Security and Access - Admin Flashcards

1
Q

An employee is moving from one role to another. How can the admin ensure the necessary permissions and the correct available information?

A

Change the role in the User Settings AND change the profile in the User Settings.

2
Q

A system admin set the client's organization-wide default sharing setting for the Account object to ‘Private’. The company uses Enterprise Territory Management and has an active territory model with the following territories: Canada, Northeast, Southwest, CA. Account records owned by users in the CA territory need to be shared with all users in Northeast. Which solution should be used to accomplish this?

A

A sharing rule based on record ownership should be created to share the account records.

A criteria-based sharing rule would not meet the requirement. A permission set cannot be used to share records. Setting the default access level of account records in a particular territory would not give record access to users who are assigned to a different territory.

3
Q

Salesforce has provided a number of auditing features, which can be useful in diagnosing potential or real security issues. What are the available features?

A

Login History, Field History Tracking (possible to track field history of custom objects and some standard objects; 18 months of retention via the org and 24 months via the API), Setup Audit Trail (tracks recent setup changes in the org; shows the 20 most recent changes, with a download of up to six months of history).

4
Q

An admin wants to give another user the ability to assign one type of permission set designated for certain roles. How can this be accomplished?

A

Make the user a delegated admin and enable the delegated admin to assign the designated permission set.

5
Q

A sales manager requested that the admin monitor some of the important fields that are changed by multiple teams during the sales cycle. What security option can the admin choose?

A

Enable field history tracking for the Opportunity object and create a report.

6
Q

An admin needs to identify potential vulnerabilities in security settings which are at high risk in order to remediate them. If the default Salesforce Baseline Standard is used for the health check, which of the following are high-risk security settings?

A

Maximum password length AND number of expired certificates.

Minimum password length is medium risk. Days until certificate expiration is an informational security setting.

7
Q

A Salesforce org has a Security Health Check score of 75%. Which grade does this score correspond to in Salesforce?

A

90%+ Excellent
80-89% Very Good
70-79% Good
55-69% Poor
54% and Below Very Poor

8
Q

An admin is asked to list the types of record-level sharing available in Salesforce. Which of the following is related to record-level sharing?

A

Organization-Wide Defaults
Sharing Rules
Roles

Profiles and permission sets define object-level permissions (e.g. create/read/edit/delete), not record-level access.

9
Q

In ABC Corp, different sales teams should not have access or visibility to Price Books of other teams when adding them to opportunities. How can this be configured?

A

Set the org-wide default sharing setting for Price Book to ‘No Access’ and add sharing to grant access to the users that should have visibility to each Price Book.

The sharing settings available on Price Book are ‘Use’, ‘View Only’ and ‘No Access’. Access wider than the default access can be granted to users by adding sharing from the Price Book detail page.

10
Q

A company has a Sales & Marketing email template folder, which contains subfolders that store email templates. What is the most efficient way to share templates with an intern who needs to modify all email templates in both subfolders?

A

Grant Edit access to the Sales & Marketing email template folder.

It’s not possible to share individual email templates. Sharing the folder grants access to all subfolders. With regard to email template folders and any subfolders, there are three types of sharing options: View, Edit, Manage.

11
Q

A client creates a custom object ‘Digital Marketing Contract’ to store customer contracts related to services like search engine optimization, newsletter campaigns, online promotions, etc. A custom profile called ‘Marketing Team’ was created for users in the marketing team. The custom profile allows these users to view, edit and create digital marketing contracts in SF. Only senior marketing users should be able to delete contracts. How can the admin set up this requirement?

A

Assign the Marketing Team profile to the senior users and create a permission set to grant the ‘Delete’ permission.

12
Q

A user left at home the phone that is usually used for two-factor authentication. What can the admin do?

A

Generate a temporary verification code.

13
Q

An admin needs to set up org-wide default settings for all standard and custom objects. Which of the following is true regarding org-wide default settings?

A

The Public Read/Write/Transfer setting is only available for Cases and Leads.

Custom objects can have ‘Private’, ‘Public Read Only’, ‘Public Read/Write’ and ‘Controlled by Parent’. Contacts and Orders also have the ‘Controlled by Parent’ option.

14
Q

Record-Level Security

A

Sharing rules can never be stricter than the org-wide sharing defaults. Roles are used to create a sharing hierarchy among users.

Org-wide Sharing Defaults (OWD) are used to restrict access to records. Roles open up access vertically, not horizontally. A criteria-based sharing rule (sharing records based on role) could be used to open up record access horizontally across the role hierarchy.

15
Q

A client would like SF users to see only the campaign members whose lead or contact records they can access in SF. What can the admin do?

A

Modify the org-wide sharing default setting for the Campaign object to ‘Controlled by Lead or Contact’.

16
Q

A client launches a new product, and the admin needs to ensure that the after-sales support for this new product follows a specific life-cycle and can be managed efficiently. How can he ensure that cases that are opened for the new product are only visible and routed to a certain group of support engineers?

A

Use a new support process, record type, page layout, and queue.

A new support process can be used to define the case status values for the new product and define the specific lifecycle of the case. It can be assigned to a record type and associated with a new page layout for the product. A queue can be used to assign the cases only to a specific support group.

17
Q

What do profiles control access to?

A

Which record types are available to users, which fields are read-only, and which Apex classes and Visualforce pages users can access.

Profiles don’t control record-level sharing; they control object- and field-level security.

18
Q

A client has created a Performance Review App and would like to ensure that only the manager of a staff member and managers further up the chain in the same department have visibility of a staff member’s review. The role hierarchy does not follow the org structure. How can this be configured?

A

Ensure that the ‘Grant Access Using Hierarchies’ checkbox is deselected. Ensure the ‘Manager Groups’ setting is selected on the Sharing Settings page. Create a sharing rule to share Performance Reviews with the user’s manager group.

If the ‘Grant Access Using Hierarchies’ checkbox is selected, a user with a higher role in the role hierarchy would be able to see the performance review even if he is not that person’s manager.

19
Q

A client developed a new recruitment application in SF to support the global recruitment team. The admin wants to give access to this new application to users from the HR and recruitment team who have not used SF before and do not need access to any other apps. Best option?

A

Create a new profile by cloning an existing profile and modify it to only include permissions to the app.

20
Q

If a user is assigned a profile that has read object access to accounts, what records will the user be able to see?

A

Depends on the sharing model and the user’s role.

Object access in a profile determines which objects can be seen but not which records. The sharing model determines which account records the user will see. A user would be able to see only records owned by them if the sharing model were private.

21
Q

An admin wants to make the org more secure with network-based security. When should she use network-based security?

A

(1) When she wants to make it difficult to use stolen credentials. (2) When she wants to limit where people can log in from. (3) When she wants to limit when people can log in.

NBS allows limits to be set on where users can log in from and at what times. It covers both org-wide IP range restrictions and profile-based IP restrictions and login hours. User authentication determines who can log in.

22
Q

A company does not want its employees to access SF from home. How can this be achieved?

A

Define Login IP Ranges for all profiles.

Trusted IP Ranges define a list of IP addresses from which users can log in without receiving a login challenge for verification but do not restrict logins from IP addresses outside the range. Login IP ranges can be defined at the profile level. Users outside the Login IP Range set on a profile will not be able to gain access to Salesforce.

23
Q

Which of the following can be stored and accessed in folders via tabs in Salesforce Classic?

A

Folders store Reports, Documents, Dashboards.

Tabs can be used to access reports, dashboards, and documents. Email template folders can be accessed by navigating to ‘Email Templates’ in Setup. Mail merge templates can be created by navigating to ‘Mail Merge Templates’ in Setup.

24
Q

John needs a number of colleagues to have visibility of and collaborate on a case related to an account he owns. What is the best way to allow them to have access to the case record?

A

Add the users to the case team.

Creating a sharing rule to grant access to one record is not a good solution, regardless of whether it is possible to define the criteria for the sharing rule. A sharing rule is typically used to share multiple records with users in public groups, roles or territories. A case team can be used to allow a group of users to work together on a case record.

25
Q

Which of the following are org-level security access controls?

A

Password policies, trusted IP ranges, and two-factor authentication.

Password policies can be defined at the profile and organization levels to implement restrictions which make passwords more secure. Trusted IP ranges allow users to bypass the verification step when logging in from a different IP address from the one that is cached in the browser the first time the user logs in. Two-factor authentication increases an org’s security by requiring a second level of authentication for every user login.

26
Q

Organization Security Controls

A

Passwords, IP restrictions, Identity Confirmation, Network Settings

27
Q

A sales manager wants to add a PPT file to a new Content Library but not make it visible to other sales users until a later time. What should the sales manager do?

A

Add the file to the library but not add any members.

To access a file in a library, users need to be members of the library (either as individual users or as part of a public group). If the sales users will need access to the file at a later date, the file can be added to the library now, and the sales public group can be added as members with the appropriate permission later. When users are added as members of a library, permissions must be assigned at the same time, so it is not an option to add members without assigning permissions.

28
Q

An admin is told to look through the login forensics to spot any suspicious attempts to gain access to the org. Which of the following can login forensics provide?

A

The average number of logins per user per a specified time period. Who logged in during non-business hours. Who logged in more than the average number of times.

29
Q

What is true regarding using subfolders to organize reports and dashboards in Lightning Experience?

A

A hierarchy of subfolders can be created to represent a logical structure. Folder sharing is at the root level.

Subfolders can be used to organize reports and dashboards into a logical structure. Folder sharing is at the root level, not the subfolder level. Subfolders can be created in user-created folders, but not in the Public or Private folder.

30
Q

A user is assigned a profile that allows create, edit and delete permissions on leads. The org-wide setting for leads has been set to Private. A role hierarchy has been set up and the user has been assigned a role that has subordinate roles below it in the hierarchy. What will the user’s access be to leads owned by other users?

A

The profile setting will not override the sharing setting to give access to records. The user will have access to leads owned by other users granted via the role hierarchy.

In a private sharing model, the user will have access to their own records and to any records owned by users below them in the hierarchy.

31
Q

An org has a read-only opportunity sharing model. It also uses Enterprise Territory Management and has an active territory model for: Japan, US, France, and Argentina. The VP of Sales would like the reps in Japan and France to have read/write access to the opportunities owned by reps in the US. How can the admin meet this requirement?

A

Create a sharing rule that shares the opportunities owned by US reps with a public group consisting of members in the Japan and France territories.

Two sharing rules based on users assigned to territories would work, but the most efficient solution is to first create a public group and add the Japan and France territories to it.

32
Q

The Description field on the Account object should be read-only for users that are assigned to specific profiles. How can this be achieved?

A

Set field-level security for the users’ profiles. Alternatively, modify the page layout assigned to the users’ profiles: fields can be made read-only on the page layout.

33
Q

Field-Level Security

A

Can be set for a profile to control which fields are read-only and/or editable. Fields can be read-only on a page layout.

34
Q

Permission Set

A

Can be used to extend users’ access without modifying their profile. Can only be assigned to individual users and not profiles. Can grant object and field level permissions and extend profile permissions and access.

35
Q

An admin can define a sharing rule to share records with a public group. Which of the following can be included in a public group?

A

Roles. Users assigned to specific territories. Other public groups. Subordinates in the hierarchy.

Profiles and permission sets cannot be included in a public group definition.

36
Q

A user has reported that they do not have visibility to the Contacts tab. What would you check?

A

The profile assigned to the user. Profiles determine what users can see and what they can do in the Application.

37
Q

An admin wants to control login access to the organization’s SF org. What are the different options that can be used?

A

Profile-based IP restrictions and profile-based login hour restrictions (login hours can’t be restricted at the org level).

Trusted IP ranges are defined at the org level (Network Access).

38
Q

Trusted IP Ranges

A

If users try to log in from outside this range, they are sent an activation code, but it does not restrict login access.

39
Q

A sales team uses Sales Cloud to manage team activities and to support the operations of the global HR department. A custom HR application has been created, and the CTO of the company doesn’t want the sales team to have access to the app and tabs created for the HR app. Which security control measures should the admin use for this requirement?

A

The sales team profile should not have object-level and field-level access to the objects in the HR app. The Visible checkbox should be unchecked for the HR app in the sales team profile.

There is no Hidden setting in a profile that can be used to remove access to a custom application. Setting the sharing setting to Private would not prevent access to the application and tabs, as it controls access to records that are not owned by the users.

40
Q

Setting Sharing Setting to Private

A

Won’t prevent access to the application and tabs, as it controls access to records that are not owned by the users.

41
Q

Bob and Patrick are sales users who share the same custom sales profile. The sales profile allows create and edit of contacts but not delete. The sales manager wants Patrick to be able to create and edit records, but Bob should also be able to delete. How can the admin configure this?

A

Create a permission set and assign it to the users accordingly.

42
Q

Which of the following are org-level security access controls?

A

Two-Factor Authentication. Password policies. Trusted IP Ranges.

43
Q

Robin is a Salesforce Admin. He has been asked to explain what can be controlled in profiles. Which of the following can be controlled through profiles?

A

Page Layouts. Object Permissions. Field Level Security.

Roles and License types are set on the User record. Object permissions, page layouts, and field-level security are all set on the profile.

44
Q

What is true regarding the Security Health Check?

A

Values are compared against the Salesforce baseline standard. Settings are grouped into High Risk, Medium Risk, Low Risk, and Informational.

Health Check score is a measure of how the settings in Session Settings, Password Policies, and Network Access Settings meet the Salesforce baseline standard values. A higher score indicates more values are at lower risk setting and closer to standard.

45
Q

Users of an org require edit access to all contacts associated with accounts they own. In many cases, some of the related contact records are owned by the account owner and some are owned by other users. Which org-wide default sharing setting can be used for the Contact object to meet this requirement?

A

Controlled by Parent

46
Q

Controlled by Parent Sharing Setting

A

This sharing setting should be used for the Contact object since it would grant account owners edit access to all related contacts regardless of who owns the contacts.

47
Q

Public Read/Write Sharing Setting

A

Using this setting would grant read/write access to all contacts for all users.

48
Q

Private Sharing Setting

A

If the sharing setting is set to Private, a criteria-based sharing rule would need to be used to give access based on the owner of the contact’s account.

49
Q

Public Read Only Sharing Setting

A

This will only give view access but not edit access.

50
Q

An admin is setting up a new org for a company with over 300 employees that will require the setup of several roles and profiles. Which statement regarding profiles and roles is correct?

A

The role hierarchy determines record access in a private data sharing model.

Profiles determine what parts of the application a user can see and the permissions on objects. The role hierarchy determines record access.

51
Q

Role > Record

A

Profile > Permissions

52
Q

In a private sharing model, will a manager be able to edit account records owned by a user below them in the role hierarchy?

A

Yes, access is granted by default to users in a higher role for standard objects. Users at any role level can view, edit, and report on all data that’s owned by or shared with users below them in the role hierarchy.

53
Q

Michelle needs certain records with status = pending to be shared with sales managers. The org-wide default setting of the custom object is set to ‘Private’ and the ‘Grant Access Using Hierarchies’ checkbox is deselected. No other user in the org should gain access if they don’t already have it. How can this be achieved?

A

Create a sharing rule for the delivery object to share the records with a public group that contains the sales managers who should have access.

54
Q

What options are available to set the length of time after which the system logs out inactive users?

A

Session timeout can be set at the profile level and organization level.

55
Q

A Salesforce admin wants to insert records using Data Loader, but he does not have access to the email account where the security token has been sent. How can he proceed?

A

Add the IP address to the trusted IP ranges.

56
Q

Opportunity Teams

A

Only the owner of the opportunity or users above the owner in the role hierarchy can manage opportunity team members.

57
Q

An admin wishes to delegate the responsibility of resetting passwords and creating new users to his assistant, who has limited knowledge of Salesforce. The admin doesn’t want to give him full admin rights. Solution?

A

Assign the user to a delegated group that has user administration permission. A delegated administrator can be given the ability to create users at a certain level of the role hierarchy, assign certain profiles, assign certain permission sets and administer certain custom objects.

58
Q

Only the users who have been assigned to the Accounts Receivable profile should be able to view and access the Credit Status field on the Account object via the detail page, reports, and API. Solution?

A

Use field-level security to set the Visible setting to not visible for all profiles except Accounts Receivable.

59
Q

How can an admin reduce customization to change permissions for different groups of users more effectively?

A

Don’t create a custom profile every time a user requires additional access or permissions. Create permission sets to extend permissions for individuals or small groups of users as required.

60
Q

A sales manager asks the admin how she can share dashboards and reports with select users. What is true regarding the sharing of reports and dashboards?

A

For a user to view a report or dashboard, the folder needs to be shared with the user.

61
Q

Password Policies

A

Password Policies Settings can be maintained for each profile or at the org level.

62
Q

Which features can a Salesforce admin use to control record sharing?

A

Sharing Rules, Organization Wide Default Settings, Role Hierarchy.

63
Q

What options does an admin have regarding the page displayed after a user logs out of SF?

A

Display a custom single sign-on page. Display a custom logout page. Display the standard Salesforce login page.

64
Q

In a private sharing model, if the admin needs to make some exceptions to give access to records, what features can be used?

A

Sharing Rules. Account Teams. Manual Sharing.

65
Q

Arthur is helping Zaina on an opportunity and needs to view and update the details of the account, the account contacts and the opportunity record. The sharing setting on accounts and opportunities is set to Private. Solution?

A

Ask Zaina to add Arthur to the Account Team.

66
Q

What is true regarding using subfolders to organize reports and dashboards in Lightning Experience?

A

A hierarchy of subfolders can be created to represent a logical structure. Folder sharing is at the root level.

67
Q

A user has reported that they are not able to view information on the Health Check page. What could be the problem?

A

The user does not have the ‘View Setup and Configuration’ permission. The user does not have the ‘View Health Check’ permission.

68
Q

What are the default password policy settings or requirements imposed by Salesforce when a password is set?

A

A password cannot contain the user’s username. A password must contain at least eight characters. The last three passwords are stored and cannot be reused when users are changing the password.

69
Q

What is true regarding the addition of an identity verification method to a user’s account?

A

An email confirmation is sent to the user if a new identity verification method (e.g. mobile phone) is added. The added method is not blocked; if the user didn’t add it, they need to contact their Salesforce admin.

70
Q

An admin is told that users with the Sales profile should no longer have access to several fields on a custom object. The admin employs field-level security for these fields. What is true regarding field-level security?

A

Fields can be set to read-only by profile. If a field is hidden using field-level security, it does not appear in page layouts, search layouts, related lists, list views or reports.

71
Q

A user has reported that they do not see the ‘Contact Type’ field on the contact detail page. What would the admin check first?

A

The contact page layout displayed for the profile assigned to the user. Page layouts determine which fields are visible on the detail page.

72
Q

In a private sharing model, how can users at the same level of the role hierarchy have access to each other’s data?

A

Sharing rules can be added to grant access.

73
Q

What object settings can be controlled from a Profile?

A

Object permissions and field permissions. Tab settings. Record types and page layout assignments.

74
Q

Which of the following are valid identity verification methods?

A

Using the verification code in an email that is sent to the address associated with the account. Using the Salesforce Authenticator mobile app to verify the account activity.

75
Q

The Account object has two record types named ‘Prospect’ and ‘Customer’. A user would like the Prospect record type to be selected automatically when he clicks the ‘New’ button on the account page to create an account record. What can be used to enable this?

A

Default record type settings in the user’s profile. Record type preference in User Settings.

76
Q

What does the login forensics report show?

A

The average number of logins per user per a specified time period. Who logged in during non-business hours. Who logged in more than the average number of times.

77
Q

Standard Read Only Profile

A

Salesforce includes a number of standard profiles which cannot be modified, including a Read Only profile which allows users to view but not edit the records of most of the standard objects.

78
Q

How can an admin ensure the security of the data sent to and returned from their Salesforce community site?

A

Require secure connections for the community site to redirect traffic from HTTP to HTTPS.