Salesforce Certified Sharing and Visibility Designer – All Combined – Flashcards
question
Who can see a Private file?
answer
File owner and users with the Modify All or View All Data permissions. *If file is in a Private library, only file owner has access.
question
Who can see a Privately Shared file?
answer
Only the file owner, users with "Modify All Data" or "View All Data" permission, and specific file viewers can find and view this file.
question
When does a File have a Sharing Setting of Private?
answer
1. Upload it in Files Home 2. Publish it to your Private Library 3. Sync a file in your Salesforce Files Sync folder 4. Stop sharing it with everyone (Make Private) 5. Delete posts that include the file and the file isn't shared anywhere else
question
When does a File have a Sharing Setting of Privately Shared?
answer
1. Only shared with specific people or a private group 2. Posted to a private group 3. Shared via link 4. Posted to a feed on a record 5. Published to a shared library
question
When does a File have a Sharing Setting of Your Company?
answer
1. Posted to a feed that all users can see, a profile, a record, or a public group
question
Which permissions does a File Viewer have?
answer
1. View or Preview 2. Download 3. Share 4. Attach a File to a Post 5. Sync a File
question
Which permissions does a File Collaborator have?
answer
1. View or Preview 2. Download 3. Share 4. Attach a File to a Post 5. Sync a File 6. Upload New Version 7. Edit Details 8. Change Permission
question
T/F Do records have viewer permission for files posted to their feeds?
answer
True
question
Which permission is needed to sync files?
answer
Sync Files
question
Who can grant access to a record?
answer
1. The record owner 2. A user in a role above the owner in the hierarchy 3. Any user granted Full Access to the record 4. An administrator
question
To whom can you grant access to a record?
answer
1. Managers Group 2. Manager Subordinates Groups 3. Public Groups 4. Personal Groups 5. Users 6. Roles 7. Roles and Subordinates 8. Roles and Internal Subordinates 9. Roles and Internal and Portal Subordinates 10. Territories 11. Territories and Subordinates
question
T/F You can share an opportunity or case to users without Read access on the Account and where you do not have the ability to share the Account.
answer
False
question
What are the three key components of the ownership-based architecture?
answer
1. Owner field for all records 2. Object share tables 3. Group membership tables
question
Which fields does a row in an object share table contain?
answer
1. ID of the record being shared 2. ID of the user or group being granted access 3. Level of access 4. Reason the access is being granted
question
How many sharing records are created when a group of 5 users is granted access?
answer
One. A single sharing record is created for groups in the object share table.
question
Describe the process followed when a user requests access to a record.
answer
1. First, it checks whether a profile, permission set, or OWD setting already gives the user the level of access requested. 2. If the user does not have that level of access, the system queries the object share table to see if there is a row in which the record's ID and user's ID appears. 3. Next, it queries the group membership table to identify all groups that could provide access to the user. 4. It then scans the object share table again to see if there is a row in which any of these groups has already been granted access. 5. Finally, it compares the level of access granted directly to the user with the levels of access granted to the groups the user belongs to, giving the user the least restrictive level of access.
question
What are role groups?
answer
Role groups give users assigned to a role access to records owned by or shared to members of subordinate roles, and records shared to the subordinate roles themselves.
question
What security tactic should you employ if you don't want anyone including the record owner, to be able to delete or share the record?
answer
Create a "dummy" or "integration" user to own the data, then use sharing rules or Apex to share data to the appropriate groups.
question
What functions are granted with the Manage Salesforce CRM Content permission?
answer
1. Create, edit, and delete libraries 2. Edit library permission *inclusive of the other CRM Content user permissions
question
What functions are granted with the Manage Content permission?
answer
1. Create, edit, and delete library permissions
question
What functions are granted with the Manage Content Properties permission?
answer
1. Create, edit, and delete custom fields in CRM Content
question
What functions are granted with the Manage record types and layouts for Files permission?
answer
1. Create, edit, and delete record types in CRM Content 2. Create, edit, and delete page layouts in CRM Content
question
What is a library permission?
answer
A group of privileges assigned to each CRM Content library member. It determines which tasks a member can perform in a particular library. *A user can have a different library permission in each of their libraries.
question
How do you create a library permission?
answer
Setup > Content Permissions > Add a Library Permission
question
What permissions does the Manage Library privilege grant?
answer
Perform any action in the library. *Required to edit libraries' name and description, add or remove library members, or delete a library
question
What permissions does the Add Content privilege grant?
answer
Publish new content to the library, upload new content versions, or restore archived (deleted) content. Content authors can also change any tags associated with their content and archive or delete their own content.
question
What permission does the Deliver Content privilege grant?
answer
Create a content delivery using any files in the library.
question
What permissions does the Attach or Share Content within Chatter privilege grant?
answer
Make content from this library accessible in Chatter. Within Chatter, select a file from the library and attach it to a post or share it.
question
What are the org-wide default options for content-delivery password protection?
answer
1. Password protection is optional and defaults to OFF 2. Password protection is optional and defaults to ON 3. Password protection is required
question
How many content-delivery views are allowed within a 24-hour period?
answer
20,000
question
How much bandwidth is allocated to content deliveries within a 24-hour period?
answer
10 GB
question
Which file types of content delivery are not supported for online views?
answer
Any document over 25 MB is not supported.
question
T/F Customer Portal and Partner Portal users can create content deliveries?
answer
False
question
What are your options when restricting the record types available in the library?
answer
1. Allow content with any record type to be linked to this library *Enable content published in other libraries to be shared to the library with the record type restrictions 2. Do not apply record type restrictions to existing content *Select if you do not want to receive warnings regarding existing content. You will not be notified if existing content uses record types that are now restricted.
question
What happens when there are no record types in common between a user profile and a library?
answer
The default record type of the library becomes available to the users with that user profile who are sharing files with the library.
question
What are the available library tagging rules?
answer
1. Open Tagging - no restrictions 2. Guided Tagging - contributors may enter any tag they would like, but a list of suggested tags is offered. 3. Restricted Tagging - contributors must select from a list of suggested tags
question
What can a Portal user without a Salesforce CRM Content feature do with Content?
answer
Download, rate, comment on, and subscribe to content if they have the "View Content on Portals" user permission. Content delivery unavailable.
question
What can a Portal user with a Salesforce CRM Content feature do with Content?
answer
1. Access all CRM Content features granted by their library permission(s), including contributing content, moving and sharing content among libraries, and deleting content. 2. View CRM Content reports. Content delivery feature unavailable.
question
Why would you need to use a custom permission?
answer
Although permission sets and profile settings include access settings to many things (like objects, fields, etc.), they don't include access for some custom processes and apps. Use custom settings when standard functionality isn't enough.
question
What are custom permissions?
answer
They let you define access checks that can be assigned to users via permission sets or profiles.
question
What is an example of a custom permission?
answer
You can define access checks in Apex that make a button on a VF page available only if a user has the appropriate custom permission.
question
What is an external object?
answer
They are similar to custom objects, except they map to data that's stored outside of Salesforce. They enable your users to search and interact with external data.
question
What are the four types of Access Grants?
answer
1. Explicit Grants 2. Group Membership Grants 3. Inherited Grants 4. Implicit Grants
question
What is an Explicit Grant?
answer
Records are shared directly to users or groups (Ex: - A user or queue becomes the owner of a record. - A sharing rule shares the record to a public group, queue, role, or territory - An assignment rule shares a record to a user)
question
What is a Group Membership Grant?
answer
A grant that occurs when a user, public group, queue, role, or territory is a member of a group that has explicit access to the record.
question
What is an Inherited Grant?
answer
A grant that occurs when a user, group, queue, role, or territory inherits access through a role or territory hierarchy.
question
What is an Implicit Grant?
answer
A grant that occurs when a built-in record sharing behavior provides access to a record. (Ex: - Users can view a parent record if they have access to its child opportunity. - If a User has access to a parent account record, they also have access to its child opportunity, case, and contact records.)
question
Which three tables does Salesforce use to store access grants?
answer
1. Object Record Tables 2. Object Sharing Tables 3. Group Maintenance Tables
question
What information do the Object Sharing Tables contain?
answer
The tables store data that supports explicit and implicit grants. Each object has its own Object Sharing Table unless it is a detail in a master-detail relationship.
question
What information do the Group Maintenance Tables contain?
answer
The tables store data supporting group membership and inherited access grants (Ex: If the Object Sharing Table grants access to a specific User, Salesforce checks the Group Maintenance Table to determine which users inherit access from Bob and grants these users access to the record.)
question
What do sharing rows do?
answer
Grant users or groups access to a specific record.
question
What do sharing rows include?
answer
1) Record ID 2) User or Group ID 3) Level of Access 4) Row Cause
question
What are the three system-defined groups in Group Maintenance Tables?
answer
1) Roles 2) RolesandSubordinates 3) RolesandInternalSubordinates
question
T/F Removing someone from an Account Team removes them from the Opportunity Team?
answer
False
question
Which fields does the Account Team contain?
answer
1) Account Access 2) Case Access 3) Contact Access 4) Opportunity Access 5) Team Member 6) Team Role
question
Which permissions do you need to create custom list views?
answer
1) Read access on the object 2) Create and Customize List Views
question
Which permission do you need to create, edit, or delete public list views?
answer
1) Manage Public List Views
question
To what can you share a report folder?
answer
1) User 2) User Group 3) Role 4) Role and Subordinate
question
Which access levels can be granted for a report folder?
answer
1) Viewer 2) Editor 3) Manager
question
What is the difference in report folder permissions between Editor and Manager?
answer
Managers can do everything Editors can do AND control who has access to the folder, delete it, and change its properties.
question
If you have access to an account's child record, what permission does that grant you to the account?
answer
Read Only
question
If you have access to an account, what permission does that grant you to its children (Contacts, Cases, Opportunities)?
answer
Depends on the account owner's role
question
What are the three Communities User Licenses?
answer
1) Customer Community 2) Customer Community Plus 3) Partner Community
question
What is the Customer Community license best used for?
answer
B2C with large number of external users (up to 10 million users)
question
What is the Customer Community Plus license best used for?
answer
B2B for support and non-sale scenarios (up to 1 million users)
question
What is the Partner Community license best used for?
answer
B2B that need access to sales data (up to 1 million users)
question
What is a sharing set?
answer
Grants HVC access to any account or contact that matches the user's contact or account. Also supports indirect lookups
question
What is a share group?
answer
Because HVC don't have roles, share groups are used to specify the other external users that should have access to HVC owned records.
question
Term for an owner of more than 10,000 Records?
answer
Ownership Data Skew
question
What issues are caused by Ownership Data Skew?
answer
Changing the owner of that account or moving those users in the hierarchy requires the system to recalculate all the sharing and inheritance for all the data under the account.
question
What is a workaround to ownership data skew?
answer
You can minimize possible performance impacts by not assigning the user(s) to a role.
question
Recommendations for data skew issues when you must have a small group or single owner
answer
• Place them in a separate role at the top of the hierarchy • Not move them out of that top-level role • Keep them out of public groups that could be used as the source for sharing rules
question
Tuning Group Membership for Performance
answer
Understand the performance characteristics of the various group maintenance operations that you are performing and always test substantial configuration changes in a sandbox environment so you know what to expect in production.
question
Group Membership Tuning 1
answer
• Identify user and group updates that are complex, such as user role and portal account ownership changes, or updates that involve a large amount of associated data. Allow for additional time to process these changes.
question
Group Membership Tuning 2
answer
• When making changes to the hierarchy, process changes to the bottom (leaf) nodes first, then move upward to avoid duplicate processing.
question
Group Membership Tuning 3
answer
• Limit the number of records of an object owned by a single user to 10,000.
question
Group Membership Tuning 4
answer
• Run group maintenance operations single threaded to prevent locking. Investigate whether the use of granular locking will allow some of your operations to run simultaneously.
question
Granular Locking
answer
By default, the Force.com platform locks the entire group membership table to protect data integrity when Salesforce makes changes to roles and groups. This locking makes it impossible to process group changes in multiple threads to increase throughput on updates.
question
Group Membership Tuning 4
answer
• Tune your updates for maximum throughput by experimenting with batch sizes and using the bulk API, where possible.
question
Group Membership Tuning 5
answer
• Remove redundant paths of access, such as sharing rules that provide access to people who already have it through the hierarchy.
question
Parent Child Data Skew
answer
A common configuration that can lead to poor performance is the association of a large number of child records (10,000 or more) with a single parent account. Parent-child data skew can cause serious performance problems in the maintenance of implicit sharing.
question
Data Relationship Tuning 1
answer
• Use a Public Read Only or Read/Write organization-wide default sharing model for all non-confidential data.
question
Data Relationship Tuning 2
answer
• To avoid creating implicit shares, configure child objects to be Controlled by Parent wherever this configuration meets security requirements.
question
Data Relationship Tuning 3
answer
• Configure parent-child relationships with no more than 10,000 children to one parent record.
question
Data Relationship Tuning 4
answer
• If you are encountering only occasional locking errors, see if the addition of retry logic is sufficient to solve the problem.
question
Data Relationship Tuning 5
answer
• Sequence operations on parent and child objects by ParentID and ensure that different threads are operating on unique sets of records.
question
Data Relationship Tuning 6
answer
• Tune your updates for maximum throughput by working with batch sizes, timeout values, the Bulk API, and other performance-optimizing techniques
question
Community User Limits
answer
Partner or Customer Community Plus 1 million. Customer 10 million
question
Apex Sharing Reason Best Practice
answer
When writing Apex sharing code, don't use Manual as the sharing reason, otherwise everything gets wiped out on an owner change.
question
Files: Private Sharing Setting
answer
The file is private. It hasn't been shared with anyone else besides the owner. The file owner and users with "Modify All Data" permission can find and view this file. However, if the file is in a private library, only the file owner has access to it.
question
Files: Private Sharing Setting 2
answer
A file is private when you: Upload it in Files home, Publish it to your private library, Sync a file in your Salesforce Files Sync folder, Stop sharing it with everyone (Make Private), Delete posts that include the file and the file isn't shared
question
Files: Privately Shared Sharing Setting
answer
The file has only been shared with specific people, groups, or via link. It's not available to all users in your company. Only the file owner, users with "Modify All Data" or "View All Data" permission, and specific file viewers can find and view this file.
question
Files: Privately Shared Sharing Setting 2
answer
A file is privately shared when it's: Only shared with specific people or a private group, Posted to a private group, Shared via link, Posted to a feed on a record, Published to a shared library
question
Files: Your Company Sharing Setting
answer
All users in your company can find and view this file. A file is shared with your company when it's posted to a feed that all users can see, a profile, a record, or a public group.
question
Record Ownership Background
answer
Record ownership is at the core of Salesforce's record access capabilities, which allow you to specify which users or types of users should be able to access specific records or types of records.
question
Ownership Use Case: Solo Work
answer
For many assignments, employees work independently for their individual customers and have their progress monitored by their team's manager. Configuring access at the role level is ideal for this use case because the role hierarchy configures record access vertically.
question
Ownership Use Case: Ad hoc collaboration
answer
Every organization must both protect sensitive data and allow its users to collaborate so they can quickly solve problems for their customers. The record ownership model clarifies which user is responsible for keeping each record accurate and secure, and allows record owners to share
question
Ownership use case: Structured collaboration
answer
As companies grow and need to allocate responsibilities for processes and functions across many business units, the members of their organization need to share data across these business units more and more often. A company's customer service team needs business
question
How Ownership Drives Record Access "Under the Hood"
answer
All of the data sharing capabilities of the Force.com platform are supported by three key components of the ownership-based sharing architecture. An Owner field for all records, except detail records in master-
question
Sharing Strategies for Maximum Security 1
answer
If you set a custom object's organization-wide default to Private and deselect "Grant Access Using Hierarchies" for that object, then without additional sharing, only record owners and administrators can access the object's records.
question
Sharing Strategies for maximum security 2
answer
If you, as an administrator, don't want anyone else, including a record owner, to be able to delete or share the record, you might need to create a "dummy" or "integration" user to own the data, then use sharing rules or Apex code to share the data to the appropriate groups and
question
Account Team Security
answer
Page layout and field-level security settings determine which fields are visible and editable.
question
Sharing between accounts and child records
answer
Access to a parent account—If you have access to an account's child record, you have implicit Read Only access to that account. Access to child records—If you have access to a parent account, you have access to the associated child records. The
question
Sharing behavior for portal users
answer
Account and case access—An account's portal user has Read Only access to the parent account and to all of the account's contacts. Management access to data owned by Service Cloud portal users—Since Service Cloud portal users don't have roles, portal account owners can't
question
Implicit Sharing: Boss
answer
Access to records owned by or shared to portal users for internal users
question
Shared to the role of the account owner. Also supports inheritance within portal roles
answer
Implicit Sharing: Portal
question
Access to portal account and all associated contacts for all portal users under that account. Shared to the lowest role under the portal account
answer
Implicit Sharing: Community
question
Access to data owned by Community users under a portal for internal users who are members of the portal share group. All members of the share group gain access to every record owned by every Community portal user.
answer
Implicit Sharing: Community Parent
question
Access to the parent accounts of child records shared through the Community portal share group for internal users who are members. Maintains the ability to see the parent account when internal users are given access to account children owned by Community portal users
answer
Community (footnote)
question
To allow portal users to scale into the millions, Community users have a streamlined sharing model that does not rely on roles or groups, and functions similarly to calendar events and activities. Community users are provisioned with the Service Cloud Portal or Authenticated
answer
Partner Roles
question
Partner users at a given role level are always able to view and edit all data owned by or shared with users below them in the hierarchy, regardless of your organization's sharing model. Use administrative reports to manage your partner roles.
answer
Portal Groups
question
All Partner Portal Users group: Contains all partner portal users in your organization. All Internal Users group: Contains all Salesforce users in your organization
answer
Roles and Internal Subordinates sharing rule category
question
Allows you to create sharing rules in which you can choose specific Salesforce users in your organization by role plus all of the users in roles below that role, excluding any partner portal roles
answer
Partner Portal Role Hierarchy
question
A portal user role hierarchy is created for an account and its contacts when you enable the first partner portal user on that account. The account is added to the role hierarchy beneath the user that owns the account. Whenever you enable a contact as a partner portal user, he or she is automatically assigned.
answer
Accounts with different portal types
question
Accounts with different portal types have a separate role hierarchy for each portal. Role names include the portal type with which they are associated.
answer
Partner Users
question
All users in a partner user role have read access to all contacts under their partner account even when the contact sharing model is private. Partner users have read-write access to tasks associated with any object they can access. They also have read access to events associated with any object they can access.
answer
Reporting on Portal Roles
question
To view the roles assigned to your partner portal users, create a custom report, choose Administrative Reports, select Users as the data type, and add Role to your report columns.
answer
Deletion of Partner Portal Roles
question
When you delete partner portal roles, the roles are renamed to maintain the hierarchy. For example, if the Manager role is deleted from a three-role hierarchy of Executive, Manager, and User, then the Executive role is renamed to Manager but its ID remains the same. When you create a
answer
Partner Portal Super User Access
question
Users can be assigned super user access to give them access to data owned by other users belonging to the same role or those below in the hierarchy. For example, a Partner Manager with super user access can see data owned by other users in the Partner Manager role and the Partner User roles.
answer
Sharing Sets
question
A sharing set grants high-volume users access to any record associated with an account or contact that matches the user's account or contact. You can also grant access to records via access mapping in a sharing set, which supports indirect lookups from the user and target record to the account or
answer
Share Groups
question
High-volume users are limited-access users intended for organizations with many thousands to millions of external users. Unlike other external users, high-volume users don't have roles, which eliminates performance issues associated with role hierarchy calculations. Because high-volume community users are
answer
Original Territory Management
question
Salesforce's original territory management feature lets you grant users access to accounts based on criteria such as postal code, industry, revenue, or a custom field relevant to your business.
answer
Enterprise Territory Management
question
Enterprise Territory Management builds upon the original feature by introducing territory types, territory models, and territory model states. These components let you create and preview multiple territory structures and strategies before you activate
answer
Enterprise Territory Management 2.0 Features
question
Multiple Territories/Hierarchy. Collaborative Forecasting (based on Role Hierarchy, not Territory Hierarchy). Territory Hierarchy Deep Clone. Rule Sharing among multiple Territories. Audit Trail. User Role in Territory
answer
Inherited Account Assignment Rules
question
When you add parent territories to the territory hierarchy, it's also a good idea to add inherited account assignment rules to those territories. If you follow this practice, you can both prevent the rules engine from having to evaluate entire branches of your territory hierarchy and
answer
Re-parent from the Bottom Up
question
When modifying your territory hierarchy, re-parent each node of the territory from the bottom up to avoid having to recalculate access for the same territories.
answer
Programmatic Territory Sharing
question
When any object in Salesforce is shared to a territory, the access granted to that object is based on the territory group the object was shared to, and traverses both the territory and role hierarchies. This process allows customers to architect the matrixed visibility of the Salesforce Territory
answer
Integrating with an assignment engine external to Salesforce
question
Configure a workflow rule to detect when a record owner is changed, and use an outbound message to trigger your assignment engine to take appropriate action.
answer
Sensitive Data Definition
question
Sensitive data is also called personally-identifying information (PII) or high business impact (HBI) data. What is considered sensitive data varies greatly from state to state and country to country. Various compliance standards, such as the Payment Card Industry (PCI) compliance
answer
Sensitive Data Includes
question
Passwords. Passphrases. Encryption keys. OAuth tokens. Purchase instruments, such as credit card numbers. Personal contact information such as names, phone numbers, email addresses, account usernames, physical addresses,
answer
Group Sharing Core Principles
question
Moving users from one group to another triggers organization-wide group membership locks, so highly dynamic groups can have a negative impact on performance. The use case which will provide peak performance includes a group of users who share the same visibility and
answer
Security and Code
question
External service integration points, VisualForce controllers and triggers all have the potential for bypassing existing security configurations.
answer
Why doesn't Apex enforce platform security at all times?
question
Enforcing sharing rules at compile time is impractical, as that would require recompiling code (with the associated possibility of compile time errors) for each user. Enforcing security at runtime would be potentially very costly in terms of performance,
answer
Security Boundaries
question
When and where security gets enforced using code
answer
"With Sharing"
question
Sharing rules are implemented as part of the query system. When a class is defined "With Sharing", queries and searches will only return objects that are accessible to the user. But when it comes to Apex, that's about all you can count on. If your class is defined Without sharing, queries and searches will ignore sharing rules. And
answer
"With Sharing" 2
question
There is no guarantee that a class declared as with sharing doesn't call code that operates as without sharing. Class-level security is always still necessary. In addition, all SOQL or SOSL queries that use PriceBook2 ignore the with sharing keyword. All PriceBook records are returned, regardless of the applied sharing rules.
answer
Apex: System Context
question
Apex generally runs in system context; that is, the current user's permissions, field-level security, and sharing rules aren't taken into account during code execution.
answer
The only exceptions to this rule are Apex code that is executed with the executeAnonymous call and Chatter in Apex.
question
Apex Managed Sharing
answer
Apex Managed Sharing allows you to use Apex Code to build sophisticated and dynamic sharing settings that aren't otherwise possible. For example, a developer can use Apex Managed Sharing to write a trigger that will automatically share a custom object record with a user that
question
isAccessible()
answer
Calling isAccessible() or any field-level access checks on a field automatically checks that the user has the corresponding CRUD access to the object type.
question
Apex web services do not have a VisualForce layer to automatically enforce CRUD/FLS and always need to call isAccessible() on all SObject fields before returning
answer
Schema.DescribeSObjectResult
question
For example, you can call the isAccessible, isCreateable, or isUpdateable methods of Schema.DescribeSObjectResult to verify whether the current user has read, create, or update access to an sObject, respectively. Similarly, Schema.DescribeFieldResult exposes these access control methods that you can call to
answer
Managing Group Membership Locks for Success
question
Many organizations have user-driven group membership changes which can compete with your business-critical operations. Since these changes cannot be throttled, business process should be implemented to perform significant changes during
answer
Group Membership Lock Events
question
Role creation. Role deletion. Moving a role in the hierarchy. Adding a user to a territory. Removing a user from a territory. Moving a territory in the hierarchy. Territory deletion. Territory creation.
answer
Customers can lessen the chance of locking errors by:
question
Scheduling separate group maintenance processes carefully so they don't overlap
answer
Implementing retry logic in integrations and other automated group maintenance processes to recover from a failure to acquire a lock. Using the granular locking
question
Single Thread
answer
Single thread performance is the amount of work completed by some software that runs as a single stream of instructions in a certain amount of time.
question
SF Compliance
answer
Salesforce.com's services are certified as compliant with some of the most rigorous, industry-accepted security, privacy, and reliability standards. We are certified and audited to standards as a service provider with the ISO/IEC 27001:2005 standard (including ISO 27001), SAS 70 Type II (now SSAE No. 16),
question
SF Database Security
answer
When a user establishes a connection, Force.com assigns the session a client hash value. Along with forming and executing each application request, Force.com confirms that the user context (an organization ID, or "orgID") accompanies each request and includes it in the WHERE clause of all SQL statements to
question
Encrypted Custom Fields
answer
Encrypted custom fields do have some restrictions that might be important to your use case; they cannot be an external ID and do not have default values, and they are not searchable or available for use in filters such as list views, reports, roll-up summary fields, and rule filters.
question
Encryption Keys
answer
Force.com automatically encrypts this data using AES 128. It then uses key splitting to separate the keying material between application server and database so that no single salesforce.com administrator can recover both parts of the key.
question
Apex Crypto Class
answer
As per the Crypto Class documentation in the Apex Developer's Guide, the Apex Crypto class provides a number of cryptographic functions for creating digests, message authentication codes, and signatures, as well as functions for encrypting and decrypting information
question
Viewing Encrypted Data
answer
Only users with the permission "View Encrypted Data" can see data in encrypted custom text fields.
question
Implementing Classic Encryption
answer
Encrypted fields are encrypted with 128-bit master keys and use the Advanced Encryption Standard (AES) algorithm. You can archive, delete, and import your master encryption key. To enable master encryption key management, contact Salesforce. You can use encrypted fields in
question
Encrypted Text Field Restrictions
answer
Cannot be unique, have an external ID, or have default values. For leads, are not available for mapping to other objects. Are limited to 175 characters because of the encryption algorithm. Are not available for use in filters such as list views,
question
Encrypted Text Fields 2
answer
Encrypted fields are editable regardless of whether the user has the "View Encrypted Data" permission. Use validation rules, field-level security settings, or page layout settings to prevent users from editing encrypted fields. You can still validate the values of encrypted fields
question
Encrypted Text Fields 3
answer
Encrypted field data is not always masked in the debug log. Encrypted field data is masked if the Apex request originates from an Apex Web service, a trigger, a workflow, an inline Visualforce page (a page embedded in a page layout), or a Visualforce email template. In other cases,
question
Encrypted Text Fields 4
answer
Existing custom fields cannot be converted into encrypted fields nor can encrypted fields be converted into another data type. To encrypt the values of an existing (unencrypted) field, export the data, create an encrypted custom field to store that data, and import that data into the new encrypted field.
question
When to use encrypted fields
answer
Use encrypted custom fields only when government regulations require it because they involve more processing and have search-related limitations.
question
Shield Platform Encryption
answer
Shield Platform Encryption gives your data a whole new layer of security while preserving critical platform functionality. It enables you to encrypt sensitive data at rest, and not just when transmitted over a network, so your company can confidently comply with privacy policies,
question
Shield Platform Encryption 2
answer
Shield Platform Encryption builds on the data encryption options that Salesforce offers out of the box. Data stored in many standard and custom fields and in files and attachments is encrypted using an advanced HSM-based key derivation system, so it is protected even when other
question
What are the 3 key components of record ownership?
answer
* Owner field (except on detail records) * Object Share Tables * Group Membership Tables
question
Territory Management Objects/Decision Point
answer
Territory Management natively supports assignments for only accounts and opportunities. To assign additional types of object records such as leads, orders, or custom object records, you must make significant customizations to your organization.
question
Territory Management LDV/Decision Point
answer
Organization B frequently realigns its 400,000 accounts. This number might seem large, but Salesforce has customers who realign over 60 million accounts. For the Salesforce Territory Management decision tree, consider that an organization with more than 200,000 accounts has large
question
Team-Based Territory Management
answer
Team-based territory management uses accounts and sales teams to define responsibilities across a sales organization. Team-based territory management works as an alternative to the Territory Management feature when territory assignments affect only accounts and
question
Public Group-Based Territory Management
answer
Public group-based territory management uses Salesforce public groups to define teams associated with accounts, opportunities, leads, and other types of records. You can nest public groups to establish a record access hierarchy separate from your role hierarchy, but your forecasts
question
Criteria-Based Territory Management
answer
Criteria-based sharing territory management uses criteria-based sharing rules to define responsibilities across a sales organization. Because of the limited number of criteria-based sharing rules available per object, only use criteria-based territory management if your organization is small.
question
Territory Models
answer
Only one model can be in the Active state at one time in your organization, and you can only activate a model that is in the Planning state. After activating a model, you cannot reset it to Planning state: you can only set it to Archived state.
question
Platform Encryption Best Practice: Number Fields
answer
Don't use Currency and Number fields for sensitive data. You can often keep private, sensitive, or regulated data safe without encrypting associated Currency or Number fields. Encrypting these fields could have broad functional consequences across the platform, such as disruptions to roll-up summary reports, report timeframes, and calculations, so they are not encryptable.
question
Platform Encryption Keys
answer
Encrypt your data using the most current key. When you generate a new tenant secret, any new data is encrypted using this key. However, existing sensitive data remains encrypted using previous keys. In this situation, Salesforce strongly recommends re-encrypting these fields using the latest key. Contact Salesforce for help with this.
question
What is a territory type?
answer
Allows you to organize territories by key characteristics. Every territory must have a territory type. Do not appear in territory hierarchy.
question
What is a Territory Model?
answer
A territory model represents a complete territory system. Modeling allows you to create and preview multiple territory structures and user/account assignments before activating the model.
question
What is a Territory Hierarchy?
answer
The territory hierarchy displays the territory structure. You can create, edit, and delete territories; run assignment rules, assign territories to opportunities, activate or archive the model.
question
What is the Territory Model State?
answer
The territory model state indicates whether a territory is in the planning stage, in active use, or archived.
question
What actions can you take on an archived territory?
answer
Admins can view hierarchy and rule assignments. The territory no longer provides account access. Note: Only active models can be archived, and archived models cannot be reactivated. When you archive or delete a territory, the Territory field on the opportunity becomes blank.
question
What does the Manage Territories permission grant?
answer
1) Create territory models and all related records 2) View and manage territory models in all states: Planning, Active, and Archived 3) Activate, archive, delete, or clone territory models 4) View territory info on territory-assigned account records for territories in models in all states
question
Which territory functionality is accessible with the View Setup and Configuration permission?
answer
1) View the Salesforce Setup tree 2) View the territory model in Active state 3) View the name of all account records assigned to territories in the Active territory model 4) View territory info on territory-assigned account records for territories in models in the Active state
question
How can you assign territories to opportunities?
answer
Filter-based opportunity assignment allows you to use a simple job to assign territories to opportunities.
question
T/F Enterprise Territory Management can be enabled with Customizable Forecasting?
answer
False
question
T/F Enterprise Territory Management can be enabled with Collaborative Forecasting?
answer
True (but they are not integrated to work with one another.)
question
What are the default access levels for accounts in territories?
answer
1) View accounts assigned to a territory 2) View and edit accounts assigned to a territory 3) View, edit, transfer, and delete accounts assigned to a territory
question
What are the default access levels for opportunities in territories?
answer
1) Not access opportunities the user does not own that are associated with accounts in a territory 2) View all opportunities associated with accounts in the territory 3) View and edit all opportunities associated with accounts in the territory, regardless of who owns the opportunities
question
What are the default access levels for cases in territories?
answer
1) No access to cases the user does not own that are associated with accounts in the territory 2) View all cases associated with accounts in the territory 3) View and edit all cases associated with accounts in the territory, regardless of who owns the opportunities
question
How many territory models can you create?
answer
1) Developer - 4 2) Enterprise - 2 3) Performance - 4 4) Unlimited - 4
question
How many territories can a territory model have?
answer
1,000
question
How can accounts be assigned to a territory?
answer
1) Manually 2) Rules to automate assignment
question
What is the best practice for assigning a rule to a territory and its child territory?
answer
Do not assign the rule separately to the child territory. Instead, select Apply to Child Territories.
question
T/F You can assign more than one territory to an Account from an Account Record?
answer
True
question
How many assignment rules can a single territory have?
answer
15
question
How are manual territory assignments controlled for opportunities?
answer
They are controlled by users' sharing access to the opportunity's assigned (parent) account
question
Who can manually assign an opportunity to a territory?
answer
1) Any user with sharing access to an opportunity may assign the opportunity to ANY territory. 2) A user with sharing access to an opportunity's parent account may only assign the opportunity to a territory that is also assigned to the parent account.
question
How do you exclude an Opportunity from filter-based territory assignment?
answer
1) On the Opportunity record, select Exclude from the territory assignment filter logic 2) View the API
question
What is a territory role?
answer
Territory roles allow you to keep track of user functions within territories.
question
T/F Users must have the same territory role across territories?
answer
False
question
What is the best way to view territories assigned to an account?
answer
Add the Assigned Territories Related List to the Account page layout
question
What is the best way to view the users assigned to territories for a given account?
answer
Add the Users in Assigned Territories Related List to the Account page layout
question
What is the best way to view the Territory assigned to a given Opportunity?
answer
Add the Territory field to the Opportunity page layout.
question
What actions can you take in Territory 1.0, but not in Enterprise Territory Management 2.0?
answer
1) Integrate with Customizable Forecasting 2) Share a report/dashboard folder with a territory 3) Create a public group with territory
question
What actions can you take in Enterprise Territory Management 2.0, but not in Territory Management 1.0?
answer
1) Multiple Territories/Hierarchies 2) Run Territories on Territory Tree/List View Page 3) Territory Type/Priority 4) Territory Models 5) Integration with Collaborative Forecasting 6) Separation of Rule Execution versus Deployment 7) Territory Hierarchy Deep Clone 8) Rule Sharing among multiple Territories 9) Audit Trail 10) Metadata API Support 11) User Role in Territory 12) Trigger on User to Territory Association Object
question
What are the best practices for using role hierarchy and territory hierarchy in conjunction?
answer
Remember that access provided by territory management rolls up through the role hierarchy. Do not duplicate the role hierarchy. Instead, use the role hierarchy for management relationships, reporting rollups, approvals and other hierarchically structured workflows. Use territories to expand access to opportunities and accounts.
question
What should you do when you add parent territories?
answer
It's a good idea to add inherited account assignment rules.
question
What is the best way to re-parent territories?
answer
From the bottom up (so that you do not have to recalculate access for the same territories)
question
How can you improve the performance of certain territory related locking operations?
answer
Enable granular locking, which attempts to lock only the modified portions of the table. This can improve performance of the following items: 1) Adding/deleting/transferring user from a territory 2) Re-parent a territory 3) Create or delete a territory within a hierarchy 4) Adding or removing a forecast manager
question
Which territory related locking operations will not be improved by enabling granular locking?
answer
1) Modifying access levels 2) Making manual assignments to an account 3) Adding, deleting, or updating rules 4) Previewing account assignment 5) Assigning an object or removing an object from a territory
question
What should you consider if you have an existing system for managing territories or a complex and large set of territories?
answer
You should consider integrating an external source of truth
question
How can you architect a territory system for peak performance?
answer
1) Use inherited criteria whenever possible 2) If standard account assignment rules aren't flexible enough, consider using formula fields in the account assignment rule 3) Make your direct and inherited assignment rules as restrictive as possible
question
T/F You can share an opportunity or case to users without Read access on the Account and where you do not have the ability to share the Account.
answer
False
question
What are the three key components of the ownership-based architecture?
answer
1. Owner field for all records 2. Object share tables 3. Group membership tables
question
Which fields does a row in an object share table contain?
answer
1. ID of the record being shared 2. ID of the user or group being granted access 3. Level of access 4. Reason the access is being granted
question
How many sharing records are created when a group of 5 users is granted access?
answer
One. A single sharing record is created for groups in the object share table.
question
Describe the process followed when a user requests access to a record.
answer
1. First, it checks whether a profile, permission set, or OWD setting already gives the user the level of access requested. 2. If the user does not have that level of access, the system queries the object share table to see if there is a row in which the record's ID and user's ID appear. 3. Next, it queries the group membership table to identify all groups that could provide access to the user. 4. It then scans the object share table again to see if there is a row in which any of these groups has already been granted access. 5. Finally, it compares the level of access granted directly to the user with the levels of access granted to the groups the user belongs to, giving the user the least restrictive level of access.
question
What are role groups?
answer
Role groups give users assigned to a role access to records owned by or shared to members of subordinate roles, and records shared to the subordinate roles themselves.
question
What security tactic should you employ if you don't want anyone, including the record owner, to be able to delete or share the record?
answer
Create a "dummy" or "integration" user to own the data, then use sharing rules or Apex to share data to the appropriate groups.
question
Why would you need to use a custom permission?
answer
Although permission sets and profile settings include access settings to many things (like objects, fields, etc.), they don't include access for some custom processes and apps. Use custom settings when standard functionality isn't enough.
question
What are custom permissions?
answer
They let you define access checks that can be assigned to users via permission sets or profiles.
question
What is an example of a custom permission?
answer
You can define access checks in Apex that make a button on a VF page available only if a user has the appropriate custom permission.
question
What is an external object?
answer
They are similar to custom objects, except they map to data that's stored outside of Salesforce. They enable your users to search and interact with external data.
question
What are the four types of Access Grants?
answer
1. Explicit Grants 2. Group Membership Grants 3. Inherited Grants 4. Implicit Grants
question
What is an Explicit Grant?
answer
Records are shared directly to users or groups (Ex: - A user or queue becomes the owner of a record. - A sharing rule shares the record to a public group, queue, role, or territory - An assignment rule shares a record to a user)
question
What is a Group Membership Grant?
answer
A grant that occurs when a user, public group, queue, role, or territory is a member of a group that has explicit access to the record.
question
What is an Inherited Grant?
answer
A grant that occurs when a user, group, queue, role, or territory inherits access through a role or territory hierarchy.
question
What is an Implicit Grant?
answer
A grant that occurs when a built-in record sharing behavior provides access to a record. (Ex: - Users can view a parent record if they have access to its child opportunity. - If a User has access to a parent account record, they also have access to its child opportunity, case, and contact records.)
question
Which three tables does Salesforce use to store access grants?
answer
1. Object Record Tables 2. Object Sharing Tables 3. Group Maintenance Tables
question
What information do the Object Sharing Tables contain?
answer
The tables store data that supports explicit and implicit grants. Each object has its own Object Sharing Table unless it is a detail in a master-detail relationship.
question
What information do the Group Maintenance Tables contain?
answer
The tables store data supporting group membership and inherited access grants (Ex: If the Object Sharing Table grants access to a specific User, Salesforce checks the Group Maintenance Table to determine which users inherit access from Bob and grants these users access to the record.)
question
What do sharing rows do?
answer
Grant users or groups access to a specific record.
question
What do sharing rows include?
answer
1) Record ID 2) User or Group ID 3) Level of Access 4) Row Cause
question
What are the three system-defined groups in Group Maintenance Tables?
answer
1) Roles 2) RolesandSubordinates 3) RolesandInternalSubordinates
question
T/F Removing someone from an Account Team removes them from the Opportunity Team?
answer
False
question
Which fields does the Account Team contain?
answer
1) Account Access 2) Case Access 3) Contact Access 4) Opportunity Access 5) Team Member 6) Team Role
question
Which permissions do you need to create custom list views?
answer
1) Read access on the object 2) Create and Customize List Views
question
Which permission do you need to create, edit, or delete public list views?
answer
1) Manage Public List Views
question
To what can you share a report folder?
answer
1) User 2) User Group 3) Role 4) Role and Subordinate
question
Which access levels can be granted for a report folder?
answer
1) Viewer 2) Editor 3) Manager
question
What is the difference in report folder permissions between Editor and Manager?
answer
Managers can do everything Editors can do AND control who has access to the folder, delete it, and change its properties.
question
If you have access to an account's child record, what permission does that grant you to the account?
answer
Read Only
question
If you have access to an account, what permission does that grant you to its children (Contacts, Cases, Opportunities)?
answer
Depends on the account owner's role
question
What are the three Communities User Licenses?
answer
1) Customer Community 2) Customer Community Plus 3) Partner Community
question
What is the Customer Community license best used for?
answer
B2C with large number of external users (up to 10 million users)
question
What is the Customer Community Plus license best used for?
answer
B2B for support and non-sale scenarios (up to 1 million users)
question
What is the Partner Community license best used for?
answer
B2B that need access to sales data (up to 1 million users)
question
What is a sharing set?
answer
Grants HVC access to any account or contact that matches the user's contact or account. Also supports indirect lookups
question
What is a share group?
answer
Because HVC don't have roles, share groups are used to specify the other external users that should have access to HVC owned records.
question
What is the name of the share table where MyCustomObject is the name of a custom object?
answer
MyCustomObject__Share
question
T/F Objects on the detail side of a Master-Detail object do not have a sharing table?
answer
True
question
Which three types of sharing are supported through the Share Table?
answer
1) Apex sharing 2) User managed sharing 3) Force.com sharing
question
Which properties does a Share Table have?
answer
1) Access Level: Edit, Read, All 2) Parent ID: Id of the object 3) RowCause: Reason why the user or group is being granted access 4) UserOrGroupID: the user or group ID to which you are granting access
question
What is Apex managed sharing?
answer
Apex managed sharing enables developers to programmatically manipulate sharing to support their application's behavior through Apex or the SOAP API. (Maintained across record ownership changes.)
question
What is an Apex sharing reason?
answer
A method to track why a record is shared with a user or group.
question
What two things make up an Apex sharing reason?
answer
1) Label, which displays the reason 2) Name, which is used when referencing the reason through the API and Apex
question
What format would the Apex Sharing Reason have where the name is MyReasonName?
answer
MyReasonName__c
question
How would the Apex Sharing Reason MyReasonName be referenced for an object CustomObject?
answer
Schema.CustomObject__Share.rowCause.MyReasonName__c
question
How would an Apex sharing reason called Recruiter for a custom object Job be called?
answer
Schema.Job__Share.rowCause.Recruiter__c
question
How do you prevent Apex managed sharing from being deleted when an owner is changed?
answer
Set the row cause to a value other than "Manual" (the default) using Apex Sharing Reasons. (ONLY FOR CUSTOM OBJECTS; OTHERWISE USE AN OUTBOUND MESSAGE)
question
What does Apex running in the system context mean?
answer
The current user's permissions, FLS, and sharing rules are not taken into consideration during code execution.
question
What is the exception to Apex running in the system context?
answer
Apex code executed with the executeAnonymous call and Chatter are not executed in system context. (It executes using the full permissions of the current user.)
question
What is the best way to avoid accidentally revealing secured info through Apex classes?
answer
Use the "With Sharing" keyword to enforce sharing rules
question
Why might you not want to specify "With Sharing" on an Apex class?
answer
1) Enforcing sharing rules at compile time is impractical 2) Enforcing security at runtime could become costly in terms of performance 3) There are some useful scenarios where it's valuable to bypass security
question
T/F The "With Sharing" keyword enforces the user's permission, FLS, and sharing rules?
answer
False. "With Sharing" only enforces sharing rules.
question
T/F A class declared as "with sharing" will never call code that operates as "without sharing".
answer
False. If an inner class is declared as "Without Sharing", it will execute without enforcing the sharing rules that apply to the context user.
question
What happens to manually shared records when the owner is changed?
answer
User managed sharing is removed when the record owner changes.
question
T/F Custom sharing reasons can be defined for standard and custom objects.
answer
False. Custom sharing reasons can only be written for custom objects.
question
T/F Object shares can be written for standard and custom objects.
answer
True
question
T/F Objects with a default sharing setting of "Public Read/Write" have a share table?
answer
False
question
T/F The UserOrGroupID can be assigned to a Role ID.
answer
False. The UserOrGroupID should instead be assigned to the matching Group ID from the Group table.
question
How does Apex managed sharing behave differently than other forms of record-level sharing?
answer
1) Sharing records are maintained across record owner changes 2) The only users that can modify these sharing records are those with the "Modify All Data" permission 3) A record can be shared multiple times with the same user or group using different Apex sharing reasons
question
In which scenarios will SFDC not enforce FLS or CRUD?
answer
1) When objects or field values are referenced as generic data types or data is copied to other elements. 2) Passing custom Apex classes that copy or wrap SObject data to VF pages 3) All Apex web services 4) Lightning components when you reference objects or retrieve objects from an Apex controller 5) SObject updates, creates, or deletes done within Apex controllers or extensions
question
How can you enforce CRUD/FLS in Apex web services, Lightning components, and controllers?
answer
Call isAccessible() on all SObject fields before returning data to the user
question
How can you enforce CRUD/FLS for Create, Update, and Delete Operations in Apex classes?
answer
For create and update operations, each field assigned a value in Apex should have a describe result isCreateable() or isUpdateable(). (Fields assigned a value with apex:inputField tag are automatically checked) For delete operations, the check should be at the object level. The object's describe result isDeletable() should be called.
question
What is the easiest way to enforce CRUD/FLS in Apex?
answer
Perform operations in Visualforce and operate directly on SObjects and fields.
question
How do you check the field-level update permission of the contact's email field before updating it?
answer
if (Schema.sObjectType.Contact.fields.Email.isUpdateable()) { //Update contact email }
question
How do you check the field-level create permission of the contact's email field before creating a new contact?
answer
if (Schema.sObjectType.Contact.fields.Email.isCreateable()) { //Create new contact }
question
How do you check the field-level read permission of the contact's email field before querying the field?
answer
if (Schema.sObjectType.Contact.fields.Email.isAccessible()) { Contact c = [SELECT Email FROM Contact WHERE Id = :Id]; }
question
How do you check the object-level permission for the contact before deleting it?
answer
if (Schema.sObjectType.Contact.isDeletable()) { //Delete Contact }
question
What is Account Data Skew?
answer
A situation where an Account's parent object has more than 10,000 child objects.
question
How can you avoid account data skew?
answer
1) Design architecture to limit account objects to 10,000 children. (You could create a pool of Accounts and assign children in a round robin OR use Custom settings for the current account and number of children.) 2) Consider a Public Read/Write sharing model 3) If the account is skewed, redistribute child objects during off-peak hours
question
What is the high-level benefit of the SFDC group membership architecture?
answer
Since the group is a representation of one or more users who share a single access grant, moving a group access grant involves maintaining only a single share record for the group (instead of a share record for every member of the group).
question
What happens when a user is moved from one group to another?
answer
An org-wide group membership lock is triggered. Highly dynamic groups can have a negative impact on performance.
question
How is the sharing performance benefit correlated with the number of group members and the frequency of user movement within the groups?
answer
The benefit will decrease as the number of group members decreases and the frequency of user movement within the groups increases.
question
Which actions does SFDC perform when a user moves from one branch of the hierarchy to another, if the user is the first member in their role to own data?
answer
1) Salesforce adds access to the user's data for people who are above the user's new role in the hierarchy 2) Salesforce removes access for people who were above the user's old role in the hierarchy
question
Which actions does Salesforce take when a user moves from one branch of the hierarchy to another, if the user has a new role with different settings for accessing contacts, cases, and opportunities?
answer
1) Adds shares to those child objects where the new settings are more permissive 2) Removes existing shares where the new settings are more restrictive
question
Which actions does SFDC always take when a user moves from one branch of the hierarchy to another?
answer
1) Removes all of the user's records from the scope of sharing rules where the old role is the source group 2) Adds all of the user's records to the scope of rules where the new role is the source
question
What is ownership data skew?
answer
When a single user owns more than 10,000 records of an object
question
How can you minimize the impact of users facing ownership data skew?
answer
1) Place the user in a separate role at the top of the hierarchy 2) Do not move them out of that top-level role 3) Keep the user out of public groups that could be used as the source for sharing rules
question
Why would a user experience a "could not acquire lock" error?
answer
The sharing system locks the tables holding group membership info during updates to prevent incompatible concurrent updates, which could lead to inaccurate data about users' access rights. The customer is likely executing large data loads or integrations that are making changes to role/group structure, user assignments to roles and groups, or both.
question
How can you lessen the chance of group membership locking errors?
answer
1) Schedule separate group maintenance processes so they don't overlap 2) Implement retry logic in integrations and other automated group maintenance processes to recover from a failure 3) Use the granular locking feature to allow some group maintenance operations to proceed simultaneously
question
What does Parent Implicit Sharing provide?
answer
Read-only access to the parent account for a user with access to a child record Note: 1) Not used when sharing on the child is controlled by the parent 2) Expensive to maintain with many account children 3) When a user loses access to a child, SFDC has to check all other children to see if it can delete the implicit parent sharing grant.
question
What does Child Implicit Sharing provide?
answer
Access to child records for the owner of the parent account Note: 1) Not used when sharing on the child is controlled by its parent 2) Controlled by child access setting for the account owner's role 3) Supports account sharing rules that grant child record access 4) Supports account team access based on team settings 5) When a user loses access to the parent, SFDC has to remove all the implicit child sharing for that user
question
What does Boss Implicit Sharing provide?
answer
Access to records owned by or shared to portal users for internal users Note: 1) Shared to the role of the account owner 2) Supports inheritance within portal roles
question
What does Portal Implicit Sharing provide?
answer
Access to portal account and all associated contacts for all portal users under that account Note: Shared to the lowest role under the portal account
question
What is Parent-Child Data Skew?
answer
The association of a large number of child records (10,000 or more) with a single parent account.
question
How can you avoid creating implicit shares?
answer
Configure child objects to be Controlled by Parent whenever possible
question
How can you tune your updates for maximum throughput?
answer
Work with batch sizes, timeout values, the Bulk API, and other performance-optimizing techniques.
question
What is deferred sharing maintenance?
answer
Instead of processing separate updates and waiting for them to complete, the admin "turns off" processing of group maintenance operations and makes all the desired changes at the same time. Once the changes have been completed, the admin resumes processing group maintenance, and the system performs a recalculation to make the role and group changes take effect. The system then requires a full recalculation of sharing rules, which can be set to take place immediately or to start at a later time.
question
Who can benefit from deferred sharing?
answer
Companies that can negotiate downtime with customers and have struggled to complete updates in a timely fashion.
question
What are the key advantages of granular locking?
answer
1) Groups that are in separate hierarchies can be manipulated concurrently 2) Public groups and roles that do not include territories can be manipulated concurrently 3) Users can be added concurrently to territories and public groups 4) User provisioning can occur in parallel 5) A single long-running process, such as a role delete, only blocks a small subset of operations
question
What is granular locking?
answer
The system employs additional logic to allow multiple updates to proceed simultaneously if there is no hierarchical or other relationship between the roles or groups involved
question
Who can benefit from granular locking?
answer
Customers who frequently experience locking that restricts their ability to manage manual and automated group maintenance operations.
question
Which activities take out group membership locks during their transaction?
answer
1) Role Creation 2) Role Deletion 3) Moving a role in the hierarchy 4) Adding a user to a territory 5) Removing a user from a territory 6) Moving a territory in the hierarchy 7) Territory deletion 8) Territory creation 9) Provisioning an internal user with an existing role 10) User role change 11) Provisioning a non-HVPU portal user under an account 12) Portal Account owner change 13) User Role change of a user who owns one or more portal accounts
question
What information can you review at trust.salesforce.com?
answer
1) Current and archived history of system status and performance metrics 2) Planned upgrades and maintenance windows 3) System performance incidents, including why and methods for preventing future incidents
question
How does Force.com validate a user has permission to access an org when the user establishes a connection?
answer
1) Force.com assigns the session a client hash value 2) Force.com confirms that the user context (the org ID) accompanies each application request 3) When data is returned, Force.com confirms that the data is coming from the user context
question
What is a free application you can use to check your security related settings and that will make recommendations for improving security?
answer
Security Health Check
question
What is the Apex Crypto class?
answer
The class provides a number of cryptographic functions for creating digests, message authentication codes and signatures, and functions for encrypting and decrypting data.
question
In which scenarios is the Apex Crypto class used?
answer
1) Confidentiality - the protection of data from unauthorized parties 2) Integrity - the data is complete and correct 3) Authenticity - proof of the authenticity of the sender or receiver of the message
question
Who can see encrypted data?
answer
Users with the "View encrypted data" permission
question
What does the recipient see when an encrypted field is included in an email template?
answer
The value is masked, regardless of whether the recipient has the "View encrypted data" permission
question
T/F If a user with the "View encrypted data" permission grants login access to another user, the user will view the encrypted data in plain text.
answer
True
question
What restrictions exist for encrypted fields?
answer
1) Encrypted fields cannot be unique, external, or have a default field 2) For leads, are not available for lead mapping 3) Cannot be used in report filters, but can be included in report results 4) Are not searchable, but can be included in search results 5) Are not available for Salesforce for Outlook, workflow rules, lead conversion, formula fields, web-to-lead
question
T/F Encrypted fields are not editable for users without the "View encrypted data" permission
answer
False. Use validation rules to prevent edits after the initial entry
question
T/F You can use validation rules or Apex to validate encrypted field data
answer
True
question
T/F Encrypted fields can be converted into another data type and other data types can be converted into encrypted fields.
answer
False
question
How does Shield Platform Encryption work?
answer
It relies on a unique tenant secret you control and a master secret controlled by Salesforce. The secrets are combined to create a unique data encryption key.
question
What is different between Shield Platform Encryption and Classic Encryption?
answer
1) Shield Platform has an additional fee 2) Shield Platform requires Manage Encryption Keys Permission 3) Shield Platform can encrypt standard fields, attachments, files, and existing fields 4) Shield Platform encrypted fields are available in Workflow Rules and field updates 5) Classic encryption supports Masking
question
How Much Visibility Do Managers Get To Standard Objects Their Subordinates Own or have Shared With Them?
answer
The same level of access.
question
What Are Two Best Practices for Users Who Own More Than 10,000 Records?
answer
1. They shouldn't have a role in the role hierarchy. 2. If they must hold a role, it should be at the top in their own branch.
question
Who can take ownership of records belonging to a queue?
answer
Queue members and users higher in the role hierarchy.
question
How can you restrict access to an object?
answer
Org wide defaults are the only way. Everything else grants access.
question
What's the recommended max depth of a role hierarchy?
answer
10 levels.
question
What can a public group consist of?
answer
Users, Roles (with or without subordinates), Territories, or Other Public Groups
question
T/F You can share an opportunity or case to users without Read access on the Account and where you do not have the ability to share the Account.
answer
False
question
What are the three key components of the ownership-based architecture?
answer
1. Owner field for all records 2. Object share tables 3. Group membership tables
question
Which fields does a row in an object share table contain?
answer
1. ID of the record being shared 2. ID of the user or group being granted access 3. Level of access 4. Reason the access is being granted
question
How many sharing records are created when a group of 5 users is granted access?
answer
One. A single sharing record is created for groups in the object share table.
question
Describe the process followed when a user requests access to a record.
answer
1. First, it checks whether a profile, permission set, or OWD setting already gives the user the level of access requested. 2. If the user does not have that level of access, the system queries the object share table to see if there is a row in which the record's ID and user's ID appears. 3. Next, it queries the group membership table to identify all groups that could provide access to the user. 4. It then scans the object share table again to see if there is a row in which any of these groups has already been granted access. 5. Finally, it compares the level of access granted directly to the user with the levels of access granted to the groups the user belongs to, giving the user the least restrictive level of access.
question
What are role groups?
answer
Role groups give users assigned to a role access to records owned by or shared to members of subordinate roles, and records shared to the subordinate roles themselves.
question
What security tactic should you employ if you don't want anyone, including the record owner, to be able to delete or share the record?
answer
Create a "dummy" or "integration" user to own the data, then use sharing rules or Apex to share data to the appropriate groups.
question
Why would you need to use a custom permission?
answer
Although permission sets and profile settings include access settings to many things (like objects, fields, etc.), they don't include access for some custom processes and apps. Use custom settings when standard functionality isn't enough.
question
What are custom permissions?
answer
They let you define access checks that can be assigned to users via permission sets or profiles.
question
What is an example of a custom permission?
answer
You can define access checks in Apex that make a button on a VF page available only if a user has the appropriate custom permission.
question
What is an external object?
answer
They are similar to custom objects, except they map to data that's stored outside of Salesforce. They enable your users to search and interact with external data.
question
What are the four types of Access Grants?
answer
1. Explicit Grants 2. Group Membership Grants 3. Inherited Grants 4. Implicit Grants
question
What is an Explicit Grant?
answer
Records are shared directly to users or groups (Ex: - A user or queue becomes the owner of a record. - A sharing rule shares the record to a public group, queue, role, or territory - An assignment rule shares a record to a user)
question
What is a Group Membership Grant?
answer
A grant that occurs when a user, public group, queue, role, or territory is a member of a group that has explicit access to the record.
question
What is an Inherited Grant?
answer
A grant that occurs when a user, group, queue, role, or territory inherits access through a role or territory hierarchy.
question
What is an Implicit Grant?
answer
A grant that occurs when a built-in record sharing behavior provides access to a record. (Ex: - Users can view a parent record if they have access to its child opportunity. - If a User has access to a parent account record, they also have access to its child opportunity, case, and contact records.)
question
Which three tables does Salesforce use to store access grants?
answer
1. Object Record Tables 2. Object Sharing Tables 3. Group Maintenance Tables
question
What information do the Object Sharing Tables contain?
answer
The tables store data that supports explicit and implicit grants. Each object has its own Object Sharing Table unless it is a detail in a master-detail relationship.
question
What information do the Group Maintenance Tables contain?
answer
The tables store data supporting group membership and inherited access grants (Ex: If the Object Sharing Table grants access to a specific User, Salesforce checks the Group Maintenance Table to determine which users inherit access from Bob and grants these users access to the record.)
question
What do sharing rows do?
answer
Grant users or groups access to a specific record.
question
What do sharing rows include?
answer
1) Record ID 2) User or Group ID 3) Level of Access 4) Row Cause
question
What are the three system-defined groups in Group Maintenance Tables?
answer
1) Roles 2) RolesandSubordinates 3) RolesandInternalSubordinates
question
T/F Removing someone from an Account Team removes them from the Opportunity Team?
answer
False
question
Which fields does the Account Team contain?
answer
1) Account Access 2) Case Access 3) Contact Access 4) Opportunity Access 5) Team Member 6) Team Role
question
Which permissions do you need to create custom list views?
answer
1) Read access on the object 2) Create and Customize List Views
question
Which permission do you need to create, edit, or delete public list views?
answer
1) Manage Public List Views
question
To what can you share a report folder?
answer
1) User 2) User Group 3) Role 4) Role and Subordinate
question
Which access levels can be granted for a report folder?
answer
1) Viewer 2) Editor 3) Manager
question
What is the difference in report folder permissions between Editor and Manager?
answer
Managers can do everything Editors can do AND control who has access to the folder, delete it, and change its properties.
question
If you have access to an account's child record, what permission does that grant you to the account?
answer
Read Only
question
If you have access to an account, what permission does that grant you to its children (Contacts, Cases, Opportunities)?
answer
Depends on the account owner's role
question
What are the three Communities User Licenses?
answer
1) Customer Community 2) Customer Community Plus 3) Partner Community
question
What is the Customer Community license best used for?
answer
B2C with large number of external users (up to 10 million users)
question
What is the Customer Community Plus license best used for?
answer
B2B for support and non-sale scenarios (up to 1 million users)
question
What is the Partner Community license best used for?
answer
B2B that need access to sales data (up to 1 million users)
question
What is a sharing set?
answer
Grants HVC access to any account or contact that matches the user's contact or account. Also supports indirect lookups
question
What is a share group?
answer
Because HVC don't have roles, share groups are used to specify the other external users that should have access to HVC owned records.
question
What is the name of the share table where MyCustomObject is the name of a custom object?
answer
MyCustomObject__Share
question
T/F Objects on the detail side of a Master-Detail object do not have a sharing table?
answer
True
question
Which three types of sharing are supported through the Share Table?
answer
1) Apex sharing 2) User managed sharing 3) Force.com sharing
question
Which properties does a Share Table have?
answer
1) Access Level: Edit, Read, All 2) Parent ID: Id of the object 3) RowCause: Reason why the user or group is being granted access 4) UserOrGroupID: the user or group ID to which you are granting access
question
What is Apex managed sharing?
answer
Apex managed sharing enables developers to programmatically manipulate sharing to support their application's behavior through Apex or the SOAP API. (Maintained across record ownership changes.)
question
What is an Apex sharing reason?
answer
A method to track why a record is shared with a user or group.
question
What two things make up an Apex sharing reason?
answer
1) Label, which displays the reason 2) Name, which is used when referencing the reason through the API and Apex
question
What format would the Apex Sharing Reason have where the name is MyReasonName?
answer
MyReasonName__c
question
How would the Apex Sharing Reason MyReasonName be referenced for an object CustomObject?
answer
Schema.CustomObject__Share.rowCause.MyReasonName__c
question
How would an apex sharing reason called Recruiter for a custom object Job be called?
answer
Schema.Job__Share.rowCause.Recruiter__c
question
How do you prevent Apex managed sharing from being deleted when an owner is changed?
answer
Set the row cause to a value other than "Manual" (the default) using Apex Sharing Reasons. (ONLY FOR CUSTOM OBJECTS; OTHERWISE USE AN OUTBOUND MESSAGE)
question
What does Apex running in the system context mean?
answer
The current user's permissions, FLS, and sharing rules are not taken into consideration during code execution.
question
What is the exception to Apex running in the system context?
answer
Apex code executed with the executeAnonymous call and Chatter are not executed in system context. (It executes using the full permissions of the current user.)
question
What is the best way to avoid accidentally revealing secured info through Apex classes?
answer
Use the "With Sharing" keyword to enforce sharing rules
question
Why might you not want to specify "With Sharing" on an Apex class?
answer
1) Enforcing sharing rules at compile time is impractical 2) Enforcing security at runtime could become costly in terms of performance 3) There are some useful scenarios where it's valuable to bypass security
question
T/F The "With Sharing" keyword enforces the user's permission, FLS, and sharing rules?
answer
False. "With Sharing" only enforces sharing rules.
question
T/F A class declared as "with sharing" will never call code that operates as "without sharing".
answer
False. If an inner class is declared as "Without Sharing", it will execute without enforcing the sharing rules that apply to the context user.
question
What happens to manually shared records when the owner is changed?
answer
User managed sharing is removed when the record owner changes.
question
T/F Custom sharing reasons can be defined for standard and custom objects.
answer
False. Custom sharing reasons can only be written for custom objects.
question
T/F Object shares can be written for standard and custom objects.
answer
True
question
T/F Objects with a default sharing setting of "Public Read/Write" have a share table?
answer
False
question
T/F The UserOrGroupID can be assigned to a Role ID.
answer
False. The UserOrGroupID should instead be assigned to the matching Group ID from the Group table.
question
How does Apex managed sharing behave differently than other forms of record-level sharing?
answer
1) Sharing records are maintained across record owner changes 2) The only users that can modify these sharing records are those with the "Modify All Data" permission 3) A record can be shared multiple times with the same user or group using different Apex sharing reasons
question
In which scenarios will SFDC not enforce FLS or CRUD?
answer
1) When objects or field values are referenced as generic data types or data is copied to other elements. 2) Passing custom Apex classes that copy or wrap SObject data to VF pages 3) All Apex web services 4) Lightning components when you reference objects or retrieve objects from an Apex controller 5) SObject updates, creates, or deletes done within Apex controllers or extensions
question
How can you enforce CRUD/FLS in Apex web services, Lightning components, and controllers?
answer
Call isAccessible() on all SObject fields before returning data to the user
question
How can you enforce CRUD/FLS for Create, Update, and Delete Operations in Apex classes?
answer
For create and update operations, each field assigned a value in Apex should have a describe result isCreateable() or isUpdateable(). (Fields assigned a value with apex:inputField tag are automatically checked) For delete operations, the check should be at the object level. The object's describe result isDeletable() should be called.
question
What is the easiest way to enforce CRUD/FLS in Apex?
answer
Perform operations in Visualforce and operate directly on SObjects and fields.
question
How do you check the field-level update permission of the contact's email field before updating it?
answer
if (Schema.sObjectType.Contact.fields.Email.isUpdateable()) { /* Update contact email */ }
question
How do you check the field-level create permission of the contact's email field before creating a new contact?
answer
if (Schema.sObjectType.Contact.fields.Email.isCreateable()) { /* Create new contact */ }
question
How do you check the field-level read permission of the contact's email field before querying the field?
answer
if (Schema.sObjectType.Contact.fields.Email.isAccessible()) { Contact c = [SELECT Email FROM Contact WHERE Id = :Id]; }
question
How do you check the object-level permission for the contact before deleting it?
answer
if(Schema.sObjectType.Contact.isDeleteable()){ //Delete Contact }
question
What is Account Data Skew?
answer
A situation where an Account's parent object has more than 10,000 child objects.
question
How can you avoid account data skew?
answer
1) Design architecture to limit account objects to 10,000 children. (You could create a pool of Accounts and assign children in a round robin OR use Custom settings for the current account and number of children.) 2) Consider a Public Read/Write sharing model 3) If the account is skewed, redistribute child objects during off-peak hours
question
What is the high-level benefit of the SFDC group membership architecture?
answer
Since the group is a representation of one or more users who share a single access grant, moving a group access grant involves maintaining only a single share record for the group (instead of a share record for every member of the group).
question
What happens when a user is moved from one group to another?
answer
An org-wide group membership lock is triggered. Highly dynamic groups can have a negative impact on performance.
question
How is the sharing performance benefit correlated with the number of group members and the frequency of user movement within the groups?
answer
The benefit will decrease as the number of group members decreases and the frequency of user movement within the groups increases.
question
Which actions does SFDC perform when a user moves from one branch of the hierarchy to another, if the user is the first member in their role to own data?
answer
1) Salesforce adds access to the user's data for people who are above the user's new role in the hierarchy 2) Salesforce removes access for people who were above the user's old role in the hierarchy
question
Which actions does Salesforce take when a user moves from one branch of the hierarchy to another, if the user has a new role with different settings for accessing contacts, cases, and opportunities?
answer
1) Adds shares to those child objects where the new settings are more permissive 2) Removes existing shares where the new settings are more restrictive
question
Which actions does SFDC always taken, when a user moves from one branch of the hierarchy to another?
answer
1) Removes all of the user's records from the scope of sharing rules where the old role is the source group 2) Adds all of the user's records to the scope of rules where the new role is the source
question
What is ownership data skew?
answer
When a single user owns more than 10,000 records of an object
question
How can you minimize the impact of users facing ownership data skew?
answer
1) Place the user in a separate role at the top of the hierarchy 2) Do not move them out of that top-level role 3) Keep the user out of public groups that could be used as the source for sharing rules
question
Why would a user experience a "could not acquire lock" error?
answer
The sharing system locks the tables holding group membership info during updates to prevent incompatible concurrent updates, which could lead to inaccurate data about users' access rights. The customer is likely executing large data loads or integrations that are making changes to tole/group structure, user assignments to role and groups, or both.
question
How can you lesson the chance of group membership locking errors?
answer
1) Schedule separate group maintenance processes so they don't overlap 2) Implementing retry logic in integrates and other automated group maintenance processes to recover from a failure 3) Use the granular locking feature to allow some group maintenance operations to proceed simultaneously
question
What does Parent Implicit Sharing provide?
answer
Read-only access to the parent account for a user with access to a child record Note: 1) Not used when sharing on the child is controlled by the parent 2) Expensive to maintain with many account children 3) When a user loses access to a child, SFDC has to check all other children to see if it can delete the implicit parent sharing grant.
question
What dos Child Implicit Sharing provide?
answer
Access to child records for the owner of the parent account Note: 1) Not used when sharing on the child is controlled by its parent 2) Controlled by child access setting for the account owner's role 3) Supports account sharing rules that grant child record access 4) Supports account team access based on team settings 5) When a user loses access to the parent, SFDC has to remove all the implicit child sharing for that user
question
What does Boss Implicit Sharing provide?
answer
Access to records owned by or shared to portal users for internal users Note: 1) Shared to the role of the account owner 2) Supports inheritance within portal roles
question
What does Portal Implicit Sharing provide?
answer
Access to portal account and all associated contacts for all portal users under that account Note: Shared to the lowest role under the portal account
question
What is Parent-Child Data Skew?
answer
The association of a large number of child records (10,000 or more) with a single parent account.
question
How can you avoid creating implicit shares?
answer
Configure child objects to be Controlled by Parent whenever possible
question
How can you tune your updates for maximum throughput?
answer
Work with batch sizes, timeout values, the Bulk API, and other performance-optimizing techniques.
question
What is deferred sharing maintenance?
answer
Instead of processing separate updates and waiting for them to complete, the admin "turns off" processing of group maintenance operations and makes all the desired changes at the same time. Once the changes have been completed, the admin resumes processing group maintenance, and the system performs a recalculation to make the role and group changes take effect. The system then requires a full recalculation of sharing rules, which can be set to take place immediately or to start at a later time.
question
Who can benefit from deferred sharing?
answer
Company's that can negotiate downtime with customers and have struggled to complete updates in a timely fashion.
question
What are the key advantages of granular locking?
answer
1) Groups that are in separate hierarchies can be manipulated concurrently 2) Public groups and roles that do not include territories can be manipulated concurrently 3) Users can be added concurrently to territories and public groups 4) User provisioning can occur in parallel 5) A single-long running process, such as a role delete, only blocks a small subset of operations
question
What is granular locking?
answer
The system employs additional logic to allow multiple updates to proceed simultaneously if there is no hierarchical or other relationship between the roles or groups involved
question
Who can benefit from granular locking?
answer
Customers who frequently experience locking that restricts their ability to manage manual and automated group maintenance operations.
question
Which activities take out group membership locks during their transaction?
answer
1) Role Creation 2) Role Deletion 3) Moving a role in the hierarchy 4) Adding a user to a territory 5) Removing a user from a territory 6) Moving a territory in the hierarchy 7) Territory deletion 8) Territory creation 9) Provisioning an internal user with an existing role 10) User role change 11) Provisioning a non-HVPU portal user under an account 12) Portal Account owner change 13) User Role change of a user who owns one or more portal accounts
question
What information can you review at trust.salesforce.com?
answer
1) Current and archived history of system status and performance metrics 2) Planned upgrades and maintenance windows 3) System performance incidents, including why and methods for preventing future incidents
question
How does Force.com validate a user has permission to access an org when the user establishes a connection?
answer
1) Force.com assigns the session a client has value 2) Force.com confirms that the user context (the org ID) accompanies each application request 3) When data is returned, Force.com confirms that the data is coming from the user context
question
What is a free application you can use to check your security related settings and that will make recommendations for improving security?
answer
Security Health Check
question
What is the Apex Crypto class?
answer
The class provides a number of cryptographic functions for creating digests, message authentication codes and signatures, and functions for encrypting and decrypting data.
question
In which scenarios is the Apex Crypto class used?
answer
1) Confidentiality - the protection of data from unauthorized parties 2) Integrity - the data is complete and correct 3) Authenticity - proof of the authenticity of the sender or receiver of the message
question
Who can see encrypted data?
answer
Users with the "View encrypted data" permission
question
What does the recipient see when an encrypted field is included in an email template?
answer
The value is masked, regardless of whether the recipient has the "View encrypted data" permission
question
T/F If a user with the "View encrypted data" permission grants login access to another user, the user will view the encrypted data in plain text.
answer
True
question
What restrictions exist for encrypted fields?
answer
1) Encrypted fields cannot be unique, external, or have a default field 2) For leads, are not available for lead mapping 3) Cannot be used in report filters, but can be included in report results 4) Are not searchable, but can be included in search results 5) Are not available for Salesforce for Outlook, workflow rules, lead conversion, formula fields, web-to-lead
question
T/F Encrypted fields are not editable for users without the "View encrypted data" permission
answer
False. Use validation rules to prevent edits after the initial entry
question
T/F You can use validation rules or Apex to validate encrypted fields data
answer
True
question
T/F Encrypted fields can be converted into another data type and other data types can be converted into encrypted fields.
answer
False
question
How does Shield Platform Encryption work?
answer
It relies on a unique tenant secret you control and a master secret controlled by Salesforce. The secrets are combined to create a unique data encryption key.
question
What is different between Shield Platform Encryption and classic encryption?
answer
1) Shield Platform has an additional fee 2) Shield Platform requires Manage Encryption Keys Permission 3) Shield Platform can encrypt standard fields, attachments, files, and existing fields 4) Shield Platform encrypted fields are available in Workflow Rules and field updates 5) Classic encryption supports Masking
question
Administer communities in Salesforce
answer
Not available
question
Global Header
answer
The drop-down in the global header shows a list of communities the user created or has access to. Also links back to their internal organization. Can't access communities in Inactive status. Can see communities in Preview status if a link is provided.
question
Your Name menu in Global Header
answer
Same as in internal organization. Chatter Free users see a My Settings menu, an Edit Contact Info menu, and a Logout link. For Chatter Free users, the My Settings menu opens an overlay where they can update location settings, security settings, email settings, and approved connections. These settings apply across the internal organization and all communities that users have access to. This overlay is different from the My Settings page that other internal users see if the organization has enabled the improved Setup user interface.
question
Community Management menu in Global Header
answer
Users with "Manage Communities" can see the menu and use it to preview the community or access Community Builder, Site.com Studio, and Force.com. Note that the Community Builder option doesn't appear for communities created using the Salesforce Tabs + Visualforce template. This menu only appears within Community Management.
question
Salesforce Online Help
answer
Standard Salesforce user sees Salesforce Online Help. Chatter Free user sees Chatter help.
question
People
answer
Can see everyone else in the community and vice versa.
question
Profiles and people hovers
answer
Can see all contact information fields (such as Title, Work Phone, and Email) on all community members' profiles. In people hovers, user always sees members' Title, Work Phone, and Mobile Phone fields.
question
Records (such as accounts, leads, opportunities)
answer
Standard Salesforce user sees records they have access to (based on sharing rules) across all communities and their internal organization. Chatter Free user doesn't have access to records.
question
Dashboards and Reports
answer
Can view and create dashboards and reports
question
Salesforce Knowledge Articles
answer
Salesforce Knowledge User License, Read permission on the article type, and visibility on the article's category.