Salesforce Sharing-and-Visibility-Architect Dumps

 Using the IsUpdateable() Apex method to test each field prior to allowing updates is the best way to fix this problem. This method returns true if the user has permission to edit a specific field on a specific object, and false otherwise. Option A is incorrect, since putting the code in a class that uses the With Sharing keyword would not affect field-level security permissions, but rather record-level access based on sharing rules. Option C is incorrect, since using the with SECURITY_ENFORCED keyword in the SOQL statement would not prevent updates on fields that are read-only for certain profiles, but rather enforce field- and object-level data protection. Option D is incorrect, since adding with Sharing keyword to the class would have the same effect as option A.

A sharing rule is missing to share Accounts to the AR team, which could be the issue preventing AR team members from seeing invoices. Since invoice is a custom object with a master-detail relationship to account, its sharing settings are controlled by its parent account. If AR users do not have access to account records, they will not be able to see or query invoice records either. Option A is incorrect, since a sharing rule to share invoices to the AR team would not work, as invoice inherits its sharing settings from account. Option B is incorrect, since assigning an invoice page layout to the AR team profile would not affect their visibility of invoice records. Option D is incorrect, since giving read permission to the invoice object to the Accounts receivable profile would not grant access to invoice records that are owned by other users.

To audit user setup in Salesforce, the team needs to have both View Setup and Configuration and View All Users permissions. View Setup and Configuration allows them to access the setup menu and see the user profiles, roles, and permission sets. View All Users allows them to see all the user records and their details, such as login history and assigned licenses

The most likely cause of this problem is that the sales rep was manually removed from the Opportunity team. This would revoke the access to the opportunity record that the sales rep was helping with. The other options are not valid causes, because:

The Account team does not affect the Opportunity team members, unless the account owner changes and the opportunity owner is set to match2.

The Opportunity team is specific to each opportunity record, so removing the sales rep from one opportunity team does not affect the access to another opportunity record of the same account3.

The opportunity owner cannot enable/disable if the “Default Opportunity team” is able to access the record. The default opportunity team is a template that can be applied when creating or editing an opportunity, but it does not override the existing opportunity team members.

 Ownership-based sharing rules are a way to grant access to records based on the record owner’s role or public group membership. Ownership-based sharing rules can be used to share records with Partner Community users, who are not supported by sharing sets. In this case, ownership-based sharing rules can be used to share Case and Container records owned by partner managers and partner users with other partner managers at the same distributor. Therefore, the answer D is correct and the other options are incorrect .

A new AccountShare record is created with Row Cause as “Manual” and Access Level as “Read/Write” when Paul manually shares the record with John. This record grants John edit access to the account owned by Paul. Option B is incorrect, since an existing AccountShare record is not updated, but a new one is created. Option C is incorrect, since the Row Cause is not “Owner”, but “Manual”. Option D is incorrect, since an existing AccountShare record is not updated, but a new one is created.

Roles and Public Groups are two options that can be selected to share data with when creating a sharing rule. Sharing rules can grant additional access to records based on the owner’s role or public group membership. Option C is incorrect, since Users are not an option for sharing rules. Option D is incorrect, since Profiles are not an option for sharing rules.

 Deferred Sharing Recalculation allows the admin to postpone the recalculation of sharing rules until a later time, which can improve performance and avoid locking issues when changing role hierarchy or ownership. Parallel Sharing Rule Recalculation allows the admin to run multiple sharing rule recalculations at the same time, which can also improve performance and reduce downtime. Granular Locking enables finer-grained locking for certain operations that affect large data sets, such as bulk loading or updating. These features can help avoid problems when reorganizing roles and reassigning account owners. Therefore, the answer B, C, and E are correct and the other options are incorrect

Removing order delete permission from profiles and permission sets is the best approach to ensure that order records cannot be removed from the system in the future. This way, only users with the Modify All Data permission can delete order records. Option A is incorrect, since removing the delete button from the order page layout would not prevent users from deleting order records using other methods, such as data loader or API. Option B is incorrect, since changing the record type/page layout assignment for orders to be read-only would not affect the delete permission, but only the edit permission. Option D is incorrect, since implementing a sharing rule that changes access for the records to read would not prevent users from deleting order records that they own.

The two options to propose a solution to meet the requirements are Scheduled Apex job to remove access and Opportunity team to share opportunities with sales managers. Scheduled Apex job allows developers to run Apex code at a specified time, which can be used to revoke the sharing access after two weeks. Opportunity team allows users to grant access to other users who work on the same opportunity1. Apex Sharing and Sharing Rules are not suitable options because they do not support automatic expiration of sharing.

To make the sensitive fields accessible to the Human Resource team, other than field level security, another option is to create a new custom object with private OWD and Lookup relationship to Employee to store new restricted information. This will allow creating a separate security model for the new custom object, which can be shared with the Human Resource team using sharing rules or permission sets. Creating a new custom object controlled by parent and a Master-Detail relationship to Employee will not work, as it will inherit the same OWD as Employee, which is Public Read Only. Changing OWD of Employee custom object to private and a Lookup self-relationship to store only new restricted information will not work, as it will make all employee records inaccessible to other users who need them.

 Leveraging default Account team is the best way to help improve sales reps productivity by granting access to supporting internal users for customer records when they need help. Default Account teams are predefined groups of users who work together on an account. When a user creates or owns an account, Salesforce automatically adds the default Account team to the account team related list on the account2. Creating a permission set with “view all data” and assigning it to supporting users would give them too much access to data that they may not need. Creating a public group and replacing the account ownership with it would not be feasible or scalable. Creating a criteria-based sharing rule to grant access to other users would require manual maintenance and may not reflect the changes in the account team.

Price books are a way to store different prices for products that can be added to opportunities. Price books can have different organization-wide defaults (OWD) settings that control the baseline level of access for users. To allow only specific branch staff to sell high risk products, the architect can recommend setting the price book OWD to View Only and sharing the high risk price book with the trained staff via manual sharing or sharing rules. Manual sharing allows the owner or anyone with Full Access to a record to share it with another user or group of users. Sharing rules allow the admin to automatically grant access to records based on certain criteria. Therefore, the answer A and C are correct and the other options are incorrect.

The error occurred because the trigger handler class is using ‘‘with sharing’’ and the user does not have access to the orders related to the opportunity. The ‘‘with sharing’’ keyword enforces the sharing rules that apply to the current user. This means that if the user does not have access to a record, they will get a permission error when trying to create or update it1. The trigger should use ‘‘without sharing’’ keyword instead, which ignores the sharing rules that apply to the current user. The trigger should not use RunAs(), IsCreateable(), or no sharing keywords as they will not prevent the error from occurring.

 A criteria-based sharing rule is the best option to give access to accounts based on a specific field value, such as the record type. Option A would give access to all accounts, not just person accounts. Option B would only control the layout and not the visibility. Option C would not apply to person accounts, since they do not have account contact roles

Sharing the folders with the “VP of Sales” Role and Subordinates and sharing the folders with a “Sales Managers” Public Group are two ways that UC can grant access to sales managers to automate access to these Reports and Dashboards folders. Folder sharing allows users to share reports and dashboards with other users based on roles, subordinates, public groups, or individual users. Option A is incorrect, since sharing the folders with lowest roles in the role hierarchy would not give access to superiors automatically, but only to subordinates. Option C is incorrect, since sharing the folders with a queue is not possible.

Using opportunity team and creating an assistant field, using Apex to share opportunities with the assistant agent is the optimum solution to meet the requirements. Opportunity teams are groups of users who work together on sales opportunities. By creating an assistant field on the opportunity object, the sales reps can specify an assistant agent who can help them with their deals. By using Apex, the system can automatically share the opportunity with the assistant agent based on the value of the assistant field, and remove access from the previous assistant if the field value changes. Option A is incorrect, since using share group to share opportunities with the assistant agent would require manual configuration and maintenance. Option C is incorrect, since using sharing rule to share opportunities with the assistant agent would not allow dynamic sharing based on the assistant field value. Option D is incorrect, since using Apex sharing to share and unshare opportunities with the assistant agent would be similar to option B, but without using opportunity teams.

Reviewing the user provisioning process to not automatically create a user role for any new user and contacting Salesforce support and requesting to increase the number of users’ roles allowed are two recommendations that could solve this problem. Salesforce has a limit on the number of roles that can be created in an organization, which depends on the edition and the number of licenses. If this limit is reached, no more roles can be created unless the limit is increased by Salesforce support. Therefore, it is not advisable to create a new role for every new user, as this would quickly exhaust the limit and cause the “User Role Limit Exceeded” error. Option B is incorrect, since removing role hierarchy from Salesforce org and controlling the record access using Apex managed sharing would be a complex and custom solution that would not address the root cause of the problem. Option D is incorrect, since creating an Apex class to replace the User Roles by generic one as soon as they are created would be unnecessary and inefficient.

 By default, three roles are created when the first external user is created on a partner account. These roles are Executive, Manager, and User. They form a role hierarchy that determines the level of access to data for the partner users

Assigning users profiles and unlocking users are two capabilities that the delegated administrator permission provides. Delegated administrators are users who can perform certain administrative tasks on behalf of administrators. These tasks include assigning users to specified profiles or permission sets, creating and editing users in specified roles or groups, unlocking users who have exceeded their login attempts limit, resetting passwords for users in specified roles or groups, logging in as users who have granted login access to administrators. Option C is incorrect, since setting OWD is not a capability that delegated administrators have. Option D is incorrect, since creating profiles is not a capability that delegated administrators have.

Setting the Request object’s OWD to Public Read/Write is the simplest and most efficient way to allow all employees to collaborate on requests. Option B is incorrect, since granting Modify All Data permission on all profiles would give too much access and affect other objects as well. Option C is incorrect, since creating a criteria-based sharing rule to share all records with all users would be redundant and inefficient. Option D is incorrect, since setting the OWD to Public Read Only would not allow users to edit requests3.

Setting the External OWD to Private for the Delivery object is the best approach to limit the records a distributor can see, since it will restrict the access to only the records they own or are shared with them. Option A is incorrect, since ownership-based sharing rules are not available for partner community users. Option B is incorrect, since removing Read permission from the distributor profile would prevent them from accessing any delivery records. Option D is incorrect, since criteria-based sharing rules are not available for partner community users.

The license type that must be used by community users who want to collaborate on opportunities is Partner Community. As mentioned above, Partner Community licenses allow users to access standard CRM objects such as opportunities and collaborate with other partners and internal users using Chatter and Communities. Sales Community licenses do not exist as a separate license type. Customer Community and Customer Community Plus licenses do not allow users to access opportunities, as they are intended for customer service scenarios rather than sales scenarios.

Enabling Community User Visibility is the best option to allow viewing chatter posts from all customers. Community User Visibility is a setting that allows community users to see and interact with other community users, regardless of their account or role2. Setting View All for Chatter posts, enabling Chatter Super User, and enabling Internal Users Visibility are not options that can achieve the same result.

Susan and users with the View All Data permission and Susan and users with access to the record are two statements that accurately describe who can view the file by default. When a file is posted to a record’s feed, it inherits the sharing settings of that record. Therefore, only users who can view the record can view the file. Users with the View All Data permission can view all records and files in the organization. Option C is incorrect, since users with a shared chatter post link to the file can only view the file if they have access to the record as well. Option D is incorrect, since Susan is not the only one who can view the file, but also users who have access to the record or the View All Data permission.

The architect can configure the system to support the requirements by using a sharing rule. A sharing rule is a declarative way of extending record access to users or groups of users based on criteria such as ownership, role, or field values3. In this case, the architect can create a sharing rule that grants read or read/write access to all records owned by customer community users to UC users in the customer support role. A sharing set is used to grant access to community users based on a common account or contact, not to internal users. A share group is used to share records with groups of community users who have Customer Community Plus or Partner Community licenses, not with internal users. Apex sharing is used to programmatically share records when declarative sharing cannot fulfill complex requirements, but it is not necessary in this case.

SOQL injection is a vulnerability that can exist when controllers use dynamic rather than static queries and bind variables. SOQL injection is a technique that exploits a security vulnerability by inserting malicious SOQL statements into an existing query. This can result in data loss, data exposure, or unauthorized access1. Buffer overflow attacks, cross-site scripting, and record access override are not vulnerabilities related to dynamic queries and bind variables.

The two actions that are required to achieve the requirement are setting up External Object to use OAuth to connect to the Accounting system and restricting access to data in the accounting system. OAuth is an authentication protocol that allows Salesforce to securely access data from an external system without storing the username and password of the external system user3. Restricting access to data in the accounting system is a way to ensure that only authorized users can view the invoice records from the external source. Creating an owner based sharing rule to grant visibility to the Invoice object and granting access to the External Object to only the Account Manager profile are not actions that can ensure that a user only accesses invoice records the user is authorized to see.

Only Bob can view the file that he uploads to his Files Home private library. Users above Bob in the role hierarchy, users with View All Data permission, or users with Modify All Data permission cannot access the file unless Bob explicitly shares it with them

Setting the organization-wide default on Shipment to Private, creating a trigger to update the Account record with the shipment information, and using a lookup relationship to Account are the best recommendations to accomplish this requirement. This way, the Marketing team can see the shipment information on the Account record, but not the Shipment records themselves. Option A is incorrect, since setting the organization-wide default on Shipment to Public would give access to all Shipment records to all users. Option B is incorrect, since using a master-detail relationship to Account would inherit the sharing settings from Account, which may not be Private. Option C is incorrect, since using a master-detail relationship to Account and setting the organization-wide default on Shipment to Controlled by Parent would have the same effect as option B.

 Adding the product specialist and solution engineer to the opportunity team is the optimal way for the junior account manager to share the opportunity, given the private sharing model. Opportunity teams are groups of users who work together on sales opportunities. Adding users to an opportunity team grants them access to the opportunity and related records. This way, the junior account manager can collaborate with the product specialist and solution engineer on the complex deal, and when the account is reassigned to a senior account manager, the opportunity team members will retain their access. Option A is incorrect, since manual sharing on the opportunity would be removed when the account owner changes. Option C is incorrect, since manual sharing on the account would not grant access to the opportunity, as it does not roll up from account to opportunity. Option D is incorrect, since creating an owner-based sharing rule would be unnecessary and inefficient.

A sharing set is the best way to share cases with community users based on a common account. Sharing sets are available for Customer Community licenses and can grant access to related records using predefined criteria. Option A is incorrect, since sharing rules are not available for community users. Option B is incorrect, since there is no such thing as a share group in Salesforce. Option D is incorrect, since Apex sharing is complex and requires code maintenance

The side effect of this approach is that sales reps on the same team will have read access to the accounts for opportunities owned by their team members. This is because owner-based sharing rules grant access to both the parent and child records of the same object. For example, if a sharing rule grants access to opportunities owned by a certain role, it also grants access to the accounts associated with those opportunities. All sales reps will not have read access to accounts for all opportunities, as the sharing rules are based on ownership. Sales reps on the same team will not have edit access to the accounts for opportunities owned by their team members, as owner-based sharing rules only grant read or read/write access to child records, not parent records. All sales reps will not have read access to all accounts, as the account organization-wide default is private.

The architect should consider that changing complex role hierarchy can cause a high level of sharing recalculation, and that replacing account records ownerships massively can cause data skew. Changing role hierarchy affects the sharing rules that are based on roles or role and subordinates, which can trigger a recalculation of sharing for all the records owned by users in those roles. Replacing account records ownerships massively can cause data skew, which is a condition where a large number of child records are associated with one parent record, resulting in performance issues. Using a temporary parking lot account to improve performance is not a recommended practice, as it can cause data quality issues and security risks. Restricting the organization-sharing configurations to private is not relevant to this situation, as it does not address the impact of changing roles and reassigning accounts.

Deleting the public link is the best way to ensure that the potential customers do not have access to the file after the meeting. Renaming the file, deleting the file, or moving the file to another folder will not affect the public link, which will still point to the file

Profiles and Permission Sets can be used to control the object-level and field-level access for different types of users. For example, sales reps can have read/write access to Account object but not to the segment field, while service reps can have read-only access to Account object and all fields. Role Hierarchy can be used to control the record-level access for users based on their position in the organization. For example, sales managers can access and modify any account of reps reporting to them, while service managers can access and modify any account regardless of ownership. Field-Level Security can be used to override the profiles and permission sets for specific fields on specific records. For example, service managers can edit the segment field on any account, even if their profile does not allow it. Therefore, the answer D is correct and the other options are incorrect3

 Enabling opportunity teams and allowing users to add the product manager is the best way to accomplish the requirement, as it allows for granular and flexible sharing of opportunities with specific users who are involved in the deal. Creating a sharing rule to allow the product manager to access the opportunity is not feasible, as it would require a criteria or an owner-based rule that would apply to all product managers and opportunities, not just specific ones. Enabling account team and allowing users to add the product manager is not sufficient, as it would only grant access to the account, not the opportunity. Using similar opportunities to share opportunities related to the product manager is not relevant, as it is a feature that helps users find and update similar opportunities based on fields and filters

Removing Read permission on the Driver profile will prevent the driver from seeing any feedback records, regardless of ownership. Having feedback ownership transferred to the driver when feedback is submitted will not prevent the driver from seeing their own feedback records. Using the Role Hierarchy to give access to a driver’s manager will not work if the driver changes managers, as the feedback records will still be owned by the previous manager. The best option is to create an ownership-based sharing rule that grants Read access to the feedback records owned by drivers in a specific role or public group to users in roles above them

The roles that Universal Containers has set for Partners users who will see records owned by partner users in roles below them in the hierarchy are Executive, Manager, and User2. These are the default roles that are created when you enable Partner Super User Access in Salesforce2. Partner Super User Access allows partner users to access records belonging to users in their account at their same role or lower in the role hierarchy, for Cases, Leads, Opportunities and Custom Objects.

The reason why there are many duplicate Account records and numerous sharing rules created in Salesforce is that the Organization-Wide Default for the Account object is Private4. This means that users can only see their own accounts and those shared with them explicitly by sharing rules or other means. This could lead to users creating duplicate accounts without knowing that they already exist in Salesforce. If the Organization-Wide Default for the Account object is Public Read/Write or Public Read Only, users would be able to see all accounts in Salesforce and avoid creating duplicates. The Object permissions for the Account object are not relevant for this question.

The sharing access options if OWD is Public Read Only are Read and Read/Write3. These are the options that you can choose when creating sharing rules or manual sharing for an object that has Public Read Only as its organization-wide default access level3. Public Read Only means that all users can view all records, but only the owners and users above them in the role hierarchy can edit those records.

To support the requirement of allowing only the owner and users in the Delivery profile to view and edit Job records, you need to use three platform sharing tools:

Organization-Wide Default sharing setting of Private on the Job Object: This will restrict access to Job records to only the owner by default.

Grant access Using Hierarchy sharing setting on the Job Object set to false: This will prevent users above the owner in the role hierarchy from accessing Job records.

“Modify All” permission for Job Object on the Delivery Profile: This will grant users in the Delivery profile full access to all Job records regardless of ownership.

Criteria-Based sharing rule and “View All Data” profile permission are not required for this scenario. Criteria-Based sharing rule would grant additional access to users who meet certain criteria, which is not necessary. “View All Data” profile permission would grant access to all data in the organization, which is too broad and may violate data security.

To reduce redundant leads and restrict their editing and reassignment, a Salesforce Architect should recommend implementing a private OWD on Lead. A private OWD means that only the owner of the lead record and users above them in the role hierarchy can view, edit, or transfer the lead. This will prevent duplicate leads from being created by other users, and also ensure that only the lead owner can modify or reassign the lead. Implementing a public read only OWD on Lead will not work, as it will allow other users to view the lead records, which may lead to duplication. Implementing a public read only/transfer OWD on Lead will not work, as it will allow other users to transfer the lead records to themselves or others. Implementing a public read/write OWD on Lead will not work, as it will allow other users to edit or reassign the lead records.

Deferred Sharing Recalculation is a feature that allows admins to postpone the recalculation of sharing rules until a scheduled maintenance window, which can improve performance and avoid locking issues when making changes to roles or account owners3. This is the best feature to recommend to avoid problems with this operation. Skinny table is a feature that improves performance by storing frequently used fields in a separate table, but it does not affect sharing recalculation. Partition data using Divisions is a feature that allows admins to segment data into logical subsets for reporting and searching purposes, but it does not affect sharing recalculation.

To support the requirements with the minimum amount of effort, three platform security features that are required are criteria-based sharing rules, role hierarchy, and permission sets. Criteria-based sharing rules can be used to share all accounts with the custom field “Kay Customer” to all senior account managers based on a filter condition. Role hierarchy can be used to grant access to accounts that users or their subordinates own based on the ownership and role level. Permission sets can be used to grant view and edit access to the custom field that contains sensitive information to the three designated users, regardless of their user groups or profiles

 To optimize the process of managed sharing recalculations for the custom Job object, the architect can create public groups for each team and share the jobs with the groups instead of users. This way, the architect can avoid updating the sharing records every time a team member changes, and only update the public group membership instead. This reduces the number of sharing recalculations and improves performance

The two methods that would be used to enforce this requirement are A and D. Schema.DescribeFieldResult and Schema.DescribeSObjectResult can be used to check the user permissions for creating records and accessing certain fields, even if the Visualforce controller is written with “Without Sharing”. The other options are either not related to field or object permissions, or not sufficient to enforce them.

According to this source, creating the share records and setting the RowCause to a custom Apex Sharing Reason will prevent them from being deleted when the owner of the account is changed. The other options will not have this effect.

Only the user who uploaded the PDF to the Files Home private library can view it, as private files are not shared with anyone else1. Users with View All Data permission or users above him/her in the Role Hierarchy will not be able to view the private file, unless the user explicitly shares it with them.

Implementing a third-party proxy server is the best technology to achieve the requirement of accessing on-premise information from Salesforce. A proxy server acts as an intermediary between Salesforce and the on-premise database, and it can handle authentication, encryption, and data transformation. Option A is incorrect, as tokenization is a technique to replace sensitive data with tokens, not to access on-premise data. Option B is incorrect, as it does not specify how Salesforce can connect to the on-premise database. Option D is incorrect, as Salesforce Shield is a set of tools to enhance data security and compliance in Salesforce, not to access external data sources.

According to this source, creating a lookup relationship from the Loan object to the User object and using a trigger on the Loan object to create the corresponding record in the Loan share object is the best way to meet the requirements. The other options will not work as expected or will not be scalable.

Using Encryption Policy and contacting Salesforce to update the existing records so that their field values are encrypted is the best way to proceed with this new policy change, as it allows admins to encrypt standard and custom fields using Platform Encryption without changing existing business processes3. Using Classic Encryption will not work, as it only supports a limited number of fields and requires changes to the data model and code. Waiting for an email from Salesforce indicating the field values are encrypted will not work, as encryption policy does not automatically encrypt existing records.

The Architect can support this request by creating a Permission Set with read-only access to the Category field and assigning it to the 3 users who need it. This will override the profile permissions and restrict their access to the field.

Using a trigger on Case to lookup and share to the manager of an Assigned Agent custom field using Apex Managed Sharing would allow the HR representative to control the visibility of the case based on the subject of the complaint. Criteria-based sharing rules cannot be used to exclude a specific user from seeing a record. Changing the owner of the case would affect other aspects of data visibility and security.

Creating and customizing Reports and Report Folders and Manage Reports in Public Folders are two permissions that are required to accomplish this task, as they allow users to create reports and folders and share them with other users or groups. Editing My Reports is not a permission that is required to accomplish this task, as it only allows users to edit reports in their personal folders. Creating Report Folders is not a permission that exists in Salesforce.

According to this source, the runAs system method in test classes can be used to test using different users and profiles, and the with sharing keyword in Apex classes can be used to enforce record visibility rules. The other options are not valid keywords in Apex

Using Dynamic Form to add different page sections and control visibility of sections by Work Order RecordType value is the best option to implement this requirement, as it will allow field agents to see only required information specific to the WorkOrder type they are addressing, without creating multiple page layouts or custom components. Using a custom LWC to override the view action of WorkOrder with custom metadata type defining relevant fields per WorkOrder type will work, but it will require additional development and maintenance. Using different page layouts per work order type with different sections representing key information about the specific work order type will work, but it will require creating multiple record types and page assignments.

To give access to a report folder to someone else in the organization, the user needs to have the “Manage Reports in Public Folders” profile permission and the “Manager” report folder permission. The “Viewer” and “Editor” report folder permissions only allow the user to view or edit the reports in the folder, but not to share the folder with others

Storing the value in a text field on a protected custom setting in the package is the best way to support this requirement. Protected custom settings are not visible to subscribers, but they can be accessed by the package code and support representatives. The other options either expose the value to subscribers (B and C) or do not allow support representatives to access it (D).

To improve performance when a dummy user owns more than 10,000 lead records, it is recommended to assign ownership to a small number of users and do not assign a role to the dummy user. Assigning ownership to a small number of users reduces the number of sharing calculations and recalculations that occur when role hierarchy changes. Not assigning a role to the dummy user prevents the dummy user from granting access to other users in the role hierarchy

 Enforcement of a user’s record sharing is the functionality that is verified by the system method “runAs()”. This method allows test methods to run in the context of a specific user and verify whether that user has access to the records based on the sharing settings. The other options are not verified by the runAs() method.

The two options that the Architect should consider when designing the solution are B and D. Option B ensures that the national accounts are only visible to the sales directors and above in the role hierarchy, as they inherit access from the owner. Option D ensures that the sales reps who are added to the opportunity team for a national account can access the account data, as they are granted access through implicit sharing

 To make sure service reps have access to all relevant information to attend to customer requests, the architect should consider that service reps will be able to access contact records if they are controlled by parent or due to implicit sharing. If contact records are controlled by parent, their access level is determined by the access level of their parent account. If service reps have View All permission on Case object, they also have implicit Read access to the accounts and contacts associated with cases that they can access3. Service reps will not be able to access contact records if account OWD is private and contact records are not controlled by parent, as they will need explicit sharing or permission to access them. Service reps will not be able to access contact records if they are controlled by parent and they do not have access to the parent account.

Creating a criteria-based sharing rule giving the Retail Sales role access to Accounts of type PersonAccount is the best option to meet these requirements, as it will grant access to all retail customers based on a field value, regardless of ownership2. Creating an owner-based sharing rule on AccountContactRelation will not work, as it will only grant access to account contact roles records owned by retail sales reps, not all retail customers. Updating the Retail Sales profile to grant access to Person Account record type will not work, as it will only control the record type visibility, not the record visibility.

 Partner User roles are limited to three levels, which means that affiliates cannot create more than three levels of roles for their internal sales team. This is the main problem an architect should address in this situation. The Channel Manager role can be shared with Partner Community, as it is used to manage partner accounts and users. Partner Community does support Role Hierarchy, as it allows affiliates to create their own roles and grant access based on their own hierarchy.

To troubleshoot why staff members can see accounts that they do not own and should not have access to after a change in the role hierarchy, the architect should log in as one of the staff members, navigate to a sample account, and use the sharing button to determine who has access. The sharing button shows all the reasons why a user has access to a record, such as role hierarchy, sharing rules, manual sharing, teams, etc. The architect can then identify which sharing mechanism is causing the issue and fix it accordingly

When assigning access level for a record using Apex Managed Sharing, you can only use ‘Read’ or ‘Edit’ values. Using ‘All’ or ‘None’ values will cause a DML exception on insert to the database.

The feature in Salesforce that is needed to restrict access to a custom object that has public read/write access is profile. Profile settings can control the create, read, edit, and delete permissions for a custom object at the user level, regardless of the organization-wide default settings. The other options are either not related to object access or not restrictive enough.

To increase performance of record access and sharing calculations, the architect should review the following areas: number of roles in the role hierarchy, number of sharing rules per object, and number of groups and group members. These areas can have a significant impact on how quickly and efficiently Salesforce can calculate and apply the sharing settings for each record. Custom object data, number of fields per object, and number of profiles in the org are not directly related to record access and sharing calculations.

A workaround to ownership data skew is to minimize possible performance impacts by not assigning the user(s) to a role. Ownership data skew occurs when a single user owns a large number of records (more than 10,000) of an object, which can cause performance issues when sharing calculations are performed. By not assigning the user to a role, you can prevent the sharing rules from being applied to the records owned by that user, and reduce the number of rows in the sharing tables.

Creating a reusable SOQLQueries class without specifying “With” or “Without Sharing” on the class or specifying “With Sharing” or “Without Sharing” on the methods are two ways to meet the requirements. The sharing mode of the class or method will depend on the context of the calling code, which can be either “With Sharing” or “Without Sharing”. Option B is incorrect because the runAs() method is only available in test methods and does not change the sharing mode. Option D is incorrect because it requires creating two separate classes for different sharing modes, which is not reusable.