Inherited sharing question in nested inner classes

The sharing documentation "Using the with sharing, without sharing, and inherited sharing Keywords" says:

  • The sharing setting of the class where the method is defined is applied, not of the class where the method is called. For example, if a method is defined in a class declared with with sharing is called by a class declared with without sharing, the method executes with sharing rules enforced.
  • Both inner classes and outer classes can be declared as with sharing. The sharing setting applies to all code contained in the class, including initialization code, constructors, and methods.
  • Inner classes do not inherit the sharing setting from their container class.

I have an awkward case where I have inherited sharing inner classes called from with sharing and without sharing inner classes of a different outer class. See a Clean way to vary sharing at runtime in Apex? for that code. The aim is for the with sharing and without sharing to be respected and by my reading of the documentation it should be based on the last bullet point above.

Do you agree? Right now I have some confusing test results…

(A related question is "Sharing rules and Inner classes".)


I assume that a “Default Internal Access” setting of “Private” is ignored in Apex without sharing code but at present my test does not support that assumption.


inherited sharing behaves identically to not using a sharing mode at all, except when used as a top-level entry point (e.g. a Visualforce or Aura controller, RestResource, etc), in which case the context of the call will be with sharing.

If you care about Security Reviews, you should probably use inherited sharing on all classes that do not specify with sharing or without sharing. Aside from that, inner classes, utility classes, and other non-top-level-execution-context classes can omit the inherited sharing keyword, and it will automatically execute in the currently configured sharing mode.

I answered your other question that demonstrates how I would get into a certain sharing mode using a minimal amount of code, most of which is boilerplate at that point.

The documentation makes a good argument for using inherited sharing as opposed to no sharing mode at all:

Apex without a sharing declaration is insecure by default. Designing Apex classes that can run in either with sharing or without sharing mode at runtime is an advanced technique. Such a technique can be difficult to distinguish from one where a specific sharing declaration is accidentally omitted. An explicit inherited sharing declaration makes the intent clear, avoiding ambiguity arising from an omitted declaration or false positives from security analysis tooling.

Using inherited sharing makes it clear that the higher-level sharing mode will be respected; the code becomes self-documenting while still respecting your decision on using the calling context’s sharing mode.

Source: Link, Question Author: Keith C, Answer Author: sfdcfox
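The documented behaviour discussed above, as an added example that is not part of the original question or answer: an inherited sharing inner class is called from with sharing and without sharing inner classes of a different outer class, and a test checks which mode the query ran in. All class names are hypothetical, and the test assumes the org-wide default for Account is Private and that a profile named "Standard User" exists.

```apex
// AccountQueries.cls (hypothetical names throughout; added example)
public inherited sharing class AccountQueries {
    // Declared explicitly: inner classes do not inherit the container's sharing setting.
    public inherited sharing class Selector {
        public Integer countAccounts() {
            return [SELECT COUNT() FROM Account];
        }
    }
}

// SharingModes.cls: the calling inner class fixes the mode that Selector runs in.
public inherited sharing class SharingModes {
    public with sharing class Enforced {
        public Integer countAccounts() {
            return new AccountQueries.Selector().countAccounts();
        }
    }
    public without sharing class Bypassed {
        public Integer countAccounts() {
            return new AccountQueries.Selector().countAccounts();
        }
    }
}

// SharingModesTest.cls: assumes the org-wide default for Account is Private.
@IsTest
private class SharingModesTest {
    @IsTest
    static void selectorFollowsCallingClass() {
        // Constructed data: one Account owned by the user running the test.
        insert new Account(Name = 'Owned by test runner');
        Profile p = [SELECT Id FROM Profile WHERE Name = 'Standard User' LIMIT 1];
        String uname = 'sharing.' + System.currentTimeMillis() + '@example.com';
        User other = new User(
            Alias = 'shr', LastName = 'Sharing', Email = uname, Username = uname,
            ProfileId = p.Id, TimeZoneSidKey = 'GMT', LocaleSidKey = 'en_US',
            EmailEncodingKey = 'UTF-8', LanguageLocaleKey = 'en_US'
        );
        System.runAs(other) {
            // with sharing caller: the other user has no access to the record.
            System.assertEquals(0, new SharingModes.Enforced().countAccounts());
            // without sharing caller: record sharing is not applied to the query.
            System.assertEquals(1, new SharingModes.Bypassed().countAccounts());
        }
    }
}
```

If the second assertion fails with 0, the query ran with sharing enforced; if the first fails with 1, check that the Account org-wide default is really Private and that the test user has no role above the record owner.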
