When to add Apex class permissions to a profile

The Apex class permissions are a bit confusing to me. For example, classes used by page controllers do not need to be added to the profile.

Can anyone give a complete list of scenarios on when you need to add Apex classes to a profile?

Answer

Permission checking against pages and classes is extremely simple. The only element that requires permission is the top-level element in a request. There are exactly two scenarios where permissions are required: top-level Visualforce pages, and top-level service classes.

A top-level Visualforce page is one that is directly requested by the browser. This includes pages that are navigated to by a tab, or included in an iframe. Pages that are included directly, including template pages (via composition) and included pages (via include), do not require permission. Pages acquired by getContent or getContentAsPDF do require permission, since they are separate contexts. The controller is also invoked through a Visualforce context; so long as the page has permission, any of that class's functions which are accessed by actionFunction calls, actionPoller calls, or even @RemoteAction annotations, are also granted access.

A top-level service class is a class that houses a function that uses the webservice keyword, or the @RestResource annotation. If the class extends a class, that parent class does not need permission, nor does a parent class with such an annotation or permission automatically grant access to its children. Classes called from the top-level class do not need access, either. For the Ajax Toolkit, using sforce.apex.execute requires that the function have the webservice attribute, and is thus never executed in Visualforce context, even if called from a Visualforce page. It instead falls under this paragraph with regard to service functions.

ExecuteAnonymous requires sufficient privileges (Modify All Data) that the user calling it will have access to any code they try to run, unless those classes or methods are private or protected. It appears that classes without profile permission are effectively private (e.g. compilation will fail) during executeAnonymous compilation for a user without Author Apex.

Attribution
Source: Link, Question Author: NSjonas, Answer Author: sfdcfox
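
An added example, not part of the original question or answer: a small Python audit that applies the answer's rule for service classes to a profile's metadata, listing which classes carrying the webservice keyword or @RestResource annotation the profile can reach. The class names, sample sources and sample profile are constructed for illustration, and the marker search is a text heuristic (comments are stripped, string literals are not).

```python
import re
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
# Markers the answer names for a top-level service class.
ENTRY_POINT = re.compile(r"@RestResource\b|\bwebservice\b", re.IGNORECASE)
COMMENTS = re.compile(r"/\*.*?\*/|//[^\n]*", re.DOTALL)

def service_classes(sources):
    """Class names whose source, with comments stripped, has a service marker."""
    return {name for name, body in sources.items()
            if ENTRY_POINT.search(COMMENTS.sub("", body))}

def enabled_classes(profile_xml):
    """Class names marked <enabled>true</enabled> in the profile's classAccesses."""
    root = ET.fromstring(profile_xml)
    return {ca.findtext("md:apexClass", namespaces=NS)
            for ca in root.findall("md:classAccesses", NS)
            if ca.findtext("md:enabled", namespaces=NS) == "true"}

def audit(sources, profile_xml):
    services, granted = service_classes(sources), enabled_classes(profile_xml)
    return {
        "exposed": sorted(services & granted),   # service class this profile can call
        "blocked": sorted(services - granted),   # service class without a grant
        "no_marker": sorted(granted - services), # granted, no service marker: review
    }

# Constructed sample input (hypothetical class names).
SAMPLE_SOURCES = {
    "OrderApi": "@RestResource(urlMapping='/orders/*')\n"
                "global with sharing class OrderApi extends ApiBase {\n"
                "  @HttpGet global static String doGet() { return OrderHelper.load(); }\n}",
    "ApiBase": "global virtual class ApiBase {}",
    "OrderHelper": "public class OrderHelper { // not a webservice\n"
                   "  public static String load() { return 'x'; } }",
    "LegacySoap": "global class LegacySoap { webservice static String ping() { return 'pong'; } }",
}
SAMPLE_PROFILE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <classAccesses><apexClass>OrderApi</apexClass><enabled>true</enabled></classAccesses>
  <classAccesses><apexClass>OrderHelper</apexClass><enabled>true</enabled></classAccesses>
  <classAccesses><apexClass>LegacySoap</apexClass><enabled>false</enabled></classAccesses>
</Profile>"""

if __name__ == "__main__":
    for bucket, names in audit(SAMPLE_SOURCES, SAMPLE_PROFILE).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

ApiBase and OrderHelper appear in no service bucket because, per the answer, a parent class and classes called from the top-level class need no grant of their own.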
