Security & Access (13%) Flashcards
Only the users who have been assigned to the “Accounts Receivable” profile should be able to view and access the “Credit Status” field on the Account object via the detail page, reports, and the API. What is the best way for the admin to accomplish this? Choose 1
A.) Create two page layouts, one with the credit status field, the other without. Assign the first to the “Accounts Receivable” profile and the second to the other profiles.
B.) It is not possible to display a field for the only one profile.
C.) Use field-level security to set the “Visible” setting to not visible for all profiles except Accounts Receivable
D.) Set the Credit Status field to be not visible on the page layout for all profiles except Accounts Receivable
C.) Use field-level security to set the “Visible” setting to not visible for all profiles except Accounts Receivable
Field-level security sets, per profile (or permission set), whether a field is visible and whether it is read-only, and it is enforced everywhere the field can be reached: the detail page, reports, list views, and the API. Removing a field from a page layout only hides it on that layout; a user whose profile still has field access can read it through reports or the API. Page layouts are the right tool for arranging which fields appear on a given page, but when the requirement is about which users may see a field at all, field-level security is the control to use.
An admin wants to insert records using Data Loader, but he does not have access to his email where the security token has been sent. How can he proceed? Choose 1
A.) Raise a case to SFDC support
B.) Ensure that the IP address is not within the restricted IP range
C.) Add the IP address to the trusted IP range
D.) Uncheck “Use Security Token” in Data Loader settings
C.) Add the IP address to the trusted IP range
If the IP address has been added to the trusted IP range (Setup -> Security Controls -> Network Access), Data Loader, which logs in through the API, accepts the password alone; from any other address the security token must be appended to the password.
All users in an SFDC org have been assigned a profile that allows them to read, create, edit and delete records of most of the standard objects. The admin needs to provide access to a group of external users but would like to ensure that they have read-only access to all the major standard objects. What is the best way to accomplish this? Choose 1
A.) Assign the Read-Only standard profile and create a permission set to remove delete permission on all the objects
B.) Assign the Standard User profile but deselect the “Delete All” permission on the user records of external users
C.) Clone the Standard User profile to create a new custom profile which does not grant the delete permission
D.) Clone the standard “Read-Only” profile and assign it to the external users
D.) Clone the standard “Read-Only” profile and assign it to the external users
SFDC includes a number of standard profiles that can be used as-is, including a “Read-Only” profile that allows users to view but not edit the records of most standard objects. SFDC recommends cloning a standard profile and assigning users to the clone as a best practice, so that access and permissions can be adjusted later without being limited by the fixed settings of the standard profile.
External users that require read-only access can be assigned to the cloned Read-Only profile. A permission set, on the other hand, can only grant additional permissions to specific users; it cannot remove or restrict access. Also, there is no “Delete All” permission on the user object.
All users have the Standard User profile assigned. The admin would now like all users to be able to read, create and edit contacts but only allow managers to delete contacts. What is the best way to handle this? Choose 1
A.) Add “Delete All” permission to the user records
B.) Create a new profile for managers and enable delete permission for contacts
C.) Modify the standard profile to remove delete permission on contacts and create a new profile for managers with delete permission
D.) Clone the standard profile and assign to all users. Remove delete permission on contacts in the cloned profile. Create a permission set that includes permission to delete contacts, and assign the permission set to manager
D.) Clone the standard profile and assign to all users. Remove delete permission on contacts in the cloned profile. Create a permission set that includes permission to delete contacts, and assign the permission set to manager
Standard profiles cannot be modified, so the profile must be cloned before the delete permission on contacts can be removed. Permission sets only add permissions, which makes them the right way to give managers delete access back on top of the restricted profile.
An Account Executive is regularly working with a number of colleagues on opportunities. One of the colleagues should be able to view but not update the opportunities. What is the best way to give the other people he is working with the required access to the opportunities and track their role on the opportunity? Choose 1
A.) Create a sharing rule
B.) Create an Opportunity Team and set access for each user
C.) Use manual sharing to add the users to each opportunity
D.) Add the user to the role hierarchy below the account executive
B.) Create an Opportunity Team and set access for each user
Manual sharing can grant individual users access to a record, but it cannot record the role they play. An opportunity team lets the owner specify each member’s access level (read-only or read/write) and their team role on the opportunity.
The Account object has two record types named “Prospect” and “Customer”. A user would like that when he clicks on the “New” button on the account page, the “Prospect” record type is selected automatically for creating the account record. What can be used to enable this? Choose 2 answers.
A.) Record type preference in User Settings
B.) Default record type settings in the user’s profile
C.) Default record type settings on the Account object
D.) Default record type settings in a permission set
A.) Record type preference in User Settings
B.) Default record type settings in the user’s profile
The default record type is set at the profile level, in the record type settings for the object. Whether the record type selection page is skipped and that default applied automatically is chosen by the user in their personal settings. Permission sets can grant access to record types but cannot set a default.
A Company would not like their employees to access SFDC from home. How can this be achieved? Choose 1
A.) Enable “Trusted Login Only” setting
B.) Define Login IP Ranges for all profiles
C.) Define permission sets
D.) Define Trusted Login IP ranges
B.) Define Login IP Ranges for all profiles
Trusted IP ranges (Setup -> Network Access) list the addresses from which users can log in without an identity verification challenge; they do not block logins from other addresses. Login IP Ranges are defined per profile, and a login from an address outside a profile’s ranges is refused outright, so setting them on every profile prevents access from home networks.
John needs a number of colleagues to have visibility and collaborate on a case related to an account he owns. What is the best way to allow them to have access to the case record? Choose 1
A.) Add the users to the case team
B.) Create a sharing rule
C.) Use manual sharing to grant access to each other
D.) Set the organization-wide sharing default to “Public Read-Only”
A.) Add the users to the case team
In this scenario, a group of users needs access to one case record in order to collaborate on it. A sharing rule is the wrong tool for a single record, whatever criteria could be written for it; sharing rules share sets of records with public groups, roles, or territories. A case team lets a group of users work together on a case, with each member’s access set to read-only or read/write; if the organization has predefined case teams, a whole team can be added to the case instead of individual users. Setting the organization-wide default to “Public Read-Only” would give every user view access to every case, which does not meet the requirement.
An admin can define a sharing rule to share records with a public group. Which of the following can be included in a public group? Choose 3
A.) Users assigned to specific territories
B.) Profiles
C.) Roles
D.) Permission Sets
E.) Other public groups
A.) Users assigned to specific territories
C.) Roles
E.) Other public groups
Public groups can contain a combination of individual users, roles, roles and subordinates, users assigned to specific territories, and other public groups. Profiles and permission sets cannot be included in a public group definition.
There is a request for the sales director to have certain records of the “Delivery” custom object shared with four of the nine sales managers. Only records that have the “Pending” value on the “Status” field should be shared with these sales managers. The org-wide default setting of the custom object is set to “Private” and the “Grant Access using Hierarchies” checkbox is deselected. No other user in the org should have access to these records if they do not already have access. How can this be achieved? Choose 1
A.) Create a sharing rule for the Delivery object to share records with a “Pending” status with the role associated with sales managers
B.) Enable “Grant Access Using hierarchies” For the Delivery Object.
C.) Create a sharing rule for the Delivery object to share the records with a “Pending” status with a public group that contains the sales managers who should have access.
D.) Update the org-wide default settings of the Delivery object to “Public Read Only”
C.) Create a sharing rule for the Delivery object to share the records with a “Pending” status with a public group that contains the sales managers who should have access.
Sharing rules cannot target individual users, so the four sales managers are placed in a public group and a criteria-based sharing rule (Status equals Pending) shares the records with that group. Enabling “Grant Access Using Hierarchies” or widening the org-wide default would expose the records to users who should not see them, and sharing with the sales manager role would reach all nine managers, not just the four.
The admin needs to set up org-wide default settings for all the standard and custom objects. Which of the following is true regarding org-wide default settings? Choose 1
A.) “Public Read/Write/Transfer” setting is only available for Cases and Leads
B.) “Private” setting is only available for custom objects
C.) “Controlled by Parent” setting is only available for custom objects.
D.) “Public Read Only” is only available for standard objects
A.) “Public Read/Write/Transfer” setting is only available for Cases and Leads
Only Cases and Leads have org-wide default sharing options of “Public Read/Write/Transfer”. Custom objects can have “Private”, “Public Read Only”, “Public Read/Write”, and “Controlled by Parent”. Contacts and Orders also have the “Controlled by Parent” option.
SFDC has provided a number of auditing features, which can be useful in diagnosing potential or real security issues. Which of the following auditing features are available in SFDC? Choose 3
A.) Login History
B.) eDiscovery logs
C.) Debug logs
D.) Field History Tracking
E.) Setup Audit Trail
A.) Login History
D.) Field History Tracking
E.) Setup Audit Trail
Debug logs are a developer tool for tracing code execution, not an auditing feature.
There is no SFDC feature called eDiscovery logs.
In ABC Corp, different sales teams should not be able to have access or visibility to PriceBooks of other teams when adding them to opportunities. How can this be configured? choose 1
A.) Set the org-wide default sharing settings for Price Book to “Use”
B.) Set the org-wide default sharing setting for Price Book to “Private”
C.) Price Book access is controlled by Product sharing settings
D.) Set the org-wide default sharing settings for Price Book to “No Access” and add sharing to grant access to users that should have visibility to each Price Book.
D.) Set the org-wide default sharing settings for Price Book to “No Access” and add sharing to grant access to users that should have visibility to each Price Book.
The org-wide default settings available for Price Books are “Use”, “View Only”, and “No Access”. “Use” means any user can view a price book and add it to an opportunity; “View Only” lets users see it but not add it; “No Access” means users cannot see a price book or add it to opportunities unless it has been shared with them.
Access wider than the default is granted by adding sharing from the Price Book detail page, so with “No Access” as the default each team can be given visibility of only its own price books.
Which features can an admin use to control record sharing? Choose 3
A.) Profiles
B.) Permission Sets
C.) Role Hierarchy
D.) Org wide default settings
E.) Sharing rules
C.) Role Hierarchy
D.) Org wide default settings
E.) Sharing rules
The sales team of Cosmic Logistics uses Sales Cloud to manage team activities and support the operations of the global HR department. A custom HR application has been created in SFDC. The CTO of the company does not want the sales team to access the HR application and the tabs created for the HR application. Which security controls measures should the admin use for the requirement? Choose 2
A.) The sales team profile should not have object-level and field-level access for the objects in the HR application
B.) The “Visible” checkbox should be unchecked for the HR application in the sales team profile.
C.) The sharing settings for the objects in the HR application should be set to “Private” for the sales team profile.
D.) The HR application should be set to “Hidden” for the sales team profile
A.) The sales team profile should not have object-level and field-level access for the objects in the HR application
B.) The “Visible” checkbox should be unchecked for the HR application in the sales team profile.
The visibility of the HR application should be removed for the sales team profile by deselecting the “Visible” checkbox, which ensures the application does not appear in the app menu and cannot be opened from it. To ensure there is no access through other paths such as reporting or the API, object-level and field-level access to the HR objects should also be removed from the profile.
There is no “Hidden” setting in a profile for removing access to a custom application. Setting the sharing settings to “Private” would not prevent access to the application and its tabs, because org-wide defaults control access to records not owned by the user, not access to objects or apps.
A user has reported that they do not see the “Contact Type” field on the contact detail page. What would the admin check first? Choose 1
A.) The contact page layout displayed for the profile assigned to the user
B.) The contact page layout assigned to the user
C.) The role assigned to the user
D.) Field level security assigned to the user
A.) The contact page layout displayed for the profile assigned to the user
Page layouts determine which fields appear on the detail page, so the first thing to check is the contact page layout assigned to the user’s profile (and record type, if the object uses record types). Field-level security also controls whether a field is visible, but it is configured per profile or permission set, not per user, and a field hidden by field-level security would also be missing from reports and the API, not just from the page.
In a private sharing model, will a manager be able to edit account records owned below them in the role hierarchy? Choose 1
A.) No, users in higher roles are only able to view records owned by users below them in the role hierarchy
B.) Yes, access is granted by default to users in a higher role for standard objects.
C.) Only if a sharing rule has been created
D.) Only if “Grant Access using Hierarchies” setting is checked
B.) Yes, access is granted by default to users in a higher role for standard objects.
Grant access using hierarchies is always checked for standard objects such as account and cannot be changed. Users in higher roles will inherit the record permissions of the users below them in the role hierarchy. Users at any role level can view, edit, and report on all data that’s owned by or shared with users below them in the role hierarchy.
An admin would like to absolutely deny login access to the company’s SFDC org if users are logging in outside the specified login hours and IP range. What are the different options that can be used? Choose 2
A.) Profile based IP restrictions
B.) Org-wide IP restrictions
C.) Profile-based login hour restrictions
D.) org-based login hour restrictions
A.) Profile based IP restrictions
C.) Profile-based login hour restrictions
Login hours and login IP ranges can be restricted per profile; there is no org-wide setting that hard-denies either.
Trusted IP ranges are defined at the organization level (Network Access). A user logging in from outside the trusted ranges is only asked to verify their identity, for example with an activation code; the login is not refused.
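The interplay between profile Login IP Ranges, profile login hours, and org-level Trusted IP Ranges described in this card and in the Data Loader security-token card earlier, as an added Python model. This is not code from the flashcards or from Salesforce; the profiles, ranges, hours, addresses and timestamps are constructed sample data, and the time zone in which Salesforce evaluates login hours is not modelled.

```python
"""Model of how Salesforce network-access controls interact at login.

Added example, not Salesforce code. Profile Login IP Ranges and Login
Hours hard-deny a login; org-level Trusted IP Ranges never deny, they
only decide whether a browser login gets a verification challenge and
whether an API client such as Data Loader must append the security
token. All data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass
class Profile:
    name: str
    # Empty list = no Login IP Range restriction on this profile.
    login_ip_ranges: list = field(default_factory=list)
    # weekday (0=Mon) -> (start_hour, end_hour); None = no login-hour restriction.
    login_hours: dict | None = None


@dataclass
class Org:
    # Setup -> Security Controls -> Network Access (Trusted IP Ranges).
    trusted_ip_ranges: list = field(default_factory=list)


def _in_any(ip: str, ranges) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in ranges)


def _profile_denies(profile: Profile, ip: str, when: datetime) -> bool:
    """Profile-level restrictions are absolute: outside range or hours = denied."""
    if profile.login_ip_ranges and not _in_any(ip, profile.login_ip_ranges):
        return True
    if profile.login_hours is not None:
        window = profile.login_hours.get(when.weekday())
        if window is None or not (window[0] <= when.hour < window[1]):
            return True
    return False


def evaluate_ui_login(org: Org, profile: Profile, ip: str, when: datetime,
                      device_activated: bool = False) -> str:
    """Return 'denied', 'challenge' or 'allowed' for a browser login."""
    if _profile_denies(profile, ip, when):
        return "denied"
    # Trusted IP Ranges (or a previously activated device) waive the challenge.
    if device_activated or _in_any(ip, org.trusted_ip_ranges):
        return "allowed"
    return "challenge"  # identity verification code is sent


def api_login_credential(org: Org, profile: Profile, ip: str, when: datetime) -> str:
    """What an API client such as Data Loader must send from this address."""
    if _profile_denies(profile, ip, when):
        return "denied"
    # From a trusted range the password alone is accepted; elsewhere the
    # security token must be appended to the password.
    return "password" if _in_any(ip, org.trusted_ip_ranges) else "password+token"


# Constructed sample data: the office network is both trusted and the only
# permitted Login IP Range for the Sales profile, 08:00-18:00 Mon-Fri.
OFFICE_NET = ip_network("203.0.113.0/24")
SAMPLE_ORG = Org(trusted_ip_ranges=[OFFICE_NET])
SALES_PROFILE = Profile("Sales", [OFFICE_NET], {d: (8, 18) for d in range(5)})
STANDARD_PROFILE = Profile("Standard User")  # no profile-level restrictions
MONDAY_9AM = datetime(2024, 1, 8, 9, 0)
MONDAY_8PM = datetime(2024, 1, 8, 20, 0)

if __name__ == "__main__":
    for prof, ip, when in [(SALES_PROFILE, "203.0.113.10", MONDAY_9AM),
                           (SALES_PROFILE, "198.51.100.5", MONDAY_9AM),
                           (SALES_PROFILE, "203.0.113.10", MONDAY_8PM),
                           (STANDARD_PROFILE, "198.51.100.5", MONDAY_9AM)]:
        print(prof.name, ip, when.strftime("%a %H:%M"),
              evaluate_ui_login(SAMPLE_ORG, prof, ip, when),
              api_login_credential(SAMPLE_ORG, prof, ip, when))
```

The model makes the exam distinction concrete: the Standard User profile, which has no Login IP Ranges, never gets “denied” from home, only “challenge” (or “password+token” for Data Loader), whereas the Sales profile is refused outright from a non-office address or outside its hours.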
Which of the following are default password policy settings or requirements imposed by SFDC when a password is set? Choose3
A.) A password must contain at least 8 characters
B.) A password cannot contain the user’s username
C.) The last three passwords are stored and cannot be reused when users are changing the password
D.) Default password set by SFDC is Useralias123$
A.) A password must contain at least 8 characters
B.) A password cannot contain the user’s username
C.) The last three passwords are stored and cannot be reused when users are changing the password
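The default policy from this card, implemented as an added Python validator. This is not code from the flashcards or from Salesforce: it enforces the minimum length of 8, the three-password history, and the no-username rule listed above, and additionally applies Salesforce’s default complexity setting of at least one letter and one number. The check that the username’s local part (the portion before “@”) is also rejected, and the case-insensitive comparison, are assumptions of this example; the usernames and passwords are constructed.

```python
"""Validator for the default password policy described above.

Added example, not Salesforce code. Password history is kept as salted
PBKDF2 hashes rather than plaintext, so old passwords are never stored
in recoverable form. Usernames and passwords below are constructed.
"""
import hashlib
import hmac
import os
import re

MIN_LENGTH = 8
HISTORY_DEPTH = 3


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PasswordHistory:
    """Remembers the last HISTORY_DEPTH passwords as (salt, hash) pairs."""

    def __init__(self, depth: int = HISTORY_DEPTH):
        self.depth = depth
        self.entries = []  # oldest first

    def contains(self, password: str) -> bool:
        return any(hmac.compare_digest(_digest(password, salt), h)
                   for salt, h in self.entries)

    def record(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, _digest(password, salt)))
        del self.entries[:-self.depth]  # keep only the most recent `depth`


def validate(username: str, password: str, history: PasswordHistory) -> list:
    """Return the list of violated rules; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("not_alphanumeric")
    # Assumption: usernames look like e-mail addresses, so both the full
    # username and its local part are rejected, case-insensitively.
    local_part = username.split("@", 1)[0]
    lowered = password.lower()
    if username.lower() in lowered or (local_part and local_part.lower() in lowered):
        problems.append("contains_username")
    if history.contains(password):
        problems.append("reused")
    return problems


if __name__ == "__main__":
    hist = PasswordHistory()
    for candidate in ["Winter2024x", "Winter2024x", "Ab1", "alice2024!!"]:
        verdict = validate("alice@example.com", candidate, hist)
        print(candidate, verdict or "ok")
        if not verdict:
            hist.record(candidate)
```

Because the history holds only the last three hashes, a password becomes acceptable again once three newer ones have been recorded, which is exactly the behaviour the card describes.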
If a user is assigned a profile that has read object access to accounts, what records will the user be able to see? Choose 2
A.) Only records owned by the user
B.) All account records
C.) Depends on the user’s role
D.) Depends on the sharing model
C.) Depends on the user’s role
D.) Depends on the sharing model
The question refers to the Account object, for which “Grant Access Using Hierarchies” cannot be disabled, so what the user can see depends on the user’s role as well as on the sharing model. The profile only grants the object-level Read permission; the org-wide default, the role hierarchy, and any sharing rules, manual shares, or team memberships decide which records that permission applies to:
Private -> Only records owned by the user, plus records owned by users below them in the role hierarchy or explicitly shared with them
Public Read Only -> Can view all records in the system, regardless of ownership
Public Read/Write -> Can view and edit all records in the system, regardless of ownership
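The record-access computation described above, as an added Python model that is not part of the flashcards or of Salesforce’s sharing engine. It also reproduces the “Delivery” sharing-rule scenario earlier on the page (private OWD, hierarchies off, Pending records shared with a public group). The roles, users, public groups and records are constructed sample data, public groups are flattened to user names (a group built from roles or territories resolves to its members), and the model takes the widest grant from ownership, org-wide default, role hierarchy, sharing rules and manual shares, capped by the user’s object permission.

```python
"""Simplified model of Salesforce record-level access on a single object.

Added example, not Salesforce code. Effective access is the widest of:
ownership, the org-wide default (OWD), the role hierarchy when
Grant Access Using Hierarchies is on (always on for standard objects such
as Account), criteria-based sharing rules that target a public group, and
manual shares or team membership on the record. Object permission from
profile and permission sets caps everything: no Read on the object means
no access to any record, and no Edit makes any shared record read-only.
All roles, users, groups and records below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable

LEVEL_RANK = {"none": 0, "read": 1, "edit": 2, "full": 3}
OWD_GRANT = {"private": "none", "public_read_only": "read", "public_read_write": "edit"}


@dataclass
class User:
    name: str
    role: str | None
    object_perms: set  # subset of {"read", "edit", "delete"} from profile + permission sets


@dataclass
class SharingRule:
    group: str                        # public group that receives access
    level: str                        # "read" or "edit"
    criteria: Callable[[dict], bool]  # record fields -> bool


@dataclass
class Record:
    id: str
    owner: str
    fields: dict = field(default_factory=dict)


@dataclass
class ObjectSharing:
    owd: str
    grant_access_using_hierarchies: bool = True
    role_parent: dict = field(default_factory=dict)    # role -> parent role
    groups: dict = field(default_factory=dict)         # group -> set of user names
    rules: list = field(default_factory=list)
    manual_shares: dict = field(default_factory=dict)  # record id -> {user: level}

    def is_above(self, user_role: str, owner_role: str) -> bool:
        """True when user_role is an ancestor of owner_role in the hierarchy."""
        r = self.role_parent.get(owner_role)
        while r is not None:
            if r == user_role:
                return True
            r = self.role_parent.get(r)
        return False


def effective_access(obj: ObjectSharing, users: dict, user: User, rec: Record) -> str:
    """Return 'none', 'read', 'edit' or 'full' for user on rec."""
    if "read" not in user.object_perms:
        return "none"                      # object permission gates everything
    grants = []
    if rec.owner == user.name:
        grants.append("full")              # owners have full access to their records
    else:
        grants.append(OWD_GRANT[obj.owd])  # baseline for non-owners
        owner = users[rec.owner]
        if (obj.grant_access_using_hierarchies and user.role and owner.role
                and obj.is_above(user.role, owner.role)):
            grants.append("full")          # managers inherit the owner's access
        for rule in obj.rules:             # criteria-based sharing to a public group
            if user.name in obj.groups.get(rule.group, set()) and rule.criteria(rec.fields):
                grants.append(rule.level)
        grants.append(obj.manual_shares.get(rec.id, {}).get(user.name, "none"))
    best = max(grants, key=LEVEL_RANK.__getitem__)
    if best != "none" and "edit" not in user.object_perms:
        best = "read"                      # cannot edit without Edit on the object
    return best


# Constructed sample org: CEO > VP Sales > Sales Rep, four users.
ROLE_PARENT = {"VP Sales": "CEO", "Sales Rep": "VP Sales"}
USERS = {u.name: u for u in [
    User("alice", "CEO", {"read", "edit", "delete"}),
    User("carol", "Sales Rep", {"read", "edit"}),
    User("dave", "Sales Rep", {"read", "edit"}),
    User("erin", "Sales Rep", {"read"}),  # read-only profile
]}
# Account: private OWD; hierarchy cannot be turned off for standard objects.
ACCOUNT = ObjectSharing("private", True, ROLE_PARENT,
                        manual_shares={"001A": {"erin": "edit"}})
# Delivery__c: private OWD, hierarchy off, Pending records shared with a group.
DELIVERY = ObjectSharing(
    "private", False, ROLE_PARENT,
    groups={"Pending Managers": {"dave"}},
    rules=[SharingRule("Pending Managers", "read", lambda f: f.get("Status") == "Pending")],
)
ACC_REC = Record("001A", "carol")
PENDING = Record("a00P", "carol", {"Status": "Pending"})
SHIPPED = Record("a00S", "carol", {"Status": "Shipped"})

if __name__ == "__main__":
    for name in USERS:
        print(name, effective_access(ACCOUNT, USERS, USERS[name], ACC_REC),
              effective_access(DELIVERY, USERS, USERS[name], PENDING))
```

Two outcomes are worth noticing: erin holds an explicit edit share on the account but her read-only profile caps her at read, and alice, who sits at the top of the hierarchy, sees the Pending delivery as “none” because Grant Access Using Hierarchies is off for that custom object.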
Bob and Patrick are sales users and share the same custom sales profile. The sales profile allows create and edit of contacts but not delete. The sales manger would like Patrick to be able to create and edit contact records, however, Bob should also be able to delete contacts. How can the admin configure this most efficiently? Choose 1
A.) Set up the role hierarchy to meet this requirement
B.) Create a permission set and assign it to the users accordingly
C.) Create a new custom profile for Bob
D.) Two sales users cannot have different permissions on the Contact object
B.) Create a permission set and assign it to the users accordingly
Although two profiles could be created with different permissions to the Contact object, it is more efficient to create a permission set to give Bob the extra permissions and use one profile for sales users. Permission sets can grant object and field level permissions and extend profile permissions and access.
Sia is helping Jobelle on an opportunity and needs to view and update the details of the account, account contacts, and the opportunity record. The sharing settings on accounts and opportunities is set to Private. How should the admin meet this requirement? Choose 1
A.) Ask Jobelle to add Sia to the Opportunity Team
B.) Ask Jobelle to add Sia to the Account Team
C.) Create a sharing rule to give access to Sia
D.) Add Sia to the role hierarchy above Jobelle to give her visibility
B.) Ask Jobelle to add Sia to the Account Team
Account Team members can be given read or read/write access to an account as well as the related contacts. Access to opportunities and cases can be set to private, read, or read/write.
Opportunity team members can be given read or read/write access to an opportunity, but will only get read-only access to the related account and account contacts.
How can an admin ensure the security of the data sent and returned from their SFDC community site? Choose 1
A.) Use a third-party security technology to secure the community site and notify you when there is suspicious activity
B.) SFDC automatically ensures security for all community sites
C.) Manually monitor all site traffic going to the community site
D.) Require secure connections for the community site to redirect traffic from HTTP to HTTPS
D.) Require secure connections for the community site to redirect traffic from HTTP to HTTPS
Requiring secure connections for an SFDC community site redirects all HTTP traffic to HTTPS, which protects the confidentiality and integrity of the data going in and out of that site.
Flex Corp has offices in the US, Europe, and Asia. A Sales Director should have access to the German, French, and UK accounts which are all under the European region. The Global Sales Director should have access to the HQ accounts, US accounts, and Asia accounts but not the European accounts. How can this be set up? Choose 1
A.) Deselect “Grant Access Using hierarchies” option for the account object in sharing settings
B.) Create the role hierarchy so the Global Sales Director is not at the top of the hierarchy
C.) Create a sharing rule on Accounts
D.) Change the sharing setting of Accounts to “Private”
B.) Create the role hierarchy so the Global Sales Director is not at the top of the hierarchy
It would be possible to create multiple criteria-based sharing rules (eg - one for each region), however, using the role hierarchy as described is a simpler solution and uses the standard role hierarchy features to provide access to the required accounts.
“Grant Access Using Hierarchies” will grant record access to users above the record owner in the hierarchy. Since it cannot be disabled for standard objects such as Accounts, the hierarchy will have to be set up in such a way that the Global Sales Director role is not at the top of the hierarchy, otherwise, the Global Sales Director will have visibility into all accounts.
For any customer centric organization, the opportunity or deal record data are sensitive. A sales manager has requested the admin to monitor some of the important fields that are getting changed by multiple teams from time to time during the sales lifecycle. Which security option can the admin choose to achieve this? Choose 1
A.) Enable field history tracking for the opportunity object and create a report
B.) Provide the “View All Data” permission to the sales manager to allow seeing all changes
C.) Enable org-wide default sharing settings for the opportunity object to set it to sales manager level
D.) Provide the “View All” permission to the sales manager to allow seeing all changes.
A.) Enable field history tracking for the opportunity object and create a report
The admin can select certain fields to track and display the field history in the History related list of an object.
The Opportunity field history report can be used to view information about the change history of the opportunity fields that are tracked, including old and new values and the dates edits were made.
Which of the following are organizational-level security access controls? Choose 3
A.) Multi-Factor Authentication
B.) Permission sets
C.) Platform encryption
D.) Password policies
E.) Trusted IP ranges
A.) Multi-Factor Authentication
D.) Password policies
E.) Trusted IP ranges
An organization has a read-only opportunity sharing model. It also uses Enterprise Territory Management and has an active territory model with the following territories: Japan, United States, France, and Argentina. The VP of Sales would like the reps in Japan and France to have read/write access to the opportunities owned by reps in the United States. How can the SFDC admin configure the system to meet this requirement? Choose 1
A.) Create a sharing rule that shares the opportunities owned by US reps with a public group consisting of members in the Japan and France territories.
B.) Create two sharing rules based on users assigned to territories
C.) Change the org-wide default setting of opportunities to “Public Read/Write”
D.) Ask United States reps to manually share their opportunities with reps in Japan and France.
A.) Create a sharing rule that shares the opportunities owned by US reps with a public group consisting of members in the Japan and France territories.
Changing the org-wide default setting to “Public Read/Write” is not a viable option, since every user with access to opportunities would be able to modify all of them. Asking the reps to share records manually is not practical, as each rep would have to do it for every opportunity. Two sharing rules based on users assigned to territories would work, but the most efficient solution is to create one public group containing the Japan and France territories, which makes the reps in those territories members of the group, and then configure a single sharing rule that shares the US-owned opportunities with that group.
Cosmic Solutions has recently set up “My Domain” for their SFDC org. What are some of the things that an admin can do to make sure that its deployment is successful? Choose 3
A.) Update all applicable URLs
B.) Communicate the change of the subdomain only after deployment
C.) Test tabs and links to see if they display the new subdomain
D.) Deploy the new subdomain when there is high traffic to make sure everyone can access the new subdomain
E.) Log in using the My Domain subdomain name
A.) Update all applicable URLs
C.) Test tabs and links to see if they display the new subdomain
E.) Log in using the My Domain subdomain name
The My Domain feature allows the use of a subdomain for a SFDC org to better manage login and authentication. The company name can be included in the URL, for example, https://companyname.my.salesforce.com
Before deploying a new My Domain subdomain, it needs to be tested for login problems by using the new subdomain name to log in. Tabs and links within the SFDC org also need to be checked. Application URL and hard-coded references need to be updated before deployment. The upcoming change should be announced much earlier than the date of deployment.
Harold is being moved from a service support role to a sales role in the same company. What changes would an admin do to ensure Harold’s user account would have the necessary permissions and would be able to view the information required for his new role in his new department? Choose 2
A.) Create a new user record for Harold
B.) Use an old sales user record and replace the details with Harold’s information
C.) Change the role in the User settings
D.) Change the profile in the User settings
C.) Change the role in the User settings
D.) Change the profile in the User settings
The admin could change the user’s role and profile details, thereby changing the permissions and record visibility for the user. It is not a good practice to reuse or recycle user records as this would impact the data integrity of the system audit fields and record ownership.
An admin wishes to delegate the responsibility of resetting passwords and creating new users to her assistant. The admin does not wish to give her assistant full admin rights. What is the most appropriate solution in this case? Choose 1
A.) Assign the user to a delegated group that has selected user admin permission
B.) Create a custom profile and give only limited access to create users and reset passwords
C.) Create a custom profile and give admin permission to it
D.) Open a case with SFDC for this type of profile creation
A.) Assign the user to a delegated group that has selected user admin permission
Users in delegated group can be assigned permissions to create users at a certain level of the role hierarchy, assign certain profiles, assign certain permission sets, and administer certain custom objects. Assigning users to a delegated admin group can be done by the organization’s system admin alone. Creating and assigning a custom profile for a single person which could possibly be for a temporary purpose is not a best practice for extending permissions.
What options does an admin have regarding setting the page displayed after a user logs out of SFDC? Choose 3
A.) Display the “Home” page of a custom application in SFDC
B.) Display the standard SFDC login page
C.) Display a custom single sign-on page
D.) Display a custom logout page
E.) Display the ‘Setup” page for the SFDC org.
B.) Display the standard SFDC login page
C.) Display a custom single sign-on page
D.) Display a custom logout page
An admin can set the page displayed after a user logs out of SFDC. A custom logout page URL is set in Setup under “Security Controls” -> “Session Settings”. If none is provided, the default is “https://login.salesforce.com” unless My Domain is enabled, in which case the default is “https://customdomain.my.salesforce.com”.
A user has reported that they are not able to view information on the Health Check page. What could be the problem? Choose 2
A.) The user does not have “Customize Application” permission
B.) The user does not have “View Setup and Configuration” permission
C.) The user does not have “Manage Login Access Policies” and “Manage Password Policies” permissions
D.) The user does not have “View Health Check” permission
B.) The user does not have “View Setup and Configuration” permission
D.) The user does not have “View Health Check” permission
To view the Health Check page, only the “View Health Check” and “View Setup and Configuration” permissions are required. Enabling the “View Health Check” permission automatically enables the “View Setup and Configuration” permission if it isn’t already enabled.