Sharing Architecture Flashcards

From a Guide to Sharing Architecture

1
Q

Name the 7 layers of the Sharing Architecture

A
  1. Profiles and Permission Sets
  2. Org-Wide Defaults
  3. Role Hierarchy
  4. Sharing Rules
  5. Manual Sharing
  6. Team Access
  7. Territory Hierarchy Access
2
Q

Which security components provide object-level security (and determine what types of data users see and whether they can edit, create, or delete records)?

A

Profiles and Permission Sets

3
Q

What do the “View All” and “Modify All” object permissions do?

A

Ignore sharing rules and settings, allowing administrators to quickly grant access associated with a given object across the organization.

4
Q

What are the preferable alternatives to the “View All Data” and “Modify All Data” administrative permissions?

A

The object permissions “View All” and “Modify All”, which can be set via a permission set or on the profile

5
Q

Which security components provide field-level security?

A

Profiles and Permission Sets

6
Q

What access does a user higher in a hierarchy (role or territory) have?

A

Users higher in a hierarchy (role or territory) inherit the same data access as their subordinates for standard objects. Managers gain as much access as their subordinates. If the subordinate has read-only access, so will the manager. This access applies to records owned by users, as well as records shared with them

7
Q

What is a best practice if a single user owns more than 10,000 records?

A
  • The user record of the owner should not hold a role in the role hierarchy
  • If the owner’s user record must hold a role, the role should be at the top of the hierarchy in its own branch of the role hierarchy
8
Q

What is the purpose of Organization-Wide defaults?

A

Specifies the default level of access users have to each other’s records.

9
Q

What is the only way to restrict user access to a record?

A

Organization-wide defaults

10
Q

What are the setting options for Organization-wide defaults?

A
  • Private
  • Controlled by parent
  • Public Read Only
  • Public Read/Write
  • Public Full Access
11
Q

Which setting on Organization-wide defaults can only be set for custom objects?

A

Grant Access Using Hierarchies (defaulted to checked)

12
Q

What is an option that will prevent managers from inheriting access?

A

Do not set the Grant Access Using Hierarchies option (which can be found in the organization-wide default settings).

13
Q

What is typically the max number of allowed roles per organization?

A

500, however this number can be increased by Salesforce up to a maximum of 10,000

14
Q

What is the max number (as a best practice) to limit your non-portal roles at?

A

25,000

15
Q

What is the max number (as a best practice) to limit your portal roles at?

A

100,000

16
Q

What is the best practice for the max number of branches in the hierarchy?

A

Keep the role hierarchy to no more than 10 levels of branches

17
Q

What type of security component can be used if managers want to be able to see and do whatever their subordinates can see and do?

A

Role Hierarchy

18
Q

What type of security component can be used to have reporting roll up in a hierarchical fashion so that anyone higher in the hierarchy sees more data than those below them?

A

Role Hierarchy

19
Q

If different business units don’t need to see each other’s data, which type of security component can be used?

A

Having a hierarchy in which you can define separate branches allows you to segregate visibility within business units, while still rolling visibility up to the executive levels above those units

20
Q

How can you set up data access so that people who all play the same role do not necessarily see each other’s data?

A

Having hierarchical roles allows you to define a “leaf” node in which all data is essentially private, and still roll that data up to a parent role that can see all

21
Q

What are public groups?

A

A collection of individual users, roles, territories, and so on, that all have a function in common

22
Q

If you do decide to nest groups, what level would be the ‘max’ in terms of best practice?

A

Do not nest more than 5 levels

23
Q

What is the max number of public groups in an organization (as a best practice)?

A

100,000

24
Q

What would you do if you need to provide access to an arbitrary group of people?

A

Use a public group to collect them, and then use other sharing tools to give the group the necessary access. Group membership alone doesn’t provide data access.

25
Q

Which security component allows for exceptions to organization-wide default settings and the role hierarchy so that you can give additional users access to records they don’t own?

A

Ownership-based Sharing rules.

Note that Ownership-based sharing rules are based on the record owner only.

26
Q

Do contact ownership-based sharing rules apply to private contacts?

A

No

27
Q

If you have a person in Service that needs access to see some Sales data, but they live in different branches of the hierarchy, what would you do?

A

Create an ownership-based sharing rule between roles on different branches

28
Q

How can you provide data access to peers who hold the same role/territory?

A

Use ownership-based sharing rules

29
Q

How can you provide data access to other groupings of users (public groups, portal roles, territories)?

A

Use ownership-based sharing rules as follows: the members of the groupings who own the records can be shared with the members of other groupings

30
Q

What are criteria-based Sharing Rules?

A

Criteria-based sharing rules provide access to records based on the record’s field values (criteria). If the criteria are met (one or many field values), then a share record is created for the rule. Record ownership is not a consideration

31
Q

As best practice, what should the number of criteria-sharing rules per object be?

A
  1. However this can be increased by Salesforce
32
Q

How can you provide data access to users or groups based on the value of a field on the record?

A

Use criteria-based sharing rules

33
Q

How can a user give access (read only or read/write) of the current record to other users, groups or roles?

A

Through manual sharing.

34
Q

What happens to manual sharing when the record owner changes?

A

The manual sharing is removed

35
Q

What happens when manual sharing access doesn’t grant additional access beyond the object’s organization-wide sharing default access level?

A

The manual sharing is removed

36
Q

When creating a team member (on Account, Opportunity or Case), how many records are created?

A

It creates two records, a team record and an associated share record. If you create team members programmatically you have to manage both the team record and associated share record.

37
Q

If you need multiple teams on a record (Account, Opportunity or Case) what can you do?

A

Consider territory management or programmatic sharing

38
Q

Can you create custom fields, validation rules or triggers on the team object?

A

No, it’s not a first-class object :)

39
Q

How can a user give access (read-only or read/write) for an account or opportunity to a single group of users?

A

Set up a team on the Account or Opportunity

40
Q

Can you share account records if you have teams that are managed externally (e.g., the teams are in an external commission or territory management system)?

A

It is possible that integration can be used to manage the account team. There are cases when territory management in an external system can align to a team solution within Salesforce

41
Q

How can you manage having multiple owners of an account?

A

Manage it through the account team

42
Q

How can you have a single group of users require either read-only or read/write access to an opportunity record?

A

Use Opportunity Teams

43
Q

On which objects can you create a Territory Hierarchy?

A

Only on Account, Opportunity and master/detail children of Accounts and Opportunities

44
Q

What can you do when you need an additional hierarchical structure (different from the role hierarchy)?

A

Set up Territory Hierarchy

45
Q

What can you do when a single user needs to hold multiple levels in the hierarchy?

A

Set up Territory Hierarchy

46
Q

Which hierarchies do you need to maintain when you have territories set up?

A

Territory Hierarchy and Role Hierarchy

47
Q

How can you provide data access to an account within a territory (not based on ownership) to a grouping of users?

A

Use Account Territory Sharing Rules. It applies only to accounts and when territory management is enabled

48
Q

What is programmatic sharing?

A

Formerly Apex managed sharing, it allows you to use code (Apex or other) to build sophisticated and dynamic sharing settings when a data access requirement cannot be met by any other means

49
Q

If there is no declarative sharing method to share data, what can you do?

A

Use programmatic sharing rules

50
Q

If there is an existing, external system of truth for user access assignments, how can you set up the same sharing rules within Salesforce?

A

Use programmatic sharing rules to drive access and be integrated with Salesforce

51
Q

If you have very large data volumes and have poor performance when using native sharing components, what is the alternative?

A

Use programmatic sharing

52
Q

How can you share team functionality on custom objects?

A

Use programmatic sharing

53
Q

How can you turn off implicit sharing?

A

Implicit sharing is automatic; you can neither turn it off nor turn it on. It is native to the application

54
Q

What is parent implicit sharing?

A

Parent implicit sharing is providing access to parent records (account only) when a user has access to children opportunities, cases or contacts for that account

Salesforce has a data access policy that states if a user can see a contact (or opportunity, case, or order), then the user implicitly sees the associated account

55
Q

What is child implicit sharing?

A

Child implicit sharing is providing access to an account’s child records to the account owner. This access is defined at the owner’s role in the role hierarchy.

56
Q

Which are the only objects that child implicit sharing applies to?

A

Contact, opportunity and case.

57
Q

What access levels can be provided for child implicit sharing?

A

View, Edit and No access can be set up for the children objects when the role is created

58
Q

Provide a solution for the following requirement/challenge when the team assignment is managed externally via a Customer Master System

Two in a box: a sales manager of one geographic coverage area also wants access to another geographic coverage area in order to assist

A

Ownership-based Sharing Rule: An ownership-based sharing rule works here because these are edge cases and not the norm. It is also acceptable if the ownership-based sharing rule provides more access than is truly necessary because this is a manager - a trusted individual

59
Q

Provide a solution for the following requirement/challenge when the team assignment is managed externally via a Customer Master System

Country-based operations users need access to all country sales data

A

Ownership-based Sharing Rule: A very common use of a sharing rule is when a different department (other than sales) needs access to sales data

60
Q

Provide a solution for the following requirement/challenge when the team assignment is managed externally via a Customer Master System

At least 80% of the time, there is a “core 4” team on an account (Account Executive, Inside Sales Rep, Sales Consultant, Technical Sales Rep). The system of record for the account team assignment is external to SFDC. There is always only one team to an account.

A

Teams (Account and Opportunity): Since there is always only one team per account, even if there are many different members with different roles, the account team functionality satisfies this requirement

61
Q

Provide a solution for the following requirement/challenge when the team assignment is managed externally via a Customer Master System

Managers of the team should have the same access as their subordinates

A

Role Hierarchy: The role hierarchy solves this by allowing managers to have access to the data of their subordinates

62
Q

Provide a solution for the following requirement/challenge when the team assignment is managed externally via a Customer Master System

The assigned account team should not be modifiable

A

Use Teams (Account and Opportunity): This is not actually accomplished with the account team functionality, however, it also shouldn’t prevent you from still using account teams. There are multiple ways of locking down the teams, however, for this case, removing the account team page layout is used.

63
Q

Provide a solution for the following requirement/challenge when the team assignment is managed externally via a Customer Master System

There needs to be “buddy” functionality so that when someone is sick or on vacation, someone without standard access to an account or opportunity can be accessed and covered during the time off

A

Use Teams (Account and Opportunity): A “buddy” can simply be a role on the team that accomplishes this requirement. However, the challenge comes from a previous requirement where the teams should not be modifiable. The only solution is to have a set group of people who can modify teams within SFDC to create the buddy role when necessary

64
Q

Provide a solution for the following requirement/challenge when the team assignment is managed externally via a Customer Master System

When a deal requires a custom solution, additional people (who are not necessarily in the sales organization) need to have access to the deal

A

Use Teams (Account and Opportunity): A pretty standard usage of the Opportunity Team accomplished by manually adding a new member to the Opportunity Team (via related list). Can also be accomplished via a trigger if you always know who should be added. In this case, it is opportunity by opportunity

65
Q

Provide a solution for the following requirement/challenge when there is out-of-box Territory Management

Two different opportunity teams from two distinct business units (Retail Sales and Remarketing) need access to the same account record. They should share contacts and be aware of all activities on the account. These two business units have their own hierarchy and rollups.

A

Use Territory Management: The best way to think of this is having two branches of a hierarchy that may be structured very differently. What justifies territory management is that there are two levels of these two different branches (both levels with members = the opportunity team for that business unit) who need access to the account. Although you could have accomplished this with a Teaming concept, that was too granular. The sales segmentation was not at an account level but in a hierarchy.

66
Q

Provide a solution for the following requirement/challenge when there is out-of-box Territory Management

There is a separate group of business developers who are assigned and need access to specific accounts for a specific opportunity team (a territory). The business developers are shared resources for the opportunity teams, which means each business developer may be assigned to one or more accounts for one or more opportunity teams.

A

Use Territory Management: Because this is a group of users (or a team) and each business development team could be different by account, and since territory management was needed for another reason, then the likely best approach is to build out sub-territories that represent these business development teams

67
Q

Provide a solution for the following requirement/challenge when there is out-of-box Territory Management

There are non-commission-based sales supporting roles who need access to accounts on a one-off basis

A

Use Teams (Account and Opportunity): The key portion of the requirement is “one-off basis”. This means it is done on an account-by-account basis, so account teams provide that natively

68
Q

Provide a solution for the following requirement/challenge when there is out-of-box Territory Management

The credit department needs access to all accounts for a given business unit

A

Use Ownership-based Sharing Rules: This is a situation where across the board, for a given business unit, a group of users needs to see everything. This could be accomplished with a sharing rule for a role the group belongs to, a branch of the role hierarchy the group belongs to (role and subordinates) or even a public group

69
Q

Provide a solution for the following requirement/challenge when there is out-of-box Territory Management

Managers should have the same access as their subordinates

A

Use Role Hierarchy: The role hierarchy solves this by allowing managers to have access to the data of their subordinates

70
Q

Can your role hierarchy and your territory hierarchy be identical?

A

It is not recommended because it will cause unnecessary sharing activity.

71
Q

Some functionality is only available via the role hierarchy (name 3)

A

Delegated Admin
My Teams filters
Folder-based access

72
Q

If you have territory management configured, can you still use Teams?

A

Yes, however, if you can satisfy your access requirements within the territory hierarchy (like overlays), it is better to do it there than to use teams. You are already maintaining two hierarchies (role and territory), so in trying to keep things as simple as possible, only implement teams if no other sharing component will satisfy the requirement

73
Q

What should you do if you have a single user that owns more than 10,000 records?

A

The user record of the owner should not hold a role in the role hierarchy. If the owner’s user record must hold a role, the role should be at the top of the hierarchy in its own branch of the role hierarchy

74
Q

If Maria (a Sales Executive) creates an account record for a company called “Acme”, what type of sharing record will Salesforce create?

A

Salesforce creates a sharing row for her as the record owner in the Account Sharing table

75
Q

If Maria (a Sales Executive and the owner of the Acme account record) shares the record with Frank (a Sales Executive), what type of sharing record will Salesforce create?

A

Salesforce will add a sharing row for Frank (row cause = Manual) in the Account Sharing table

76
Q

An administrator creates a sharing rule that shares the Sales Executive’s records with the Strategy group, giving them Read Only access. Maria belongs to the Sales Executive team and is the owner of the Acme account. What type of sharing record will Salesforce create for the Strategy group?

A

Salesforce will add a sharing row that gives the Strategy group access to Maria’s Acme account record (row cause = Rule)