Data Security Model interview questions

 Data Security  Model Interview Questions :

1.            1. I have a profile by name 'ProvideReadAccess' and two users U1 and U2 assigned to it.                 And I have object X. My Question is I want to have Read Write access for U1 and Read                 Only  access for U2 for the object X. How do I do this?

     Read Access for both users is common hence in the Profile settings give 'Read' access for the             object 'X'. By doing this User U2 will be able to read all the records (One condition satisfied) but     UI will also be able to only read the records(Second condition not satisfied).

    So next what do we do is we create a permission set say 'GrantWriteAccess' and in this                 permission set we give the object 'X' the Write access and assign the user U1 to this permission set.   (2nd condition satisfied).

  2.     I have not given any CRUD permission in the profile 'P1' for an object O1, yet I'm able to create records for object 'O1'. How could this be possible?

Any permission with respect to creation /deletion/Updating/viewing of object is possible only through permission set or Profile.

Meaning If we are able to create records in a object then the Create Permission in either Profile or in Permission Set should be enables. If its not enabled in the Profile then it has to be in the Permission set. So check for the permission set.

 3.   I have a User, who will leave the organization tomorrow. He is basically a manager and there are 15 users below him. Now when this user leaves the organization i would generally inactivate the User. But now my concern is if I inactivate this user What happens to the Role hierarchy? the assignment rules, Approval processes, the records created by him and records to which he is the default owner like leads and cases. And what would be best possible solution to keep this application intact and running and yet have this user de activated?

To prevent users from logging into your organization while you perform the steps to deactivate them, you can freeze user accounts.

So, in this way until you find ways to remove this User from Role hierarchy/assignment rules/update the Owner of the records created by him / from any place where this user is used, we can make use of FREEZE button on the User record.

Note:

1. When we click on FREEZE button, the user will not be able to login to the application any more.

2. Freezing user accounts doesn't freeze the user licenses available for use in your organization. We have to   deactivate the user to free the license.

 4. What will happen if profile related to user U1 above in role hierarchy doesn’t have CRUD permission for object say A. User U2 below in his role hierarchy have CRUD permission to object A. Will user U1 will be able to see or edit record if Grant Access Using Hierarchies is checked for object A in sharing settings?

No. If a user does not have read or edit access to an object via OWD, a profile or permission set, they will have no visibility on object regardless of their role and role hierarchy.

 5.     Can we restrict permission for users through Permission sets?

No. permission sets always extends the permission.

6.     If a user does not have access to a specific record type, will they be able to see the records that have that record type?

Yes, because record type only control the UI visibility.

7.     If field is hidden and user try to search that value which is in that field. What happen?

Record with that field value will return in query.

8.     Difference between View All and Modify All?

a.      View All: In this user can see all the records of that object regardless of the sharing and security settings.

b.     Modify All: In this user can create, write all the records of that object regardless of the sharing and security settings.

9.     Name some OWD options available.

a.      private

b.     public read only

c.      public read/write

d.     public read/write/transfer (for Lead & Case)

e.     public full access (for campaign)

f.       controlled by parent (for order,contact,asset).

 

10.   Can 2 users have a similar profile? will 2 profiles be assigned to a single user?

users can have a same profile. No, 2 profiles can not be assigned to a single user.

 

11.  Case object has OWD set to private. Now regardless of hierarchies, like top to down (e.g. manager can view lead cases), down to top (e.g. lead can view manager cases), and horizontal (e.g. lead can view lead cases), and cross functionally, all cases should be visible to anyone without change in OWD. How is this possible?

for this we can create sharing rule based on criteria where we will give access to “Roles and subordinates” to the head of department, It will give everyone access on case object regardless of their role.

 

12.    Which permissions gives the User to edit any record, regardless of the Sharing Model? 

Modify All Data

 

13.  How to trigger Sharing rule of Formula field?

Sharing rule does not let you use formula fields in the rule criteria, but workaround is to replace the formula field with a regular field and put the formula that populates it into a workflow that fires whenever an object is created or edited. By this way, you’ll have a regular field with the same value.

 14.   Can we restrict any user profile to use salesforce application from specific IP range? 

Yes, we can restrict user profile for specific IP range.

Setup -> Profile-> Login IP Ranges -> Specify IP Range

15.  What is session-based permission set?

Session based permission set is temporary permission set which is assigned in some specific condition.

Use Case: We want to restrict Interview room access only when if interview panel connect LAN interview.

16.  What will happen when we set 0.0.0.0 to 255.255.255.255 at your network level for IP restrictions?

We cannot set this range in IP restriction. It can be set in profile level.

17.  What if user is logged in when their login hours end?

User can continue to their page but they can not do any action. Like they can not create or edit operation.

18.  Can custom object on detail side has sharing rule?

Custom objects on the detail side of a master-detail relationship cannot have sharing rules, manual sharing, or queues, as these require the Owner field.

19. What is the difference between role and profile?

Roles and profiles are fundamental security and access components within Salesforce that work together to control what a user can see and do on the platform.

·        Profiles control what a user in Salesforce can do. Profiles are required, and control which objects and fields a user can access.

·        Roles control what a user in Salesforce can see. The administrator is responsible for increasing data visibility and access using organization-wide defaults, role hierarchy, and sharing rules.

20.What are the different types of Sharing Rules in Salesforce?

Sharing rules allow the administrator to increase data visibility to select users by making exceptions to organization-wide sharing settings.

There are two types of sharing rules in Salesforce:

·        Owner-based sharing rules – access based on who owns the record

·        Criteria-based sharing rules – access based on the values of fields in the record

21.What are different Levels of data access in Salesforce?

·        Organization-wide defaults

·        Role hierarchies

·        Sharing rules

·        Manual sharing.

22. What is Organization-wide defaults?

Organization Wide Defaults (OWD) in salesforce is the baseline level of access that the most restricted user should have. Organizational Wide Defaults are used to restrict access. We grant access through other means like(sharing rules, Role Hierarchy, Sales Teams and Account teams, manual sharing, Apex Sharing ). In simple words Organization Wide Defaults (OWD) specify the default level of access users have to each other’s records.

23. What is role hierarchy?

It gives access for users higher in the hierarchy to all records owned by users below them in the hierarchy. Role hierarchies don’t have to match your organization chart exactly. Instead, each role in the hierarchy should represent a level of data access that a user or group of users needs.

 

24. What are Sharing Rules?

Sharing Rules are automatic exceptions to organization-wide defaults for particular groups of users, so they can get to records they don’t own or can’t normally see. Sharing rules, like role hierarchies, are only used to give additional users access to records. They can’t be stricter than your organization-wide default settings.

 

25. What is Manual sharing?

It allows owners of particular records to share them with other users. Although manual sharing isn’t automated like org-wide sharing settings, role hierarchies, or sharing rules, it can be useful in some situations, such as when a manager is going on vacation needs to temporarily assign ownership of his job to someone else.

 

26. What is Profile

Each user has a single profile that controls which data and features that user has access to. A profile is a collection of settings and permissions. Profile settings determine which data the user can see, and permissions determine what the user can do with that data.

• The settings in a user’s profile determine whether she can see a particular app, tab, field, or record type.
• The permissions in a user’s profile determine whether she can create or edit records of a given type, run reports, and customize the app.

NOTE- A profile can be assigned to many users, but a user can have only one profile at a time.

 

27. What is Permission Set?

A permission set is a collection of settings and permissions that give users EXTRA access to various tools and functions. The settings and permissions in permission sets are also found in profiles, but permission sets extend users’ functional access without changing their profiles.
Permission sets make it easy to grant access to the various apps and custom objects in your org, and to take away access when it’s no longer needed.
Users can have only one profile, but they can have multiple permission sets.

 

28. What is “View all” and “Modify all” permission?

View all and Modify all permissions are usually given to system administrator. When you grant “View All” or “Modify All” for an object on a profile or permission set, you grant any associated users access to all records of that object regardless of the sharing and security settings.
In essence, the “View All” and “Modify All” permissions ignore the sharing model, role hierarchy, and sharing rules that the “Create,” “Read,” “Edit,” and “Delete” permissions respect. Furthermore, “Modify All” also gives a user the ability to mass transfer, mass update, and mass delete records of that specific object, and approve such records even if the user is not a designated approver.
These tasks are typically reserved for administrators, but because “View All” and “Modify All” let us selectively override the system, responsibilities that are usually reserved for the administrator can be delegated to other users in a highly controlled fashion.

 

29. Is it possible to restrict permission for users using permission set?

No, Permission Set always extends the permission. It does not restrict permission to users.

30. In Profile settings, what is difference between “Modify All Data” and “Modify All”?
Modify All Data : Read, Create, edit, delete, view all and modify all objects for current Profile, regardless of sharing settings.
Modify All : Give Read, Edit, Delete and View All permission to selected Object, Create permission is not included in Modify All  permission.

31. In case of Master-Detail relationship, on Update of master record can we update the field of child record using workflow rule?  No
32. In case of Master-Detail relationship, on Update of child record can we update the field of Parent record using workflow rule?
Yes, the Master fields are also available for “Criteria evaluation”.

33. While setting OWD (Organization wide sharing), can we change/modify the setting of child record in case of Master-Detail relationship?
No, Child record is controlled by the Parents setting.

34.  Suppose there are 3 user A, B and C belongs to the profile “Manager”. All these three users can access (Read, Create, Edit, Delete) an object Account. How to revoke the access of user B and C so that they cannot access object Account and only user A can access object Account.
First, remove all permission from Manager profile. Now create a new permission set and give Read, Create, Edit, Delete (whatever access you want) and then assign this permission set to user A.

In this way user A can access object Account. User B and C cannot access object Account.

35. What is apex manage sharing?

Apex managed sharing is a programmatic sharing. To share record using Apex managed sharing, you need to write the Apex code.

Fields	Description
ParentId	The Id of the record being shared. This is read-only.
UserorGroupId	The Id that we are granting access to. The Id is Role Id (or) User Id (or) Public group Id (or) Territory Id.
AccessLevel	Level of Access Read or Edit.
RowCause	Reason for why the record is shared to user or group.

 Apex managed sharing will create records in Share tables with custom RowCause or “Manual” RowCause.   Manual RowCause is User Managed Sharing.

When you use apex managed sharing to share a custom object, only users with the “Modify All Data” permission can add or change the sharing on the custom object’s record, and the sharing access is maintained across record owner changes.

Salesforce create share table for all objects for which OWD is either public read only or Private. For standard object, share table name is table name followed by share word. For example: AccountShare, ContactShare, CaseShare
For custom object, it is followed by __share. For example : For Position__c, share table name is Position__share.