Thursday, May 16, 2019

Filter SOQL Queries Using WITH SECURITY_ENFORCED (Beta)

Apex generally runs in system context; that is, the current user's permissions, field-level security, and sharing rules aren’t taken into account during code execution. Although performing field- and object-level security checks was possible in earlier releases, this clause reduces the technical complexity of doing so in query operations.

Using the WITH SECURITY_ENFORCED clause enables checking of field- and object-level security permissions on SOQL queries, including subqueries and cross-object relationships.

Example 1

If field access for either LastName or Description is hidden, this query throws an exception indicating insufficient permissions.

   List<Account> act1 = [SELECT Id, (SELECT LastName FROM Contacts),
                         (SELECT Description FROM Opportunities)
                         FROM Account WITH SECURITY_ENFORCED];

Example 2

If field access for Website is hidden, this query throws an exception indicating insufficient permissions.

   List<Account> act2 = [SELECT Id, parent.Name, parent.Website
                         FROM Account WITH SECURITY_ENFORCED];

Example 3

If field access for Type is hidden, this aggregate function query throws an exception indicating insufficient permissions.

    List<AggregateResult> agr1 = [SELECT GROUPING(Type)
                                  FROM Opportunity WITH SECURITY_ENFORCED
                                  GROUP BY Type];

Note

The WITH SECURITY_ENFORCED clause is only available in Apex.
Using WITH SECURITY_ENFORCED in Apex classes or triggers with an API version earlier than 45.0 is not recommended.
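
The contrast drawn in the opening paragraph, as an added example that is not code from the original post: the parent-account query from Example 2 guarded first by manual describe checks, then by WITH SECURITY_ENFORCED with the resulting exception handled. The class name, method names and AccessCheckException are hypothetical.

```apex
public class AccountWebsiteReader {

    // Hypothetical exception type, so callers handle one error for both styles.
    public class AccessCheckException extends Exception {}

    // Manual style: every object and field the query touches needs its own
    // describe check, and a field added to the query later without a matching
    // check is silently returned to users who should not see it.
    public static List<Account> readWithManualChecks() {
        if (!Schema.sObjectType.Account.isAccessible()
                || !Schema.sObjectType.Account.fields.Name.isAccessible()
                || !Schema.sObjectType.Account.fields.Website.isAccessible()) {
            throw new AccessCheckException('Insufficient access to Account fields');
        }
        return [SELECT Id, Parent.Name, Parent.Website FROM Account];
    }

    // Clause style: the platform checks the object and every selected field,
    // including the cross-object Parent.* references, and throws a
    // System.QueryException if any of them is hidden from the running user.
    public static List<Account> readWithSecurityEnforced() {
        try {
            return [SELECT Id, Parent.Name, Parent.Website
                    FROM Account WITH SECURITY_ENFORCED];
        } catch (System.QueryException e) {
            // Fail closed: do not retry the query without the clause.
            throw new AccessCheckException(
                'Query blocked by field- or object-level security', e);
        }
    }
}
```

The clause covers field- and object-level security only; record visibility still depends on the class's sharing declaration.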
 




