With Sharing and Without Sharing in Apex

In this blog, we will discuss the difference between ‘with sharing’ and ‘without sharing’ in Apex. They are both keywords that specify whether sharing rules will be enforced or not. In Salesforce, security plays a key role. To maintain it, Salesforce uses sharing rules that define which users can view or update specific records.

When writing Apex classes, we need to specify whether the class should follow the sharing rules or ignore them. To do that, we use two keywords: with sharing and without sharing.

In Salesforce, security applies in four different layers, which are as follows:

1. Organisation level
2. Object level
3. Field level
4. Record level

Data Security Model

At the organisation level, Salesforce defines who can access the environment, when they can log in, and what password policies apply. You can also set IP ranges to ensure users log in only from trusted locations, and define login hours to control the specific times or days when users can access Salesforce

Object-level security defines whether a user has permission to view or manage that object. It can be done via Profiles and Permission Set.

Field Level Security defines whether the user has access to the object, and we want to provide or restrict access to some additional fields. This can be done via Profile and Permission Set.

Finally, we have Record Level Security. If a user already has access to an object and its fields, they can manage the records they own. But when we need to grant or restrict access to records that the user doesn’t own, Record Level Security comes into play.

In Salesforce, there are five ways to share records. It starts with setting up org-wide defaults to keep data as secure as possible. From there, access can be opened up using Role Hierarchy, Sharing Rules, and Manual Sharing. The Role Hierarchy ensures that a user can access all the records owned by their subordinates.

Sharing Rules are used when you want to share records based on ownership or specific criteria. Manual Sharing, on the other hand, lets you share individual records with other users. You can do this using the Sharing button available on the record’s detail page.

With sharing and without sharing in Apex

To understand these keywords better, let’s look at a simple scenario. We have two users — Test Admin 1 and Test Admin 2. Both have the same profile and license, which is System Administrator and Salesforce, respectively. For this example, we’ll use the Account object, which is a standard object.

We’ve also created a Lightning Web Component that displays a list of Account records. To demonstrate how sharing works, there’s an Apex controller that fetches Account records using a SOQL query.

As shown below, we have set up the Account OWD to Private. It denotes user can only be able to access their own record, and records that are owned by other users will not be visible to them.

Scenario 1

We’ve set our Apex class to ‘with sharing’, which means it respects the current user’s sharing rules.

public with sharing class AccountController {

@AuraEnabled(cacheable=true)
public static List<Account> getAccountRecord(){
List<Account> accList = [SELECT Id,Name, CreatedBy.Name, Owner.Name, Industry, AnnualRevenue,Phone FROM Account ];
return accList;
}
}

Currently, we have 1 record each with both users, with Test Admin 1 and Test Admin 2. Hence, our class is running with sharing, each user can only see their own record.

Test Admin 2

Test Admin 1

Scenario 2

We have kept our Apex class sharing as ‘without sharing’, which will ignore the user sharing rules, and all records will be visible.

public without sharing class AccountController {

@AuraEnabled(cacheable=true)
public static List<Account> getAccountRecord(){
List<Account> accList = [SELECT Id,Name, CreatedBy.Name, Owner.Name, Industry, AnnualRevenue,Phone FROM Account];
return accList;
}
}

Here, as shown below, we have 19 records in total in our Salesforce org.

Now that we have implemented ‘without sharing’, it is expected to see a total of 19 records with Test Admin 1 and Test Admin 2.

Test Admin 2

Test Admin 1

Each user can see an equal count of data in the LWC Component because the apex class is fetching the account without enforcing the sharing rules of the current user.

Scenario 3

In this case, we’ve removed the keyword, which means the class doesn’t explicitly use ‘with sharing’ or ‘without sharing’. By default, Salesforce applies sharing rules in this scenario.

When an @AuraEnabled method is called from a Lightning Web Component, the default sharing mode is with sharing. As we saw earlier, using without sharing allowed users to see all records regardless of ownership. But here, the user will only see the records they own.

Apex class

public class AccountController {

@AuraEnabled(cacheable=true)
public static List<Account> getAccountRecord(){
List<Account> accList = [SELECT Id,Name, CreatedBy.Name, Owner.Name, Industry, AnnualRevenue,Phone FROM Account];
return accList;
}
}

Also read – Top Flow Features in Salesforce Winter ’26 Release

Test Admin 1

Test Admin 2

Best Practices

1. It’s always recommended to specify the sharing declaration for a class because if we don’t, then the class will be insecure.
2. ‘With sharing’ and ‘without sharing’ are only to enforce the record level.  It will not enforce the Object and field-level access.
3. We have to explicitly enforce the current user permission for the Object and field level (CRUD). Apex generally runs in the system context, so the current user’s permissions and field-level security (FLS) aren’t taken into account during code execution.
4. The default sharing mode of asynchronous apex will be without-sharing.

Things to remember

1. Apex triggers can’t have an explicit sharing declaration and run as ‘without sharing’.
2. The apex method will always enforce sharing where it is defined and not from where it is called. That means if a method is defined in Apex class A and called from Apex class B. It will apply the sharing of Class A, not B.
3. Inner classes don’t inherit sharing from their outer class. Both can have their own sharing setting.
4. For asynchronous Apex (such as Queueable, Batch, or Future methods), classes defined with inherited sharing will always run in ‘with sharing’ mode. This is because each asynchronous execution is treated as a new entry point, and the sharing context is not carried over (not serialised).
5. If a code is running from an anonymous window, it will always run in ‘with-sharing’ mode.

Looking to learn Salesforce Flow. Check out the complete Salesforce Flow Mastery Course here

FAQs

1. What is inherited sharing?

This is the keyword we use when we want to inherit the sharing of the class which calls it. This is the mechanism where sharing is called at run-time.

2. What about triggers? Do they enforce sharing rules?

Trigger always runs in ‘without sharing’ mode and doesn’t enforce the sharing rule.

3. What is the default sharing mode of the Apex Rest Service?

The default sharing mode of the Apex Rest Service is ‘without sharing’.

Looking to learn Salesforce Flow? Check out the complete Salesforce Flow Mastery Course here

Conclusion

Understanding these keywords in Apex is important because they help make your classes more secure by enforcing the current user’s sharing rules. In this blog, we discussed what ‘with sharing’ and ‘without sharing’ mean. Using ‘with sharing’ ensures that your Apex classes follow the record visibility defined by Salesforce’s security model, keeping sensitive data protected. On the other hand, ‘without sharing’ gives flexibility for admin-level operations or background processes where unrestricted access is needed.

Get a complete Roadmap to Learn Salesforce Admin and Development 👇