Salesforce Sharing and Visibility
Terms in this set (73)
What is used to specify the objects and fields users can access?
Permission sets and Profiles
What is used to specify the individual records that users can view and edit?
OWD, Roles, and Sharing rules
(T/F) A user can have many profiles
(T/F) A user can have many permission sets
(T/F) Every Record is owned by a user
False. Records can be owned by Queues as well
Does role hierarchy override OWD settings?
Yes. Role hierarchy ensures that users higher in the hierarchy always have access to the same data as people lower in the hierarchy regardless of OWD.
Difference between Profiles/Permission Sets and Roles
Roles primarily control record level access while Profiles and Permission sets control Object and field level access
(T/F) A Role hierarchy is an example of a Sharing rule
True. Sharing rules are used to give additional users access to records
Difference between Profiles and Permission Sets
Permission sets extend users' functional access without changing their profiles
If users have "Master" record type in their profile and one custom record type in their permission sets, which record type is a new record associated with?
Custom record type and user cannot select Master. Permission set overrides profile in this case.
How will you move record type assignments in permission sets to production?
Record types in permission sets aren't supported in Change Sets and must be moved manually
What will happen if a permission set does not have an associated license?
All of the permission set's enabled settings and permissions must be allowed by the user's license or the assignment will fail.
You added the "Use Identity connect" permission to a permission set then assigned the permission set to a user. However, the assignment failed. Why?
The user did not have the identity connect permission set license. Some permissions require users to have permission set licenses before a user can have those permissions
(T/F) View All and Modify All Object permissions (set in Profiles or permission sets) override sharing rules
True. All other object level CRUD permissions however respect sharing rules meaning the sharing rule prevails
(T/F) View All data and Modify All Data permissions override all sharing rules
Is Org wide default (OWD) a single setting that applies to all standard objects?
No. OWD can be set separately for each object
Can role hierarchy grant more access than a user has through profile permissions?
No. Role hierarchy can override OWD but cannot give more access than a user's profile
(T/F) Role Hierarchy extends access vertically while sharing rules extend access horizontally
(T/F) In a Salesforce Org there can be many role hierarchies
What wins when object level settings (profiles/permission sets) conflict with record level settings (roles, sharing rules)?
The most restrictive settings
What is a Queue?
A Queue is a group level access. Records can be assigned to a queue and users who are members of the queue can access them
What are the basic tenets of role hierarchy?
Each user can have only one role. Users higher in the hierarchy inherit the same level of access that users assigned to subordinate roles have.
What are the 2 types of sharing rules?
Ownership based and Criteria based
What are some ways to secure record access so it does not roll up to people higher in the hierarchy?
1) Create custom object and disable granting access using role hierarchy 2) encrypt sensitive fields
In Salesforce every record must have an owner. What actions can the owner of a record perform that might be of concern from a security standpoint?
Record owners can delete records they own. They can also share records they own with other users.
(T/F) The option to prevent roll up of visibility for records owned by users in the hierarchy is not available for Standard Objects.
How to prevent roll up of visibility for records for standard objects
Create a user at the very top of the role hierarchy that owns a majority of the records or assign the records to a user that is not in the role hierarchy.
Name two types of parent child relationships
Master-Detail and Lookup
What is parallel sharing rule recalculation?
When this is turned on, sharing rules are processed asynchronously and split into multiple simultaneous execution threads based on load
Define Deferral process for sharing maintenance
It essentially "turns off" processing of group maintenance operations (sharing rule processing should also be turned off) so that role and sharing changes can be made; it can then be turned back on to allow processing of group maintenance.
Define granular locking feature
By default the force platform locks the entire group membership table when Salesforce makes changes to roles and groups. When granular locking is enabled the system deploys additional logic to allow multiple updates to process simultaneously.
Generally speaking which operations can occur in parallel with granular locking turned on?
Rule of thumb: Territory operations, User operations (creation, provisioning), can occur simultaneously with role changes but multiple role related operations inside a single role hierarchy will still experience lockout issues.
(T/F) Deferring organizational maintenance and sharing rules recalculation will require recalculating sharing rules for all objects
What is Salesforce CRM content?
Content includes all file types including audio, video, web pages, and docs
Is Salesforce CRM content available to anyone with a Salesforce license?
No. Need Salesforce CRM content license. However, it can be turned on with limited features for non licensed users
What is one way to restrict access to a button on a custom Visualforce page to some users?
By defining Access Checks in Apex
How many external objects are allowed in an Org?
What would be an example of implicit sharing or built-in sharing in Salesforce?
Ability to view a parent account record if they have access to its child opportunity
(T/F) Activities and Files have their own object sharing tables
False. Activities and Files have their own access control mechanisms
(T/F) A queue in Salesforce is a system defined group
What is one important purpose of the system groups Role, Roles and Subordinates?
The main purpose is so that Salesforce can access a single group to determine sharing instead of multiple groups...hence indirect members.
What is one difference between account teams/opportunity teams and public groups?
Account/Opportunity teams allow designating roles to users that are part of the team like sales rep, sales tech etc. These roles are different from the role of the user in a hierarchy and relate to their value/role with respect to a particular opportunity...also things like opportunity splits for sharing commission are possible. These features make teams different from public groups
Is a communities license required to use communities (formerly portal)?
No. Enterprise, Performance, and Unlimited orgs have the ability to create up to 100 communities without any additional licenses.
How are Share groups and Sharing sets different from permission sets and sharing rules?
Share groups and Sharing sets are for high volume portal users (who are not in the role hierarchy)...allow records owned by the portal users to be shared with internal and external users
(T/F) Creating a public group with territory and sharing a report/dashboard with a territory are no longer available in Enterprise Territory management 2.0
True...only available in legacy territory management
What is one purpose of territory management?
To assign accounts to territories based on rules automatically and provide additional access based on territories.
What is a territory?
A territory is a flexible collection of accounts and users where the users have at least read access to the accounts regardless of who owns the account.
What is a territory hierarchy?
Territories exist in a hierarchy which you can set up with as many nested levels as you wish. The territory hierarchies do not have to be focused on geographies
When should you use collaborative forecasts and when should customizable forecasts be preferred?
Collaborative forecasts do not support territory management. Customizable forecasts roll up multiple categories into a single category
(T/F) A territory can have inherited account assignment rules meaning that the rules were created somewhere higher in the territory hierarchy and so impact the given territory
(T/F) An account may be assigned to multiple territories
If more than one user is assigned to a territory, who would be the default owner of an opportunity assigned to the territory?
(T/F) If the user creating the opportunity is a standard user, Salesforce automatically assigns a territory to a new opportunity only if the user and account have exactly one territory in common
(T/F) The opportunity owner can manually assign the opportunity to any territory that he or she has in common with the account.
(T/F) An opportunity can be associated with multiple territories
(T/F) Melissa manually assigns an account to a territory. Opportunities associated with that account will also automatically be assigned the new territory
(T/F) Melissa changes the account associated with an opportunity. The opportunity's territory will now reflect the territory of the new account
(T/F) Melissa transfers an opportunity to a new owner. The opportunity will now reflect the territory of the new owner
What is opportunity confinement?
Allows opportunities to stay in the same territory when account assignment rules are run.
Does restoring an account (undeleting) trigger account assignment rules?
When account assignment rules cause an opportunity to be reassigned to a new territory what happens?
The opportunity stays with the current owner and the owner is added as an inactive user in the new territory unless there is only one user in the territory or one forecast manager (in that case the opportunity moves to that user or forecast manager)
What happens when you need to share an object record that is not included in the list of objects assigned by the Territory Management assignment rules?
Use manual territory access grants to share just about any standard and custom object.
(T/F) All objects have a system generated sharing object used to control programmatic sharing through Apex
Name two ways to achieve dynamic sharing based on data attributes
Using Apex triggers or criteria based sharing
(T/F) If row cause (cause of sharing) is not set in Apex managed sharing, it defaults to "manual" and will be deleted when the record owner changes
How would you protect Apex managed sharing from being deleted by the platform due to record owner changes or other reasons?
Use proper Apex sharing reasons instead of defaulting (system deletes whatever defaults to manual in the sharing reason)
How would you design a password authentication solution that makes it very difficult for brute force attacks to gain access to stored passwords?
By using hash (MD5 or SHA-1) plus salt (add random bytes) plus pessimal functions like bcrypt to further slow down hackers
What keyword is used to enforce platform sharing rules in Apex code?
(T/F) Custom sharing reasons may be defined for apex managed sharing of standard and custom objects
False. Custom sharing reasons may only be defined for custom objects
What is an easy way to enforce CRUD/FLS while using Apex code?
Perform operations in VisualForce and operate directly on Sobjects and fields (standard objects)
How would you ensure access levels are maintained while using Apex code that does not operate on standard objects and fields?
You can call the isAccessible, isCreateable, or isUpdateable methods of Schema.DescribeSObjectResult
Jane has access to a contact and hence to the parent account via parent implicit share. The parent account has 300,000 contacts. Could this scenario result in Unable_to_lock_row error when Jane's supervisor changes ownership of the contact Jane has to someone else?
Yes, if someone tries to add a new contact for the same account while Salesforce recalculates Jane's access to the account by checking whether she has access to any of the other 300K contacts (if not, Salesforce will delete the parent implicit share that gives Jane access to the account).
What Apex class can be used to encrypt and decrypt messages or fields?
Apex Crypto Class