Ensure proper sharing behaviour on classes that access data or expose it data in views or APIs.

Lorenzo Frattini avatar
Written by Lorenzo Frattini
Updated over a week ago


Because Apex generally runs in system context, permissions, field-level security, and sharing rules aren't taken into account during code execution. This might put applications at risk of inadvertently exposing sensitive data.


  • Apex classes that perform direct or indirect database access

  • Apex web services

  • Apex classes that expose any REST resources (via Apex REST annotations)

  • Apex classes that are used as controllers by Visualforce pages, components

  • Apex classes that are used by Lightning controllers


  • This rule will not trigger on test classes

See Also

Did this answer your question?