Thanks to visit codestin.com
Credit goes to www.scribd.com

Scribd
Upload
13 views9 pages

Data Security

The document outlines various aspects of data security in Salesforce, including levels of security such as Object-Level, Field-Level, and Record-Level Security. It explains key concepts like Organization-Wide Defaults, Role Hierarchy, Sharing Rules, and Manual Sharing, along with best practices for securing data during integrations. Additionally, it discusses Login IP Ranges, Login Hours, and the differences between Sharing Rules and Apex Sharing.

Uploaded by

Sushant
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
13 views9 pages

Data Security

The document outlines various aspects of data security in Salesforce, including levels of security such as Object-Level, Field-Level, and Record-Level Security. It explains key concepts like Organization-Wide Defaults, Role Hierarchy, Sharing Rules, and Manual Sharing, along with best practices for securing data during integrations. Additionally, it discusses Login IP Ranges, Login Hours, and the differences between Sharing Rules and Apex Sharing.

Uploaded by

Sushant
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 9

DATA SECURITY

Interview Questions and Answers


1. What are the different levels of data security in Salesforce?
1. Object-Level Security
Controls visibility to objects using Profiles and Permission Sets.
Example: A user can have access to the Account object but not to the
Opportunity object.
2. Field-Level Security
Controls visibility and editability of individual fields within an object.
Example: A user can view the Account Name but not the Annual
Revenue.
3. Record-Level Security
Controls access to individual records in an object. This includes:
o OWD (Organization-Wide Defaults)
o Role Hierarchy
o Sharing Rules
o Manual Sharing
o Apex Sharing

2. What is Organization-Wide Default (OWD) in Salesforce?

OWD is the baseline level of access that users have to records they do not own.
It is set per object and determines whether records are:
• Private: Only owner and those above in the role hierarchy can access.
• Public Read Only: All users can view but not edit.
• Public Read/Write: All users can view and edit.
• Controlled by Parent: Access to the child record depends on access to
the parent.
OWD is configured in Setup > Sharing Settings.
3. How does Role Hierarchy affect data access?
Role Hierarchy in Salesforce allows managers or higher-level users to access
records owned by users below them in the hierarchy. This is primarily
read/write access.
• It works automatically with private OWD settings.
• It doesn't override object- or field-level security.

4. What is the difference between Profiles and Permission Sets?

Profile Permission Set

Mandatory for every user. Optional and additive.

One profile per user. Multiple permission sets per user.

Controls object, field, tab, and Grants additional access without changing
other access. the profile.

Best Practice: Use minimal profiles and extend permissions with permission
sets.

5. How do Sharing Rules work?


Sharing Rules are used to open up access to records on top of OWD. They can
be based on:
• Owner-based rules: Share records owned by users in specific roles or
groups.
• Criteria-based rules: Share records meeting certain field criteria.
Sharing Rules allow:
• Read-only or read/write access.
• Only automatic sharing, not revoking.
6. What is Manual Sharing?

Manual Sharing allows record owners or administrators to share a single record


with another user or group.
• Available only when OWD is Private or Read Only.
• Not available in Lightning Experience by default (requires enabling).

7. What is Apex Sharing?

Apex Sharing is programmatic sharing of records using Apex code. It's used
when:
• Sharing logic is too complex for declarative sharing.
• Custom objects require user-defined sharing.
Apex Sharing involves:
• Creating Share objects (e.g., AccountShare, CustomObject__Share).
• Setting UserOrGroupId, AccessLevel, and RowCause.

8. How is Field-Level Security enforced in Salesforce?

Field-Level Security (FLS) controls access to specific fields using:


• Profiles and Permission Sets: Define visibility and read-only access.
• Page Layouts: Control what is visible on UI (but not secure for API
access).
• API: FLS is enforced in API calls only when explicitly checked using tools
like Schema.DescribeFieldResult.
9. How would you troubleshoot if a user cannot see a record?
Steps to troubleshoot:
1. Check Object Permission (Profile/Permission Set).
2. Check Field-Level Security.
3. Check Record-Level Access:
o Is OWD too restrictive?
o Does Role Hierarchy grant access?
o Is there a Sharing Rule?
o Is the record manually shared?
o Any Apex Sharing logic?
4. Use “View All” or “Modify All” permissions (admin-level override).
Use "Sharing Button" or "Why can't I see this record?" in Lightning
Experience.

10. What are "View All" and "Modify All" permissions?


• View All: Grants read access to all records of an object, bypassing
sharing rules.
• Modify All: Grants full access (read/write/delete) to all records of an
object, bypassing sharing rules.
These permissions should be used cautiously as they override record-level
security.
11. What is the difference between Sharing Rules and Apex
Sharing?
Aspect Sharing Rules Apex Sharing

Type Declarative Programmatic

Limited to role/public
Flexibility Fully customizable
group/criteria

Use Case Standard scenarios Complex conditions

Slower if not managed


Performance Better performance
properly

12. How do you secure data when integrating Salesforce with


external systems?
Best practices include:
• Use Named Credentials for authentication.
• Use OAuth for secure access delegation.
• Leverage API security features: IP restrictions, User Session settings.
• Validate inputs to avoid SOQL/SOSL injection.
• Ensure field-level and object-level permissions are enforced in Apex
controllers.

13. Can a user see a field on a page layout but not access its data via
API?
Yes. Page layout visibility does not guarantee API access. Field-Level Security
must be explicitly enabled for API access. Tools like Apex or integrations should
check FLS via Schema.Describe.
14. What are Login IP Ranges and Login Hours?
Defined at the Profile level:
• Login IP Ranges: Restrict users to log in only from specific IP addresses.
• Login Hours: Restrict users to log in only during defined hours.
Outside these limits, login is blocked.

15. What are best practices for data security in Salesforce?


• Apply the Principle of Least Privilege.
• Use Permission Sets over creating multiple Profiles.
• Avoid using “Modify All Data” unless absolutely necessary.
• Use Field-Level Security to restrict sensitive data.
• Audit access with Field Audit Trail or Login History.
• Use Shield Platform Encryption for encrypting sensitive fields.
• Regularly review Sharing Settings and access logs.

16. What happens if a user tries to log in from an IP outside the


allowed range?

If a user tries to log in from an IP address outside the defined range:


• They will be denied access without being able to verify their identity
through a verification code.
• If no IP ranges are defined, Salesforce uses identity verification
(email/SMS) instead.
17. Can you set Login Hours or IP Ranges for individual users?

No, Login Hours and IP Ranges are set at the Profile level, not for
individual users. If user-specific restrictions are needed, you may have to
create a separate profile for that user.

18. How do Login IP Ranges differ from Trusted IP Ranges?


• Login IP Ranges (in Profile) block access entirely outside the range.
• Trusted IP Ranges (set in Network Access) allow access but may
prompt for identity verification if the user logs in from an
unrecognized location.

19. How do Login IP Ranges differ from Trusted IP Ranges?

• Login IP Ranges (in Profile) block access entirely outside the range.
• Trusted IP Ranges (set in Network Access) allow access but may prompt
for identity verification if the user logs in from an unrecognized location.

20. What is Login IP Range in Salesforce?

Login IP Range is another security feature that restricts user access


based on their IP address. Users can only log in to Salesforce from IP
addresses within the defined range, which is set at the profile level.

You might also like