Did you know it is better to write SOQL using WITH USER_MODE instead of WITH SECURITY_ENFORCED?
What I like more is that WITH USER_MODE reports all FLS errors while WITH SECURITY_ENFORCED returns only the first error and the resulting QueryException has getInaccessibleFields() to get the full set of access errors.
The equivalent parameter in other contexts:
๐ Database.query( queryString, AccessLevel.USER_MODE )
๐ Database.insert( recordsToInsert, allOrNone, AccessLevel.USER_MODE )
๐ insert as user aRecord
For insert as user, we get the set of fields via DMLException.getDmlFieldNames() and for Database.method(), via SaveResult.getErrors().getFields().
References:
๐ https://lnkd.in/gqJCCQsc
๐ https://lnkd.in/gUj2zH-v
Other thoughts:
๐ง WITH SECURITY_ENFORCED seems to be on its way to being deprecated.
๐ง USER_MODE enforces security on all fields including WHERE/ORDER BY and polymorphic relationships.
๐ง WITH USER_MODE can be applied to DML operations, which saves us from having to add extra logic such as Schema.describe checks or stripInaccessible().
๐ง If you need partial data then you will still use stripInaccessible(). Check out this article ๐ https://lnkd.in/gDB2MJ7T
๐ง Migrating to USER_MODE will not just be search/replace: we will have to handle DML exceptions, queries that just filtered non-accessible fields now will fail, and I have yet to check tools such as PMD, linters or Checkmarx are updated for USER_MODE.
Thanks to Aditya Mohandasan ๐ , who pointed out a new feature: AccessLevel.withPermissionSetId(), which enforces permissions of the specified permission set on top of the running user's permission
๐ https://lnkd.in/gPUmyUDW

