Configuration & Setup Flashcards
20%
Company Settings Options (list what they are)
1) Business Hours
2) Public Calendars & Resources (Resource calendar)
3) Company Information (licenses, etc.)
4) Data Protection & Privacy
5) Fiscal Years
6) Holiday Days
7) Language Settings
8) Currency Management
9) My Domain
Locales
- Where located?
- What does it control the language & format of?
- What level is it set at?
Company Information Page
Locale controls the language and format of
- date
- time
- address
- currency (only if single currency in use)
- name
- number fields
Default Locale set at org level, but user locale settings override
Company Defaults (where set?)
Company defaults are set on the Company Information page
New users use the company default settings
Language Support Levels
3 levels:
- fully supported (all features displayed in selected language) - currently 18
- end user (translations for setup, help, all STANDARD object field labels and pages) - currently 17
- platform (for CUSTOM stuff. possible to provide translations for customizations and standard fields, but not informational text or non-field label text - if no translation provided, falls back to English) - over 100
Translation Workbench used to apply translations. Addtl. languages beyond company default must be enabled in Language Settings before they can be selected. Any in use cannot be deactivated.
Org ID
15-character unique identifier found on the Company Information page
Different across environments (e.g., Development, Test, and Production)
Used for support, enabling features
User Licenses (what are they & where/how assigned & where to see which have been allocated)
Define baseline of features available to a user.
Each user must be assigned ONE license when being created.
See which have been allocated in Company Information page (total, used, and remaining)
Feature Licenses (what are they & where/how assigned & where to see which have been allocated)
Grant access to additional features not included in a standard license (e.g. Marketing, Knowledge, CRM content).
Assigned via checkboxes in user’s profile.
See which have been allocated in Company Information page (total, used, and remaining)
Permission Set Licenses (what are they & where/how assigned & where to see which have been allocated)
Gradually grant users access to tools & functions not included in their user licenses. Extend access without changing profiles.
Assigned via checkboxes in user’s profile.
See which have been allocated in Company Information page (total, used, and remaining)
Salesforce API (what is it, which editions, where to see limits/events & how they’re determined)
Application Programming Interface.
Allows access programmatically instead of using the user interface. (E.g. bulk data loading tools like Data Loader, integration tools like Informatica, etc.)
Limits in 24-hour period are based on edition & number of user licenses.
Available for Developer, Unlimited, Performance, Enterprise editions. (“Can’t DUPE the API”)
See events in Company Information page.
Time Zone (where set?)
Org default set in Company Information page.
Users can change their own personal time zone.
Currencies (where set & what kinds)
Company Information page > Currency Locale
Single currency is default
Multi-currency must be enabled by a system administrator in the Company Information page. Irreversible change (“Advanced Currency Management”).
Currencies must be made active to use them.
Reporting & forecasting can be done in the record currency AND corporate currency.
Where can you input available currencies, set the Corporate Currency, and set exchange rates?
“Manage Currencies”
Where can you add new exchange rates values with a start date?
“Manage Dated Exchange Rates”
Business Hours and Holidays (what are they/where defined/how used)
Define when users are available to support customers; they are the basis for computing support process hours.
Part of Company Settings.
Can be defined in case records.
Used in case escalation rules (holidays excluded)
Used in entitlement processes
Standard Fiscal Year
Follow Gregorian calendar (12 month structure)
Can start on the first day of ANY MONTH
Can be named for starting or ending year/month
Custom Fiscal Year
(and what it impacts)
“Fiscal Year” page
Defined using custom periods
Can be based on existing template or modified existing template
Irreversible to enable.
Impacts forecasts, reports, and quotas.
After enabling, all existing forecasts & quotas from the first period of that year forward will be deleted, but forecasts for periods before the first custom fiscal year are not deleted.
Data Storage (how used, exceptions, Enterprise limit)
Used by creating records
Most records use 2KB of storage, except:
- Person Account (4KB)
- Articles (4KB)
- Campaigns (8KB)
- Email Messages (according to the size of the email)
Enterprise Limit: 10GB plus 20MB per user license
File Storage (how used, Enterprise limit)
Used by storing files
- Attachments
- Documents tab
- Files tab
- Content
- Chatter (incl. user photos)
- Site.com assets
Enterprise Limit: 10GB plus 2GB per user license
Big Object
If used, up to 1 million big object records can be stored. Addtl. capacity purchasable. Usually used in write-once, read-many situations (archives, etc.)
Default Language (where it’s set)
Set on Company Information page and will be applied to new users.
Language Translation (name of the tool)
Translation Workbench - allows translations to be applied to custom fields, labels, and translations from managed packages and custom picklist values
Changing Display Language & Time Zone (user process)
My Settings > Personal > Language & Time Zone
Usage-Based Entitlement (what is it)
A limited resource that your org can use on a periodic basis
User Currency (what is it, where set, where can it be used)
Corporate Currency is defined; users may set their own in personal settings under Language & Time Zone on their Personal Information page.
Can be used in:
- reports
- quotes
- forecasts
- other records that use currency amounts
Exchange Rates (where set)
Manage Currencies page
Dated Exchange Rates (where set)
First, enable Advanced Currency Management
Then, Manage Dated Exchange Rates (tracks exchange rate at the date opportunities close)
Multi-Currency in Reports (two types)
Primary currency: default corporate currency OR currency selected for the record
Secondary currency: personal default currency (of user running report) OR currency specified in the report criteria
Storage Usage (where to find)
“Storage Usage” under Setup
What does the default locale configuration impact?
Format of Date, Time, Number, Phone Number, Name and Address fields
What do business hours and holidays impact?
Business hours and holidays are used in calculations to determine when to escalate a case or when an entitlement milestone is reached.
What are the options to define fiscal years?
Standard or custom fiscal years. Standard fiscal years are based on a monthly structure and can start on any month. Custom Fiscal years can use a different structure such as quarters.
What level of language support does Salesforce provide, and how is a user’s language setting controlled?
Salesforce offers a number of Fully Supported, End User and Platform Only languages. The language on the Company Settings page is applied to new users, but it can be overridden in My Settings.
What is the Salesforce API?
The API (Application Programming Interface) is a way of accessing Salesforce programmatically and is used by Data Loading and Integration tools.
What is the organization ID?
A unique 15 character identifier that identifies each Salesforce organization and is different in each environment.
What time zone is used for new users?
The time zone for new users is set using default time zone on the Company Settings page, but users can override it in My Settings.
Why would multi-currency be used?
Multi-currency is used to be able to add amounts in different currencies on records and be able to forecast and report using the corporate currency or record currency.
Why would advanced currency management be used?
Advanced currency management allows dated exchange rates to be recorded to track the amounts when opportunities were closed.
What are the types of licenses?
User, Feature, and Permission Set licenses.
How is storage managed in Salesforce?
Salesforce has two categories of storage, Data and File storage. Records use Data Storage and File Storage is used by Attachments, Documents, Files, Content and Chatter.
How can users set their correct time zones if the organization default is set to a different time zone?
Under My Settings, users can set their own time zones to override the organizational default.
Default Record Page View (two options, where set, overriding)
Full View OR Grouped View
Setup > Record Page Settings
To override a default view, Custom Lightning record page can be created for a specified object & activated using Lightning App Builder
User Interface Settings (name a few important ones)
Enable Hover Details (enables summary when hovering over a record link; fields displayed determined by compact page layout)
Enable Inline Editing (pencil icon will appear if a cell is editable while hovering over the cell)
Enable Enhanced Lists (sets inline editing to be available in list views)
Disable Navigation Bar Personalization in Lightning Experience (exactly what it sounds like)
Enable Printable List Views
Enable Salesforce Notification Banner
Compact Layout Settings (determines what)
Determines which fields are included in hover details (first 7)
Lightning Experience Navigation Bar (what can it contain)
Can contain most of the following:
- Standard Objects
- Custom Objects
- Lightning Component Tabs
- Web Tabs
- Utilities like Lightning Voice
- Lightning page tabs
- Canvas apps
- Visualforce tabs
Usually a horizontal navigation bar used to access the items and functionality in the app
App Navigation Bar (what is customizable?)
Horizontal bar within an app.
- Custom apps
- Interface (color & logo for each Lightning app)
- Navigation items (rearrangeable & utility bar in the footer can be enabled by adding a utility item to the app)
- App Access is assigned to user profiles
- Rename & remove items (except the ones added by admin by default)
Where do you view, create, and customize apps?
Setup > App Manager
How do you define access to an app?
Via the app’s visibility settings (user profiles) or permission sets.
Utility Bar (what does it do, where is it set, where does it display)
Allows access to common productivity tools
Set in Lightning App Builder.
Displays at the bottom of the screen (right or left)
Temporary Tabs (what are they, what can you do with them)
Used to access relevant items from the navigation bar; displayed with an asterisk *
Can be made permanent in the navigation bar via “Add to Nav Bar”
Lightning Experience App Launcher (what is it, how is it customized, how is app access & visibility determined)
Lets you switch between apps
Apps that appear can be changed via Setup > App Menu
App access depends on each app’s visibility settings & user permissions. (Profile or permission sets)
Apps can be made visible or hidden for all users
Apps can be dragged & sorted by users
Apps are large tiles under “All Apps” while other items show up under “All Items”
Where are themes set? Where don’t they work? How can you override them?
Setup > User Interface > Themes and Branding
Admins can choose from built-in themes or create a custom theme with brand logo, images, colors, and background.
Only one can be active at a time, they don’t apply to mobile, and apps can override a custom theme’s brand image & nav bar color with the app’s.
In-App Guidance (where located, what pages can they be assigned to, who can make them)
Setup > User Engagement > In-App Guidance
Interactive tour via step-by-step prompts
Can be assigned to a specific record type, on a specific page or app, or any page or app
Manage Prompts permission required & a myTrailhead subscription for more than 3 custom walkthroughs.
Direct links can be shared.
In-App Guidance (types)
Single prompt or walkthrough (multiple steps)
In-App Guidance (prompt types)
floating
docked
targeted
Guidance Center
Guides admins in setting up & enhancing the org and provides tailored recommendations.
How can lookup search results be made more relevant?
Via lookup filters, which restrict valid values & lookup dialog results for relationship fields, and dependent lookups, which include a lookup filter that references field(s) on the source object record.
Search Layout (where set up, what’s customizable)
Set up via Object Manager or Setup > Einstein Search > Search Layouts
Customizable:
- Fields in a record’s instant results preview
- Fields that can be filtered (shown as columns on search results page)
- Fields shown in a recommended result
- The secondary field in instant results (always the related account for contacts and opportunities)
Profile-specific layouts can be created for each object.
List View Button Layout (where set up, what’s customizable)
Can be edited in the Object Manager per object
Standard buttons can be selected or removed.
New custom list buttons can be created.
List view actions can be selected.
Einstein Search features are available in which editions?
In Lightning Experience in Essentials, Professional, Enterprise, Performance, and Unlimited Editions.
Search Manager (where set up, what’s it do)
Setup > Search Manager
View all searchable objects and the search status of each field.
Record List Display Types
Table/list view
Kanban view
Split view
List View Features
- Search Bar
- Show Charts
- Inline Editing
- Filters
- Import
- List Email
Where do you change List View Button Layout?
Object Manager > the object you want to change the view for
What are the steps to create a custom list view?
- Create and name a new list view or clone an existing list view (settings drop-down).
- Select the List View sharing.
- Add List View filters.
- Select the fields to display.
- Optionally create a list view chart.
- Use Sharing Settings to adjust visibility if required.
What is the Lightning App Builder? How is it accessed? What can it be used to customize?
Tool used to build & configure Lightning apps & custom pages.
It’s accessed via Setup > User Interface > Lightning App Builder
It can customize:
- Lightning Apps (can edit them directly)
- Lightning Pages (using the Pages menu)
- Visibility Rules (app, home, and record pages can be made dynamic by setting visibility rules for components)
- Component Visibility (based on standard & custom user permissions)
- Collapsible sections (via Accordion component)
What are the steps to create a custom home page?
- Create a new Home page or clone an existing Home page.
- Select a standard or custom template.
- Add components to the layout.
- Optionally set component visibility.
- Activate the Home page.
- Set as default for Org, App or App/Profile combination.
Where are the Home Page settings located? What are the options for assigning them?
Setup > Feature Settings > Home
Assigned as org default, app default, or via app & profile combinations.
What’s the Lightning Usage App?
Helps with monitoring adoption metrics & page performance.
- Activity
- Usage
What’s the Lightning Page Analysis tool?
Calculates page performance of a Record Page and IDs the components that have the most impact on page load time.
Accessible via Lightning App Builder.
What has to exist for a Lightning component or page in order to add it to the navigation bar of an app or the navigation menu of the Salesforce mobile app?
A tab! Setup > Tabs
What are the two types of actions?
Global actions (available in places like the home page, have no automatic relationship with any record)
Object-specific actions (allow creating a record related to the object for which the action is created)
Global Actions (where set up, what do they do, where accessible)
Setup > Global Actions
Can be added to any page that supports actions.
Allow creation of object records without any auto relationship
Available from home page, Chatter tab & groups, object pages, and custom Lightning app pages.
What are some things that Global Actions can perform?
- Create a Standard or Custom Object Record
- Log a call
- Send an email
- Display a Visualforce page
- Display a Custom Canvas
- Launch a Lightning Component
Where are global actions’ layouts customized?
Setup > User Interface > Global Actions > Publisher Layouts
Global Publisher Layouts can be assigned by profile.
What are Mass Quick Actions?
Performed on a Recently Viewed list, up to 100 records can be selected in a list view and have a mass update performed on them.
What are Dynamic Actions used for?
To control the visibility of Action buttons on a record page based on the values on the record.
What are Object-Specific Actions?
Actions used by users to create or update records in the context of a particular object. Records created are automatically associated with related records.
What must be done in order for an Object-Specific Action to display?
It needs to be added to the Publisher Actions section of the object’s page layout (in Object Manager), and “Override global publisher layout” must be ticked.
Where are object-specific actions’ layouts configured from?
Setup > Object Manager > (Object) > Buttons, Links, and Actions
What’s a Sandbox?
A separate environment that’s a copy of a production organization, used for development and testing.
There are different types, based on storage limit, initial data, and refresh interval, the availability of which depends on the org edition.
What are the four types of Sandbox?
Developer
Developer Pro
Partial Copy
Full Copy
What is deployment? What are the options available?
Moving developments or customizations from one organization (the source org) to another (the target org).
- Change sets (related sandbox/production orgs)
- Visual Studio Code (tools for development + deployment between orgs)
- Ant Migration Tool (local directory + Salesforce org)
- Salesforce CLI (command-line interface for metadata migration, allows interactive login)
- Workbench (retrieve or deploy metadata using package.xml file)
- Unmanaged Package (used to distribute open-source projects or application templates to any org)
Where can users perform record search?
Global Search searches most information;
List View Search looks for a record within a list view;
Lookup search allows searching of related records from a lookup field.
What do the User Interface Settings control?
General User Interface,
Sidebar (Classic Only) and
Calendar
What is the global layout? (actions)
The global layout is the set of actions that can be used if an action layout has not been overridden. The global layout can be customized, and multiple publisher layouts can be defined and assigned to different profiles.
What are some of the search settings that can be enabled or customized?
Search Optimization,
Recently Viewed Records,
Document Content Search,
Number of search results displayed,
Limit search to records owned by the user
What actions and features are available on a list view?
Edit, Delete and Follow records,
Sort,
Filter,
Create Printable View
What are the different types of search layouts?
Lightning Experience UI: List View, Search Filter Fields
Classic UI: Search Results, Lookup Dialog, Lookup Phone Dialog, Tab
Where can an app’s logo and navigation bar color be changed?
‘App Manager’ in Setup
Where can the apps that appear in the Lightning Experience App Launcher be changed?
‘App Menu’ in Setup
What can be used to create, customize, and assign home pages to different profiles in Lightning Experience?
Lightning App Builder
What types of custom components can be added to the home page layout?
Links, Images, HTML, and Visualforce
How can a user look for a company in a List View by keyword?
By using the List View Search Bar at the top of the List View.
Which users can view a list view created in Lightning Experience? (i.e., what are the options)
The creator, all users, or groups of users
What can be used to search records from within the Kanban view in Lightning Experience?
List View search bar
Which option can be selected from the List View Controls menu to share a custom list view with other users?
Sharing Settings
What can be customized to include Lightning Knowledge fields in global search results in Lightning Experience?
Search results layout of the Knowledge object
Which capability is available for list views in Lightning Experience to allow users to view opportunities that fall within a certain amount or probability range?
Filtering search results by number range
How can a Lightning component on a home page be made visible to only users from a certain country using the Lightning App Builder?
By setting a component visibility filter in the ‘Set Component Visibility’ section of the component’s properties
What are the six different areas of user setup & maintenance?
User Details
User License
Feature License
Resetting Passwords
Unlocking User Accounts
Localization
How do you create a new user in Salesforce? What are the five steps to fill in?
Setup > Users
Then, you set up/fill in:
- User Details
- User License & Feature License(s)
- Role
- Profile
- Localization
Then, an account verification link will be sent via email to the user. They’ll create a password & security question.
What are some restrictions related to usernames?
Usernames are unique across all Salesforce orgs globally and cannot be reused.
They must be in email format but do not need to be valid email addresses.
Is it required to assign a role to a user on creation?
Role is marked as required but does not need to be selected to create a new user.
What are the required fields when creating a new user?
Last Name
Alias
Email
Username
Nickname
User License
Profile
How can the email domains allowed in a user’s Email field be restricted?
Via Setup > User Management Settings > enable the Email Domain Allowlist toggle.
Then, in Setup > Users > Allowed Email Domains, you can specify the email domains that can be used.
What’s the default expire length on an account verification email link?
7 days
What happens on an admin-initiated email update?
The user is required to reset their password via a password reset link.
How do you add multiple users to an org? What are three considerations?
The “Add Multiple Users” button on the Manage Users screen.
- The username will be the same as the email address when adding a user with this method.
- All users will have the same license assigned.
- Individual records will need to be edited after creation to choose further details.
How can users be created in batch by the Data Loader?
- Required fields in the user record should be included in the import file.
- Use the insert operation. The user object fields should be mapped to columns in the csv file.
- Proper picklist values should be used for Email Encoding Key, Locale, Language, TimeZone, and Currency fields.
- Activate & Generate password.
How do you delete a user record?
You can’t! User records are permanent and cannot be deleted. It’s possible, though not recommended, to reuse inactive user records.
Where can you see an org’s login history? What are five considerations related to it?
Identity > Login History
The status column will indicate success or reason for failure to login.
It can be viewed as a related list on a user record or for all users.
It shows up to 20,000 login records for the past 6 months.
It can be downloaded as a csv or gzip file.
API access logins will be included in All Logins option.
How can a user’s password be reset?
Either by the user themselves via the “forgot password” link on the login page
OR
By the administrator via a User record in setup. Multiple passwords can be reset at once. In the User record’s detail section, the admin can see how many failed login attempts the user has. The counter will reset to 0 if the user gets locked out.
How can an administrator resolve locked user accounts?
From a User record’s detail page.
- Unlock an account due to too many failed attempts to access.
- Unfreeze an account that has been frozen previously.
What does freezing users do? How and why? Does it release their license?
It prevents user access to the org, and is done via the User Record’s detail page.
Freezing a user record can be used when steps to deactivate a user are incomplete.
It is an immediate action that prevents them from logging in or having access. No emails or Chatter alerts will be sent.
It does not release their license; to do that, the user must be deactivated.
What does deactivating a user do?
It disables them from logging in and having access to Salesforce. They will no longer get email or Chatter alerts. Done via the user record.
A user cannot be deactivated if they’re the sole recipient of a Workflow Email Alert, Customer Portal Administrator, or User selected in a Custom Hierarchy Field.
Self Deactivation can be enabled to allow external Community and Chatter users to deactivate their own accounts (under User Management Settings).
What is Delegated Administration? What controls what admin privileges are granted?
The system admin can delegate certain administrative tasks to delegated administrators. A delegated group controls what admin privileges are granted.
What can users in a delegated administration group do?
- Manage users (create and edit users in specified roles)
- Assign profiles (assign users to specified profiles)
- Unlock and reset passwords (for users in specified roles)
- Manage permission sets
- Create public groups (and assign users to specified public groups)
- Manage specific custom objects
How can an admin log in as another user? (Where’s the setting to enable? Otherwise, what must be done?)
Setup > Security Controls > Login Access Policies
Check the box to enable the feature. If it’s not enabled, each user needs to Grant Account Login Access from the Personal Setup menu.
What are eight common user access issues? (Reasons why they can’t log in.)
- Password case sensitivity
- Login hours (the user may be trying to access the org outside of the login hours set by the System Admin)
- Inaccurate username
- Incorrect domain (trying to login using test.salesforce.com, used for sandbox, instead of login.salesforce.com)
- myDomain policy (user tries to log in with login.salesforce.com when myDomain is deployed and login policy restricts login.salesforce.com)
- Profile based IP restriction (IP restrictions may be in place, and the user is outside of set IPs)
- Unverified account (the new user has not verified their account via the “Verify Account” link within the allotted time)
- Locked out (the account may be locked from too many failed login attempts)
What are the four levels of security in Salesforce (plus examples of each)?
Organization Security Controls (e.g., Login Hours, IP Restrictions & Network Settings, Password Policies, Device Activation)
Objects (e.g., Profiles, Permission Sets)
Object Record (e.g., Org-Wide Defaults, Role Hierarchy, Sharing, Teams)
Fields on a Record (e.g., Field-Level Security, Page Layouts)
How can you see recent setup changes made to an org? How far back does it go?
Via the View Setup Audit Trail screen.
It shows the 20 most recent changes and stores history for the last 6 months (downloadable in .csv format).
What kinds of changes are tracked by Setup Audit Trail?
- Administration-related changes
- Customization changes
- Groups & Sharing
- Data Management
- Email deliverability and delivery
- Delegated administrators
- Notification types
- Apex
- Lightning components
What are four settings that administrators can configure to ensure users’ passwords are strong and secure?
- Password Policies
- Password Expiration
- Password Resets
- Login Attempts and Lockout Periods
What levels can password policies be set at?
Both at the organization level and the profile level. Profile Password Policies override the Org-Wide policies for that profile’s users.
What are the default password requirements for new orgs?
- Minimum 8 characters, including one alphabetic character and one number.
- The security question answer can’t contain the user’s password.
- When users change their password, they cannot reuse their last three passwords.
- 90 day expiration
What is single sign-on (SSO)? What does it need in order to implement it?
It allows users to log in to Salesforce and other applications using single user credentials with an external identity provider.
Needs either federated authentication via Security Assertion Markup Language (SAML) or delegated authentication.
What is multi-factor authentication? How is it enabled?
It increases an org’s security by requiring a second level of authentication for every user login. Not required by default for SSO logins.
Setup > Session Settings > Make sure “Multi-Factor Authentication” is in the “High Assurance” column in the “Session Security Levels” section.
You can also enable it for all users of the org in the same place.
It can be enforced via profiles as well.
What are some org-wide session security settings that are configurable?
Session connection type (secure connection settings)
Timeout restrictions
IP address ranges (incl. locking to the IP address from which the session originated)
Caching settings
Clickjack protection
Session Security Levels (standard or high assurance)
Additional security protections…
What are some profile session security settings that are configurable?
(These will override org-wide settings)
Session timeout
Session security level
Login policies
What are the two different kinds of IP restrictions? At what levels can they be configured?
Login IP addresses - define the range of IPs from which a user can log in
Trusted IP addresses - define the range of IPs from which a user can log in without receiving a login challenge for verification of their identity.
Login IP addresses can be configured at a profile level.
Trusted IP addresses can be configured at an org-wide level (Network Access page in Setup).
Note: An activation code is sent for logins from devices/browsers that Salesforce doesn’t recognize, even if the IP is in range, or if the user has deleted browser cookies.
What are three things to consider when setting Login Hours for a profile?
- Login hours can be set only at the profile level.
- You can set the days & hours.
- If a user tries to log in outside these hours, they’re denied access.
What is the flow for login access checks?
<login>
Is login time outside of Login Hours for Profile? YES > Login denied
NO:
Is user's IP outside range defined for Profile? YES > Login denied
NO:
Is user's IP outside of trusted range defined for Org? YES > Activation Code sent > Entered correctly > Login successful
NO:
Login successful
</login>
When is device activation triggered? Where is it stored?
When a user logs in from an unrecognized browser or device and is logging in from outside a trusted IP range. It’s stored in browser cookies.
What is the priority order for device activation verification methods?
1) Salesforce Authenticator Mobile App
2) Built-In Authenticator
3) U2F Security Key
4) One-Time Password Generator
5) SMS Text Message
6) Email
What are login forensics? Where is it enabled? How do you see it?
Provides critical login info to admins, such as:
- Users who have suspicious login activity
- Users who logged in more than the average number of times
- The average number of logins per user per a specified time period
- Users who logged in during non-business hours
- Users who logged in using suspicious IP ranges
Setup > Event Manager > Login Event (enable storage)
There is no user interface; track events using API objects LoginEvent & Platform Event Metrics.
What is Security Health Check? How can you access it?
A score to help admins see how they measure up against security baselines. Setup > Health Check
What is myDomain?
A feature that allows the creation of a subdomain for the company’s Salesforce org. It’s required in order to activate other Salesforce features:
- Company branding
- Login management (helps)
- URL replacement
- Single Sign-On
What is one way to improve download times and org performance in myDomain?
Route myDomain through the Salesforce Edge Network, which routes requests to the closest Salesforce location where Salesforce Edge Network is deployed.
What are Enhanced Domains? Where are they set up? What are the qualifications for enabling them?
They enable the use of the company’s unique My Domain name on all URLs across the org, including Experience Cloud sites, Salesforce sites, etc.
Recommended for all orgs. Available in Hyperforce orgs and in orgs that have deployed My Domain that is routed via the Salesforce Edge Network.
Setup > My Domain
What does Enhanced Transaction Security do? Where is it set?
It intercepts real-time events and applies appropriate actions to monitor and control user activity, such as blocking or requiring MFA, and determines what kind of notification is sent and to whom.
Security Policies tab.
What are Release Updates? Where are they accessed? What’s a consideration when updating?
Salesforce’s periodic updates.
Setup > Release Updates
Some updates can affect the existing customization of an org. Many have test runs to evaluate their impact before being enforced.
What is GDPR?
General Data Protection Regulation is an EU data protection law that regulates the processing, collection, storage, transfer, or use of personal data about EU individuals.
GDPR: Data Processor
Processes data on behalf of the data controller. This is Salesforce.
GDPR: Data Controller
Salesforce customer that is responsible for managing customer data.
GDPR: Data Subject
An individual that the collected data relates to, such as a Lead, Contact, or Person Account. Can also be a Salesforce end user.
What are the key principles of GDPR?
Secure
Consent
Accurate
Legitimate Purpose
Accountable
Data Deletion
What are the seven areas of Salesforce Security Control?
Field Access
Record Access
Object Access
Role Hierarchy
Sharing Rules
Manual Sharing
Public Groups
What determines object access & permissions?
Profiles determine which objects a user can access and what actions they can take on those objects.
What can the permissions on objects be set to?
Permissions on objects can be set to:
- Create
- Read
- Edit
- Delete
- View All/Modify All (grants access to all records of the object & overrides sharing settings)
What determines access to tabs and apps? What are the different settings & what do they mean?
Profiles!
“Default On” - The tab for the object will be in the nav bar if it’s part of the App selected.
“Default Off” - The tab will be available for the user to add by customizing tabs.
“Tab Hidden” - The tab will not be visible for the object.
What, exactly, do “object permissions” control?
Object permissions control what users can do with records they own within an object.
What do organization-wide defaults (OWD) determine in terms of access to data?
OWD determine users’ access to other users’ data for records they do not own. They do not grant more access than the object access granted in the user’s profile.
Increasing access takes effect immediately; decreasing access takes time for Salesforce to recalculate.
What are the access options for OWD on objects and what do they mean?
Public Read/Write/Transfer - Users can view, edit, and change ownership (only for leads and cases)
Public Read/Write - Users can view and edit other users’ records
Public Read Only - Users can view other users’ records but not edit
Private - Users cannot see others’ records unless they’re shared or if the user is above the record owner in the role hierarchy
Controlled by parent - Users can perform an action based on whether they can perform the action on the parent object (e.g., contact actions are controlled by the actions available on an account)
What are the OWD sharing default options for Pricebook?
Use - All users can view pricebooks, add them to opps, and add products in the pricebook to opps
View Only - Users can view them, but only users with edit permission on opps or users that have been manually granted access can add pricebooks to opps
No Access - Users cannot see pricebooks and cannot add them to opps unless they’ve been manually shared with them
What are the OWD sharing default options for Activities?
Private - Only the owner & users above the owner in the role hierarchy can edit & delete the activity. Users that have read access to the record related to the activity can view the activity.
Controlled by parent - Permissions are determined by the access the user has on the record or records related to the activity.
What are the OWD custom sharing default options for Campaigns & Campaign Members?
Campaign: Public Full Access - All users can view, edit, transfer, delete, and report on all Campaign records
Campaign Member: Controlled by Campaign - Only users who have access to the campaign can see the details of the campaign members related to the campaign.
Campaign Member: Controlled by Campaign Member - Users can only see the campaign members whose lead or contact records they already have access to.
What are the OWD sharing default options for Users?
Private: All users have read access to their own user record and those below them in the hierarchy.
Public Read Only: All users can see one another’s user detail pages. They can also see all users in lookups, list views, ownership changes, user operations, and search.
What are the OWD sharing default options for Personal calendars?
Hide Details - Others can see availability, but not information about the events
Hide Details and Add Events - Same as Hide Details but can insert events into other users’ calendars
Show Details - Others can see info about events in others’ calendars
Show Details and Add Events - Same as Show Details, but can insert events into other users’ calendars
What are two caveats about Record Access?
If a custom object is on the detail side of a master-detail relationship with a standard object, the OWD setting will be “Controlled by Parent” and cannot be changed.
User visibility will affect which users are displayed in the People tab of Chatter. If user visibility is set to Private, then users will not see any other users.
What are the differences between Restriction Rules and Scoping Rules?
What they do: Restriction Rules prevent access to certain records. Scoping Rules let users focus on a certain set of records and filter out the remaining. They do not change access.
Where they can be applied: Scoping rules are applied on Account, Contact, Lead, Opportunity, and Case, none of which are available for Restriction Rules. Both can be applied on all Custom Objects.
Where they can be used: Scoping Rules can only be used in List Views, Reports, and SOQL. Restriction Rules can be applied on all these and also on Lookups, Related Lists, Search, and SOSL.
What are the different levels of Record Access? What is the concept behind it?
The concept is to open up record access from more restrictive to less restrictive:
Object - First defined at the object level for a user profile for records the user owns (also permission sets)
Org-Wide Defaults - Opens access to records the user does NOT own
Sharing Rules - Open up record access to users when the OWD settings are set to anything more restrictive than Public Read/Write
Manual Sharing - Individual records can be manually shared
Restriction Rules - Allow certain users more granular access to specified records
Scoping Rules - Allow certain users more granular visibility to specified records
How is access to specific fields controlled? What are the options?
Field-Level Security
Note: It doesn’t prevent searching on the values in a field.
The options are “visible” and “read-only” based on profile.
What do field level security settings override?
Field properties if the field-level security setting is more restrictive
What is the role hierarchy? What is a limitation of it? Where is it accessed?
It is a data-access hierarchy that grants access to records to users that have a role above the record owner in the role hierarchy if the OWD setting is not already Public.
Note: Role hierarchy access does not override object access determined by profiles.
Manage Users > Roles
What are manager groups? What are they based on? Where can they be enabled?
They allow users to share records up or down their management chain. They’re based on the “Manager” field on the user detail page. They can be enabled on the Sharing Settings page.
What do Sharing Rules do? What can they be based on? What are the access options granted?
They allow record access (in addition to what’s granted by the OWD) to be extended based on role, territory, public group membership, or manager groups. They go across role & territory hierarchy, sharing records owned by a role with another at the same level. Object access is still required.
They can be based on record owner or record criteria.
The access options granted can be read only or read/write.
What does manual sharing do? Who can records be shared with?
It allows users to share records with other users on a one-off basis.
The “Sharing” button will only display if appropriate.
Records can be shared with other
Users
Roles (& Subordinates)
Territories (& Subordinates)
Public, Manager, or Manager Subordinate Groups
What should a user be in order to manually share a record?
Owner of the record
Above the owner in the role hierarchy
A user with “full” access
Administrator
How can you determine why a user has access to a record?
Via the “Sharing Hierarchy” button on the menu of a record.
How can you share reports and dashboards?
Via Enhanced Folder Sharing
With whom can folders be shared using Enhanced Folder Sharing?
Users, public groups, roles, or roles & subordinates
What are the three levels of access provided to a user, group, or role via Enhanced Folder Sharing, and what does each level do?
View (view reports & dashboards)
Edit (Viewer + save, delete, or rename a report or dashboard in the folder)
Manage (Editor + share or delete a folder, change the folder’s name, change the folder’s sharing setting)
Which user permissions determine access to reports & dashboards?
A combination of user permissions. Some might include:
- Run Reports
- Schedule Reports
- Report Builder
- Create and Customize Reports
- Create and Customize Dashboards
- Manage Reports in Public Folders
- Manage Dashboards in Public Folders
- Subscribe to Dashboards
What are public groups used for, and what can they contain? Who can create them?
They’re used for Sharing Rules, Folder access, Sharing Records, and adding Users to a Content Library.
They can contain specific users, users in particular roles or territories, users in roles & those below them in the hierarchy, and other public groups.
Only Administrators can create Public Groups.
Who can list views be shared with?
Users
Roles (& Subordinates)
Public Groups
Territories (& Subordinates)
What are permission sets?
Permission sets can be assigned to a user to extend the user’s settings and permissions granted by their profile. They can only be used to increase privileges, not remove them. Users can be assigned one or more permission sets.
What are the two categories of settings included in Profiles?
App settings (settings specific to apps & objects)
System settings (apply to all apps, such as security settings & overall data visibility)
What are some examples of Standard Profiles?
Standard User (Create, Read, Edit and Delete for most objects, Run Reports, View Org Setup, View but not manage campaigns, and Create but not review solutions)
Contract Manager (Standard User + Manage Contracts)
Minimum Access - Salesforce (Least-privilege access with Access Activities, Chatter Internal User, Lightning Console User, and View Help Link Permissions)
Marketing User (Standard User + Import Leads, Manage Campaigns, Create Email Templates, Manage Public Documents)
Solution Manager (Standard User + Review and Publish Solutions)
System Administrator (access to all functionality that doesn’t require an additional license. Configure & customize the application. Can View and Modify all Data, which overrides all sharing rules)
Which editions of Salesforce are Custom Profiles NOT available in?
Contact Manager and Group Editions
How can you ensure that only permissions accessible to the org are enabled when a profile is cloned?
User Management Settings > Restricted Profile Cloning (enable)
What are the types of settings that can be customized for each profile?
Settings are object based
Object Permissions can be set at the profile level and include: No Access, Read, Create, Edit, Delete and View All/Modify All
Allows access to certain Apps and Tabs
Determines which Page Layout a profile uses
What are the three general groups of permissions in a Salesforce org?
App permissions (what actions can be performed in different apps)
Custom permissions (must be enabled & are used to grant access to custom apps or processes)
System permissions (grant access to org-wide actions)
T/F: Any privilege that can be granted on a profile can be allocated through a permission set.
True!
What are Permission Set Groups used for?
To group permission sets together for assignment to a user. Permissions in a permission set group can be disabled or “muted” by adding a Muting Permission Set (only one allowed per group).
How can you analyze, report, and manage access & permissions within an organization?
User Access and Permissions Assistant
How does the Security Health Check work?
Security Health Check measures setting values in Password Policies, Network Access Config and Session Settings against baseline values and calculates a percentage score to indicate risk. 100% means all settings meet or exceed the standard.
When is identity verification invoked?
When a user logs in from an unrecognized (based on cookies) browser or device, and outside the trusted IP range
What can be enabled that helps the administrator spot suspicious login activity?
Login Forensics
What are the different risk categories associated with a Security Health Check in Salesforce?
High, Medium, Low, and Informational
What password requirements can an administrator set?
Minimum password length, complexity, password history enforcement, expiration period, minimum password lifetime
Where can session security settings be configured at the organization level and the profile level in an org?
On the ‘Session Settings’ page at the organization level and in a user profile at the profile level
How is the role hierarchy related to record access? What toggle must be enabled to make it work?
Users will have access to other users’ records if they have a role above the record owner in the role hierarchy and grant access through hierarchies is enabled.
What is the purpose of a public group?
It’s a way of grouping users, roles, and territories so that sharing settings and permissions can be granted efficiently.
Which sharing setting allows a user to manually share their own user record with other users of an organization?
‘Manual User Record Sharing’ checkbox on the ‘Sharing Settings’ page in Setup
Which organization-wide default sharing setting can be used for the Campaign Member object to allow all users to see only the campaign members associated with the campaigns they have access to?
Controlled by Campaign
Which access level for a report folder would allow a user to change the folder’s sharing setting?
Manage
Why would a user be frozen?
To prevent the user from logging in without deactivating them, allowing for changes to any customization where the user has been used (e.g. workflow email alerts)
What administration tasks can an administrator delegate?
Create and assign users in certain roles and profiles, assign permission sets, public groups, reset passwords, manage specific custom objects
What field must be marked on the user record for users to be able to log in?
The “Active” checkbox
How would it be possible to check why a user is not able to log in?
Login history on user record, or Login History for all users will give information regarding a login attempt.