5. Salesforce Security

Questions and Answers

What is the primary role of a user license in Salesforce?

It assigns a user’s profile permissions directly.

It dictates the maximum feature access a user can have. (correct)

It allows users to create new orgs.

It determines the maximum data storage for a user.

Which user license allows maximum access to all Salesforce products?

Basic User License

Custom User License

Salesforce Platform License

Salesforce User License (correct)

How can an organization verify its total and consumed user licenses?

By checking the User Access Logs.

By accessing the App Exchange.

By navigating to Setup > Company Settings > Company Information. (correct)

By emailing Salesforce support.

What can a user with a Salesforce Platform license access?

Accounts and Contacts, but not most standard objects.

What happens if an organization needs more user licenses after the initial purchase?

They can purchase additional licenses in groups or individually.

What is the main function of the permissions granted through a user's profile?

To define which features a user can actually access.

What limitation applies to free environments like Trailhead Playground regarding user licenses?

They cannot add any additional licenses.

Which of the following statements is true regarding user licenses?

Only one user can hold a specific type of user license at a time.

What does org level security primarily deal with?

Controlling access and authentication to a Salesforce org

Which of the following settings controls the times that users can log in to Salesforce?

Login Hours

What is the function of Trusted IP Ranges in Salesforce?

To allow logins without additional verification from specific IPs

How can password settings be configured in Salesforce?

On an org-wide level or individual profiles

What happens if a user attempts to log in outside their designated Login Hours?

The user cannot log in until the next available hour

What is Multi-Factor Authentication (MFA) primarily used for?

To provide an additional layer of security beyond username and password

Which of the following is NOT a part of org level security in Salesforce?

User Profile Management

How are IP Ranges set in Salesforce?

Using either IPv4 or IPv6 format

To enforce MFA for all users in the organization, you can enable which setting?

Require multi-factor authentication for all User Interface logins

Which of the following options controls how often a user's password must be reset?

Password Policies

What is the consequence of too many incorrect login attempts?

Account will be locked out

What does the 'End Time' need to be set to prevent a user from logging in on a given day?

12:00 AM

What additional authentication methods can be used for MFA?

Using a one-time passcode or approval request

What is the primary purpose of field level security in Salesforce?

To control user access to fields at the individual level

Which access level allows a user to only view, but not edit, a field?

Read

Which configuration is NOT possible in field level security?

Give edit permissions on formula fields

What resource can be used to adjust field level security settings for existing fields?

Set Field-Level Security button

How can users gain access to records in Salesforce?

Utilizing both record ownership and the sharing model

If a user has no access to a field, what can they do?

Do nothing with the field

Which of the following fields has fixed access that cannot be changed?

Created Date

What does Read and Edit access allow a user to do?

View and modify the values of the fields

What impact does field level security have on object level and record level security?

It does not affect object or record security

Which of the following describes the role of a profile in field level security?

Profiles define permissions for specific users on fields

If a profile has the 'Visible' checkbox selected but not 'Read-Only', what level of access is granted?

Read and edit access

What type of fields cannot have edit access granted due to their nature?

Auto number fields

What does the 'Edit Read Only Fields' permission allow users to do?

Edit fields that are configured as read-only

To which fields does the read-only limitation NOT apply?

Required fields

What determines the maximum capabilities of a user in Salesforce?

User license

What is the primary difference between a permission set license and a feature license?

Feature licenses require no configuration, while permission set licenses do.

Which statement about user licenses is true?

User licenses determine access to profiles and permission sets.

How does a permission set license operate within Salesforce?

It sets a maximum on what a user can do.

What do user interface profile settings primarily control?

Visible apps and tabs for users

Which of the following is NOT a possible tab setting for a profile?

Always Visible

What is required for a user to perform actions allowed by a permission set license?

Being assigned a relevant permission set

What does the 'Customize Application' permission allow users to do?

Make changes in Setup

Which of the following is NOT a function of a user profile in Salesforce?

Grants access to specific features without a license

When cloning a profile to create a custom profile, which aspect remains unchanged?

The user license required

What type of licenses allows a user to perform operations their user license does not permit?

Permission set and feature licenses

Which is a characteristic of feature licenses?

Grant access directly upon selection

Which standard profile provides the maximum access allowed by the Salesforce user license?

System Administrator

Which of the following is an example of a feature license in Salesforce?

Flow User

Which profile allows for the creation and running of reports but does not grant access to all records?

Standard User

Which of the following statements is true about managing licenses in Salesforce?

Both permission set and feature licenses can be assigned independently.

What is the purpose of the 'Manage Users' permission?

To create and edit user records

Why might companies prefer basic user licenses?

Basic licenses have lower costs associated with them.

Which setting allows a tab to display in an app but not in the App Launcher?

Default Off

What is the recommended approach when creating a custom profile?

Clone a similar standard or custom profile

What can be viewed under Setup > Company Settings > Company Information?

Available licenses for your organization

Which of the following correctly describes profiles in Salesforce?

Profiles dictate access to the organization and interface.

Which of the following profiles provides no access to any objects?

Minimum Access - Salesforce

Which profile grants read-only access to User Setup options?

Standard User

Feature licenses typically relate to which of the following?

Specific functional capabilities

What distinguishes administrative profile settings from general permissions?

They control configuration changes to the Salesforce org

Which of the following statements is correct regarding permission set licenses?

They can allow access to additional products.

In which scenario might the standard interface be preferred over the enhanced one?

When editing multiple objects' permissions at once

Which type of security setting should we explore after reviewing user interface settings?

Org Level Security

What is a primary characteristic of a user's profile in Salesforce?

Profiles provide the base set of permissions.

Which of the following statements about permission sets is accurate?

Permission sets can only add access, not remove it.

What happens if you try to assign a permission set that exceeds a user's license?

An error will occur indicating the issue.

What is the maximum number of muting permission sets that a permission set group can have?

One

What action must a user perform to change the ownership of a record?

Use the Change Owner action on the record page

How do permission sets primarily enhance user management?

They allow for the easy assignment of multiple permissions.

What is true about the relationship between permission sets and profiles?

Profiles determine minimum access that can be changed by permission sets.

What occurs if a user with MFA enabled attempts to log in from a Trusted IP Range?

They will be prompted for additional authentication.

Which statement about queues is true?

Every member of a queue has full access to the records owned by that queue.

What is the primary function of object level security in Salesforce?

To control access to standard and custom objects.

What is the most restrictive setting in the sharing model?

Organization Wide Defaults (OWD)

What is the purpose of creating a permission set group?

To assign multiple permission sets without individual assignment.

Why is record level security significant?

It determines access permissions for specific records within an object.

Which permissions can a permission set not control?

Org level security permissions.

Which permission allows a user to edit, delete, and view all records of an object?

Modify All

Which of the following permissions automatically grants the least access to a user?

Create

Which best describes how muting permission sets function?

They can disable permissions granted by the permission sets in the group.

What are Organization Wide Defaults (OWDs)?

Settings governing default access to records of an object for all users

Why might the 'View All Data' permission be considered especially powerful?

It grants the same view access as the 'View All' permission on every object.

What is one benefit of using permission sets over profiles?

Permission sets offer flexibility and ease of use.

Which of the following is NOT an access level for Organization Wide Defaults?

Limited Access

What must a user have in order to own a record?

Read access to the corresponding object

How are object level security permissions usually governed in Salesforce?

Through profiles and permission sets.

Custom permission sets that are not associated with a license can be assigned to which users?

Any user without restrictions.

Which standard profile has the highest level of access across both standard and custom objects in Salesforce?

System Administrator

How can a user return ownership of a record to a queue?

By changing the owner back to the queue

When can a permission set not provide additional access?

When it conflicts with the profile permissions.

How are permissions organized within a permission set interface?

Behind category links.

Which of the following permissions does NOT respect record level security?

Modify All

What is the significance of the 'Controlled By Parent' setting?

It requires permissions on a parent record to access child records.

Which option describes permission sets correctly?

They can be assigned to multiple users at once in groups.

What will happen if a user lacks 'Read' access on an object?

They cannot view any records of that object.

Which of the following is true regarding the 'Public Read/Write/Transfer' option?

Users have both edit access and can change record owners.

What is the primary function of a queue in a sharing model?

To enable shared grouping of users for workload distribution

What does the 'Modify All Data' permission allow a user to do?

Read, create, edit, delete, view all, and modify all records on every object.

How does strong org level security benefit a Salesforce environment?

It protects against unauthorized access from outside threats.

What happens when a user claims ownership of a record from a queue?

They gain full access to that record and can change ownership.

How are Organization Wide Defaults (OWD) set up in a Salesforce org?

By navigating to the Sharing Settings page

When editing user permissions for object access, which method is restricted in standard profiles?

Modifying object permissions.

What does the setting 'Have a user 'Modify All' permission enable them to do?

Read, edit, delete, share, and change the owner of any record of the object.

Under what circumstances should the Organization Wide Default (OWD) be set to 'Public Read Only'?

When at least one user should not have read or edit access.

What is the main purpose of Organization Wide Defaults (OWDs)?

To provide a default level of record access for every user.

What is indicated by the 'View All' permission on an object?

Users can access all records of that object regardless of sharing settings.

How can an organization enforce usage of MFA?

By mandating it for all users from late 2023.

How does the role hierarchy affect record access in Salesforce?

Subordinates automatically inherit the record access of their superiors.

Which option describes the relationship between role hierarchy and sharing in Salesforce?

Role hierarchy allows for full record access propagation when enabled.

What is a public group in Salesforce?

A collection of users created to provide record access through sharing tools.

What is NOT a function of the role hierarchy?

Modifying user roles within the company hierarchy.

When is the 'Grant Access Using Hierarchies' checkbox important?

When users need to inherit access based on their role.

Why might default OWD settings be problematic?

Many standard objects have the most permissive OWD, which can lead to security risks.

Which of the following statements is true about 'View All', 'Modify All', 'View All Data', and 'Modify All Data' permissions?

They grant users full control over records without hierarchy influence.

What should you do if all users in the organization need access to an object?

Set the OWD to 'Public Read/Write'.

What is the main purpose of restriction rules in Salesforce?

To configure user access to records based on specified criteria.

When creating a public group, which option can be utilized to streamline management?

Allow delegated administration groups to manage members.

How can custom objects differ from standard objects in terms of sharing settings?

Custom objects can have the 'Grant Access Using Hierarchies' option modified.

How does a user's access to tasks and events typically get determined in Salesforce?

By their access to the parent record if it exists.

What does a custom permission allow a user to do?

Control a user's access to specific customizations within Salesforce.

Which setting allows the sharing of records among different levels in a hierarchy?

Role-based sharing.

What must be done after creating and granting a custom permission in Salesforce?

Reference the permission in validation rules and formulas.

Which of the following is NOT a benefit of custom permissions?

They allow integration with external application permissions.

What is a potential strategy for establishing interdependencies between custom permissions?

Link a permission requiring two or more other permissions.

Which method can developers use to check custom permissions in Apex?

FeatureManagement.checkPermission() method.

What happens if a user lacks a custom permission required for an action in Salesforce?

They must seek manager approval for the action.

In what scenario would restriction rules be beneficial in Salesforce?

To limit access to specific contracts regardless of account access.

How can custom permissions integrate with Lightning App Builder?

They can control visibility settings for components.

Which objects can support manual sharing?

Lead, Opportunity, and Custom Objects

What criterion must be met for a user to manually share a record?

User must have 'Full Access' to the record

What happens when the owner of a record changes after it has been manually shared?

All manual sharing access is removed

Under which condition can you not manually share a record?

When the object has 'Public Read/Write' OWD

Who can create and implement restriction rules?

Any Salesforce user with the right access

How do restriction rules affect user access to records?

They remove access to records based on criteria

What is the maximum number of restriction rules that can be created per object in Trailhead Playground and Developer Edition?

Two

What determines which records a restriction rule applies to?

Field-value criteria set on the object or parent object

Why can't restriction rules grant users access to records?

They only remove access already held

Which permission allows users to bypass restriction rules?

All of the above

What action should a user take to access manual sharing on a record?

Select the 'Sharing' action

What is the function of the 'Grant Access Using Hierarchies' checkbox in public groups?

It allows record access given to the group members to also be extended to users above them in the hierarchy.

What can trigger an error when accessing a record with restriction rules?

The user has recently viewed the record

What access options exist when manually sharing a record?

View only or view and edit

What are the two types of sharing rules in Salesforce?

Owner-based and criteria-based sharing rules.

Why can public groups not own records?

Records can only be owned by individual users.

What is a consequence of having multiple restriction rules on a single object?

Only one rule will be invoked

How are sharing rules created in Salesforce?

From the Sharing Settings page in Setup.

What happens if the criteria for a sharing rule are no longer met?

Access to the record is permanently revoked.

Which statement about criteria-based sharing rules is true?

They allow access based on predefined field values.

What level of access can sharing rules provide for records, aside from Campaign objects?

Read/Write

Which Salesforce object types support sharing rules?

Custom objects and some standard objects.

If 'Controlled By Parent' is set for an object, what impact does it have on sharing rules?

It prevents the creation of sharing rules for that object.

What is the capacity of manual sharing in Salesforce?

Permit users with full access to grant limited access to others.

In what way do public groups assist in managing record access?

They simplify sharing access by grouping users.

What is one limitation of sharing rules mentioned in the content?

They cannot extend access beyond role-based permissions.

How does manual sharing differ from other sharing methods?

It requires users to have full access to the record to share it.

Study Notes

User Licenses

• User licenses determine the maximum features a user can access in Salesforce.
• Each org has a set number of licenses, purchased individually or in groups.
• Free orgs (e.g., Trailhead Playgrounds, Developer Edition) have limited licenses.
• Salesforce licenses provide full access to all org features.
• Salesforce Platform licenses are limited to specific features (e.g., Accounts, Contacts, reports).
• Licenses are assigned to users via the User License picklist.
• Permissions in profiles and permission sets determine user capabilities, not licenses.
• Companies use the least expensive license that meets requirements.

Extending User Licenses

• Permission Set License: Expands user permissions beyond their base license.
• Feature License: Grants extra permissions for specific Salesforce features.
• Permission set licenses often relate to add-on products (e.g., Field Service, Commerce Cloud) and products' specific functionalities.
• Feature licenses target specific aspects like Flows, Knowledge, or Marketing.
• Feature licenses are assigned to users via checkboxes.
• Permission Set Licenses require a linked permission set.

Profiles

• Profiles define a user's basic permissions.
• Orgs come with standard profiles and allow custom profiles.
• Profiles control user interface access (apps, tabs, record views).
• Profiles categorize permissions for the org (org, objects, fields), user interface (apps, tabs), and general administration.
• Profiles control actions like import/export, reporting and dashboards, standard object operations.
• Use existing profiles as a starting point when creating custom ones.
• Standard profiles include Minimum Access - Salesforce, Standard User, System Administrator.

Permission Sets

• Permission sets grant additional permissions beyond profiles.
• Standard permission sets are tied to licenses.
• Custom permission sets can be tied to licenses or not.
• Permission sets add permissions; they do not remove them, even when multiple sets exist.
• Permission set groups can assign multiple permission sets efficiently.
• Muting permission sets within groups allows disabling specific permissions without removing from the set.

Org Level Security

• Org level security controls access and authentication to the Salesforce org.
• Password settings enforce password requirements (length, complexity, reset frequency).
• Login Hours and Login IP Ranges restrict login times and locations.
• Multi-Factor Authentication (MFA) adds security beyond username/password.
• Trusted IP Ranges allow login from unrecognized devices without additional verification.
• Device Activation requires verification for unrecognized login attempts.

Object Level Security

• Object level security controls user actions on specific Salesforce objects.
• Permissions include Read, Create, Edit, Delete, View All, Modify All.
• View All Data grants View All on all objects.
• Modify All Data grants full access across all objects.
• Security is managed through profiles and permission sets.
• Access to custom objects is only possible with custom profiles or permission sets.

Field Level Security

• Field level security controls user access to specific fields on objects.
• Access levels include: no access, read, read/edit.
• Security is configured per field and per profile.
• Settings for required, auto-number, and formula fields are predetermined.

Record Level Security

• Record-level security determines which records a user can access.
• Users can have full access to records they own or access based on other security configurations.
• Access is determined by record ownership and through various sharing model tools.

Queues

• Queues are groups of users to share record ownership and tasks.
• Queues are effective for distributing workloads among users.
• Members can claim and release records' ownership as needed.

Organization Wide Defaults (OWD)

• OWDs are default record sharing permissions for all users on each object.
• Common levels are Private, Public Read Only, and Public Read/Write.
• OWD settings are assigned on an object-by-object basis affecting all users.

Role Hierarchy

• The role hierarchy represents company structure in Salesforce.
• Users inherit access from those below them in the hierarchy.
• Role-based sharing propagates record access vertically.
• Access granted through hierarchies doesn't affect users in other roles or branches.

Public Groups

• Public groups organize users for record sharing or other actions.
• Members can be individuals, role holders, or members of other public groups.
• Public groups often contain all logged-in users (e.g., All Internal Users).
• Record access granted to a group typically propagates through the role hierarchy.

Sharing Rules

• Sharing rules are defined conditions that allow granting access to records based on specific criteria.
• They can be owner-based (access based on owner) or criteria-based (access based on criteria).
• They are used to extend access beyond OWDs and role-based sharing.
• Sharing rules can't be used on objects controlled by parent.

Manual Sharing

• Allows users with full access to (manually) share records with others.
• Access levels include read or read/edit access.
• Ideal for one-time record access requirements.
• Access is often tied to roles and objects.

Restriction Rules

• Restriction rules remove record access based on criteria.
• Applicable to custom objects or specific standard objects.
• Criteria include field values and custom permissions.
• Useful for restricting access to specific objects under particular conditions.

Custom Permissions

• Custom permissions allow controlling user access to specific features or actions in Salesforce.
• Create custom control user access to features in Salesforce.
• Enforce specific conditions depending on user access and criteria.
• Useful in adding granular control to custom implementations and operations.

Description

Test your knowledge about user licenses in Salesforce. This quiz covers various aspects, including the roles, types, and limitations of user licenses within the Salesforce ecosystem. Challenge yourself to see how much you know about managing user access and licensing requirements.