Declarative Sharing 1 of 3 Flashcards
List the declarative settings that control object- and field-level security
Profiles and permission sets grant CRUD permissions to users
Profiles - define how users access objects and data, and what they can do within applications. Exactly one profile is assigned to each user in Salesforce
FLS - specified in profiles or permission sets; grants view or edit access to standard or custom fields
Permission sets - a collection of settings and permissions that extend users' functional access without changing their profiles
Access restrictions - a profile can be used to restrict users' access to objects and fields; FLS is used to restrict access to fields
Limitations - object and user permissions in standard profiles cannot be edited. A permission set cannot be used to restrict users' access; it only adds access
Declarative Platform Security Features include:
Explicit Sharing:
OWD
Sharing Rules
Manual Sharing
Administrative settings in Roles and Profiles
Implicit Sharing:
between accounts and child records, and for various groups of portal users
Data Encryption: Classic Encryption and Shield Platform Encryption are the two declarative options available for data encryption
List all Platform Security Features
OWD
Role Hierarchy
Sharing Rules
Manual Sharing
Profiles
Permission Sets
Implicit Sharing
User & Admin Permissions
Field-Level Security
Shield Platform Encryption
External Data Source
Custom Permissions
An Account Team …
allows a group of users to access and work together on an account record, making it easy to track who collaborates on the record
An opportunity team …
gives a group of users access to work together on an opportunity, and makes it easier to track their roles
Team setup includes
team roles and access levels
What can be used to limit the access of a user who should not be able to delete the records of a particular object?
Profile
hint: key word 'delete', i.e. the 'D' in CRUD
What can be used to restrict users' access to view and edit a specific field?
Field Level Security
How does Salesforce provide implicit sharing between accounts and child records?
Access to an account's child record grants implicit read-only access to that account. Access to an account grants access to its child records, but the access level depends on the settings on the account owner's role
Which type of team allows a group of sales users to work together on a particular opportunity record?
Opportunity Team
Which action allows account team members to view other members' access levels?
team member access
What should a solution architect recommend if only one user in an organization requires access to a Visualforce page?
A permission set can be created allowing access to the page and assigned to that user
Which declarative options are available to grant explicit record access to users with a specific role who cannot access records because of the OWD setting?
Role hierarchy and sharing rules
While defining an account team, which access levels will be available for an account if the OWD sharing setting for the object has been set to "Private"?
Read Only and Read/Write
In order to allow a group of support reps and a support manager to work together on certain cases, what should be created?
case team
Which object can be customized to allow users to specify custom information about account team members?
Account team member
Explain the difference between a Profile and a permission set?
Profiles can be used to allow or limit access to data; permission sets only grant additional access and cannot restrict access for specific users
Object- and field-level security settings can be implemented in Salesforce through the use of?
profiles and permission sets
Declarative feature used to assign multiple permission sets to a user with a single assignment?
Permission set group
Permission set groups provide these additional features:
- multiple groups can be assigned to a user
- permissions can be removed (muted) via a muting permission set (only one muting permission set is allowed per group)
- in the muting permission set's object settings, each CRUD permission has Enabled and Muted checkboxes
- updates to a permission set propagate to all permission set groups that include it
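How profile, permission sets and a permission set group combine is easiest to see in code. The block below is an added model written for this page, not Salesforce's implementation: it treats each profile, permission set and group as sets of object and field permissions, unions them the way the platform does (access is additive), and applies a muting permission set only inside its own group. All profile, permission set, field and group names are made up for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

Perms = Dict[str, FrozenSet[str]]   # object name or "Object.Field" -> granted permission names


@dataclass(frozen=True)
class PermissionSet:
    """Object permissions keyed by object, e.g. {"Case": {"Read", "Edit"}};
    field permissions keyed by "Object.Field", e.g. {"Case.Priority__c": {"Read"}}.
    A profile is modelled with the same shape."""
    name: str
    object_perms: Perms = field(default_factory=dict)
    field_perms: Perms = field(default_factory=dict)


@dataclass(frozen=True)
class PermissionSetGroup:
    name: str
    members: Tuple[PermissionSet, ...]
    muting: Optional[PermissionSet] = None   # Salesforce allows at most one muting set per group


def _add(into: Perms, more: Perms) -> None:
    for key, perms in more.items():
        into[key] = into.get(key, frozenset()) | perms


def _mute(frm: Perms, muted: Perms) -> None:
    for key, perms in muted.items():
        if key in frm:
            frm[key] = frm[key] - perms


def group_permissions(group: PermissionSetGroup) -> PermissionSet:
    """Effective permissions of one group: the union of its member sets, minus whatever
    the muting permission set names. Muting is scoped to the group it belongs to."""
    objs: Perms = {}
    flds: Perms = {}
    for ps in group.members:
        _add(objs, ps.object_perms)
        _add(flds, ps.field_perms)
    if group.muting is not None:
        _mute(objs, group.muting.object_perms)
        _mute(flds, group.muting.field_perms)
    return PermissionSet(f"{group.name} (effective)", objs, flds)


def effective_permissions(profile: PermissionSet,
                          perm_sets: Iterable[PermissionSet] = (),
                          groups: Iterable[PermissionSetGroup] = ()) -> PermissionSet:
    """A user's access is additive: the profile, directly assigned permission sets and the
    effective permissions of each assigned group are unioned. Nothing here can take access
    away; the only restriction available is to not grant (or, inside a group, to mute)."""
    objs: Perms = dict(profile.object_perms)
    flds: Perms = dict(profile.field_perms)
    for ps in perm_sets:
        _add(objs, ps.object_perms)
        _add(flds, ps.field_perms)
    for g in groups:
        eff = group_permissions(g)
        _add(objs, eff.object_perms)
        _add(flds, eff.field_perms)
    return PermissionSet("effective", objs, flds)


def has_object_perm(p: PermissionSet, sobject: str, perm: str) -> bool:
    return perm in p.object_perms.get(sobject, frozenset())


def has_field_perm(p: PermissionSet, qualified_field: str, perm: str) -> bool:
    return perm in p.field_perms.get(qualified_field, frozenset())


# Constructed scenario (all names invented for this example)
SUPPORT_USER = PermissionSet("Support User",
                             {"Case": frozenset({"Read", "Create", "Edit"})},
                             {"Case.Priority__c": frozenset({"Read"})})
CASE_DELETER = PermissionSet("Case Deleter", {"Case": frozenset({"Delete"})})
CASE_VIEW_ALL = PermissionSet("Case View All", {"Case": frozenset({"View All"})})
PRIORITY_EDITOR = PermissionSet("Priority Editor",
                                field_perms={"Case.Priority__c": frozenset({"Read", "Edit"})})
# The one muting set of the group: lead gets everything except Delete on Case and Edit on Priority
MUTE_DESTRUCTIVE = PermissionSet("Support Lead - Muting",
                                 {"Case": frozenset({"Delete"})},
                                 {"Case.Priority__c": frozenset({"Edit"})})
SUPPORT_LEAD = PermissionSetGroup("Support Lead", (CASE_DELETER, CASE_VIEW_ALL, PRIORITY_EDITOR),
                                  muting=MUTE_DESTRUCTIVE)


def lead_via_group_only() -> PermissionSet:
    return effective_permissions(SUPPORT_USER, groups=[SUPPORT_LEAD])


def lead_with_direct_deleter() -> PermissionSet:
    # Same group, plus Case Deleter assigned directly: the group's muting does not reach it.
    return effective_permissions(SUPPORT_USER, perm_sets=[CASE_DELETER], groups=[SUPPORT_LEAD])
```

Two things to notice: the muted Delete on Case disappears from the group but comes straight back when the same permission set is also assigned directly, because muting never reaches outside its group; and nothing in the model can lower what the profile grants, which is the flashcard's point that permission sets and groups only add.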
What defines how users access objects and data, and what they can do within the application? When you create users, you assign one to each user.
Profiles
salesforce article on profiles:
https://help.salesforce.com/articleView?id=admin_userprofiles.htm&type=5
collection of settings and permissions that give users access to various tools and functions. The settings and permissions in permission sets are also found in profiles, but permission sets extend users’ functional access without changing their profiles.
Permission sets
Salesforce article on permsets:
https://help.salesforce.com/articleView?id=perm_sets_overview.htm&type=5
streamlines permissions assignment and management by bundling permission sets together based on user job functions. Users assigned the permission set group receive the combined permissions of all the permission sets in the group
permission set group
Salesforce article on permission set groups:
https://help.salesforce.com/articleView?id=perm_set_groups.htm&type=5
How can you remove individual permissions from a group?
muting feature
Settings let you restrict users’ access to view and edit specific fields.
Field-level security
Page layouts also determine which fields a user sees; when FLS and the page layout differ, the most restrictive setting always applies.
salesforce article on Field level security:
https://help.salesforce.com/articleView?id=admin_fls.htm&type=5
Field-level security restricts access to fields in:
Detail and edit pages
Related lists
List views
Reports
Connect Offline
Email and mail merge templates
Custom links
The partner portal
The Salesforce Customer Portal
Synchronized data
Imported data
Field-level security can be set two ways:
multiple fields on a single permission set or profile
a single field across all profiles
What approach reduces the number of page layouts you have to maintain?
Use field-level security to restrict users' access to fields, then use page layouts to organize detail and edit pages within tabs.
Modify All Data and View All Data
Modify All Data allows the user to create, edit and delete all records in the Salesforce organization; View All Data allows the user to view all of them. Both bypass sharing (OWD, role hierarchy, sharing rules and manual shares). When this is needed for a single object only, use the per-object View All / Modify All permissions instead.
Reference Article:
User profile permission descriptions:
https://help.salesforce.com/articleView?id=000332385&type=1&mode=1
Admin Permissions
Security Admin Permissions
User Management Permissions
Data Permissions
Import and Export Permissions
Report and Dashboard Permissions
Developer Permissions
Chatter and Communities Permissions
User Interface Permissions
Object Permissions
This permission allows the user to view the Reports tab, run reports and view dashboards based on reports
User Permissions section = 'Run Reports'
This permission allows the creation, updating and deletion of reports.
System permissions in the Enhanced profile user interface
Administrative permission in the standard interface
Create and Customize Reports
Use case:
A user should be able to edit custom field A on a custom object record during their login session on the first day of each month
The custom object's FLS should be set as:
- No access to custom field A on the profile
- Edit access to custom field A granted through a session-based permission set
- A flow, run by the employee's manager, activates the session-based permission set for the employee's session on the first day of each month
What type of sharing automatically grants 'Read Only' access to the parent account of a case that is manually shared with a user?
implicit sharing
When a case is manually shared,
'Read Only' access is automatically extended to its related account.
Implicit Sharing - Child
Gives account owners access to view and edit the contacts and cases related to the accounts they own.
If a user has access to a parent account, they also have access to the associated child records.
Permission assigned in a profile or permission set which provides read access to all the data in the organization
View All Data
Sharing type which is lost when the owner of a record changes
Manual Sharing
How can a user gain access to a record owned by a user higher in the role hierarchy?
Criteria-based sharing rule (the role hierarchy only grants access upward, to the owner's managers, so a sharing rule is needed)
What setting prevents users from selecting a record type when creating a record?
On the profile, set the record type to --Master--
When this record type is assigned, users can't choose a record type while creating a record.
Conversely, when custom record type(s) are selected on the profile, the user can pick only the types assigned to the profile.
Page layouts can only be assigned through _____ and cannot be set through permission sets
Profiles (page layout assignment is per profile and record type)
Security on encrypted fields can be accomplished through
field-level security, or
a combination of validation rules and page layout settings to prevent users from editing encrypted fields
Which permissions bypass field-level security on encrypted fields?
The combination of Modify All Data, Customize Application and Deploy Apex.
Which security setting encrypts the body of attachments that are uploaded?
Shield platform encryption
Only users with read access can search and view the body content
https://shieldlearningmap.com/
Which settings restrict the times at which a user can log in and the locations they can log in from?
Login Hours and Login IP Ranges set on the profile
Which settings control CRUD access to external objects?
Object permissions on profiles and permission sets, as for standard and custom objects; create, edit and delete additionally require Writable External Objects to be enabled on the external data source
Allows you to define access checks that can be assigned to users via permission sets and profiles (i.e. grants access to custom processes or apps)
Custom Permissions.
Examples: controlling access to a button on a Visualforce page, or a validation rule bypass that checks the custom permission by name: $Permission.ExampleCustomPermName = FALSE && <rest of the validation rule>
Key points about file sharing
Sharing settings:
Private - the file is in Files home, published to your private library, made private, or every post that included it has been deleted
Privately Shared - shared with specific people or a group, posted to a private group, shared via link, posted to a feed on a record, or published in a shared library
Company - posted to a feed all users can see, or shared with a profile, a record or a public group
Actions which can be performed on a file, by role:
View/Preview: owner, collaborator, viewer
Download: owner, collaborator, viewer
Share: owner, collaborator, viewer
Attach to post: owner, collaborator, viewer
Upload new version: owner, collaborator
Edit details: owner, collaborator
Change permissions: owner, collaborator
Make private: owner
Restrict access: owner
Delete: owner
Determine which actions a user can perform on any of the object's records to which they have access
Read, Create, Edit and Delete (CRUD) object permissions
Prevent certain users from seeing sensitive or confidential information contained in records they can see
Field level security
determines which records a user can see for a particular object
Record-level access (i.e. Sharing)
Can be accomplished through:
OWD
Role hierarchy
Territory hierarchy
Sharing rules
Teams
Manual sharing
Programmatic sharing
Salesforce calculates record access only when configuration changes occur, so that
the calculated results persist to facilitate rapid scanning and minimize the number of database table joins needed to determine record access at run time.
What are the four types of access grants in Salesforce?
Explicit grants
group membership grants
inherited grants
implicit grants
Salesforce uses explicit grants when:
a user or queue becomes an owner
a sharing rule shares a record to a group, queue, role or territory
an assignment rule shares a record to a user or queue
a territory assignment rule shares a record to a territory
a record is manually shared to a user, personal or public group, queue, role or territory
a user becomes part of a team for an account, opportunity or case
programmatic customization shares a record to a user, personal or public group, queue, role or territory
Grants which occur when a user, personal or public group, queue, role or territory is a member of a group that has explicit access to a record
Group membership grants
Example: an explicit grant gives the Example group access to the Acme record, and a user is a member of the Example group; the user's membership in the Example group grants the user access to the Acme record
Grants which occur when a user, personal or public group, queue, role or territory inherits access through a role or territory hierarchy, or is a member of a group that inherits access through a group hierarchy
Inherited grants
Grants which occur when non-configurable record-sharing behaviors built into Salesforce grant access to certain parent and child records
Implicit grants
Example (default, built-in sharing): users can view a parent account record if they have access to its child opportunity, case or contact record, and if a user has access to a parent account record, they also have access to its child opportunity, case and contact records
What are the three types of tables which store access grants?
Object record tables
Object sharing tables
Group Maintenance table
Table that store the records of a specific object and indicate which user, group, or queue owns each record
Object record tables
Tables that store the data that supports explicit and implicit grants (most objects in Salesforce)
Object Sharing tables
In what instances do objects not have their own sharing table?
- master-detail relationship: the master object controls access to the detail object
- both OWD settings (internal and external) are Public Read/Write
- the object is a type that doesn't support object sharing tables, such as activities or files; they have their own access control mechanism
Tables that store the data supporting group membership and inherited access grants.
Group maintenance tables
grants are established in advance, when you create or change the group (or role, or territory) membership information
Which grant tables determine a user's access to data when they are searching, querying, or pulling up a report or list view?
Object Sharing tables - access grants to individuals and groups
Group Maintenance tables - list of users or groups that belong to each group
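The four grant types, the three table types and the owner-change behaviour of manual sharing above are pulled together in the following added model. It is written for this page and is not Salesforce's code or schema: it keeps an object record table (owner per record), an object sharing table of (record, grantee, level, row cause) rows, and a group maintenance table that is flattened when role or group membership changes, then answers access questions by lookup at "run time". The org, users, roles, records and shares are constructed for the example, and the Read level used for child implicit sharing is an assumption (Salesforce sets that level per role).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

LEVEL = {"None": 0, "Read": 1, "Edit": 2}
NAMES = ["None", "Read", "Edit"]


@dataclass
class Record:                        # row in an object record table
    id: str
    sobject: str
    owner: str
    account: Optional[str] = None    # parent Account for Contact/Case/Opportunity children


@dataclass
class Org:
    roles: Dict[str, Optional[str]]      # role -> parent role (None at the top)
    users: Dict[str, str]                # user -> role
    public_groups: Dict[str, Set[str]]   # group -> direct members: users or "Group:<name>"
    owd: Dict[str, str]                  # sobject -> "Private" | "Public Read Only" | "Public Read/Write"
    records: Dict[str, Record] = field(default_factory=dict)
    # object sharing table rows: (record id, grantee user or "Group:<name>", level, row cause)
    shares: List[Tuple[str, str, str, str]] = field(default_factory=list)
    group_maintenance: Dict[str, Set[str]] = field(default_factory=dict)

    def recalculate_groups(self) -> None:
        """Group maintenance tables: flatten the role hierarchy and nested public groups
        once, when membership changes, so run-time checks are plain set lookups."""
        children = {r: {c for c, p in self.roles.items() if p == r} for r in self.roles}
        for role in self.roles:
            members, stack = set(), [role]
            while stack:
                r = stack.pop()
                members |= {u for u, ur in self.users.items() if ur == r}
                stack.extend(children[r])
            self.group_maintenance[f"RoleAndSubordinates:{role}"] = members

        def expand(group: str, seen: Set[str]) -> Set[str]:
            out: Set[str] = set()
            for m in self.public_groups.get(group, set()):
                if m in self.users:
                    out.add(m)
                elif m.startswith("Group:") and m[6:] not in seen:
                    out |= expand(m[6:], seen | {m[6:]})
            return out
        for g in self.public_groups:
            self.group_maintenance[f"Group:{g}"] = expand(g, {g})

    def is_above(self, user: str, other: str) -> bool:
        # inherited grant: user's role is strictly above other's role in the hierarchy
        below = self.group_maintenance.get(f"RoleAndSubordinates:{self.users[user]}", set())
        return other in below and self.users[other] != self.users[user]

    def granted_level(self, user: str, rec: Record) -> int:
        """OWD plus explicit, inherited and group-membership grants for one record."""
        best = {"Public Read/Write": 2, "Public Read Only": 1}.get(self.owd.get(rec.sobject, "Private"), 0)
        if rec.owner == user or self.is_above(user, rec.owner):      # owner row + role hierarchy
            return LEVEL["Edit"]
        for _rid, grantee, level, _cause in (s for s in self.shares if s[0] == rec.id):
            if grantee == user or (grantee in self.users and self.is_above(user, grantee)):
                best = max(best, LEVEL[level])                         # explicit grant (+ inherited)
            elif user in self.group_maintenance.get(grantee, set()):
                best = max(best, LEVEL[level])                         # group membership grant
        return best

    def access_level(self, user: str, record_id: str) -> str:
        """Run-time check: configured grants first, then the built-in implicit grants."""
        rec = self.records[record_id]
        best = self.granted_level(user, rec)
        if rec.sobject == "Account":
            # parent implicit sharing: any access to a child record gives Read on the account
            for child in self.records.values():
                if child.account == rec.id and self.granted_level(user, child) > 0:
                    best = max(best, LEVEL["Read"])
        elif rec.account:
            # child implicit sharing: the account owner (and roles above) gets access to the
            # account's children; Salesforce sets the level per role, Read is assumed here
            acct = self.records[rec.account]
            if acct.owner == user or self.is_above(user, acct.owner):
                best = max(best, LEVEL["Read"])
        return NAMES[best]

    def change_owner(self, record_id: str, new_owner: str) -> None:
        """Owner change: the owner row follows the record, manual shares are dropped."""
        self.records[record_id].owner = new_owner
        self.shares = [s for s in self.shares if not (s[0] == record_id and s[3] == "Manual")]


def demo_org() -> Org:
    """Constructed org (all names invented) used by the checks below."""
    org = Org(
        roles={"CEO": None, "VP Sales": "CEO", "Sales Rep": "VP Sales", "Support": "CEO", "Finance": "CEO"},
        users={"alice": "CEO", "bob": "VP Sales", "carol": "Sales Rep", "dave": "Sales Rep",
               "erin": "Support", "frank": "Finance"},
        public_groups={"Deal Desk": {"Group:Finance Team"}, "Finance Team": {"frank"}},
        owd={"Account": "Private", "Case": "Private"},
    )
    org.records = {"acme": Record("acme", "Account", owner="carol"),
                   "case1": Record("case1", "Case", owner="erin", account="acme")}
    org.shares.append(("case1", "dave", "Read", "Manual"))          # manual share to a peer
    org.shares.append(("acme", "Group:Deal Desk", "Read", "Rule"))  # sharing rule to a nested group
    org.recalculate_groups()
    return org
```

Walking the constructed org: carol owns Acme (explicit grant), bob and alice sit above her in the role hierarchy (inherited grant), frank reaches Acme only through the nested Deal Desk group that the maintenance table flattened (group membership grant), and dave, a peer of carol with no configured access to Acme, still reads it because the case manually shared with him is a child of that account (implicit grant). Changing the case's owner drops the manual share, and with it both dave's case access and his implicit read on Acme.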