Anonymous Apex

Current user

Sharing is enforced by default, unless disabled by applying the without sharing keyword to the enclosing class.

CRUD and FLS are enforced by default, but only against the code entered directly into the Execute Anonymous window. The code will fail to compile if the user does not have access to the objects or fields referenced.

Note that checking is only performed by the platform at compilation time; if the code calls a pre-existing Apex class, there is no enforcement within that class and any other class it calls.

See Note 2.

Apex Controller Action Method

Note: Used only by Visualforce pages

Current user

Sharing is not enforced by default; the developer needs to apply the with sharing keyword to the enclosing class.

CRUD and FLS are not enforced by default; the developer needs to enforce this in code.

Any member variable declared on the Apex Controller that is not static or marked with the transient keyword will be included in View State.

Visualforce automatically maintains this between interactions on the page. Use it carefully, as large View State sizes can cause performance degradation for the page. Developer Console has an excellent View State browser tool.

Apex Controller Remote and Aura Actions

Note: Remote Action methods are used by Visualforce and Aura Action methods are used by Lightning Components

Current user

Sharing is not enforced by default; the developer needs to apply the with sharing keyword to the enclosing class. It is required for Salesforce security review.

CRUD and FLS are not enforced by default; the developer needs to check this in code.

Remote Action and Aura Action Apex methods are already static, as stated previously; any static data is not retained in Apex. Thus, there is no state retained between remote action calls made by the client JavaScript. Typically, in these cases, the state of the task the user is performing is maintained on the page itself via the client-side state. As a result of not having to manage the state for the developer, these types of methods are much faster than the action methods described in the preceding section.

Apex Trigger and Apex Async Trigger

Current user

Sharing is not enforced by default; the developer needs to apply the with sharing keyword in the outermost Apex class (if present, for example, Apex Controller).

Triggers invoked through the Salesforce UIs or APIs run without sharing implicitly; if you need to apply with sharing, move your trigger code into an Apex class and call that from the trigger code.

CRUD and FLS are not enforced by default; the developer needs to enforce this in the code.

Static variables are shared between Apex Trigger invocations within an execution context. This allows some caching of commonly used information and/or recursive trigger protection to be implemented if needed.

Batch Apex

User who submitted the job.

Sharing is not enforced by default; the developer needs to apply the with sharing keyword to the enclosing class.

CRUD and FLS are not enforced by default; the developer needs to enforce this in the code.

Batch Apex splits work into distinct execution contexts, driven by splitting up the data into scopes (typically, 200).

If the Database.Stateful interface is implemented,the class member variable values of the implementing Apex class are retained between each invocation. The transient keyword also applies here.

The final keyword can be used to retain the initial member variable values throughout the job's execution.

Platform event subscription

System user (See Note 3)

See Note 1.

See Note 2.

Package post install script

System user (See Note 3)

See Note 1.

See Note 2.

Queueable

User who submitted the work

See Note 1.

See Note 2.

Apex scheduler

User who scheduled the job

See Note 2.

Inbound messaging

Based on inbound message configuration

See Note 1.

See Note 2.

Invocable method

Current user

See Note 1.

See Note 2.

Apex REST API

Current user

See Note 1.

See Note 2.

Apex Web Service

Current user

See Note 1.

See Note 2.