get the removed field names - these are the fields they don't have read access to.
System.debug(securityDecision.getRemovedFields().get('Campaign')); // put sobject here

Edit: In Summer 20 notes, there's a mention that you can use stripInaccessible method to enforce field and object-level security for relationship fields. This seems to imply it didn't work before on relationships (or perhaps was unpredictable) which may explain why it might not have worked for you.

Best Answer

Related Solutions

[SalesForce] Enforce Field-Level Security Permissions for SOQL Queries WITH SECURITY_ENFORCED (Confused )

[SalesForce] How to troubleshoot Exception thrown when using WITH SECURITY_ENFORCED

Related Topic