These questions are designed to be similar to ones that will be asked on certification exams. Aim to get most of these questions correct on the first attempt.
39 Responses to “Security: Quiz”
I did get all of these right! Awesome quiz by the way – just the right level of difficulty for what we have covered so far. Here’s what went through my head while doing the quiz.
Question 1: I chose c. If you went with a. or b., higher-up users would be able to see the records because of role hierarchy. Don’t pick d. because permission sets might still allow unauthorized users to see the list view. Only through groups can you appropriately restrict list views.
Question 2: I chose d, because you need the flexibility to use both profiles and permission sets. If you choose a. or c., all sales reps would be able to see it. You can’t choose b., because permission sets only apply to individual users, not profiles or roles.
Question 3: I chose c. That way, you can opt-in only authorized CSRs. That’s in keeping with the best practice of locking everything down at the OWD level, then opening things up as needed.
Question 4: I chose a. Since sharing like this is rare in this organization, it is easiest to just have Jim share this one record. There is no need to create a queue, group, profile, etc.
For question 2, option 2 / B is very close to being the perfect option except that the permission set does not restrict to the 2 sales reps. If the answer is reworded as “Grant field-level visibility to the Delinquency Status field to the finance team, sales manager, and 2 sales reps via permission set”, wouldn’t that be the ideal answer over the current answer (which is option 4 / D). The reason being such a permission set would make future changes to the delinquency field visibility much easier than updating profiles and permission sets separately.
Thoughts, John?
Depends – if you are managing access to an application through a permission set then it is generally better to centralize permissions under the permission set. For one off scenarios like the question either can work.
The reason I didn’t choose B is because you can only assign permission sets to individual users, not profiles or roles. You could do this with permission sets all the way, but it would be cumbersome if there are many members of the finance team and then you’d have to edit things again if there were new users in these job positions. I chose D, because in this case, you need the flexibility of granting permission via profiles and permission sets. Yes?
Yep exactly correct
Hi John,
First off, thank you so much for the quizzes (both of them). They’ve been extremely helpful.
Out of curiosity, will there be any updates made (such as additional quizzes or questions) to the Security Quiz section? I know it’s a lot to ask but the questions you’ve proposed are challenging and it’s hard to find other sites that push the envelope as hard as you do.
If time is limited for you and it’s better off referring me to other resources, that would be great too.
Thanks a lot!
Pedro
John:
On question 1, “…ability to access several list views and a report folder”, I am interpreting that “access” means “what you can see” which I believe in this case, is driven by Public Group (The ones that see the list view and reports). Permission set would apply when deciding what can be done to each record. Am I right on my assumptions?
Thanks
Access meaning that they can select the list view. Being able to select the list view does not mean the user can see all of the records within.
Access to the view is controlled independently of access to the records (however both rely heavily on roles, groups).
Trick questions, but keep you on your toes.
Is this updated?
Yes- please see the FAQ
Hi John, I would like to check with you about Q4. Looks like only one account record is to be shared by Jim and the answer is the first one. If the question is changed to many opportunity records related to the account “Squared Wireless” are to be shared by Jim. What is the best solution? May we use criteria rule base to share the records? The second answer might be right. Many thanks for your advice! -Crystal
When you share the account manually you can also share the access of related records such as opps, so manual sharing could still work.
Hi, could you clarify the answer to Q1? I struggled with it, but I guess I don’t understand sharing rules well enough. Is the reason for this answer (rather than D, which was what I chose) because it’s about record security rather than object security?
I refer to this as “folder security” although I don’t think it has a technical term- basically encompassing the security that controls access to list views, report folders, etc.
This is controlled by groups rather than permission sets – take a look at the matrix for comparison: http://classic.certifiedondemand.com/security-model-matrix/
Hello! This sentence is worded a bit awkwardly. I had to read it a couple times to understand this explanation:
-Question 1, answer description-
“Creating a public group would be ideal in this scenario regardless, as would be able manage the list of users in a centralized fashion…”
Thanks, updated
Hey John ~ on question 2, I thought the right answer was D or the last answer – but chose the second because I thought the answers displayed were trying to trick me. Wouldn’t you have to create a custom profile for finance and sales managers? If so, I choose the other answer because it wasn’t specified.
This is somewhat subjective – but the idea is that you would want to assign the permission with broad strokes at the profile and to the individuals using permission sets. You could use permission sets for everything but that would create a lot of manual work.
Question number 2.
I got it right. However, could we not get the same solution if assigning it to all eligible users via permission sets?
Not really – a permission set would grant access to object or field level security, but not to records.
But question 2 is about field level security. I was referring to the I love permissions tutorial, where they say we should have the minimum amount of profiles and then use permission sets.
Could you kindly elaborate, why we could not grant access to commission field via permission sets for all eligible users.
Regards,
Matej Blatnik
Gotcha- it depends on how you define “minimum”. Technically speaking, you could have one profile and use only permission sets for everything.
The idea is that you define the shared baseline between users in a profile, and then use permission sets for the non-standard variances. For example, finance and sales are probably going to need separate profiles. If you have two separate profiles, you would define access to that field at the profile level. What you might consider implementing is 2 profiles: 1 finance, 1 sales. Then use permission sets for all sales manager and the 2 sales users – that would make sense if you wanted to further limit profiles.
John:
But, you are giving 2 Sales Rep access to the Field via Permission Set. No?
Correct- again you definitely need a permission set. The question would be whether finance and sales would share a profile… and although it is possible, most of the time that’s going to be very unlikely.
Question 4 – That was a loaded question – maybe consider updating the question to be a little more prescriptive as I went for the answer, which on the surface is what I thought was the ‘best practice’ answer.
Maybe something like “What would be the easiest and quickest way for Jim to share the record with Jill”…..just a suggestion.
It is a bit wordy but does drop hints to suggest that it should be a manual/quick solution, namely: Account collaboration is rare within your organization.
All other solutions involve setup which would not be appropriate if that were the case. Thanks for the feedback!
Yes, I chose D as well for Question 4. You could do it in other ways, but I think we should assume that the correct answer will tend to be the simplest one that gets the job done with just the right amount of flexibility, just like in the real world. I did get the hint that collaboration in this company is rare, so a one-off user-to-user sharing would be simplest.
I am confused about question 1. Would the group have then – the marketing groups, some of the execs and some of the sales users?
Thanks
Yes
I chose c for question 1. If you went with a. or b., unauthorized higher-up users would be able to see the records because of role hierarchy. Don’t pick d., because permission sets might still allow unauthorized users to see the list view – only through groups can you keep list views from being seen. Correct?
I don’t understand the difference in these answers to question 2:
* Grant field-level visibility to the Delinquency Status field to the finance team, sales manager, and sales reps via permission set.
* Grant field-level visibility to the Delinquency Status field to the finance team and sales manager profiles. Grant field-level visibility to the Delinquency Status field to the two sales reps via permission set.
It seems like the same answer to me.
The first choice was:
By using a Permission Set rule, grant Field Level visibility to:
Finance Team
Sales Manager
Sales Reps
The second choice was:
Grant field level visibility to:
Finance Team
Sales Manager
but give the two reps access via Permission Set.
Remember in using SFDC it’s better to ‘tie down’ over all and then ‘free up’ as needed. Could you have done it the first way? Yes, but it would’ve taken a lot of time to actually set it up to each member of the finance team and sales managers, not to mention, in the future it would be hard to track it back down in case rules change.
Yes, I get it now. Thanks for clarifying that for me.
Good point. I think in theory, you could do a pretty good job just by locking everything down at the OWD level and then opening things up with permission sets. However, since permission sets only apply to users (not groups or roles), you’d have to do everything on a user-by-user basis, which is very cumbersome if rules change, people change jobs, etc.
First part of the answer is all sales reps, the second part specifies two sales reps. It caught me out!
The word TEAM threw me off. Can a profile be assigned to a TEAM? Thinking aloud, Sales Manager is technically a Team. But still, Finance Team to me would suggest many different profiles comprising a team 🙁
Team in this case does not refer to a feature in Salesforce… I’ll look at clarifying that
Yes, team threw me off a bit. But since we have never discussed “team” in Salesforce, nor is there any standard “team” object, I assumed “team” here referred to some human construct. I could see a “team” corresponding to something like a formal Salesforce group, role, profile or permission set.