Config & Setup (objectives 3 +4) Practice Exam
The admin will be on vacation for 3 days. He used the Delegated Administration feature to allow the sales manager, Andrew, to perform admin duties. Which tasks would Andrew be able to do as a result of being a delegated admin?
1. Assign specific permission sets 2. Reset passwords for users in specific roles 3. Create and edit users in specific profiles and roles. Note: delegated admins can only assign the profiles and permission sets specified for their delegated group; they cannot edit permission sets, and they cannot assign any profile or permission set that includes the 'Modify All Data' permission.
A user would like to change the language the user interface is displayed in. How can the admin accomplish this?
1. Change the Language setting on the user's detail page in Setup 2. Advise the user to change the language setting under their personal settings ('My Personal Information')
Health Check Risk Categories and Recommended Actions
1. High Risk (e.g. Maximum Invalid Login Attempts, expired certificates) 2. Medium Risk (e.g. password complexity requirement, minimum password length) 3. Low Risk (e.g. password question requirement, Force Logout on Session Timeout) 4. Informational (e.g. days until certificate expiration)
What does network-based security cover?
1. IP range restrictions 2. Profile-based IP restrictions 3. Login hours. Note: trusted IP ranges for the whole org are set on the Network Access page; profile-based Login IP Ranges and login hours are set on each profile.
Which of the following auditing features are available in Salesforce?
1. Login History 2. Field History Tracking 3. Setup Audit Trail. Note: debug logs are not an auditing tool; developers use them to trace code execution.
An organization has a Security Health Check score of 55%. The admin needs to identify and fix high-risk security settings. If the default Salesforce Baseline Standard is used for the health check, which of the following are High Risk settings?
1. Number of Expired Certificates 2. Maximum Invalid Login Attempts
Which features can an admin use to control record sharing?
1. Org-Wide Defaults (OWD) 2. Role Hierarchy 3. Sharing Rules. Profiles and permission sets work at the object (and field) level, not the record level.
A Salesforce admin often deals with record-level security. Which of the following are correct regarding record-level security?
1. Roles are used to create a sharing hierarchy among users 2. Sharing rules can never be stricter than the org-wide sharing defaults (they only open up access)
The company's security manager has reported that they are not able to view the Health Check page of the Salesforce org. What could be the problem?
1. The user does not have the 'View Setup and Configuration' permission 2. The user does not have the 'View Health Check' permission. Note: only these two permissions are required to view Health Check; enabling 'View Health Check' automatically enables 'View Setup and Configuration' if it is not already enabled.
Where can a user's login attempts be found?
1. The User Detail section of the user record 2. The Login History page in Setup 3. The Login History related list on the user record. (A 'Login Attempts' page and a 'Login Security' page do NOT exist.)
Which of the following are valid identity verification methods?
1. A built-in authenticator such as Touch ID, Face ID, or Windows Hello 2. The Salesforce Authenticator mobile app, used to approve the account activity 3. A verification code sent by email to the address associated with the account
What are the considerations for deactivating a user?
1. A user cannot be deactivated while they are the sole recipient of a workflow email alert, a customer portal admin, the default owner of Leads or Cases, or selected in a custom hierarchy field 2. A deactivated user is not deleted from the system; they simply can no longer log in to Salesforce 3. Records owned by a deactivated user are not transferred automatically; the admin can transfer them to another user. Note: inactive users continue to be listed as the Created By user on their records.
An admin needs to add 10 users and is considering the 'Add Multiple Users' feature. Which of the following statements are true regarding this functionality?
1. Every user added in one batch is allocated the same license type 2. Users can be allocated different roles 3. Users can be given the same or different profiles. Required fields: Last Name, Email (which also becomes the Username), Profile, Role. Note: when adding multiple users, the email address becomes the username. Whether creating single or multiple user records, a first name is not required.
Which of the following are password policy settings that can be modified in a Salesforce org?
1. Enforce password history 2. Minimum password length 3. Password expiration. Others: maximum invalid login attempts, lockout effective period, and password complexity requirement.
Users with the Sales profile should no longer have access to several fields on a custom object. The admin plans to use field-level security for these fields. What should the admin consider before changing the page layout and field-level security settings?
1. Fields removed from a page layout are still accessible to users in reports, search, and list views 2. A field hidden via field-level security does not appear in page layouts, search results, list views, related lists, or reports. Why? Field-level security hides a field or makes it read-only per profile (or permission set), and applies everywhere in the org; removing a field from a page layout only affects that layout.
A user has left your company and you need to ensure immediately that they cannot log in to Salesforce. In what situations would you freeze rather than deactivate?
1. If the user is the default owner of Leads or Cases 2. If the user is selected in a custom hierarchy field. Why? Freezing a user prevents them from logging in while the steps needed to deactivate are completed. A user cannot be deactivated while they are the default Lead or Case owner, selected in a custom hierarchy field, or the sole recipient of a workflow email alert.
What are the forms of organization security controls?
1. Passwords (policies defined at the profile level and the organization level) 2. IP restrictions (and login hours) 3. Identity confirmation (MFA) 4. Network settings (trusted IP ranges from which users can log in without verifying their identity)
An admin wants to absolutely deny login access to the org when users log in outside specified hours or outside a specified IP range. What options can be used?
1. Profile-based Login IP Ranges 2. Profile-based login hour restrictions. Note: login hours and IP addresses can be absolutely restricted only at the profile level, not at the organization level (org-wide Trusted IP Ranges never block a login).
What options are available to set the length of time after which the system logs out inactive users?
1. Session timeout can be set at the organization level (Session Settings) 2. Session timeout can be set at the profile level (profile session settings override the org-level value)
In a private sharing model, if the admin needs to make exceptions to give access to account records, which features can be used?
1. Sharing rules 2. Manual sharing 3. Account teams. Note: there is no such thing as 'sharing exception rules', and field permissions define access to object fields, not to records.
A user is not able to log in. What could be the reason?
1. The user is logging in from an IP address outside the Login IP Ranges defined for their profile 2. The user is attempting to log in outside the login hours defined for their profile. Note:
- IP ranges exist at both the profile level (Login IP Ranges) and the organization level (Trusted IP Ranges); only the profile Login IP Range is fully restrictive
- Login IP Ranges are set per profile and define the addresses from which users with that profile can log in; a login attempt from outside the range is denied
- Trusted IP Ranges are set organization-wide and list the addresses from which users do not receive an identity verification challenge; they do not stop a login attempt, the user just has to complete the challenge to continue
- Login hours are set per profile, and login attempts outside those hours are denied
What are the implications of freezing a user?
1. The user can no longer log in 2. Access can be restored by unfreezing the user. (Freezing does not free up the user's license; only deactivation does.)
Under which of the following conditions can a user not be deactivated?
1. The user is the sole recipient of a workflow email alert 2. The user is selected in a custom hierarchy field. Why? A user selected in a custom hierarchy field cannot be deactivated even if the field is deleted; the field must be deleted and then permanently erased before the user can be deactivated.
The admin wants to make the org more secure with network-based security such as login hours and IP ranges. When should network-based security be used?
1. When she wants to limit where people can log in from 2. When she wants to make it harder to use stolen credentials 3. When she wants to limit when people can log in
An admin is told to look through login forensics to spot suspicious attempts to gain access to the org. Which of the following can Login Forensics provide?
1. Who logged in more than the average number of times 2. The average number of logins per user over a specified period 3. Who logged in during non-business hours 4. Who logged in from suspicious IP ranges. Note: it does not report the number of logins per role or profile.
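The four questions above are easy to answer once you have the raw login history in hand. The script below is an added example, not Salesforce code and not the Login Forensics feature itself: it runs the same four checks over a constructed sample of login-history records (usernames, timestamps, addresses, the "suspicious" range and the business-hours window are all made up for illustration). Failed attempts are excluded from the per-user login counts but included in the off-hours and suspicious-IP scans, since a burst of failures at 2 AM is exactly what you want to see.

```python
"""Login-forensics style checks over a constructed login-history sample.

Added example, not Salesforce's Login Forensics feature or any Salesforce
code: it only illustrates the four questions listed in the notes. Usernames,
timestamps, addresses and the 'suspicious' range are constructed.
"""
from collections import Counter
from datetime import datetime
import ipaddress

# Constructed sample records: (username, login time, source IP, status).
LOGIN_HISTORY = [
    ("alice@example.com", "2024-03-04T09:05:00", "203.0.113.10", "Success"),
    ("alice@example.com", "2024-03-04T13:20:00", "203.0.113.10", "Success"),
    ("bob@example.com",   "2024-03-04T08:55:00", "203.0.113.22", "Success"),
    ("bob@example.com",   "2024-03-04T02:10:00", "198.51.100.5", "Success"),
    ("bob@example.com",   "2024-03-04T02:12:00", "198.51.100.5", "Success"),
    ("bob@example.com",   "2024-03-04T02:15:00", "198.51.100.5", "Success"),
    ("bob@example.com",   "2024-03-04T02:16:00", "198.51.100.5", "Invalid Password"),
    ("carol@example.com", "2024-03-04T10:00:00", "203.0.113.31", "Success"),
]

# Constructed: ranges the security team considers suspicious (e.g. unknown
# hosting providers), and the local business-hours window [08:00, 18:00).
SUSPICIOUS_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
BUSINESS_HOURS = (8, 18)


def successful_logins_per_user(history):
    """Count successful logins per username (failed attempts are excluded)."""
    return Counter(user for user, _, _, status in history if status == "Success")


def average_logins_per_user(history):
    """Average number of successful logins per user over the sample period."""
    counts = successful_logins_per_user(history)
    return sum(counts.values()) / len(counts) if counts else 0.0


def above_average_users(history):
    """Users whose successful-login count exceeds the per-user average."""
    avg = average_logins_per_user(history)
    return sorted(u for u, n in successful_logins_per_user(history).items() if n > avg)


def non_business_hours_logins(history, hours=BUSINESS_HOURS):
    """Every attempt (successful or not) whose local hour is outside the window."""
    start, end = hours
    return [rec for rec in history
            if not (start <= datetime.fromisoformat(rec[1]).hour < end)]


def suspicious_ip_logins(history, ranges=SUSPICIOUS_RANGES):
    """Every attempt whose source address falls inside a suspicious range."""
    return [rec for rec in history
            if any(ipaddress.ip_address(rec[2]) in net for net in ranges)]


if __name__ == "__main__":
    print("average logins/user:", round(average_logins_per_user(LOGIN_HISTORY), 2))
    print("above average:", above_average_users(LOGIN_HISTORY))
    for rec in non_business_hours_logins(LOGIN_HISTORY):
        print("off-hours:", rec)
    for rec in suspicious_ip_logins(LOGIN_HISTORY):
        print("suspicious IP:", rec)
```

Against the sample, bob is the only above-average user, and all four of his off-hours records come from the suspicious range, three successes followed by a failure; that pattern (correct password from an unusual network, then a typo) is worth a follow-up even though the logins "succeeded".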
Which of the following is true regarding the addition of an identity verification method to a user's account?
An email confirmation is sent when a new identity verification method (such as a mobile phone) is added. Why? Users can add their own identity verification methods, and they receive an email notification each time one is added.
A group of managers needs access to several objects of a Salesforce app for a specific session. The admin intends to assign several permission sets to these users to give them the required access. What should the admin do?
Create a session-based permission set group that contains the permission sets, and assign it to the managers. Why? Session-based access can be granted for a specific session; once the session expires, the access is revoked automatically without removing any assignments. Session-based activation works with permission set groups that contain multiple permission sets. Although multiple session-based permission sets could be created to give different users different access, a single session-based permission set group is more efficient.
Cosmic Enterprises has a Lightning web component that lets sales users make API calls to an external system to update product data. Because of limitations of the external system, and to reduce load on it, the sales director wants a solution that blocks the API call and emails the IT manager whenever a user's API request takes longer than 1000 milliseconds. How can this requirement be met?
Create an enhanced transaction security policy on the API Event that blocks the request and sends an email notification when the condition (execution time over 1000 ms) is met.
A sales rep has just left Cosmic Enterprise Solutions. What should be done to ensure the user can no longer log in?
Deactivate the user record. Why? Salesforce does not allow users to be deleted, because that would leave orphaned records. Deactivating the user ensures they can no longer log in while preserving their historical activity and records.
A company does not want its employees to access Salesforce from home. How can this be achieved?
Define Login IP Ranges on all profiles. Trusted IP Ranges list addresses from which users can log in without an identity verification challenge, but they do not restrict logins from outside the range. Login IP Ranges are defined at the profile level, and users outside the range set on their profile cannot log in at all.
The CIO of a technology company has directed the admin to enable SSO with delegated authentication for the org. Which of the following are benefits of delegated authentication?
Delegated Authentication SSO integrates Salesforce with an authentication method of your choice, such as an LDAP server. It is controlled by the 'Is Single Sign-On Enabled' user permission (on a profile or permission set), so it can be turned on or off for individual users. It also allows the login page to be made accessible only from inside the corporate firewall.
A Salesforce admin often helps users with their concerns about the org. He realizes it would be easier if he could log in as the users experiencing the problem and view the org from their perspective. What is the most efficient way of achieving this?
Ensure the 'Administrators Can Log in as Any User' setting on the Login Access Policies page is enabled. How? Setup > Security > Login Access Policies > select 'Administrators Can Log in as Any User'. Why? Once that setting is enabled, administrators with the 'Modify All Data' permission and delegated administrators with the 'View Setup and Configuration' permission can log in as any user without asking end users to grant them access.
A Salesforce admin is tasked with securing the company's org. Which feature should the admin start with to identify and fix vulnerabilities in the org's security settings?
Health Check. Why? Health Check identifies and fixes vulnerabilities in security settings from a single page. A summary score shows how the org measures against the baseline; a higher score means the org is closer to the baseline.
A sales manager plans to email a few hundred leads and wants each email to include the recipient's name. Is there a Lightning Experience feature that lets them email multiple leads at once while personalizing each email with the recipient's name?
List Email. Why? List Email in Lightning Experience sends personalized individual emails to multiple contacts, leads, or campaign members; email templates with merge fields customize each email. Mass Email would be an option but is only available in Salesforce Classic. Einstein Activity Capture keeps data in sync between a company's email and calendar applications and the Salesforce org. Lightning Sync similarly keeps contacts and events in sync between the org and the company's Microsoft or Google applications.
Login IP Ranges vs Trusted IP Ranges
Login IP Ranges: set per profile. They define the range of IP addresses from which users with that profile may log in; a user outside the range is denied access.
Trusted IP Ranges: organization-wide. They define a list of IP addresses from which users do not receive a login challenge. A user outside the trusted range can still log in, but must pass the identity verification challenge (they gain access if they prove who they are).
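The distinction above (and the same point in the earlier "user is not able to log in" note and the later device-activation note) is easiest to see as a decision procedure. The script below is an added example, not Salesforce code: it encodes only the two rules the notes state, that profile Login IP Ranges deny a login outright and that Trusted IP Ranges only remove the identity verification challenge. The profile names and address ranges are constructed, and the 'challenge' outcome for an address that is inside the profile's Login IP Range but outside the Trusted IP Ranges is this model's assumption, since the notes say nothing about other conditions that may skip the challenge.

```python
"""Model of how profile Login IP Ranges and org-wide Trusted IP Ranges
combine into a login decision.

Added example, not Salesforce code: it encodes only the two rules from the
notes (profile Login IP Ranges deny, Trusted IP Ranges skip the challenge)
and ignores any other condition Salesforce might use. Profile names and
address ranges are constructed.
"""
import ipaddress


def in_ranges(ip, ranges):
    """True when ip lies inside any inclusive (start, end) address range."""
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in ranges)


# Constructed org-wide Trusted IP Ranges (Setup > Network Access).
TRUSTED_IP_RANGES = [("203.0.113.0", "203.0.113.255")]

# Constructed profile Login IP Ranges. An empty list means no restriction.
PROFILE_LOGIN_IP_RANGES = {
    "Sales": [("198.51.100.0", "198.51.100.255")],
    "System Administrator": [],
}


def login_decision(profile, source_ip,
                   profile_ranges=PROFILE_LOGIN_IP_RANGES,
                   trusted_ranges=TRUSTED_IP_RANGES):
    """Return 'deny', 'challenge' or 'allow' for a login attempt.

    1. Profile Login IP Ranges are absolute: outside them the login is denied.
    2. Trusted IP Ranges never block; they only decide whether the user must
       pass an identity verification challenge (device activation).
    The 'challenge' result for an address inside the profile range but outside
    the trusted ranges is an assumption of this model (see lead-in).
    """
    restricted = profile_ranges.get(profile, [])
    if restricted and not in_ranges(source_ip, restricted):
        return "deny"
    if in_ranges(source_ip, trusted_ranges):
        return "allow"
    return "challenge"


if __name__ == "__main__":
    for prof, ip in [("Sales", "192.0.2.5"), ("Sales", "198.51.100.7"),
                     ("System Administrator", "203.0.113.9"),
                     ("System Administrator", "192.0.2.5")]:
        print(f"{prof:20} from {ip:15} -> {login_decision(prof, ip)}")
```

Note the order of the checks: the profile range is evaluated first, so an address that is trusted org-wide but outside a profile's Login IP Range is still denied. That is the practical reason the "no access from home" answer is Login IP Ranges on every profile, not a change to the Trusted IP Ranges.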
What is My Domain?
My Domain lets Salesforce admins define a subdomain for their org URL. The subdomain replaces the instance name in all URLs within the org. My Domain is required for SSO, certain Lightning components, and certain managed packages. It can be used to better manage login and authentication, and the company name can be included in the URL.
United Technologies wants to customize its internal Salesforce URL to its branding, plans to use SSO, and is developing custom Lightning components. Which of the following is required in order to use these features?
My Domain
What to know about SSO users
SSO-enabled users cannot reset their passwords within Salesforce, because Salesforce no longer manages their passwords; the password must be reset in the application that verifies their identity. Password policies are managed by the identity provider.
A user reports that they do not see the 'Contact Type' field on the contact detail page. What should the admin check?
The contact page layout assigned to the user's profile. Note: page layouts determine which fields appear on the page, and field-level security can additionally hide a field even if it is on the layout. Field-level security is configured per profile (or permission set), not per user.
If a user is working in Salesforce when their login hours end, what happens?
The user can continue viewing the page they are currently on, but as soon as they navigate to a new page the session ends, they are logged out, and a message is displayed: 'Your login attempt has failed.'
The admin has set up login hour restrictions on the Marketing Team profile so that users can access the application between 8 AM and 4 PM. What happens if a user logs in at 3:45 PM and works until 4:01 PM?
The user is logged out on the next navigation to a new page or data update operation (create, save, edit, delete). Why? If users are logged in when their login hours end, they can continue viewing the current page but cannot take any further action; navigating to a new page or performing a data update logs them out automatically.
Which of the following are organization-level security access controls?
Trusted IP Ranges, Password Policies, Multi-Factor Authentication. Why? Password policies are defined at the profile and organization levels to make passwords more secure. Trusted IP Ranges let users skip the identity verification step when logging in from an address in the range, even from a browser or device that has not been activated before. MFA increases the org's security by requiring a second factor for all users. (Permission sets grant specific permissions to users; they are not an organization-level security control.)
What should be done so that a Salesforce admin can troubleshoot on a user's behalf without having to request access from the user?
Turn on the 'Administrators Can Log in as Any User' setting on the Login Access Policies page.
The Salesforce admin of Cosmic Systems needs to change an internal user's email address but is concerned about the user's access to the org using the new address. What should the admin do to keep the org secure while changing the address?
Update the email address and reset the user's password in the same operation. Why? When changing a user's email address, the 'Generate new password and notify user immediately' option can be selected so that the user receives a password reset link at the new address. The user must create a new password to activate the new email, so the address is verified before the change takes effect.
Amazing Inc uses a matrix organizational structure in which many users have two managers. How can you ensure that both managers are recorded for each user?
Use the standard Manager field on the User record and create an additional hierarchical relationship field for the second manager. Why? Salesforce has only one standard Manager field on the User record, so a custom hierarchical relationship field is needed to record the second manager. The hierarchical relationship field type is available only on the User object; it associates one user with another and prevents a user from referring to themselves, directly or indirectly.
A user logged in to Salesforce in the morning and did not return until the afternoon, when they found they had been logged out. What should the admin explain to the user?
Users are logged out after a period of inactivity defined by the session timeout value. Why? The session timeout value can be changed in Setup under Session Settings. Closing a browser window does not automatically log the user out.
Recently, a new Candidate tab requested by the HR team of Telco Inc. was created for the recruitment application. The HR team is unable to locate the tab within the application. What should the admin check to resolve the issue?
a. Check that the object permission is correctly applied to the HR profile b. Check that the Candidate custom tab is added to the Recruitment app c. Check that the Candidate custom tab is visible for the HR team's profile. Why? Creating a new tab and assigning it to an app has three steps: 1. create and name the tab and select the object 2. choose the profiles for which the tab will be available 3. choose the apps in which the tab will appear. What users see within an app is controlled by profile app visibility, tab visibility, and object-level permissions. Field-level security only controls visibility of individual fields, and the assigned-app settings on a profile specify which apps users can select from the app menu, but in this case the app itself is already visible.
On Sunday you need to restrict access to your org for all users in order to perform system maintenance. What is the best way to accomplish this?
Add login hour restrictions to all profiles except the System Administrator profile. Note: login hour restrictions are set per profile. Setting the start time and end time to the same hour for a day blocks that profile's access for the whole day. Applying this to every profile except the admin profile means only admins can log in and perform maintenance without interference.
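The maintenance-window trick above, together with the earlier Marketing Team scenario (8 AM to 4 PM, user still working at 4:01 PM), as an added example that is not Salesforce code: the script models per-profile login hours, the "start equals end blocks the whole day" rule, and a helper that applies that rule to every profile except the exempt admin profile. Profile names, hours and timestamps are constructed; weekday numbering follows Python (0 = Monday, 6 = Sunday).

```python
"""Model of per-profile login hours, including the maintenance-window trick
from the notes (start time == end time blocks the whole day).

Added example, not Salesforce code. Profile names, hours and timestamps are
constructed; weekday numbering follows Python (0 = Monday, 6 = Sunday).
"""
from datetime import datetime, time

# Constructed: login hours per profile, weekday -> (start, end). A weekday
# missing from a profile's dict is unrestricted; a profile with an empty
# dict has no login-hour restrictions at all.
LOGIN_HOURS = {
    "Marketing Team": {d: (time(8, 0), time(16, 0)) for d in range(5)},
    "System Administrator": {},
}


def login_allowed(profile, when_iso, hours=LOGIN_HOURS):
    """True when a login at the ISO timestamp falls inside the profile's hours.

    Rule from the notes: if start == end for a day, that whole day is blocked.
    (Once logged in, Salesforce lets the user keep viewing the current page
    after hours end and logs them out on the next navigation or data update;
    this function only answers whether a new login or action is permitted.)
    """
    when = datetime.fromisoformat(when_iso)
    window = hours.get(profile, {}).get(when.weekday())
    if window is None:
        return True
    start, end = window
    if start == end:
        return False
    return start <= when.time() < end


def block_day_for_maintenance(hours, weekday, exempt=("System Administrator",)):
    """Return a copy of `hours` in which `weekday` is fully blocked for every
    profile except the exempt ones, by setting start == end."""
    updated = {}
    for profile, days in hours.items():
        days = dict(days)
        if profile not in exempt:
            days[weekday] = (time(0, 0), time(0, 0))
        updated[profile] = days
    return updated


if __name__ == "__main__":
    maint = block_day_for_maintenance(LOGIN_HOURS, weekday=6)   # Sunday
    for prof, ts in [("Marketing Team", "2024-03-04T15:45:00"),
                     ("Marketing Team", "2024-03-04T16:01:00"),
                     ("Marketing Team", "2024-03-03T12:00:00"),
                     ("System Administrator", "2024-03-03T12:00:00")]:
        print(f"{prof:20} {ts} -> {login_allowed(prof, ts, maint)}")
```

The helper copies the configuration rather than mutating it, so the Monday-to-Friday hours stay exactly as they were and the Sunday block can be removed after maintenance by restoring the original dict; that mirrors the admin practice of changing only the one day and putting it back afterwards.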
A Salesforce admin wants to insert records using Data Loader but does not have access to the email account where the security token was sent. How can he proceed?
Answer: add his IP address to the Trusted IP Ranges (Setup > Security Controls > Network Access). Why? Logins from a trusted IP range bypass the identity verification challenge, so the security token is not required.
A user left at home the phone they normally use for MFA. What should the admin do to ensure access?
Answer: generate a temporary verification code. Why? The admin can give the user a temporary code to use in place of the code they would normally get from the mobile app.
How can a feature license be assigned to a user?
By selecting the checkbox next to the feature on the user record. Why? A feature license entitles a user to an additional feature not included in their user license, such as Marketing User or Knowledge User. A user can be assigned any number of feature licenses. On the user detail page, select the checkbox next to the feature license to enable it.
HR has informed you that a Salesforce user has left the company. What is the best course of action?
Deactivate the user after ensuring they are not the sole recipient of a workflow email alert.
For any customer-centric organization, opportunity (deal) record data is sensitive. A sales manager has asked the admin to monitor some important fields that are changed by multiple teams during the sales lifecycle. Which security option can the admin use to achieve this?
Enable field history tracking on the Opportunity object for those fields and create an Opportunity Field History report.
A Salesforce admin has been asked to create 100 user records and plans to use Data Loader, preparing a data load file and verifying that all required field information is present. Which of the following fields are required to insert users with Data Loader?
Last Name, Username, Alias, Email, Profile ID (First Name is not required). Why? The 15- or 18-character Profile ID must be supplied, not the profile name; the user license is assigned automatically based on the profile. In practice a Data Loader user insert also needs the time zone, locale, email encoding and language locale keys (TimeZoneSidKey, LocaleSidKey, EmailEncodingKey, LanguageLocaleKey).
The HR manager of a company needs to create user records for new employees. A new security policy requires that the Email field on any new user record use the company's email domain. How can a system admin configure Salesforce to enforce this?
Enable the Email Domain Allowlist and add the company's domain to the allowed email domains. Why? The Email Domain Filters page in Setup is a distractor: it restricts recipient and sender domains for emails routed through an email relay, not the addresses on user records. Neither the User Management Settings page nor a user's profile allows specifying allowed email domains.
Brewmount Inc has set up SSO for their org. Since the SSO implementation, users report that they are unable to reset their passwords. What is true in this situation?
SSO users cannot reset their passwords within Salesforce; Salesforce password policies do not apply to SSO users.
An admin is setting up a new org for a company with over 300 employees that will require several roles and profiles. Which statement regarding profiles and roles is correct?
The role hierarchy determines record access in a private data sharing model. Why? Profiles determine which parts of the application a user can see and their object permissions; the role hierarchy controls record access.
Which of the following are true about resetting passwords when users are locked out of an org that does NOT use single sign-on through an identity service other than Salesforce?
The user's account is automatically unlocked after their password is reset. The user's security token is reset when the password is reset. Why? A user can click the 'Forgot your password?' link on the login page to receive an email with steps to reset the password. Only admins can reset the passwords of single sign-on users. Locked accounts are unlocked automatically when the admin resets the password. Users can request a reset through the forgot-password link at most 5 times in 24 hours.
What is true regarding setting up users?
The username and email address can be different, except when using Add Multiple Users. The profiles available depend on the license type selected (for example, if the license type is Chatter Free, the only profile available is Chatter Free User).
What to know about Trusted IP Ranges
To help protect your organization's data from unauthorized access, you can specify a list of IP addresses from which users can log in without receiving a login challenge. This does not restrict logins from other addresses: users outside the range must verify their identity before access is granted (for API tools such as Data Loader, this means appending the security token). If you do not want a user to have to verify, add their IP address to the trusted range.
Generating a temporary identity verification code
Used when users cannot access the identity verification method they normally use for MFA. The code can be set to expire 1 to 24 hours after generation and can be used multiple times until it expires. How? Setup > Users, open the user, find the Temporary Verification Code option, set an expiration time, then generate the code.
All internal users are being prompted to verify their identity when they log in to the org from a new computer or device. The admin has been asked whether this behavior can be modified. How should they reply?
Yes: device activation can be bypassed by adding a range of trusted IP addresses. Why? Users logging in for the first time, or from an unrecognized browser or application, are required to verify their identity. The device activation prompt is bypassed when the user logs in from a computer whose address falls within a Trusted IP Range.