Security and Access - Admin Flashcards
An employee is moving from one role to another. How can the admin ensure the necessary permissions and the correct available information?
Change the role in the User settings AND change the profile in the User settings.
A system admin set the client's organization-wide default sharing setting of the Account object to 'Private'. The company uses Enterprise Territory Management and has an active territory model with the following territories: Canada, Northeast, Southwest, CA. Account records owned by users in the CA territory need to be shared with all users in Northeast. Which solution should be used to accomplish this?
A sharing rule based on record ownership should be created to share the account records.
A criteria-based sharing rule would not meet the requirement. A permission set cannot be used to share records. Setting the default access level of account records in a particular territory would not give record access to users who are assigned to a different territory.
Salesforce provides a number of auditing features, which can be useful in diagnosing potential or real security issues. Which features are available?
Login History; Field History Tracking (it is possible to track field history of custom objects and some standard objects; 18 months retention in the org and 24 months via the API); Setup Audit Trail (tracks recent setup changes in the org, shows the 20 most recent changes, and can be downloaded for up to six months).
Admin wants to give another user the ability to assign one type of permission set designated for certain roles. How can this be accomplished?
Make the user a delegated admin and enable the delegated admin to assign the designated permission set.
A sales manager asked the admin to monitor some of the important fields that are getting changed by multiple teams during the sales cycle. Which security option can the admin choose?
Enable field history tracking for the Opportunity object and create a report.
An admin needs to identify potential vulnerabilities in security settings which are at high risk in order to remediate them. If the default Salesforce Baseline Standard is used for Health Check, which of the following are high-risk security settings?
Maximum password length AND number of expired certificates.
Minimum password length is medium risk. Days until certificate expiration is an informational security setting.
A Salesforce org has a Security Health Check score of 75%. Which grade does this score correspond to in Salesforce?
Good. The grades are: 90%+ Excellent; 80-89% Very Good; 70-79% Good; 55-69% Poor; 54% and below Very Poor.
An admin is asked to list the types of record-level sharing available in Salesforce. Which of the following are related to record-level sharing?
Organization-Wide Defaults
Sharing Rules
Roles
Profiles and permission sets define object-level permissions (e.g. create/read/edit/delete), not record-level access.
In ABC Corp, different sales teams should not have access or visibility to the Price Books of other teams when adding them to opportunities. How can this be configured?
Set the org-wide default sharing setting for Price Book to 'No Access' and add sharing to grant access to the users that should have visibility to each Price Book.
The sharing settings available on Price Book are 'Use', 'View Only' and 'No Access'. Access wider than the default access can be granted to users by adding sharing from the Price Book detail page.
A company has a Sales & Marketing email template folder, which contains subfolders that store email templates. What is the most efficient way to share the templates with an intern who needs to modify all email templates in both subfolders?
Grant Edit access to the Sales & Marketing email template folder.
It is not possible to share individual email templates. Sharing a folder grants access to all its subfolders. For email template folders and any subfolders, there are three types of sharing options: View, Edit, Manage.
A client creates a custom object 'Digital Marketing Contract' to store customer contracts related to services like search engine optimization, newsletter campaigns, online promotions, etc. A custom profile called 'Marketing Team' is created for users in the marketing team. The custom profile allows these users to view, edit and create digital marketing contracts in SF. Only senior marketing users should be able to delete contracts. How can the admin set up this requirement?
Assign the Marketing Team profile to the senior users and create a permission set to grant them the 'Delete' permission.
A user left at home the phone that is usually used for two-factor authentication. What can the admin do?
Generate a temporary verification code.
An admin needs to set up org-wide default settings for all standard and custom objects. Which of the following is true regarding org-wide default settings?
The Public Read/Write/Transfer setting is only available for Cases and Leads.
Custom objects can have 'Private', 'Public Read Only', 'Public Read/Write' and 'Controlled by Parent'. Contacts and Orders also have the 'Controlled by Parent' option.
Record-Level Security
Sharing rules can never be stricter than the org-wide sharing defaults. Roles are used to create a sharing hierarchy among users.
Org-wide Sharing Defaults (OWD) are used to restrict access to records. Roles open up access vertically, not horizontally. A criteria-based sharing rule (sharing records based on role) could be used to open up record access horizontally across the role hierarchy.
A client would like SF users to see only the campaign members whose lead or contact records they can access in SF. What can the admin do?
Modify the org-wide sharing default setting for the Campaign object to ‘Controlled by Lead or Contact’.
A client launches a new product, and the admin needs to ensure that the after-sales support for this new product follows a specific life cycle and can be managed efficiently. How can he ensure that cases opened for the new product are only visible and routed to a certain group of support engineers?
Use a new support process, record type, page layout, and queue.
A new support process can be used to define the case status values for the new product and define the specific life cycle of the case. It can be assigned to a record type and associated with a new page layout for the product. A queue can be used to assign the cases only to a specific support group.
What do profiles control access to?
Which record types are available to users, which fields are read only, and which Apex classes and Visualforce pages users can access.
Profiles don't control record-level sharing; they control object- and field-level security.
A client has created a Performance Review app and would like to ensure that only the manager of a staff member, and managers further up the chain in the same department, have visibility of that staff member's review. The role hierarchy does not follow the org structure. How can this be configured?
Ensure that the 'Grant Access Using Hierarchies' checkbox is deselected. Ensure the 'Manager Groups' setting is selected on the Sharing Settings page. Create a sharing rule to share Performance Reviews with the user's manager group.
If the 'Grant Access Using Hierarchies' checkbox is selected, a user with a higher role in the role hierarchy would be able to see the performance review even if he is not that person's manager.
A client developed a new recruitment application in SF to support the global recruitment team. The admin wants to give access to this new application to users from the HR and recruitment teams who have not used SF before and do not need access to any other apps. What is the best option?
Create a new profile by cloning an existing profile and modify it to only include permissions to the app.
If a user is assigned a profile that has read object access to accounts, what records will the user be able to see?
Depends on the sharing model and the user’s role.
Object access in a profile determines which objects can be seen, but not which records. The sharing model determines which account records the user will see. If the sharing model were private, the user would be able to see only the records owned by them.
An admin wants to make the org more secure with network-based security. When should she use network-based security?
(1) When she wants to make it difficult to use stolen credentials. (2) When she wants to limit where people can log in from. (3) When she wants to limit when people can log in.
Network-based security allows limits to be set on where users can log in from and at what times. It covers both IP range restrictions (org-wide and profile-based) and login hours. User authentication determines who can log in.
A company does not want its employees to access SF from home. How can this be achieved?
Define Login IP Ranges for all profiles.
Trusted IP Ranges define a list of IP addresses from which users can log in without receiving a login challenge for verification, but they do not restrict logins from IP addresses outside the range. Login IP Ranges can be defined at the profile level; users outside the Login IP Range set on a profile will not be able to gain access to Salesforce.
Which of the following can be stored and accessed in folders via tabs in Salesforce Classic?
Folders store Reports, Documents, Dashboards.
Tabs can be used to access reports, dashboards, and documents. Email template folders can be accessed by navigating to ‘Email Templates’ in Setup. Mail merge templates can be created by navigating to ‘Mail Merge Templates’ in Setup.
John needs a number of colleagues to have visibility and collaborate on a case related to an account he owns. What is the best way to allow them to have access to the case record?
Add the users to the case team.
Creating a sharing rule to grant access to one record is not a good solution, regardless of whether it is possible to define the criteria for the sharing rule. A sharing rule is typically used to share multiple records with users in public groups, roles or territories. A case team can be used to allow a group of users to work together on a case record.
Which of the following are org-level security access controls?
Password policies, trusted IP ranges, and two-factor authentication.
Password policies can be defined at the profile and organization levels to implement restrictions which make passwords more secure. Trusted IP ranges allow users to bypass the verification step when logging in from a different IP address from the one that is cached in the browser the first time the user logs in. Two-factor authentication increases an org’s security by requiring a second level of authentication for every user login.
Organization Security Controls
Passwords, IP restrictions, Identity Confirmation, Network Settings
A sales manager wants to add a PPT file to a new Content Library but not make it visible to other sales users until a later time. What should the sales manager do?
Add the file to the library but do not add any members.
To access a file in a library, users need to be members of the library (either as individual users or as part of a public group). If the sales users will need access to the file at a later date, the file can be added to the library now and the sales public group can be added as members with the appropriate permission later. When users are added as members to a library, permissions must be assigned at the same time, so adding members without assigning permissions is not an option.
An admin is told to look through the login forensics to spot any suspicious attempts to gain access to the org. Which of the following can login forensics provide?
The average number of logins per user over a specified time period. Who logged in during non-business hours. Who logged in more than the average number of times.
What is true regarding using subfolders to organize reports and dashboards in Lightning Experience?
A hierarchy of subfolders can be created to represent a logical structure. Folder sharing is at the root level.
Subfolders can be used to organize reports and dashboards into a logical structure. Folder sharing is at the root level, not subfolder level. Subfolders can be created in user created folders, but not in the Public or Private folder.
A user is assigned a profile that allows create, edit and delete permissions on leads. The org-wide default setting for leads has been set to Private. A role hierarchy has been set up, and the user has been assigned a role that has subordinate roles below it in the hierarchy. What will the user's access be to leads owned by other users?
The profile setting will not override the sharing setting to give access to records. The user will have access to leads owned by other users only as granted via the role hierarchy.
In a private sharing model, the user will have access to their own records and to any records owned by users below them in the hierarchy.
An org has a read-only opportunity sharing model. It also uses Enterprise Territory Management and has an active territory model for: Japan, US, France, and Argentina. The VP of Sales would like the reps in Japan and France to have read/write access to the opportunities owned by reps in the US. How can the admin meet this requirement?
Create a sharing rule that shares the opportunities owned by US reps with a public group consisting of members in the Japan and France territories.
Two sharing rules based on users assigned to territories would work, but the most efficient solution is to first create a public group, add the Japan and France territories to it, and share with that group.