Security

Question 1

What is the bluntest way to prevent a user from seeing, creating, editing or deleting any instance of a particular type of object, such as a lead or opportunity?

Answer 1

Object-level security (also known as object permissions) via Permission sets and Profiles

Question 2

How can you hide whole tabs and objects from particular users, so that they don’t even know that type of data exists?

Answer 2

Use Object-level security (also known as object permissions) via Permission sets and Profiles

Question 3

Describe Profiles as defined in Salesforce

Answer 3

Profiles are typically defined by a user’s job function (ex, system administrator or sales representative). A profile can be assigned to many users, but a user can be assigned to only one profile

Question 4

What do Permission Sets do?

Answer 4

Permission sets are used to grant additional permissions and access settings to users. It’s easy to manage user’s permissions and access with permission sets, because you can assign multiple permission sets to a single user

Question 5

What are the 3 steps in setting up record-level security?

Answer 5

1. Determine the organization-wide sharing settings for each object,
2. Define a hierarchy for your users
3. Create sharing rules

Question 6

What is the consequence if you disable a permission or remove an access setting in a profile and any permission sets that are assigned to a user?

Answer 6

The permission or access setting is disabled for all other users assigned to the profile or permission sets

Question 7

What is the consequence if a permission or access setting is enabled in the user’s profile and you assign them a different profile, or if you remove a permission set from the user?

Answer 7

The user may lose other permissions or access settings associated with the profile or permission sets

Question 8

What are the following permissions used for:

• View All
• Modify All

Answer 8

it’s used for delegation of object permissions

Question 9

What are the following permissions used for:

• View All Data
• Modify All Data

Answer 9

It’s used to manage all data in an organization; for example, data cleansing ,deduplication, mass deletion, mass transferring, and managing record approvals

Question 10

What is the following permission use for:

- View All Users

Answer 10

It’s used for viewing all users in the organization. Grants Read access to all users, so that you can see their user record details, see them in searches, list views, and so on.

Question 11

Who would typically need the following permissions:

• View All
• Modify All

Answer 11

Delegated administrators who manage records for specific objects

Question 12

Who would typically need the following permissions:

• View All Data
• Modify All Data

Answer 12

Administrators of an entire organization

Question 13

Who would typically need the following permission:

- View All Users

Answer 13

Users who view all users in the organization, especially if the organization-wide default for the user object is Private. Administrators with the “Manage Users” permission are automatically granted the “View All Users” permission

Question 14

There are 4 Salesforce Standard objects for which “View All” and “Modify All” are not available. Which 4 are those?

Answer 14

Ideas
Price books
Article Types
Products

Question 15

Who is the target audience for permissions that respect sharing?

Answer 15

End-users

Question 16

Who is the target audience for permissions that override sharing?

Answer 16

Delegated Data Administrators

Question 17

Where are permissions that respect sharing managed?

Answer 17

CRED object permissions
and
Sharing Settings

Question 18

Where are permissions that override sharing managed?

Answer 18

“View All” and “Modify All”

Question 19

For permissions that respect sharing, do you have the ability to approve records, or edit and unlock records in an approval process?

Answer 19

No

Question 20

For permissions that override sharing, do you have the ability to approve records, or edit and unlock records in an approval process?

Answer 20

It’s available on all objects with “Modify All” access

Question 21

For permissions that respect sharing, how can you report on all records

Answer 21

If you have a sharing rule that states: the records owned by the public group “Entire Organization” are shared with the specified group, with Read-Only access

Question 22

Which permission that overrides sharing will provide you with the ability to report on all records?

Answer 22

If you have “View All” available on the object

Question 23

Can you edit multiple profiles at the same time?

Answer 23

If enhanced profile list views are enabled for your organization, you can change permissions in up to 200 profiles directly from the list view, without accessing individual profile pages

Question 24

Is it possible to edit all contacts associated with an account you own even if you don’t own the contacts themselves?

Answer 24

Yes, you can set contact access so that users in a role can edit all contacts associated with accounts that they own

Question 25

If a user does not have the “View Encrypted Data” permission, can they still edit the encrypted field?

Answer 25

Yes

Question 26

How can you restrict edit access to an encrypted field?

Answer 26

Use validation rules, field-level security settings, or page layout settings to prevent users from editing encrypted fields

Question 27

Can you create criteria-based sharing rules with Apex?

Answer 27

No. You also cannot test criteria-based sharing with Apex

Question 28

Can high-volume portal users be included in sharing rules?

Answer 28

No, because they don’t have roles and can’t be in public groups

Question 29

What is the limit of criteria-based sharing rules per object?

Answer 29

50

Question 30

How can an admin prevent users outside of he Sales Department from accessing the Leads object?

A. Create, read, update, delete restrictions
B. Field level security restrictions
C. Sharing settings
D. All of the above

Answer 30

A. Create, read, update, delete restrictions

Question 31

How can an admin give a regional Sales team access to a subset of opportunity records?

A. Create, read, update, delete restrictions
B. Field level security restrictions
C. Sharing settings
D. All of the above

Answer 31

C. Sharing settings

Question 32

How can an admin give only the HR department access to the Salary field on the User object?

A. Create, read, update, delete restrictions
B. Field level security restrictions
C. Sharing settings
D. All of the above

Answer 32

B. Field level security restrictions

Question 33

Which of the following automatically enforces CRUD/FLS settings?

A. Custom Visualforce pages with standard controller
B. Apex controllers
C. Apex Triggers
D. Apex Webservice

Answer 33

A. Custom Visualforce pages with standard controller

Question 34

When does the platform bypass admin-configured authorization settings by default?

A. When you call executeanonoymous() API
B. When you access the standard Accounts tab
C. In a custom Apex Trigger
D. When you have a custom Visualforce page with a standard controller

Answer 34

C. In a custom Apex Trigger

Question 35

If Salesforce is secure software, why is application security important to Force.com developers?

A. As a platform, Salesforce releases some security control to developers to provide maximum flexibility to meet business needs

B. Application security is not important, developers do not need to learn anything about security

C. Security is only the responsibility of Salesforce administrators

D. All the above

E. None of the above

Answer 35

A. As a platform, Salesforce releases some security control to developers to provide maximum flexibility to meet business needs

Question 36

Why is application security of increased importance to developers releasing products to AppExchange?

A. AppExchange products reach many customers, so issues are replicated across many environments

B. The AppExchange listing process requires a mandatory security assessment with zero security findings

C. Customer trust is of utmost importance to Salesforce, and it is essential for AppExchange partners to maintain this trust

D. All the above

E. None of the above

Answer 36

D. All the above

Question 37

What is typically involved in setting up Record-level access

Answer 37

• Organization-wide defaults
• Role hierarchy
• Territory hierarchy
• Sharing Rules
• Teams
• Manual sharing
• Programmatic sharing

Question 38

When can you use Custom Metadata Types to store authentication data and other secrets?

Answer 38

You can use “Protected Custom Metadata Types”. Within a namespaced managed package, protected custom metadata types are suitable for storing authentication data and other secrets. Custom metadata types can also be updated via the metadata API in the organization that created the type, and can be read (but not updated) at run time via SOQL code within an apex class in the same namespace as the metadata type.

Secrets which are common across all users of the package (such as an API key) needs to be stored in Managed Protected Custom Metadata Types. Secrets should never be hard-coded in the package code or displayed to the user.

Question 39

How can you assure Custom Settings that is included in a managed package can only be accessed programatically via Apex code within the package?

Answer 39

Set the visibility of the Custom Setting Definition to “Protected” and include it in a managed package. This is useful for secrets that need to be generated at install time or initialized by an admin user.

Question 40

Can custom settings be updated at run-time in your Apex class?

Answer 40

Yes, but it cannot be updated via the Metadata API

Question 41

Can custom metadata types be updated at runtime in your Apex class?

Answer 41

No, but it can be updated via the Metadata API

Question 42

What does the Apex Crypto class provide?

Answer 42

Algorithms for creating digests, MACs, signatures and AES encryption. When using the crypto functions to implement AES encryption, keys must be generated randomly and stored securely in a Protected Custom Setting or Protected Custom Metadata type. Never hardcode the key within an Apex class

Question 43

How are Encrypted Custom fields encrypted?

Answer 43

Via 128-bit keys and using the AES algorithm

Question 44

How does an XSS attack work?

Answer 44

XSS attacks occur when user supplied input is reflected in the HTML of a web page. Due to poor separation between code context and user data, the user input is executed as code

Question 45

What can you do to prevent SOQL Injection?

Answer 45

Avoid using dynamic SOQL queries. Instead use static queries and binding variables.

Question 46

If you must use dynamic SOQL, how can you prevent SOQL Injection?

Answer 46

Use the escapeSingleQuotes method to sanitize user-supplied input. This method adds the escape character () to all single quotation marks in a string that is passed in from a user. The method ensures that all single quotation marks are treated as enclosing strings, instead of database commands

Question 47

What are the three main encoding functions that developers can use to neutralize potential XSS threats

Answer 47

HTMLENCODE
JSENCODE
JSINHTMLENCODE

Question 48

If the value is going to be parsed by the JavaScript parser, should you use:
A. HTMLENCODE
B. JSENCODE
C. JSINHTMLENCODE

Answer 48

B. JSENCODE

Question 49

If the value is going to be parsed by the HTML parser, should you use:
A. HTMLENCODE
B. JSENCODE
C. JSINHTMLENCODE

Answer 49

A. HTMLENCODE

Question 50

If it’s a combination of both JavaScript parser and HTML parser, what should you use?
A. HTMLENCODE
B. JSENCODE
C. JSINHTMLENCODE

Answer 50

You can use C. JSINHTMLENCODE or a combination of A and B as follows; JSENCODE(HTMLENCODE())

Question 51

What does the escape=”false” attribute do in HTMLENCODE() functions?

Answer 51

It disables the built-in platform HTML encoding. The developer has to wrap the merge field with HTMLENCODE to ensure the value is rendered as text and not code