Security: Quiz

These questions are designed to be similar to ones that will be asked on certification exams.  Aim to get most of these questions correct on the first attempt.

39 Responses to “Security: Quiz”

  1. msjohncox July 17, 2017 at 11:26 pm #

    I did get all of these right! Awesome quiz by the way – just the right level of difficulty for what we have covered so far. Here’s what went through my head while doing the quiz.
    Question 1: I chose c. If you went with a. or b., higher-up users would be able to see the records because of role hierarchy. Don’t pick d. because permission sets might still allow unauthorized users to see the list view. Only through groups can you appropriately restrict list views.
    Question 2: I chose d, because you need the flexibility to use both profiles and permission sets. If you choose a. or c., all sales reps would be able to see it. You can’t choose b., because permission sets only apply to individual users, not profiles or roles.
    Question 3: I chose c. That way, you can opt-in only authorized CSRs. That’s in keeping with the best practice of locking everything down at the OWD level, then opening things up as needed.
    Question 4: I chose a. Since sharing like this is rare in this organization, it is easiest to just have Jim share this one record. There is no need to create a queue, group, profile, etc.

  2. gurubharadwaj July 18, 2016 at 6:19 pm #

    For question 2, option 2 / B is very close to being the perfect option except that the permission set does not restrict to the 2 sales reps. If the answer is reworded as “Grant field-level visibility to the Delinquency Status field to the finance team, sales manager, and 2 sales reps via permission set”, wouldn’t that be the ideal answer over the current answer (which is option 4 / D)? The reason being such a permission set would make future changes to the delinquency field visibility much easier than updating profiles and permission sets separately.

    Thoughts, John?

    • JohnCoppedge July 21, 2016 at 10:26 pm #

      Depends – if you are managing access to an application through a permission set then it is generally better to centralize permissions under the permission set. For one off scenarios like the question either can work.

    • msjohncox July 17, 2017 at 11:09 pm #

      The reason I didn’t choose B is because you can only assign permission sets to individual users, not profiles or roles. You could do this with permission sets all the way, but it would be cumbersome if there are many members of the finance team and then you’d have to edit things again if there were new users in these job positions. I chose D, because in this case, you need the flexibility of granting permission via profiles and permission sets. Yes?

  3. ppinto June 15, 2016 at 7:33 pm #

    Hi John,

    First off, thank you so much for the quizzes (both of them). They’ve been extremely helpful.

    Out of curiosity, will there be any updates made (such as additional quizzes or questions) to the Security Quiz section? I know it’s a lot to ask but the questions you’ve proposed are challenging and it’s hard to find other sites that push the envelope as hard as you do.

    If time is limited for you and it’s better off referring me to other resources, that would be great too.

    Thanks a lot!
    Pedro

  4. CarlosSiqueira May 25, 2016 at 8:22 pm #

    John:

    On question 1, “…ability to access several list views and a report folder”, I am interpreting that “access” means “what you can see” which I believe in this case, is driven by Public Group (The ones that see the list view and reports). Permission set would apply when deciding what can be done to each record. Am I right on my assumptions?

    Thanks

    • JohnCoppedge May 27, 2016 at 3:09 pm #

      Access meaning that they can select the list view. Being able to select the list view does not mean the user can see all of the records within.

      Access to the view is controlled independently of access to the records (however both rely heavily on roles, groups).

  5. CarlosSiqueira May 16, 2016 at 2:11 am #

    Trick questions, but keep you on your toes.

  6. angelemontielp May 9, 2016 at 7:31 pm #

    Is this updated?

  7. crystalq December 25, 2015 at 7:06 am #

    Hi John, I would like to check with you about Q4. It looks like only one account record is to be shared by Jim and the answer is the first one. If the question is changed to many opportunity records related to the account “Squared Wireless” are to be shared by Jim. What is the best solution? May we use criteria rule base to share the records? The second answer might be right. Many thanks for your advice! -Crystal

    • JohnCoppedge January 9, 2016 at 3:07 am #

      When you share the account manually you can also share the access of related records such as opps, so manual sharing could still work.

  8. morna October 25, 2015 at 3:25 pm #

    Hi, could you clarify the answer to Q1? I struggled with it, but I guess I don’t understand sharing rules well enough. Is the reason for this answer (rather than D, which was what I chose) because it’s about record security rather than object security?

    • JohnCoppedge November 9, 2015 at 5:51 pm #

      I refer to this as “folder security” although I don’t think it has a technical term- basically encompassing the security that controls access to list views, report folders, etc.

      This is controlled by groups rather than permission sets – take a look at the matrix for comparison: http://certifiedondemand.com/security-model-matrix/

  9. kgisi October 6, 2015 at 4:44 pm #

    Hello! This sentence is worded a bit awkwardly. I had to read it a couple times to understand this explanation:
    -Question 1, answer description-
    “Creating a public group would be ideal in this scenario regardless, as would be able manage the list of users in a centralized fashion…”

  10. Kayla Brown May 20, 2015 at 1:47 am #

    Hey John ~ on question 2, I thought the right answer was D or the last answer – but chose the second because I thought the answers displayed were trying to trick me. Wouldn’t you have to create a custom profile for finance and sales managers? If so, I choose the other answer because it wasn’t specified.

    • JohnCoppedge May 20, 2015 at 8:27 pm #

      This is somewhat subjective – but the idea is that you would want to assign the permission with broad strokes at the profile and to the individuals using permission sets. You could use permission sets for everything but that would create a lot of manual work.

  11. Matej Blatnik April 29, 2015 at 7:44 pm #

    Question number 2.

    I got it right. However, could we not get the same solution if assigning it to all eligible users via permission sets?

    • JohnCoppedge April 29, 2015 at 8:22 pm #

      Not really – a permission set would grant access to object or field level security, but not to records.

      • Matej Blatnik April 29, 2015 at 9:28 pm #

        But question 2 is about field level security. I was referring to the I love permissions tutorial, where they say we should have the minimum amount of profiles and then use permission sets.

        Could you kindly elaborate, why we could not grant access to commission field via permission sets for all eligible users.

        Regards,

        Matej Blatnik

        • JohnCoppedge May 1, 2015 at 7:41 pm #

          Gotcha- it depends on how you define “minimum”. Technically speaking, you could have one profile and use only permission sets for everything.

          The idea is that you define the shared baseline between users in a profile, and then use permission sets for the non-standard variances. For example, finance and sales are probably going to need separate profiles. If you have two separate profiles, you would define access to that field at the profile level. What you might consider implementing is 2 profiles: 1 finance, 1 sales. Then use permission sets for all sales managers and the 2 sales users – that would make sense if you wanted to further limit profiles.

      • Munira Majmundar October 7, 2015 at 10:38 pm #

        John:

        But, you are giving 2 Sales Rep access to the Field via Permission Set. No?

        • JohnCoppedge October 10, 2015 at 2:49 pm #

          Correct- again you definitely need a permission set. The question would be whether finance and sales would share a profile… and although it is possible, most of the time that’s going to be very unlikely.

  12. Dave Holford February 15, 2015 at 12:41 pm #

    Question 4 – That was a loaded question – maybe consider updating the question to be a little more prescriptive as I went for the answer, which on the surface is what I thought was the ‘best practice’ answer.

    Maybe something like “What would be the easiest and quickest way for Jim to share the record with Jill”…..just a suggestion.

    • JohnCoppedge April 29, 2015 at 8:21 pm #

      It is a bit wordy but does drop hints to suggest that it should be a manual/quick solution, namely: Account collaboration is rare within your organization.

      All other solutions involve setup which would not be appropriate if that were the case. Thanks for the feedback!

      • msjohncox July 17, 2017 at 11:22 pm #

        Yes, I chose D as well for Question 4. You could do it in other ways, but I think we should assume that the correct answer will tend to be the simplest one that gets the job done with just the right amount of flexibility, just like in the real world. I did get the hint that collaboration in this company is rare, so a one-off user-to-user sharing would be simplest.

  13. Vasu Sanghani December 26, 2014 at 11:02 pm #

    I am confused about question 1. Would the group have then – the marketing groups, some of the execs and some of the sales users?
    Thanks

    • JohnCoppedge December 26, 2014 at 11:34 pm #

      Yes

    • msjohncox July 17, 2017 at 11:13 pm #

      I chose c for question 1. If you went with a. or b., unauthorized higher-up users would be able to see the records because of role hierarchy. Don’t pick d., because permission sets might still allow unauthorized users to see the list view – only through groups can you keep list views from being seen. Correct?

  14. Isaac Pak March 14, 2014 at 12:46 am #

    I don’t understand the difference in these answers to question 2:

    * Grant field-level visibility to the Delinquency Status field to the finance team, sales manager, and sales reps via permission set.

    * Grant field-level visibility to the Delinquency Status field to the finance team and sales manager profiles. Grant field-level visibility to the Delinquency Status field to the two sales reps via permission set.

    It seems like the same answer to me.

    • Jim Garrison March 14, 2014 at 3:00 pm #

      The first choice was:
      By using a Permission Set rule, grant Field Level visibility to:
      Finance Team
      Sales Manager
      Sales Reps

      The second choice was:
      Grant field level visibility to:
      Finance Team
      Sales Manager
      but give the two reps access via Permission Set.

      Remember in using SFDC it’s better to ‘tie down’ overall and then ‘free up’ as needed. Could you have done it the first way? Yes, but it would’ve taken a lot of time to actually set it up to each member of the finance team and sales managers, not to mention, in the future it would be hard to track it back down in case rules change.

      • Isaac Pak March 14, 2014 at 3:03 pm #

        Yes, I get it now. Thanks for clarifying that for me.

      • msjohncox July 17, 2017 at 11:16 pm #

        Good point. I think in theory, you could do a pretty good job just by locking everything down at the OWD level and then opening things up with permission sets. However, since permission sets only apply to users (not groups or roles), you’d have to do everything on a user-by-user basis, which is very cumbersome if rules change, people change jobs, etc.

    • Mark Lewis December 15, 2014 at 9:12 am #

      First part of the answer is all sales reps, the second part specifies two sales reps. It caught me out!

    • Munira Majmundar October 7, 2015 at 10:42 pm #

      The word TEAM threw me off. Can a profile be assigned to a TEAM? Thinking aloud, Sales Manager is technically a Team. But still, Finance Team to me would suggest many different profiles comprising a team 🙁

      • JohnCoppedge October 10, 2015 at 2:49 pm #

        Team in this case does not refer to a feature in Salesforce… I’ll look at clarifying that

        • msjohncox July 17, 2017 at 11:18 pm #

          Yes, team threw me off a bit. But since we have never discussed “team” in Salesforce, nor is there any standard “team” object, I assumed “team” here referred to some human construct. I could see a “team” corresponding to something like a formal Salesforce group, role, profile or permission set.
