Why do we have this concept in salesforce?
In salesforce there are many restrictions put on user in different ways, like OWD, Profiles, Field-Level Security, Object permissions, Sharing Rules, Role Hierarchy etc. But these restrictions do not apply to System Administrator. System admin has access to all records that are in system irrespective of owner or sharing rules or access to any object or field. An apex classes can be executed by any user in salesforce. An apex class can be triggered from a Visualforce Page, Visualforce Components, Lightning Components, Process Builder, Flow and many more ways. Class in salesforce can be executed in 3 modes in salesforce
- with sharing
- without sharing
- inherited sharing
Use the with sharing or without sharing keywords on a class to specify whether sharing rules must be enforced. Use the inherited sharing keyword on an Apex class to run the class in the sharing mode of the class that called it.
with sharing (User Mode)
If with sharing is specified while writing a class, then all the sharing rules of the current user will be considered. You must explicitly specify this keyword. Apex class executes in system context and it has access to all objects, fields. If with sharing keyword is mentioned, then all sharing rules and restrictions that are assigned to current user are considered.
Syntax:
/*
* Secured way to execute a class
* User mode.
*/
public with sharing class A_Class_Name{
// Class business logic
}
Note:
- With sharing must be specified explicitly.
- Object permissions, field-level security, sharing rules aren’t applied for the current user if with sharing is not specified.
- The only exceptions to this rule are Apex code that is executed with the executeAnonymous call and Chatter in Apex.
without sharing (System Mode)
You can specify without sharing keywords when declaring a class to ensure that the sharing rules for the current user are not enforced.
Syntax:
/*
* Insecured way to execute a class
* System mode.
*/
public without sharing class A_Class_Name{
// Class business logic
}
OR
/*
* Insecured way to execute a class
* System mode.
*/
public class A_Class_Name{
// Class business logic
}
Note:
- You need not specify without sharing keyword if you want to execute the class as without sharing.
- System will take without sharing as default mode if nothing is specified while writing a code.
inherited sharing
An apex class without sharing is more insecure as any user can see all data. Designing a apex class that can be run in either with sharing or without sharing mode at runtime is a new advanced technique in salesforce. Such a technique can be difficult to distinguish from one where a specific sharing declaration is accidentally omitted (if ignore then it will be without sharing by default). An explicit inherited sharing declaration makes the intent clear, avoiding ambiguity arising from an omitted declaration or false positives from security analysis tooling.
Syntax:
/*
* Secured way to execute a class
if no mode is specified
*
Default will be User mode.
*/
public inherited sharing class InheritedSharingClass{
// Class business logic
}
Using inherited sharing enables you to pass AppExchange Security Review and ensure that your privileged Apex code is not used in unexpected or insecure ways. An Apex class with inherited sharing runs as with sharing when used as:
- An Aura component controller
- A Visualforce controller
- An Apex REST service
- Any other entry point to an Apex transaction
So, what is the difference between a class with sharing and a class which is not specified with any sharing type? When a class is called, and if class sharing type is not specified, then it runs in system mode. However, if inherited is mentioned then that class runs in user mode.
Note:
- Inherited sharing is more useful when executing a common class which is called from a class with sharing and a class without sharing. Which ever is the calling class, that classes sharing mode will be applied in inherited sharing class.
- Inherited considers User mode as default mode of executing.
Generic notes:
- The sharing setting of the class where the method is defined is applied, not of the class where the method is called. For example, if a method is defined in a class declared with ‘with sharing’ is called by a class declared with without sharing, the method executes with sharing rules enforced.
- If the class is called by another class that has sharing enforced, then sharing is enforced for the called class.
- If there is a scenario of Inner class and outer class, then both classes must be explicitly specified with appropriate sharing mode.
- Inner classes do not inherit the sharing setting from their container class.
- Classes inherit this setting from a parent class when one class extends or implements another.
Resource:
Salesforce: Using the with sharing, without sharing, and inherited sharing Keywords
Akhil Kulkarni 
Thank you for the details on user mode and system mode. Really helpful with the Salesforce certification!
LikeLike