Salesforce Sharing and Security by Nagaraj Tanku
by NAGARAJ TANKU
Introduction to Salesforce Security Model
• What is the Salesforce security model, and why is it crucial for
organizations using the platform?
• Answer: The Salesforce security model is a framework that ensures
data integrity and confidentiality within the Salesforce platform. It
encompasses various features such as profiles, roles, permissions,
and sharing settings. It is crucial as it helps organizations control
access to sensitive information, maintain data accuracy, and comply
with regulatory requirements.
Salesforce Security Model
• Differentiate between Profiles and Permission Sets in Salesforce
security.
• Answer: Profiles in Salesforce define what a user can do within the
application, including object and field-level permissions. Permission
Sets, on the other hand, grant additional permissions to users beyond
what is assigned in their profiles. While profiles are assigned when
creating a user, permission sets can be added or removed later
without changing the user's profile.
• Explain the purpose of Organization-Wide Defaults (OWD) in
Salesforce.
• Answer: Organization-Wide Defaults (OWD) in Salesforce set the
baseline level of access for records in an object. It defines the default
level of access that all users, regardless of their roles or profiles, have
to records. OWD is a critical component in shaping the overall data
access structure within Salesforce.
• How does Salesforce handle record access when there are conflicting
settings between profiles and roles?
• Answer: Salesforce resolves conflicting settings between profiles and
roles by taking the most restrictive access. If a user has read access
through their profile but doesn't have read access through their role,
they will be denied access.
• What is the significance of the "View All" and "Modify All"
permissions in Salesforce?
• Answer: The "View All" and "Modify All" permissions in Salesforce are
powerful settings that allow users to view or modify all records,
regardless of their ownership or sharing rules. These permissions are
often reserved for administrative roles and should be assigned
judiciously due to their broad-reaching impact.
Role Hierarchy and Sharing Rules
• How does the role hierarchy impact record access in Salesforce?
• Answer: The role hierarchy in Salesforce establishes a logical order for
users within an organization. Users at higher levels can access records
owned by users below them in the hierarchy. This facilitates a top-down
approach to data access and ensures that managers have
access to their team's data.
• When would you use Manual Sharing in Salesforce, and how does it
differ from other sharing mechanisms?
• Answer: Manual Sharing in Salesforce is used when ad-hoc sharing is
required for specific records. It allows record owners to share
individual records with other users or groups. This is different from
other sharing mechanisms like role hierarchy and sharing rules, which
operate on a broader scale and are often automated.
• Explain the concept of Apex Sharing in Salesforce and when it is
necessary.
• Answer: Apex Sharing in Salesforce allows developers to
programmatically define sharing rules using Apex code. This is useful
when complex sharing requirements cannot be met through standard
configuration options. Apex sharing is commonly used for scenarios
where fine-grained control over record access is needed based on
custom business logic.
• What are Sharing Sets in Salesforce, and how do they enhance data
visibility?
• Answer: Sharing Sets in Salesforce extend access beyond the role
hierarchy by defining criteria-based sharing. They allow organizations
to share records with users who meet specified criteria, providing a
flexible way to grant access based on fields in the record.
• How do Sharing Rules and Criteria-Based Sharing differ, and when
would you use one over the other?
• Answer: Sharing Rules and Criteria-Based Sharing both extend record
access, but Sharing Rules are based on ownership or criteria defined
at a higher level, while Criteria-Based Sharing is more granular,
allowing access based on specific field criteria. Sharing Rules are
broader and can be used when a wider group needs access, while
Criteria-Based Sharing offers more precision.
Record Ownership and Transfer of Records
• Describe the implications of changing the owner of a record in
Salesforce.
• Answer: Changing the owner of a record in Salesforce can impact
record access, especially if the new owner is in a different role. The
new owner inherits the sharing rules and access levels of their role,
and manual sharing might be required to maintain appropriate
access.
• How does the "Transfer Record" feature in Salesforce affect sharing
and security?
• Answer: The "Transfer Record" feature in Salesforce allows
administrators to transfer ownership of records from one user to
another. It's a powerful tool, but it's essential to consider the impact
on sharing rules, workflow rules, and other processes that rely on
record ownership.
• Can record ownership be changed through workflow rules, and what
considerations should be taken into account?
• Answer: Yes, record ownership can be changed through workflow
rules, but this should be done cautiously. Changing ownership
through workflow rules may trigger other automated processes, and
administrators must ensure that the new owner has the necessary
permissions to avoid data access issues.
• Explain the difference between Ownership-Based Sharing and
Criteria-Based Sharing.
• Answer: Ownership-Based Sharing in Salesforce is determined by the
role hierarchy and record ownership. Criteria-Based Sharing, on the
other hand, allows sharing based on specific criteria, irrespective of
ownership. While Ownership-Based Sharing is more straightforward,
Criteria-Based Sharing offers greater flexibility for custom scenarios.
• How can ownership-based sharing be overridden in Salesforce, and
why would you need to do so?
• Answer: Ownership-based sharing can be overridden using manual
sharing or Apex sharing. This might be necessary in scenarios where
exceptions are required, such as providing temporary access to
specific records without changing ownership.
Field-Level Security and Data Encryption
• What is Field-Level Security (FLS) in Salesforce, and why is it
important?
• Answer: Field-Level Security (FLS) in Salesforce controls access to
specific fields on objects. It is important for maintaining data privacy
and ensuring that users only have access to the fields relevant to their
roles. FLS works in conjunction with profiles and permission sets.
• How does FLS differ from object-level security, and when would you
use one over the other?
• Answer: Object-level security controls access to entire objects, while
FLS controls access to specific fields within those objects. FLS is more
granular and is used to restrict access to sensitive data within records.
Object-level security is broader and restricts access to entire sets of
records.
• Explain the use of Platform Encryption in Salesforce and its impact on
data security.
• Answer: Platform Encryption in Salesforce protects sensitive data at
rest by encrypting it. It is especially crucial for organizations in
regulated industries or those with strict data privacy requirements.
Platform Encryption ensures that even if someone gains unauthorized
access to the underlying database, the encrypted data remains
unreadable.
• When is it appropriate to use Shield Platform Encryption over Classic
Encryption in Salesforce?
• Answer: Shield Platform Encryption is recommended when there is a
need to encrypt standard and custom fields across various objects,
including standard and custom objects. Classic Encryption is suitable
for encrypting only
Sharing and Visibility Enhancements
• How does the "Grant Access Using Hierarchies" option impact record
visibility, and when might you choose not to enable it?
• Answer: Enabling "Grant Access Using Hierarchies" extends record
access up the role hierarchy, ensuring that users can access records
owned by users below them. In some scenarios, such as when dealing
with highly sensitive data, organizations may choose not to enable
this option to strictly control access and rely on other mechanisms
like sharing rules.
• Explain the implications of using the "Grant Access Using Hierarchies"
option in a large organization with a deep role hierarchy.
• Answer: In a large organization with a deep role hierarchy, enabling
"Grant Access Using Hierarchies" can lead to a wide distribution of
record access. This can impact performance and may require careful
consideration of sharing rules and other mechanisms to balance the
need for visibility with system efficiency.
• What is the difference between a Public Group and a Queue in
Salesforce, and how do they impact record access?
• Answer: A Public Group in Salesforce is a set of users who share a
common access level to records. A Queue, on the other hand, is a
container for records that are waiting to be processed. Public Groups
are often used for sharing rules, while Queues are used to manage
work items collectively.
• Discuss the role of Apex Managed Sharing in complex sharing
scenarios and its limitations.
• Answer: Apex Managed Sharing in Salesforce allows developers to
create custom sharing logic using Apex code. It is used in complex
sharing scenarios where standard configurations fall short. However,
it's important to note that Apex Managed Sharing has limitations,
such as the inability to share records owned by inactive users.
• When would you choose to use Manual Sharing over Sharing Rules,
and vice versa?
• Answer: Manual Sharing is suitable for individual, ad-hoc sharing of
specific records, whereas Sharing Rules are more appropriate for
automating broader record access based on criteria. The choice
depends on the specific use case and whether the sharing needs are
constant or dynamic.
• In what scenarios would you recommend using Territory
Management in Salesforce, and how does it impact data visibility?
• Answer: Territory Management in Salesforce is beneficial in scenarios
where organizations have a structured sales hierarchy based on
territories. It allows for the automatic assignment of accounts and
opportunities to territories, affecting data visibility and access based
on the defined territory hierarchy.
• Describe a real-world scenario where using both Criteria-Based
Sharing and Ownership-Based Sharing together is necessary. Provide
an example of how you would implement this in Salesforce.
• Answer: In a scenario where a sales team is divided into regions
(Ownership-Based Sharing) and certain high-value opportunities need
to be shared with a specialized team based on specific criteria
(Criteria-Based Sharing), a combination of both mechanisms is
necessary. For instance, opportunities with a deal size over a certain
threshold could trigger Criteria-Based Sharing to grant access to a
specialized team, while the ownership hierarchy ensures general
access within each region.
Advanced Security Concepts
• How does Cross-Object Formula Field security differ from standard
Field-Level Security, and when would you use it?
• Answer: Cross-Object Formula Field security allows organizations to
create formula fields that reference fields from related objects, even if
the user does not have access to those related fields. This can be
useful when calculating values based on related data without
compromising overall data security.
• Explain the purpose of Apex Enforcement of CRUD and FLS in
Salesforce, and how it enhances security.
• Answer: Apex Enforcement of CRUD (Create, Read, Update, Delete)
and FLS (Field-Level Security) ensures that Apex code adheres to the
same security constraints as manual user interactions. This helps
prevent security vulnerabilities by enforcing data access and
modification restrictions defined by the platform.
• When and why would you consider implementing Platform Events for
security-related events in Salesforce?
• Answer: Platform Events in Salesforce can be leveraged for real-time
event-driven architecture. For security-related events, such as a
critical access change or a failed login attempt, implementing
Platform Events allows organizations to react immediately, providing
enhanced security monitoring and response capabilities.
• Discuss the considerations and best practices for implementing
External Object Sharing in Salesforce.
• Answer: External Object Sharing in Salesforce extends access to data
stored outside the platform. Best practices include carefully defining
external data source permissions, utilizing Named Credentials for
secure authentication, and considering data volume and performance
implications when accessing external objects.
• How does Salesforce Shield's Event Monitoring contribute to overall
security, and what types of events can be monitored?
• Answer: Salesforce Shield's Event Monitoring provides detailed
insights into user activity, helping organizations monitor and analyze
potential security threats. It captures events such as login attempts,
data export activities, and changes to sensitive data, contributing to a
comprehensive security strategy.
• In a scenario where a company is migrating from Classic to Lightning
Experience, describe the key considerations and strategies to ensure a
smooth transition while maintaining data security.
• Answer: Migrating from Classic to Lightning Experience involves not
only a change in user interface but also considerations for data
security. Key strategies include validating the impact on page layouts,
ensuring that custom components adhere to security settings, and
updating any custom code or processes that interact with the user
interface. Additionally, a phased rollout with thorough testing is
essential to identify and address any security-related issues during
the transition.
Thank you for diving into the Salesforce sharing and security Q&A.
I appreciate your time and commitment to understanding these crucial concepts.