Apex scripts generally run in the system context, that is, current user’s profile-based permissions, field-level security, and sharing rules are not taken into account during script execution.

     Because these rules are not the enforced, developers who use Apex must take care that they do not inadvertently expose sensitive data that would normally be hidden from users by profile-based permissions, field-level security, or organization-wide defaults. They should be particularly careful with Web services, which can be restricted by profile, but execute in system context once they are initiated.

·        Use the with sharing keywords when declaring the class to enforce the sharing rules that apply to the current user.

·        Use the without sharing keywords when declaring the class to ensure that the sharing rules for the current user are not enforced.

Enforcing the current user’s sharing rules can impact:

·        SOQL and SOSL queries. A query may return fewer rows than it would operating in system context.

·        DML operations. An operation may fail because the current user does not have the correct permissions. For example, if the user specifies a foreign key value that exists in the organization, but which the current user does not have access to.

*Note: If a class is not declared as either with or without sharing, the current sharing rules remain in effect. This means that if the class is called by a class that has sharing enforced, then sharing is enforced for the called class.