Mastering Flow Execution Contexts: A Guide for Salesforce Developers/Administrators

In Salesforce, the execution context of a flow defines the permissions and access level under which the flow actions are executed. Similar to Apex code, flows can operate in different contexts, namely User Context and System Context.

User Context: When a flow runs in the user context, its access to Salesforce data is determined by the profile, permission sets, and sharing settings (record level) of the user who initiated the flow. This means that the flow can only interact with records, objects, and fields that the user has the necessary permissions for.

System Context: Flows running in system context behave differently. In this context, object and field-level permissions are not taken into account. Only record-level access is considered, whether they run with or without sharing.

• System Context with Sharing: In this mode, the flow respects Salesforce's sharing settings, such as org-wide defaults, role hierarchies, sharing rules, manual sharing, teams, and territories. It considers these settings when determining what data is accessible. However, it doesn’t respect object permissions, field-level access, or other permissions of the running user.
• System Context without Sharing: In this mode, the flow doesn't consider sharing settings. It essentially has access to all data regardless of sharing rules and permissions. However, it still respects the permissions of the running user for a limited set of actions and operations.

The default context of a flow is determined by its type:

Record-triggered, platform event-triggered, and scheduled-triggered flows: These flows run in system context without sharing.

Screen Flow and Autolaunched Flow: For these types of flows, we can change the context. Here are the possibilities:

1. User or System Context – Depending on How the Flow is Launched: By default, a flow runs in user context or system context, depending on how the flow is launched. The context is considered from the invoking flow. Common methods of launching flows and their default contexts include: Apex: The context depends on the code in the Apex class that launches the flow. Experience Cloud Site: User context. Embedded Visual Component (Aura or Visualforce): User context. Custom Button or Link: User context. Direct Link: User context. Flow Action: User context. Lightning Page: User context. Rest API: User context. Web Tab: User context.
2. System Context (with Sharing) to Enforce Record Level Access: The flow can access all objects and fields but restricts record access according to the running user’s record sharing.
3. System Context without Sharing: The flow can access all objects, fields, and records, ignoring record sharing.

Notes For Screen Flows: There are components (lookup, address, dependent picklist, file upload, dynamic forms for flows, or any component that goes to the database to retrieve data) in screen flows that will run while respecting the running user’s permissions even though the screen flow is set to run in system context.

Notes For Autolaunched Flows: They inherit the context of their caller (except Apex) by default. If an autolaunched flow is invoked from Apex, the flow will always run in system mode without sharing, regardless of which mode the flow is set up to run as.

Why This Article is Important: This article is crucial for Salesforce developers as it clarifies a key concept in Salesforce development. Understanding flow execution contexts is essential for building secure and efficient automation solutions. By grasping these concepts, developers can ensure that their solutions comply with security best practices and meet organizational requirements. This knowledge empowers developers to make informed decisions when designing flows, leading to better performance and user experience.

Conclusion:

Understanding flow execution contexts in Salesforce is essential for building efficient and secure automation solutions. By grasping the nuances of user context and system context, Salesforce developers can ensure that their flows behave as expected and adhere to the organization's security and data access policies.

Additionally, understanding how different flow types default to specific contexts and how to change the context based on the method of flow invocation is key to creating versatile and effective automation solutions in Salesforce.

As a Final Word, mastering flow execution contexts empowers Salesforce developers to build robust, flexible, and secure automation solutions that meet the unique needs of their organizations.