Security Flashcards
What controls access to applications and objects (including fields and record types)?
Profiles and Permission sets
What are the 4 capabilities available on an object via a profile?
Create
Read
Edit
Delete
What controls access to specific records?
OWD (the baseline), then the role hierarchy, sharing rules, manual sharing and Apex managed sharing, which can only open access back up
What level of access can be granted at the record level?
Read or Read/Write
Do profile object permissions override the org’s sharing model or role hierarchy?
No. Object permissions set the ceiling on what a user may do with an object; sharing decides which records they may do it to. Even with full CRED access, a user cannot edit or delete a record they do not own when the OWD is Public Read Only, unless the role hierarchy, a sharing rule or a manual share grants them Read/Write on that record.
What two object permissions are the exception, in that they do override sharing settings?
View All
Modify All
*these grant read (View All) or full (Modify All) access to every record of the object regardless of OWD, role hierarchy or sharing rules; the org-wide ‘View All Data’ and ‘Modify All Data’ permissions do the same across all objects
What determines access to tabs and apps?
Profiles
What does ‘Default On’ mean for a tab?
The tab is visible in the selected app(s) and appears in the user’s navigation by default
What does ‘Default Off’ mean for a tab?
The tab is not shown by default, but the user can add it while customizing their tabs
What does ‘Tab Hidden’ mean?
The tab is not shown and the user cannot add it. This is a navigation setting, not a security control: if the profile still grants object permissions, the records remain reachable through search, links, reports and the API.
What are six standard profiles?
- Standard User
- Read Only
- System Administrator
- Marketing User
- Solution Manager
- Contract Manager
Can you assign permission sets via a user list view?
Yes
What is the purpose of permission sets?
To grant additional access to specific users so that profiles do not need to be altered/created
Can the OWD grant more access than object access defined in a user’s profile?
No
What two objects does the ‘Public Read/Write/Transfer’ default apply to?
Leads and Cases
What is the purpose of OWD?
- It is the only sharing mechanism that restricts access; role hierarchy, sharing rules, manual sharing and Apex managed sharing can only open access back up
- It establishes the baseline access to records NOT owned by the user
What does ‘Controlled by Parent’ mean?
The user’s access to the child record (e.g. a Contact or Order under an Account, or the detail record of a master-detail relationship) is whatever access they have to the parent record; the child has no independent OWD.
What does ‘Price Book: Use’ mean?
All users can view price books, add price books to opps, and add products in the price books to opps
What does ‘Price Book: View Only’ mean?
users can view price books – but only users with ‘Edit’ permission on opps or users that have been manually granted access can add price books to opps.
What does ‘Price Book: No Access’ mean?
Users do not have visibility to price books and cannot add them to opps unless it has been manually shared with them
What does ‘Activity: Private’ mean?
Only the owner of the activity and users above them in role hierarchy can edit and delete activity. Users that have read access to the record that is related to the activity can view it.
What does ‘Activity: Controlled by Parent’ mean?
Activity permissions are determined by the access the user has on the record related to the activity
What does ‘Campaign: Public Full Access’ mean?
Users can view, edit, transfer, delete, and report on all Campaign records
What does ‘Campaign Member: Controlled by Campaign’ mean?
Only users who have access to the campaign are able to see the details of the campaign members related to that campaign
What does ‘Campaign Member: Controlled by Lead or Contact’ mean?
Only users who have access to the lead or contact records of the campaign members are able to see those campaign members.
What does ‘User: Private’ mean?
All users have read access to their own user record and those below them in the hierarchy
What does ‘User: Public Read Only’ mean?
All users can see one another’s user detail pages. They can also see all users in the lookups, list views, ownership changes, user operations, and search.
What access setting is applied to custom objects on the detail side of a master-detail relationship with a standard object (and cannot be changed)?
‘Controlled by Parent’
Can the role hierarchy grant more access than the OWD (when the OWD is more restrictive than Public Read/Write)?
Yes, it allows a manager above the owner to edit a record when the OWD is set to Private or Public Read Only
Does the role hierarchy override object access?
No. Even when the hierarchy grants record access, the manager can still be blocked by their profile or permission set (e.g. no Edit permission on the object).
What objects can have exact access specified during Role setup/edit? What are the levels? Under what condition are they displayed?
- Contact, Opportunity, and Case
- No Access, View Access, or Edit Access
- These options will NOT appear if OWD is Public Read/Write (because it wouldn’t matter anymore)
What do Manager Groups do?
- allow users to share records up or down the management chain
- uses the ‘Manager’ field on the user’s detail page
- user can choose to share records with Manager Groups or Manager Subordinate Groups
- records can be shared with a manager group manually, via a sharing rule, or via Apex managed sharing
- can be enabled in Setup > Sharing Settings
What objects can use a queue?
- Cases
- Contact Requests
- Leads
- Orders
- Service Contracts
- Knowledge Article Versions
- Custom objects
What can groups and queues consist of?
- (other) Public Groups
- Users
- Roles
- Roles and Subordinates
- Territories
- Territories and Subordinates
Who can be specified in sharing rules?
- Role
- Public Group
- Territory membership
- Manager Group
What are the two ways a sharing rule can be evaluated?
1. Record ownership (owner-based sharing rule)
2. Record criteria (criteria-based sharing rule)
How are records shared using manual sharing?
using the ‘Sharing’ button
Can records be manually shared in Lightning Experience?
Yes, since the Spring ’20 release, via the ‘Sharing’ action on the record. In earlier releases manual sharing required switching to Salesforce Classic.
What objects can be manually shared?
Accounts, Contacts, Leads, Users, Cases, and custom objects
What are the different groups you can manually share with?
- Users
- Roles
- Roles and Subordinates
- Territories
- Territories and Subordinates
- Public Groups
- Manager Groups
Can someone who is not the record owner manually share a record?
Yes. Besides the owner, a record can be manually shared by a user above the owner in the role hierarchy, a user who has Full Access to the record, or an administrator (Modify All).
How do you ensure that a User record is not manually shared?
Uncheck ‘Manual User Record Sharing’ on the Sharing Settings page
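The manual sharing and Apex managed sharing mentioned above both work by inserting rows into the object’s share table. The class below is an added example, not from these flashcards or from Salesforce’s own documentation. It uses the ‘Vehicle__c’ custom object from the scenario cards further down and assumes (a) the OWD for Vehicle__c is Private or Public Read Only, because the Vehicle__Share object only exists when the OWD is more restrictive than Public Read/Write, and (b) an Apex Sharing Reason with the API name ‘Supervisor_Review__c’ has been created on the object. Both names are assumptions for the example.

```apex
// Added example: Apex managed sharing for the Vehicle__c custom object.
// Assumptions: OWD for Vehicle__c is Private or Public Read Only (otherwise
// Vehicle__Share does not exist), and an Apex Sharing Reason named
// 'Supervisor_Review__c' has been created under Object Manager > Vehicle.
public with sharing class VehicleSharingService {

    // Grants the given users or groups access to the given vehicles.
    // accessLevel must be 'Read' or 'Edit'. 'All' belongs to the owner
    // and cannot be granted through a share record.
    public static List<Database.SaveResult> shareVehicles(
            Set<Id> vehicleIds, Set<Id> userOrGroupIds, String accessLevel) {

        if (accessLevel != 'Read' && accessLevel != 'Edit') {
            throw new IllegalArgumentException(
                'accessLevel must be Read or Edit, got: ' + accessLevel);
        }

        List<Vehicle__Share> shares = new List<Vehicle__Share>();
        for (Id vehicleId : vehicleIds) {
            for (Id principalId : userOrGroupIds) {
                shares.add(new Vehicle__Share(
                    ParentId      = vehicleId,      // record being shared
                    UserOrGroupId = principalId,    // user, public group, role or territory group
                    AccessLevel   = accessLevel,
                    // Custom reason: the grant survives owner changes and is not
                    // removed when someone edits shares via the Sharing button.
                    // Using RowCause.Manual instead would make it an ordinary
                    // manual share with those properties.
                    RowCause      = Schema.Vehicle__Share.RowCause.Supervisor_Review__c
                ));
            }
        }

        // allOrNone = false: a row that duplicates an existing grant, or that
        // targets a principal who already has wider access, fails on its own
        // without rolling back the rest. Callers inspect the SaveResults.
        return Database.insert(shares, false);
    }

    // Revokes only the grants this service created, leaving manual shares,
    // sharing rules and role-hierarchy access untouched.
    public static Integer revokeVehicles(Set<Id> vehicleIds, Set<Id> userOrGroupIds) {
        List<Vehicle__Share> toDelete = [
            SELECT Id FROM Vehicle__Share
            WHERE ParentId IN :vehicleIds
              AND UserOrGroupId IN :userOrGroupIds
              AND RowCause = :Schema.Vehicle__Share.RowCause.Supervisor_Review__c
        ];
        delete toDelete;
        return toDelete.size();
    }
}
```

Two practitioner caveats: only users with ‘Modify All Data’ can add or change shares that use a custom Apex sharing reason, whereas shares inserted with RowCause Manual follow the manual sharing rules on the cards above (owner, above the owner in the hierarchy, Full Access, or admin); and because the share table disappears when the OWD is raised to Public Read/Write, code like this stops compiling if an admin later changes the OWD, which is a useful signal rather than a silent loss of control.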
Where is Field-Level Security set?
Profiles or Permission sets
Is Field-Level Security enforced even for users with ‘Modify All Data’ or ‘View All Data’?
Yes. Those permissions bypass record-level sharing, not field-level security; a field hidden by FLS stays hidden from them too (the System Administrator profile only sees every field because its FLS grants it).
Where is a field hidden when FLS sets it to not visible?
- record detail/edit pages
- related lists
- list views
- reports
- email and merge templates
Field visibility is governed by both the page layout and FLS. How are contradictions handled?
The most restrictive setting always wins: FLS can hide a field the layout shows, but a layout cannot show a field FLS hides. Only FLS is a security control; page layout settings do not apply to reports, list views or the API.
Does FLS prevent searching on values?
No, but the record will be returned in the search results WITHOUT the protected field(s)
What are the two settings for FLS?
Visible checkbox
Read only checkbox
Where do you specify which Apex classes and Visualforce pages a user can access?
Profiles or permission sets (Apex Class Access and Visualforce Page Access)
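Granting a user access to an Apex class does not by itself make the class honour the profile, FLS and sharing settings on the cards above: Apex runs in system mode by default and bypasses all three unless the code opts in. The class below is an added example, not from these flashcards or from Salesforce’s documentation, showing the opt-in for each layer. It uses only the standard Account object and its standard AnnualRevenue field; the class and method names are invented for the example.

```apex
// Added example: enforcing the declarative security model inside Apex.
// 'with sharing' makes OWD, role hierarchy, sharing rules and manual shares
// apply to the SOQL and DML in this class. Object permissions and FLS are
// NOT enforced by 'with sharing'; they need the explicit checks below.
public with sharing class AccountRevenueService {

    public class AccessDeniedException extends Exception {}

    // Record level: because of 'with sharing', the query returns only accounts
    // the running user can see. Field level: stripInaccessible removes fields
    // the user has no FLS for, instead of returning them for a caller to leak.
    public static List<Account> readable(Set<Id> accountIds) {
        List<Account> rows = [
            SELECT Id, Name, AnnualRevenue
            FROM Account
            WHERE Id IN :accountIds
        ];
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, rows);
        // decision.getRemovedFields() lists what was stripped, per object,
        // if the caller needs to log or explain the omission.
        return decision.getRecords();
    }

    // Object and field level: refuse the update outright if the profile or
    // permission set lacks Edit on Account, or FLS marks AnnualRevenue
    // read-only (or invisible, which also makes isUpdateable() false).
    // Record level: 'with sharing' makes the DML fail for accounts the user
    // can read but not edit, e.g. OWD Public Read Only on a record they do
    // not own and are not above in the hierarchy.
    public static Integer setRevenue(Map<Id, Decimal> revenueByAccountId) {
        if (!Schema.sObjectType.Account.isUpdateable()) {
            throw new AccessDeniedException('No Edit permission on Account');
        }
        if (!Schema.sObjectType.Account.fields.AnnualRevenue.isUpdateable()) {
            throw new AccessDeniedException('AnnualRevenue is read-only for this user');
        }

        List<Account> updates = new List<Account>();
        for (Id accountId : revenueByAccountId.keySet()) {
            updates.add(new Account(
                Id = accountId,
                AnnualRevenue = revenueByAccountId.get(accountId)
            ));
        }
        update updates;
        return updates.size();
    }
}
```

The failure mode this guards against is a ‘without sharing’ or default-mode class exposed through a Lightning component or Visualforce page: a user with Read-only FLS on a field, or with no record access at all, can then read or write through the class whatever the profile and OWD say. Where a hard failure is preferable to silently dropping fields, the SOQL can use WITH SECURITY_ENFORCED, which throws a QueryException instead of returning records with inaccessible fields removed.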
An organization uses a private sharing model. Marcus is a sales representative who needs to share an account record he owns with his co-worker Sam.
As the record owner, Marcus can share the account record with Sam manually, using the ‘Sharing’ button on the record.
Rachel is a Salesforce admin who needs to ensure that all users with the sales rep role are able to edit opportunities in the org that uses a ‘Public Read Only’ model.
A sharing rule can be created for this requirement: it shares an object’s records with users in a given role, at Read/Write access here, and can be based on record ownership or on record criteria.
Users of an organization should not be able to view account records owned by others. A public group of managers should be able to view all account records.
The OWD for Account can be set to Private. A sharing rule can be used to grant access to a public group.
Records of a custom object named ‘Vehicle’ should only be accessed by support users and their supervisors. Support users should be able to view and edit all ‘Vehicle’ records.
Object access to ‘Vehicle’ can be granted only to the profiles (or permission sets) of support users and their supervisors; every other profile gets no CRED on the object. The OWD can then be set to ‘Public Read/Write’ so that the users who do have object access can view and edit each other’s records.
The OWD setting for a custom object has been set to Private. An admin needs to ensure that users above others in the role hierarchy are able to access the records those users own.
Ensure the ‘Grant Access Using Hierarchies’ option is enabled for the object. This option exists only for custom objects; for standard objects, access through the role hierarchy is always on.
A single user requires the permission to view and edit records of a certain custom object.
A permission set can be used to grant additional access to a user. A new custom profile would be unnecessary for this use case.
An org would like to allow its marketing department to be able to see only the details of the campaign members whose contact or lead records they have access to.
The OWD setting of ‘Controlled by Lead or Contact’ on the Campaign Member object allows users to see only the campaign members whose contact or lead records they have access to in Salesforce.
Users of an org are currently only able to see campaign members whose lead or contact records they have access to. However, the Marketing Director would like them to access campaign member records only if they have access to the related campaign. Also, users who belong to a certain public group require access to all campaign members regardless of the default access.
The OWD setting of ‘Controlled by Campaign’ can be used for the Campaign Member object so that users see campaign members only if they have access to the associated campaign. Since the Campaign Member object inherits sharing from the Campaign object, a campaign sharing rule can be created to give the public group access to all campaigns, which in turn gives access to all the related campaign member records.
What are permission sets?
A group of permissions and settings that can be assigned to one or more users. They are used to grant additional access.
What does field-level security control?
Whether a field is visible or read-only for a user, set at the profile or permission set level
What takes longer, opening up access or restricting it via OWD?
Opening access takes effect immediately
Restricting access triggers a sharing recalculation, which takes time
What should be used to grant a single user additional access to an object in salesforce?
permission set
What OWD would be used to ensure that users cannot access account records not owned by them?
Private