Sharing Architecture Flashcards
From a Guide to Sharing Architecture
Name the 7 layers of the Sharing Architecture
- Profiles and Permission Sets
- Org-Wide Defaults
- Role Hierarchy
- Sharing Rules
- Manual Sharing
- Team Access
- Territory Hierarchy Access
Which security components provide object-level security (and determines what types of data users see and whether they can edit, create, or delete records?)
Profiles and Permission Sets
What do the “View All” and “Modify All” object permissions do?
Ignore sharing rules and settings, allowing administrators to quickly grant access associated with a given object across the organization.
What is the preferable alternatives to the “View All Data” and “Modify All Data” administrative permissions?
The object permission of “View All” and “Modify All” which can be set via permission set or on the profile
Which security components provide field-level security?
Profiles and Permission Sets
What access does a user higher in a hierarchy (role or territory) have?
Users higher in a hierarchy (role or territory) inherit the same data access as their subordinates for standard objects. Managers gain as much access as their subordinates. If the subordinate has read-only access, so will the manager. This access applies to records owned by users, as well as records shared with them
What is a best practice if a single user owns more than 10,000 records?
- The user record of the owner should not hold a role in the role hierarchy
- If the owner’s user record must hold a role, the role should be at the top of the hierarchy in its own branch of the role hierarchy
What is the purpose of Organization-Wide defaults?
Specifies the default level of access users have to each other’s records.
What is the only way to restrict user access to a record?
Organization-wide defaults
What are the setting options for Organization-wide defaults?
- Private
- Controlled by parent
- Public Read Only
- Public Read/Write
- Public Full Access
Which setting on Organization-wide defaults can only be set for custom objects?
Grant Access Using Hierarchies (defaulted to checked)
What is an option that will prevent managers from inheriting access?
Do not set the Grant Access Using Hierarchies (which can be found in the organization-wide default settings).
What is typically the max number of allowed roles per organization?
500, however this number can be increased by Salesforce up to a maximum of 10,000
What is the max number (as a best practice) to limit your non-portal roles at?
25,000
What is the max number (as a best practice) to limit your portal roles at?
100,000
What is the best practice for the max number of branches in the hierarchy?
Keep the role hierarchy to no more than 10 levels of branches
What type of security component can be used if managers want to be able to see and do whatever their subordinates can see and do?
Role Hierarchy
What type of security component can be used to have reporting roll up in a hierarchical fashion so that anyone higher in the hierarchy sees more data than those below them?
Role Hierarchy
If different business units don’t need to see each other’s data, which type of security component can be used?
Having a hierarchy in which you can define separate branches allows you to segregate visibility within business units, while still rolling visibility up to the executive levels above those units
How can you setup data access so that people who all play the same role should not necessarily see each other’s data?
Having hierarchical roles allows you to define a “leaf” node in which all data is essentially private, and still roll that data up to a parent role that can see all
What are public groups?
A collection of individual users, roles, territories, and so on, that all have a function in common
If you do decide to nest groups, what level would be the ‘max’ in terms of best practice
Do not nest more than 5 levels
What is the max number of public groups in an organization (as a best practice)
100,000
What would you do if you need to provide access to an arbitrary group of people?
Use a public group to collect them, and then use other sharing tools to give the group the necessary access. Group membership alone doesn’t provide data access.
Which security component allows for exceptions to organization-wide default settings and the role hierarchy so that you can give additional users access to records they don’t own?
Ownership-based Sharing rules.
Note that Ownership-based sharing rules are based on the record owner only.
Do contact ownership-based sharing rules apply to private contacts?
No
If you have a person in Service that needs access to see some Sales data, but they live in different branches of the hierarchy, what would you do?
Create a ownership-based sharing rule between roles on different branches
How can you provide data access to peers who hold the same role/territory?
Use ownership-based sharing rules
How can you provide data access to other groupings of users (public groups, portal roles, territories)?
Use ownership-based sharing rules as follows: the members of the groupings who own the records can be shared with the members of other groupings
What are criteria-based Sharing Rules?
Criteria-based sharing rules provide access to records based on the record’s field values (criteria). If the criteria are met (one or many field values), then a share record is created for the rule. Record ownership is not a consideration
As best practice, what should the number of criteria-sharing rules per object be?
- However this can be increased by Salesforce
How can you provide data access to users or groups based on the value of a field on the record?
Use criteria-based sharing rules
How can a user give access (read only or read/write) of the current record to other users, groups or roles?
Through manual sharing.
What happens to manual sharing when the record owner changes ?
The manual sharing is removed
What happens when manual sharing access doesn’t grant additional access beyond the object’s organization-wide sharing default access level?
The manual sharing is removed
When creating a team member (on Account, Opportunity or Case), how many records are created
It creates two records, a team record and an associated share record. If you create team members programmatically you have to manage both the team record and associated share record.
If you need multiple teams on a record (Account, Opportunity or Case) what can you do?
Consider territory management or programmatic sharing
Can you create custom fields, validation rules or triggers on the team object?
No, it’s not a first-class object :)
How can a user give access (read-only or read/write) for an account or opportunity to a single group of users?
Setup a team on the Account or Opportunity
Can you share account records If you have teams that are managed externally (ex the teams are in an external commission or territory management system)?
It is possible that integration can be used to manage the account team. There are cases when territory management in an external system can align to a team solution within Salesforce
How can you manage having multiple owners of an account?
Manage it through the account team
How can you have a single group of users require either read-only or read/write access to an opportunity record?
Use Opportunity Teams
On which objects can you create a Territory Hierarchy on?
Only on Account, Opportunity and master/detail children of Accounts and Opportunities
What can you do when you need an additional hierarchical structure (different from the role hierarchy)?
Setup Territory Hierarchy
What can you do when a single user needs to hold multiple levels in the hierarchy?
Setup Territory Hierarchy
Which hierarchies do you need to maintain when you have territories setup?
Territory Hierarchy and Role Hierarchy
How can you provide data access to an account within a territory (not based on ownership) to a grouping of users?
Use Account Territory Sharing Rules. It applies only to accounts and when territory management is enabled
What is programmatic sharing?
Formally Apex Managed sharing allows you to use code (apex or other) to build sophisticated and dynamic sharing settings when a data access requirement cannot be met by any other means
If there is no declarative sharing method to share data, what can you do?
Use programmatic sharing rules
If there is an existing, external system of truth for user access assignments, how can you setup the same sharing rules within Salesforce?
Use programmatic sharing rules to drive access and be integrated with Salesforce
If you have very large data volumes and have poor performance when using native sharing components, what is the alternative?
Use programmatic sharing
How can you share team functionality on custom objects?
Use programmatic sharing
How can you turn off implicit sharing?
Implicit sharing is automatic, you can neither turn it off or turn it on. It is native to the application
What is parent implicit sharing?
Parent implicit sharing is providing access to parent records (account only) when a user has access to children opportunities, cases or contacts for that account
Salesforce has a data access policy that states if a user can see a contact (or opportunity, case, or order), then the user implicitly sees the associated account
What is child implicit sharing?
Child implicit sharing is providing access to an accounts child records to the account owner. This access is defined at the owner’s role in the role hierarchy.
Which objects do child implicit sharing apply to only
Contact, opportunity and case.
What access levels can be provided for child implicit sharing?
View, Edit and No access can be setup for the children objects when the role is created
Provide a solution for the following requirement/challenge when the team assignment is managed externally via a Customer Master System
Two in a box: a sales manager of one geographic coverage area also wants access to another geographic coverage area in order to assist
Ownership-based Sharing Rule: An ownership-based sharing rule works here because these are edge cases and not the norm. It is also acceptable if the ownership-based sharing rule provides more access than is truly necessary because this is a manager - a trusted individual
Provide a solution for the following requirement/challenge when the team assignment is managed externally via a Customer Master System
Country-based operations users need access to all country sales data
Ownership-based Sharing Rule: A very common use of a sharing rule is when a different department (other than sales) needs access to sales data
Provide a solution for the following requirement/challenge when the team assignment is managed externally via a Customer Master System
At least 80% of the time, there is a “core 4” team on an account (Account Executive, Inside Sales Rep, Sales Consultant, Technical Sales Rep). The system of record for the account team assignment is external to SFDC. There is always only one team to an account.
Teams (Account and Opportunity) : Since there is always only one team per account, even if there are many different members with different roles, the account team functionality satisfies this requirement
Provide a solution for the following requirement/challenge when the team assignment is managed externally via a Customer Master System
Managers of the team should have the same access as their subordinates
Role Hierarchy: The role hierarchy solves this by allowing managers to have access to the data of their subordinates
Provide a solution for the following requirement/challenge when the team assignment is managed externally via a Customer Master System
The assigned account team should not be modifiable
Use Teams (Account and Opportunity): This is not actually accomplished with the account team functionality, however, it also shouldn’t prevent you from still using account teams. There are multiple ways of locking down the teams, however, for this case, removing the account team page layout is used.
Provide a solution for the following requirement/challenge when the team assignment is managed externally via a Customer Master System
There needs to be “buddy” functionality so that when someone is sick or on vacation, someone without standard access to an account or opportunity can be accessed and covered during the time off
Use Teams (Account and Opportunity): A “buddy” can simply be a role on the team that accomplishes this requirement. However, the challenge comes from a previous requirement where the teams should not be modifiable. The only solution is to have a set group of people who can modify teams within SFDC to create the buddy role when necessary
Provide a solution for the following requirement/challenge when the team assignment is managed externally via a Customer Master System
When a deal requires a custom solution, additional people (who are not necessarily in the sales organization) need to have access to the deal
Use Teams (Account and Opportunity): A pretty standard usage of the Opportunity Team accomplished by manually adding a new member to the Opportunity Team (via related list). Can also be accomplished via a trigger if you always know who should be added. In this case, it is opportunity by opportunity
Provide a solution for the following requirement/challenge when there is out-of-box Territory Management
Two different opportunity teams from two distinct business units (Retails Sales and Remarketing) need access to the same account record. They should share contacts and be aware of all activities on the account. These two business units have their own hierarchy and rollups.
Use Territory Management: The best way to think of this is having two branches of a hierarchy that may be structured very differently. What justifies territory management is that there are two levels of these two different branches (both levels with members = the opportunity team for that business unit) who need access to the account. Although you could have accomplished this with a Teaming concept, that was too granular. The sales segmentation was not at an account level but in a hierarchy.
Provide a solution for the following requirement/challenge when there is out-of-box Territory Management
There is a separate group of business developers who are assigned and need access to specific accounts for a specific opportunity team (a territory). The business developers are shared resources for the opportunity teams which mean each business developer may be assigned to one or more accounts for one or more opportunity teams.
Use Territory Management: Because this is a group of users (or a team) and each business development team could be different by account, and since territory management was needed for another reason, then the likely best approach is to build out sub-territories that represent these business development teams
Provide a solution for the following requirement/challenge when there is out-of-box Territory Management
There are non-commission based sales supporting roles who need access to accounts on a one off basis
Use Teams (Account and Opportunity): The key portion of the requirement is “one of basis”. This means it is done on an account by account basis so account teams provide that natively
Provide a solution for the following requirement/challenge when there is out-of-box Territory Management
The credit department needs access to all accounts for a given business unit
Use Ownership-based Sharing Rules: This is a situation where across the board, for a given business unit, a group of users needs to see everything. This could be accomplished with a sharing rule for a role the group belongs to, a branch of the role hierarchy the group belongs to (role and subordinates) or even a public group
Provide a solution for the following requirement/challenge when there is out-of-box Territory Management
Managers should have the same access as their subordinates
Use Role Hierarchy: The role hierarchy solves this by allowing managers to have access to the data of their subordinates
Can your role hierarchy and your territory hierarchy be identical?
It is not recommended because it will cause unnecessary sharing activity.
Some functionality is only available via the role hierarchy (name 3)
Delegated Admin
My Teams filters
Folder-based access
If you have territory management configured, can you still use Teams?
Yes, however, if you can satisfy your access requirements within the territory hierarchy (like overlays), it is better to do it there than to use teams. You are already maintaining two hierarchies (role and territory), so in trying to keep things as simple as possible, only implement teams if no other sharing component will satisfy the requirement
What should you do if you have a single user that owns more than 10,000 records?
The user record of the owner should not hold a role in the role hierarchy. If the owner’s user record must hold a role, the role should be at the top of the hierarchy in is own branch of the role hierarchy
If Maria (a Sales Executive), creates an account record for a company called “Acme”, what type of sharing record will Salesforce create?
Salesforce creates a sharing row for her as the record owner in the Account Sharing table
If Maria (a Sales Executive) and the owner of the Acme account record shares the record with Frank (a sales executive), what type of sharing record will Salesforce create?
Salesforce will add a sharing row for Frank (row cause = Manual) in the Account Sharing table
If an administrator creates a sharing rule that shares the Sales Executive’s records with the Strategy group, giving them Read Only access. Maria belongs to the Sales Executive team and is the owner of the Acme account. What type of sharing record will Salesforce create for the strategy group?
Salesforce will add a sharing row that gives the Strategy group access to Maria’s Acme account record (row cause = Rule)
