Security Flashcards Preview

SFDC Sharing and Visibility Designer > Security > Flashcards

Flashcards in Security Deck (51)
Loading flashcards...
1
Q

What is the bluntest way to prevent a user from seeing, creating, editing or deleting any instance of a particular type of object, such as a lead or opportunity?

A

Object-level security (also known as object permissions) via Permission sets and Profiles

2
Q

How can you hide whole tabs and objects from particular users, so that they don’t even know that type of data exists?

A

Use Object-level security (also known as object permissions) via Permission sets and Profiles

3
Q

Describe Profiles as defined in Salesforce

A

Profiles are typically defined by a user’s job function (ex, system administrator or sales representative). A profile can be assigned to many users, but a user can be assigned to only one profile

4
Q

What do Permission Sets do?

A

Permission sets are used to grant additional permissions and access settings to users. It’s easy to manage user’s permissions and access with permission sets, because you can assign multiple permission sets to a single user

5
Q

What are the 3 steps in setting up record-level security?

A
  1. Determine the organization-wide sharing settings for each object,
  2. Define a hierarchy for your users
  3. Create sharing rules
6
Q

What is the consequence if you disable a permission or remove an access setting in a profile and any permission sets that are assigned to a user?

A

The permission or access setting is disabled for all other users assigned to the profile or permission sets

7
Q

What is the consequence if a permission or access setting is enabled in the user’s profile and you assign them a different profile, or if you remove a permission set from the user?

A

The user may lose other permissions or access settings associated with the profile or permission sets

8
Q

What are the following permissions used for:

  • View All
  • Modify All
A

it’s used for delegation of object permissions

9
Q

What are the following permissions used for:

  • View All Data
  • Modify All Data
A

It’s used to manage all data in an organization; for example, data cleansing ,deduplication, mass deletion, mass transferring, and managing record approvals

10
Q

What is the following permission use for:

- View All Users

A

It’s used for viewing all users in the organization. Grants Read access to all users, so that you can see their user record details, see them in searches, list views, and so on.

11
Q

Who would typically need the following permissions:

  • View All
  • Modify All
A

Delegated administrators who manage records for specific objects

12
Q

Who would typically need the following permissions:

  • View All Data
  • Modify All Data
A

Administrators of an entire organization

13
Q

Who would typically need the following permission:

- View All Users

A

Users who view all users in the organization, especially if the organization-wide default for the user object is Private. Administrators with the “Manage Users” permission are automatically granted the “View All Users” permission

14
Q

There are 4 Salesforce Standard objects for which “View All” and “Modify All” are not available. Which 4 are those?

A

Ideas
Price books
Article Types
Products

15
Q

Who is the target audience for permissions that respect sharing?

A

End-users

16
Q

Who is the target audience for permissions that override sharing?

A

Delegated Data Administrators

17
Q

Where are permissions that respect sharing managed?

A

CRED object permissions
and
Sharing Settings

18
Q

Where are permissions that override sharing managed?

A

“View All” and “Modify All”

19
Q

For permissions that respect sharing, do you have the ability to approve records, or edit and unlock records in an approval process?

A

No

20
Q

For permissions that override sharing, do you have the ability to approve records, or edit and unlock records in an approval process?

A

It’s available on all objects with “Modify All” access

21
Q

For permissions that respect sharing, how can you report on all records

A

If you have a sharing rule that states: the records owned by the public group “Entire Organization” are shared with the specified group, with Read-Only access

22
Q

Which permission that overrides sharing will provide you with the ability to report on all records?

A

If you have “View All” available on the object

23
Q

Can you edit multiple profiles at the same time?

A

If enhanced profile list views are enabled for your organization, you can change permissions in up to 200 profiles directly from the list view, without accessing individual profile pages

24
Q

Is it possible to edit all contacts associated with an account you own even if you don’t own the contacts themselves?

A

Yes, you can set contact access so that users in a role can edit all contacts associated with accounts that they own

25
Q

If a user does not have the “View Encrypted Data” permission, can they still edit the encrypted field?

A

Yes

26
Q

How can you restrict edit access to an encrypted field?

A

Use validation rules, field-level security settings, or page layout settings to prevent users from editing encrypted fields

27
Q

Can you create criteria-based sharing rules with Apex?

A

No. You also cannot test criteria-based sharing with Apex

28
Q

Can high-volume portal users be included in sharing rules?

A

No, because they don’t have roles and can’t be in public groups

29
Q

What is the limit of criteria-based sharing rules per object?

A

50

30
Q

How can an admin prevent users outside of he Sales Department from accessing the Leads object?

A. Create, read, update, delete restrictions
B. Field level security restrictions
C. Sharing settings
D. All of the above

A

A. Create, read, update, delete restrictions

31
Q

How can an admin give a regional Sales team access to a subset of opportunity records?

A. Create, read, update, delete restrictions
B. Field level security restrictions
C. Sharing settings
D. All of the above

A

C. Sharing settings

32
Q

How can an admin give only the HR department access to the Salary field on the User object?

A. Create, read, update, delete restrictions
B. Field level security restrictions
C. Sharing settings
D. All of the above

A

B. Field level security restrictions

33
Q

Which of the following automatically enforces CRUD/FLS settings?

A. Custom Visualforce pages with standard controller
B. Apex controllers
C. Apex Triggers
D. Apex Webservice

A

A. Custom Visualforce pages with standard controller

34
Q

When does the platform bypass admin-configured authorization settings by default?

A. When you call executeanonoymous() API
B. When you access the standard Accounts tab
C. In a custom Apex Trigger
D. When you have a custom Visualforce page with a standard controller

A

C. In a custom Apex Trigger

35
Q

If Salesforce is secure software, why is application security important to Force.com developers?

A. As a platform, Salesforce releases some security control to developers to provide maximum flexibility to meet business needs

B. Application security is not important, developers do not need to learn anything about security

C. Security is only the responsibility of Salesforce administrators

D. All the above

E. None of the above

A

A. As a platform, Salesforce releases some security control to developers to provide maximum flexibility to meet business needs

36
Q

Why is application security of increased importance to developers releasing products to AppExchange?

A. AppExchange products reach many customers, so issues are replicated across many environments

B. The AppExchange listing process requires a mandatory security assessment with zero security findings

C. Customer trust is of utmost importance to Salesforce, and it is essential for AppExchange partners to maintain this trust

D. All the above

E. None of the above

A

D. All the above

37
Q

What is typically involved in setting up Record-level access

A
  • Organization-wide defaults
  • Role hierarchy
  • Territory hierarchy
  • Sharing Rules
  • Teams
  • Manual sharing
  • Programmatic sharing
38
Q

When can you use Custom Metadata Types to store authentication data and other secrets?

A

You can use “Protected Custom Metadata Types”. Within a namespaced managed package, protected custom metadata types are suitable for storing authentication data and other secrets. Custom metadata types can also be updated via the metadata API in the organization that created the type, and can be read (but not updated) at run time via SOQL code within an apex class in the same namespace as the metadata type.

Secrets which are common across all users of the package (such as an API key) needs to be stored in Managed Protected Custom Metadata Types. Secrets should never be hard-coded in the package code or displayed to the user.

39
Q

How can you assure Custom Settings that is included in a managed package can only be accessed programatically via Apex code within the package?

A

Set the visibility of the Custom Setting Definition to “Protected” and include it in a managed package. This is useful for secrets that need to be generated at install time or initialized by an admin user.

40
Q

Can custom settings be updated at run-time in your Apex class?

A

Yes, but it cannot be updated via the Metadata API

41
Q

Can custom metadata types be updated at runtime in your Apex class?

A

No, but it can be updated via the Metadata API

42
Q

What does the Apex Crypto class provide?

A

Algorithms for creating digests, MACs, signatures and AES encryption. When using the crypto functions to implement AES encryption, keys must be generated randomly and stored securely in a Protected Custom Setting or Protected Custom Metadata type. Never hardcode the key within an Apex class

43
Q

How are Encrypted Custom fields encrypted?

A

Via 128-bit keys and using the AES algorithm

44
Q

How does an XSS attack work?

A

XSS attacks occur when user supplied input is reflected in the HTML of a web page. Due to poor separation between code context and user data, the user input is executed as code

45
Q

What can you do to prevent SOQL Injection?

A

Avoid using dynamic SOQL queries. Instead use static queries and binding variables.

46
Q

If you must use dynamic SOQL, how can you prevent SOQL Injection?

A

Use the escapeSingleQuotes method to sanitize user-supplied input. This method adds the escape character () to all single quotation marks in a string that is passed in from a user. The method ensures that all single quotation marks are treated as enclosing strings, instead of database commands

47
Q

What are the three main encoding functions that developers can use to neutralize potential XSS threats

A

HTMLENCODE
JSENCODE
JSINHTMLENCODE

48
Q

If the value is going to be parsed by the JavaScript parser, should you use:
A. HTMLENCODE
B. JSENCODE
C. JSINHTMLENCODE

A

B. JSENCODE

49
Q

If the value is going to be parsed by the HTML parser, should you use:
A. HTMLENCODE
B. JSENCODE
C. JSINHTMLENCODE

A

A. HTMLENCODE

50
Q

If it’s a combination of both JavaScript parser and HTML parser, what should you use?
A. HTMLENCODE
B. JSENCODE
C. JSINHTMLENCODE

A

You can use C. JSINHTMLENCODE or a combination of A and B as follows; JSENCODE(HTMLENCODE())

51
Q

What does the escape=”false” attribute do in HTMLENCODE() functions?

A

It disables the built-in platform HTML encoding. The developer has to wrap the merge field with HTMLENCODE to ensure the value is rendered as text and not code