5. Security and Access

Questions and Answers

What is the primary function of a user license in Salesforce?

• It grants instant access to all Salesforce features.
• It defines the maximum features a user can access within Salesforce. (correct)
• It determines the specific data that users can view.
• It automatically assigns permissions to a user.

Which type of Salesforce license allows access to standard and custom objects/applications?

• Permission Set License
• Feature License
• Salesforce License (correct)
• Salesforce Platform License

What do feature licenses in Salesforce directly provide?

• Automatic assignment of profiles.
• Access to specific features bypassing limitations set by user licenses. (correct)
• Permissions to view all standard objects.
• Access to additional user accounts.

How do permission set licenses differ from feature licenses?

Permission set licenses require associated permission sets for access. (D)

What is the consequence of a user license determining maximum feature access?

Actual access is granted through profiles and permission sets. (A)

To what extent can a Salesforce Platform License be used?

It permits use of custom objects/apps and limited standard objects. (C)

What is recommended for companies when assigning user licenses?

To select the most basic license that fulfills employee needs. (A)

What role do permission sets play in user access management in Salesforce?

They define the maximum permissions a user can have. (A)

What is the primary purpose of a user's profile in Salesforce?

To define the foundational level of permissions for feature access. (C)

How do permission sets relate to user profiles?

They provide additional permissions beyond what profiles allow. (A)

Which component is crucial for protecting Salesforce against unauthorized access?

Org Level Security (C)

What combination of permissions does object level security control?

Access and operations on standard and custom objects. (A)

What limitations do field level security settings impose?

They restrict user visibility and edit capability for fields. (A)

What access levels are defined by Organization Wide Defaults (OWDs)?

Private, Public Read Only, and Public Read/Write. (D)

How can users mute permissions in permission set groups?

By disabling specific permissions within a group. (D)

Which statement correctly defines record level security in Salesforce?

It determines which actions can be performed on all records. (A)

What is the main function of roles in the Salesforce sharing model?

To represent the organizational hierarchy for sharing records. (D)

What happens if a user does not have the necessary object permissions?

They won't be able to perform any actions on data related to that object. (D)

Which statement about standard profiles in Salesforce is correct?

They must be cloned for any customization. (C)

How do Organization-Wide Defaults (OWDs) influence data access in Salesforce?

They set the least restrictive access level for records on an object-by-object basis. (C)

What does muting a permission set do?

Disables specific permissions temporarily. (D)

Which of the following is true about multi-factor authentication (MFA) in Salesforce?

It will be mandated in all Salesforce environments in 2023. (A)

What role does the Role Hierarchy play in record sharing?

It propagates record access vertically while restricting lateral sharing. (D)

What purpose do Public Groups serve in Salesforce?

They assist in sharing records by grouping users with similar needs. (D)

What are Sharing Rules and how do they enhance record access?

They provide access to users based on ownership or record field values. (B)

When is Manual Sharing typically employed?

For temporary sharing needs on a case-by-case basis. (B)

What are Restriction Rules used for in Salesforce?

To enforce data security by removing access based on criteria. (B)

How do Custom Permissions extend the Salesforce security model?

By allowing administrators to create unique permissions for specific needs. (A)

What impact do trusted IP ranges have on user access in Salesforce?

They allow logging in from specified addresses without additional verification. (D)

What result does setting Organization-Wide Defaults to 'Public Read Only' have?

Users can view all records, but cannot edit them. (A)

What is the main feature of role-based sharing in Salesforce?

It enables users to inherit record access from their subordinates. (B)

Which of the following best describes the purpose of Public Groups?

They facilitate record access through sharing rules and can include various member types. (B)

What are Sharing Rules used for in Salesforce?

They are used to apply record access based on ownership or field criteria. (B)

What is a key characteristic of Manual Sharing?

It is user-driven and ideal for occasional, one-off access needs. (C)

What does a Restriction Rule do in Salesforce?

It removes access to records that do not meet specific criteria. (D)

What is the function of Custom Permissions in Salesforce?

To control access to specific custom operations and customizations. (D)

How does the Role Hierarchy limit record sharing in Salesforce?

It only allows sharing to subordinates under a manager's role. (D)

What types of objects do Sharing Rules support?

Both custom and standard objects. (A)

What is a Queue in Salesforce primarily used for?

To group users who can share ownership of a record. (B)

Which statement best represents the function of User Licenses?

They determine the maximum features and functionalities a user can access in Salesforce. (A)

How do Profiles and Permission Sets differ in managing user permissions?

Profiles are mandatory, while Permission Sets are optional adjustments. (D)

Which of the following is NOT a characteristic of Restriction Rules?

They grant higher access privileges to certain users. (B)

What aspect of sharing does the 'Grant Access Using Hierarchies' checkbox influence?

It determines if record access propagates up the role hierarchy. (C)

What type of sharing access do criteria-based Sharing Rules provide?

Read or read/write access depending on criteria. (D)

What is the primary function of Organization-Wide Defaults (OWDs) in Salesforce?

To set the default level of record access for all users (B)

How does the Role Hierarchy in Salesforce affect record access?

Record access is inherited vertically among users (C)

What is a key difference between Owner-based sharing rules and criteria-based sharing rules?

Criteria-based rules grant access based on record field values (B)

Which type of sharing allows users to grant access to records on a case-by-case basis?

Manual Sharing (C)

How do Profiles and Permission Sets differ in terms of user access?

Profiles limit access while permission sets add additional permissions (D)

What is the purpose of a custom permission in Salesforce?

To control access to customizations or operations not covered by existing permissions (B)

What does a feature license do compared to a permission set license?

Directly grants access to specific Salesforce features (B)

Which statement about Object Level Security is true?

It controls access to standard and custom objects (C)

What is the impact of field level security in Salesforce?

It allows administrators to control visibility and edit access to individual fields (A)

How are Public Groups used in Salesforce?

To allow collection of users that can be granted record access through sharing (B)

When using queues in Salesforce, what is their primary purpose?

To collectively distribute ownership of records among a group of users (A)

What is the role of a Permission Set License?

To expand the possible permissions a user can have beyond their user license (B)

What is a significant limitation of the sharing model in Salesforce?

Sharing only propagates vertically in the Role Hierarchy (B)

Flashcards

What is a User License?

A user license determines the maximum feature access that a user can have within Salesforce. You need one to log in.

What is a Salesforce License?

A Salesforce License offers the most access: standard features and custom objects. It's the most powerful.

What is a Salesforce Platform License?

It grants access to custom objects/applications, Account and Contact objects, reports, dashboards, but not most standard apps or objects.

How do user licenses affect actual user access?

User licenses limit access potential, but actual access is granted by profiles and permission sets.

What are Feature Licenses?

Feature licenses grant access to specific features (e.g., Flow, Marketing) directly, bypassing license limitations.

What are Permission Set Licenses?

Permission set licenses give access to add-on products (e.g., Field Service, Analytics), but require associated permission sets for actual use.

What's the key difference between Feature and Permission Set Licenses?

Feature licenses enable direct access, while permission set licenses require associated permission sets for users to actually use the features.

Companies use the most basic license that meets their requirements.

Companies are encouraged to use the most basic license that fits an employee's requirements to save costs.

User License

Determines the maximum feature access a user can have in Salesforce.

Organization-Wide Defaults (OWDs)

Default sharing rules set at an organizational level, determining initial access to records.

Role Hierarchy

A hierarchical structure organizing users into a tree-like structure, allowing access to inherit from superiors.

Public Groups

A collection of users designed to grant record access through sharing tools, avoiding individual user assignments.

Sharing Rules

Conditional rules that grant record access based on ownership or field criteria, extending access beyond OWDs.

Manual Sharing

Allows users with full record access to manually share records with other users, providing flexibility for one-off access.

Restriction Rules

Filters that override existing record-level security by removing access to records that don't meet specified criteria.

Custom Permissions

Permissions created to control access to customizations or specific operations not controlled by standard permissions.

Queues

Groups of users who can take ownership of a record, distributing workload and ensuring shared access.

Salesforce Record Level Security

The process of configuring user permissions to restrict access to specific objects or records within Salesforce.

Object Level Security

Determines the level of access users have to objects and data based on their roles and permissions.

Access Propagation

The principle that roles in a hierarchy inherit access from their subordinates.

Field-Level Security

Control access to specific data within an object

Profiles

Used to define the level of access granted to users based on their roles and responsibilities.

Permission Sets

A collection of permissions and settings that can be assigned to users to extend their capabilities.

What are Salesforce Profiles?

Profiles are the foundation of permissions in Salesforce, determining what features a user can access and what actions they can perform. Each user must have exactly one profile.

What are Permission Sets?

Permission sets grant additional permissions to users beyond their profile, allowing them to access more features and perform additional actions.

How do you customize Profiles?

Standard profiles have limited customization options and custom profiles should be created by cloning and customizing existing profiles.

What's a best practice for assigning Profiles?

Assign one profile to all users with the same job function and use permission sets for exceptions to provide tailored access.

Can Profile permissions be revoked?

Permissions set through profiles cannot be revoked by other methods, making them the most foundational level of permissions.

Can Permission Sets be grouped?

Permission sets can be grouped together to provide a bundle of permissions for specific tasks or roles.

Can Permission Sets remove permissions?

Permission sets can only add permissions, they cannot remove permissions from a user's profile.

How are Permission Sets muted?

Muting permission sets within a permission set group disables those permissions, providing flexibility in granting temporary access.

What is Org Level Security?

Org level security controls access to a Salesforce org through login restrictions, such as password policies and multi-factor authentication.

What are Password Policies?

Password policies ensure strong passwords by enforcing length, complexity, and reset frequency, enhancing security.

What are Login Hours?

Login hours restrict login times to specific periods, limiting access to the org during non-business hours.

What are Login IP Ranges?

Login IP ranges limit logins to specific IP addresses, enhancing security by preventing access from unauthorized locations.

What is Object Level Security?

Object level security controls access to standard and custom objects, determining what actions users can perform on those objects.

What is Record Level Security?

Record level security determines which specific records a user can access and what actions they can perform on those records.

What are Organization Wide Defaults (OWDs)?

Organization Wide Defaults (OWDs) define the baseline access level for records across the org, providing the most restrictive layer of sharing control.

How does the Role Hierarchy work?

This allows users in the hierarchy to inherit the access permissions of their subordinates. However, it only flows upwards, not sideways or downwards.

What are Public Groups beneficial for?

They are collections of users that grant access to records using sharing rules or manually. They simplify granting access to groups of users.

What are Owner-based Sharing Rules?

They grant access based on who owns a record. They can grant read or read/write access to records.

What are Criteria-based Sharing Rules?

They grant access based on the values of record fields. They can grant read or read/write access when values match the set criteria.

How does Manual Sharing work?

Allows individual users with full access to grant read or read/edit permission to other users on a specific record.

What are Custom Permissions?

They help control user access to customizations and specific operations, enabling more tailored and granular access control.

What is the difference between a Feature License and a Permission Set License?

It grants direct access to a feature like Marketing or Knowledge, while a _____________ licenses expands possible permissions but requires granting specific access through a permission set.

What is the difference between a Profile and a Permission Set?

They are the fundamental group of permissions for each user. Users have exactly one profile, while permission sets are used to provide additional permissions.

What does Object Level Security control?

Determines the actions a user can perform on accessible records, like creating, editing, or deleting.

What does Field Level Security control?

It regulates user access to specific fields, allowing or denying visibility and edit capabilities.

What is the importance of implementing strong Org Level Security?

It protects sensitive business data from unauthorized access by controlling access and authentication.

What isMulti-Factor Authentication (MFA)?

It's a security measure that requires at least two verification factors from users.

What are Queues used for?

It allows a group of users to take ownership of a record, helping distribute workloads.

What is a Restriction Rule?

A filter that removes a user's access to records that don't match the given criteria, regardless of whether they would otherwise have access.

What are Public Groups?

A collection of users created to simplify record sharing using sharing rules and manual sharing.

What are Sharing Rules?

A condition that grants record access to specified users based on the record owner or specific field values.

What is the Role Hierarchy?

The representation of a company's organizational hierarchy in Salesforce, used for propagating record access.

What is Manual Sharing?

It allows users with full access to a record to grant other users access on a case-by-case basis.

What are Trusted IP Ranges?

Sets of IP addresses that users can log in from using unrecognized devices without needing to provide additional verification.

Why is a User License important?

It's essential for login and sets the boundaries for profiles and permission sets, effectively controlling their maximum capability within Salesforce.

Study Notes

User Licenses and Permissions

• User licenses define the maximum features accessible within Salesforce.
• A license is required for login.
• Types include Salesforce License (most access) and Platform License (limited access).
• License assignment is made when creating/editing a user record.
• License dictates possible access; actual access is determined by profiles & permission sets.

Extending User Access

• Feature Licenses: Grant specific feature access beyond the user's base license.
• Permission Set Licenses: Allow access to add-on products (e.g., Field Service) but require associated permission sets for feature access.
• Feature licenses grant direct access; permission set licenses require a permission set.
• Both enable access to features without needing a more expensive license.

Profiles

• Profiles define features and operations accessible to users.
• Each user has exactly one profile.
• Manage org access, user interface, objects, fields, and administrative settings.
• Standard profiles have limited customization; custom profiles are created by cloning and customizing.
• Permissions assigned via profiles cannot be revoked by other means.

Permission Sets

• Permission sets grant additional permissions besides the profile.
• Control user interface, objects, and fields (standard and custom).
• Permission sets can be grouped together.
• Muting option within a permission set group can disable permissions.
• Users can have multiple permission sets for temporary or specific needs.

Organization-Level Security

• Org-level security controls access to the Salesforce organization.
• Components include password policies, login hours, login IP ranges, MFA, and trusted IP ranges.
• Strong org security protects against unauthorized access.
• MFA is mandated by Salesforce in late 2023.

Object Level Security

• Object-level security controls access to standard and custom objects.
• Determines actions users can take on these objects (Read, Create, Edit, Delete, etc.).
• View All/Modify All permissions override record-level security.
• Permissions required for object actions regardless of record/field permissions.

Field Level Security

• Field-level security controls user access to specific fields on records.
• Access levels include No access, Read, and Read/Edit.
• Managed via profiles, permission sets, and field creation settings.
• Protects sensitive information with granular data visibility.

Record Level Security

• Record-level security controls access to specific records.
• Permissions include Read, Edit, Transfer, Delete, and Share.
• Each record has an owner with full access.
• Sharing models (OWDs, Roles, Groups, Sharing Rules, Manual Sharing) determine access for non-owners.

Organization-Wide Defaults (OWDs)

• OWDs define default record access for all users in an organization.
• Access levels include Private, Public Read Only, and Public Read/Write.
• Set on an object-by-object basis, affecting master-detail relationships.
• OWDs are the most restrictive element of the sharing model.

Role Hierarchy

• A representation of the company's organizational structure.
• Users in higher roles inherit record access from lower roles.
• Key element for record-level security, propagating full record access vertically.
• Control with "Grant Access Using Hierarchies" checkbox on Sharing Settings.

Public Groups

• Public groups are collections of users for targeted sharing.
• Members can be users, roles, roles and subordinates, and other groups.
• Access propagation through the role hierarchy can be controlled.
• Useful for shared report/dashboard access.

Sharing Rules

• Rules grant record access based on ownership or field criteria.
• Types include owner-based and criteria-based.
• Supported for custom and standard objects (except Campaigns).
• Access granted through sharing rules propagates up the role hierarchy.

Manual Sharing

• Allows users with full record access to share with others (read or read/edit).
• User-driven, ideal for one-time sharing.
• Access revoked when record owner changes.

Restriction Rules

• Filters that remove access to records that don't meet criteria.
• User-based and record-based filtering for custom/external objects.
• Restriction rules remove access, they don't grant access.

Custom Permissions

• Permissions created for specific customizations or operations.
• Granular control over customizations.
• Created in Setup, assigned in profiles/permission sets.

Queues

• Queues are user groups for record ownership or distribution.
• Members have full record access and can take ownership.

Quiz Questions and Answers

(summarized):

• User Licenses: Defines maximum features; base security setting, dictates possible access.
• OWDs: Default level record access; determines initial record access.
• Role Hierarchy: Inherits record access; vertical propagation of access.
• Public Groups: Collections of users for access control; easier bulk sharing.
• Sharing Rules: Conditions for record access; expands OWDs/Role Hierarchy.
• Manual Sharing: User-driven record sharing; provides one-time access.
• Restriction Rules: Removes access; filters based on criteria.
• Custom Permissions: Tailored permissions for customizations; granular control.
• Feature/Permission Set Licenses: Feature licenses grant specific access, permission set licenses grant access to add-on products.
• Profiles/Permission Sets: Profiles grant base access; permission sets add extra access; cannot remove base access with permission sets.

Essay Questions (summarized):

• Combination of OWDs, Role Hierarchy, and Sharing Rules: Integrated approach for record level security in Salesforce; provides diverse access level settings.
• Profiles vs. Permission Sets: Profiles provide baseline access while permission sets add extra access based on need; explain muting permission sets for efficiency.
• Org Level Security: Components like password policies, login hours, trusted IP addresses, MFA; provides necessary authentication and restriction to protect data from unauthorized access.
• Object/Field Level Security: Encourages a layered approach for access control.
• Sharing Model: Sharing model with its components (OWDs, Rules, Roles, Hierarchy, Queues, etc.); discusses its limitations.

Glossary of Key Terms (summarized):

(Each term is defined concisely as in the provided glossary).