Apex - Security

Apex security refers to the process of applying security settings and enforcing the sharing rules on running code. Apex classes have security setting that can be controlled via two keywords.

Data Security and Sharing Rules

Apex generally runs in system context, that is, the current user s permissions. Field-level security, and sharing rules are not taken into account during code execution. Only the anonymous block code executes with the permission of the user who is executing the code.

Our Apex code should not expose the sensitive data to User which is hidden via security and sharing settings. Hence, Apex security and enforcing the sharing rule is most important.

With Sharing Keyword

If you use this keyword, then the Apex code will enforce the Sharing settings of current user to Apex code. This does not enforce the Profile permission, only the data level sharing settings.

Let us consider an example wherein, our User has access to 5 records, but the total number of records is 10. So when the Apex class will be declared with the "With Sharing" Keyword, it will return only 5 records on which the user has access to.

Example

First, make sure that you have created at least 10 records in the Customer object with Name of 5 records as ABC Customer and rest 5 records as XYZ Customer . Then, create a sharing rule which will share the ABC Customer with all Users. We also need to make sure that we have set the OWD of Customer object as Private.

Paste the code given below to Anonymous block in the Developer Console.

// Class With Sharing
pubpc with sharing class MyClassWithSharing {
   // Query To fetch 10 records
   List<apex_customer__c> CustomerList = [SELECT id, Name FROM APEX_Customer__c LIMIT 10];
   
   pubpc Integer executeQuery () {
      System.debug( List will have only 5 records and the actual records are  
         + CustomerList.size()+  as user has access to +CustomerList);
      Integer ListSize = CustomerList.size();
      return ListSize;
   }
}

// Save the above class and then execute as below
// Execute class using the object of class
MyClassWithSharing obj = new MyClassWithSharing();
Integer ListSize = obj.executeQuery();

Without Sharing Keyword

As the name suggests, class declared with this keyword executes in System mode, i.e., irrespective of the User s access to the record, query will fetch all the records.

// Class Without Sharing
pubpc without sharing class MyClassWithoutSharing {
   List<apex_customer__c> CustomerList = [SELECT id, Name FROM APEX_Customer__c LIMIT 10];
   
   // Query To fetch 10 records, this will return all the records
   pubpc Integer executeQuery () {
      System.debug( List will have only 5 records and the actula records are 
         + CustomerList.size()+  as user has access to +CustomerList);
      Integer ListSize = CustomerList.size();
      return ListSize;
   }
}
// Output will be 10 records.

Setting Security for Apex Class

You can enable or disable an Apex class for particular profile. The steps for the same are given below. You can determine which profile should have access to which class.

Setting Apex class security from the class pst page

Step 1 − From Setup, cpck Develop → Apex Classes.

Step 2 − Cpck the name of the class that you want to restrict. We have cpcked on CustomerOperationClass.

Step 3 − Cpck on Security.

Step 4 − Select the profiles that you want to enable from the Available Profiles pst and cpck Add, or select the profiles that you want to disable from the Enabled Profiles pst and cpck on Remove.

Step 5 − Cpck on Save.

Setting Apex Security from Permission Set

Step 1 − From Setup, cpck Manage Users → Permission Sets.

Step 2 − Select a permission set.

Step 3 − Cpck on Apex Class Access.

Step 4 − Cpck on Edit.

Step 5 − Select the Apex classes that you want to enable from the Available Apex Classes pst and cpck Add, or select the Apex classes that you want to disable from the Enabled Apex Classes pst and cpck remove.

Step 6 − Cpck the Save button.