Sharing Architecture Flashcards
From a Guide to Sharing Architecture
Name the 7 layers of the Sharing Architecture
- Profiles and Permission Sets
- Org-Wide Defaults
- Role Hierarchy
- Sharing Rules
- Manual Sharing
- Team Access
- Territory Hierarchy Access
Which security components provide object-level security (and determine what types of data users see and whether they can edit, create, or delete records)?
Profiles and Permission Sets
What do the “View All” and “Modify All” object permissions do?
Ignore sharing rules and settings, allowing administrators to quickly grant access associated with a given object across the organization.
What are the preferable alternatives to the “View All Data” and “Modify All Data” administrative permissions?
The object permissions “View All” and “Modify All”, which can be set via a permission set or on the profile
Which security components provide field-level security?
Profiles and Permission Sets
What access does a user higher in a hierarchy (role or territory) have?
Users higher in a hierarchy (role or territory) inherit the same data access as their subordinates for standard objects. Managers gain as much access as their subordinates. If the subordinate has read-only access, so will the manager. This access applies to records owned by users, as well as records shared with them
What is a best practice if a single user owns more than 10,000 records?
- The user record of the owner should not hold a role in the role hierarchy
- If the owner’s user record must hold a role, the role should be at the top of the hierarchy in its own branch of the role hierarchy
What is the purpose of Organization-Wide defaults?
Specifies the default level of access users have to each other’s records.
What is the only way to restrict user access to a record?
Organization-wide defaults
What are the setting options for Organization-wide defaults?
- Private
- Controlled by parent
- Public Read Only
- Public Read/Write
- Public Full Access
Which setting on Organization-wide defaults can only be set for custom objects?
Grant Access Using Hierarchies (defaulted to checked)
What is an option that will prevent managers from inheriting access?
Do not set the Grant Access Using Hierarchies option (which can be found in the organization-wide default settings).
What is typically the max number of allowed roles per organization?
500; however, this number can be increased by Salesforce up to a maximum of 10,000
What is the max number (as a best practice) to limit your non-portal roles to?
25,000
What is the max number (as a best practice) to limit your portal roles to?
100,000
What is the best practice for the max number of branches in the hierarchy?
Keep the role hierarchy to no more than 10 levels of branches
What type of security component can be used if managers want to be able to see and do whatever their subordinates can see and do?
Role Hierarchy
What type of security component can be used to have reporting roll up in a hierarchical fashion so that anyone higher in the hierarchy sees more data than those below them?
Role Hierarchy
If different business units don’t need to see each other’s data, which type of security component can be used?
Having a hierarchy in which you can define separate branches allows you to segregate visibility within business units, while still rolling visibility up to the executive levels above those units
How can you set up data access so that people who all play the same role do not necessarily see each other’s data?
Having hierarchical roles allows you to define a “leaf” node in which all data is essentially private, and still roll that data up to a parent role that can see all
What are public groups?
A collection of individual users, roles, territories, and so on, that all have a function in common
If you do decide to nest groups, what level would be the ‘max’ in terms of best practice?
Do not nest more than 5 levels
What is the max number of public groups in an organization (as a best practice)?
100,000
What would you do if you need to provide access to an arbitrary group of people?
Use a public group to collect them, and then use other sharing tools to give the group the necessary access. Group membership alone doesn’t provide data access.