Tag Archives: Field Level Security

Enforce Field-Level Security Permissions for SOQL Queries

  • Using the WITH SECURITY_ENFORCED clause, we can enforce field-level security permissions on SOQL SELECT queries, including subqueries and cross-object relationships.
  • The WITH SECURITY_ENFORCED clause is only available in Apex. Using WITH SECURITY_ENFORCED in Apex classes or triggers with an API version earlier than 45.0 is not recommended.
  • If any field or object referenced in a SELECT query that uses WITH SECURITY_ENFORCED is inaccessible to the user, an exception is thrown and no data is returned.

Example:

If the user does not have access to the Contact Email and Phone fields, the query throws an insufficient permissions exception and no data is returned.

SELECT Id, Name, (SELECT Email, Phone FROM Contacts) FROM Account WITH SECURITY_ENFORCED

If the user does not have access to the Account Website field, the query throws an insufficient permissions exception and no data is returned.

SELECT Id, Name, Website FROM Account WITH SECURITY_ENFORCED

Check Profile Based Field Level Security Using Apex

For a specific profile:

// Field permissions hang off the profile's underlying permission set, so filter on ParentId.
List<FieldPermissions> fpList = [
    SELECT SobjectType, Field, PermissionsRead, PermissionsEdit, Parent.ProfileId
    FROM FieldPermissions
    WHERE SobjectType = 'Account'
      AND Field = 'Account.Customer_Priority__c'
      AND ParentId IN (SELECT Id FROM PermissionSet WHERE Profile.Name = 'System Administrator')
];
if (!fpList.isEmpty()) {
    Boolean hasReadPermission = fpList[0].PermissionsRead;
    Boolean hasEditPermission = fpList[0].PermissionsEdit;
    System.debug('Read Permission - ' + hasReadPermission);
    System.debug('Edit Permission - ' + hasEditPermission);
}

For the current user's profile:

// Matches only the running user's profile; permission sets assigned to the user are not included.
List<FieldPermissions> fpList = [
    SELECT SobjectType, Field, PermissionsRead, PermissionsEdit, Parent.ProfileId
    FROM FieldPermissions
    WHERE SobjectType = 'Account'
      AND Field = 'Account.Customer_Priority__c'
      AND Parent.ProfileId = :UserInfo.getProfileId()
];
if (!fpList.isEmpty()) {
    Boolean hasReadPermission = fpList[0].PermissionsRead;
    Boolean hasEditPermission = fpList[0].PermissionsEdit;
    System.debug('Read Permission - ' + hasReadPermission);
    System.debug('Edit Permission - ' + hasEditPermission);
}
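
An added Apex example (not from the original posts; the class and method names are hypothetical) that ties the two posts together: it runs a WITH SECURITY_ENFORCED query over the fields used above, catches the System.QueryException raised when a field is inaccessible, and uses describe results to report which fields the running user cannot read. Describe checks reflect the user's effective access, including permission sets, which the profile-only FieldPermissions queries do not cover.

```apex
// Added example: hypothetical class; the fields are the ones queried on this page.
public with sharing class AccountFlsExample {

    // Effective read access for the running user (profile plus permission sets),
    // taken from describe results rather than from FieldPermissions rows.
    public static List<String> unreadableFields() {
        Map<String, Schema.DescribeFieldResult> checks =
            new Map<String, Schema.DescribeFieldResult>{
                'Account.Website' => Schema.sObjectType.Account.fields.Website,
                'Contact.Email'   => Schema.sObjectType.Contact.fields.Email,
                'Contact.Phone'   => Schema.sObjectType.Contact.fields.Phone
            };
        List<String> blocked = new List<String>();
        for (String fieldName : checks.keySet()) {
            if (!checks.get(fieldName).isAccessible()) {
                blocked.add(fieldName);
            }
        }
        return blocked;
    }

    // The page's two queries merged into one. WITH SECURITY_ENFORCED is
    // all-or-nothing: a single unreadable field fails the whole query.
    public static List<Account> accountsWithContacts() {
        try {
            return [
                SELECT Id, Name, Website, (SELECT Email, Phone FROM Contacts)
                FROM Account
                WITH SECURITY_ENFORCED
                LIMIT 50
            ];
        } catch (System.QueryException e) {
            // Log for the admin and return nothing; never retry without enforcement.
            System.debug(LoggingLevel.WARN, 'FLS blocked query: ' + e.getMessage()
                + ' | unreadable fields: ' + String.join(unreadableFields(), ', '));
            return new List<Account>();
        }
    }
}
```

WITH SECURITY_ENFORCED must appear before LIMIT, as shown, and the class needs API version 45.0 or later.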