Certified Sharing and Visibility Designer - Salesforce Domain Certification

Hi Everyone, I got this certification recently and wanted to share my experience. You can comment if you have any questions. Once you appear for the exam, Please comment questions/topics you can remember, we can add them here in the main blog. Thanks

• Certification Guide ( go through this and its very likely to get same mock questions)
• Resource guide (schedule some 10-20 hours to go through this document )
• Exam is about lot of reading than answering, keep that in mind and practice it.
• Try to note your correct vs not sure answers which will help you during reviewing time.
• Hand-on will help to answer quickly.

Following were the key points before attempting exam:

• Difference between profile and permission set - What can be done with profiles that cannot be done with permission sets(questions around layout, record types, tab settings)

Assigned app / default app
License
Profile will have a hidden permission set
Login hours / IP

• Use of System.runAs() - What do we use this for checking FLS, Record sharing?

Not FLS only sharing
Crete users even though no license
Mixed DML without error

• Login Hours and Login IP changes - Done at org level or profile level and what difference

Org level IP– you can still login with outside IP by authenticating by mobile or email activation code
Profile hours – default time zone will come from org time zone (after this no effect even if org default time zone gets updates)
Profile hours – clear all time to set any time
After login hours one can continue to see existing page but no actions allowed
Org wide – business hours – entitlement, case, milestone, case escalation rules.

• How to restrict or grand access to the records by using Role Hierarchy, Public Groups, Team, Territory, Partners.
• Default sharing model for Internal and External users

External users – sharing sets
Internal – sharing

• Given a code snippet to identify the security threat - CSS. Using a input text and a command button assigns it to output text

Variable by param
Escape false
Use encode
Soql injection
Image source tag

• When to use territory management

Most of the time geographic expectation and any other business related segregation
Collaborative forecasting – yes
Customize - no

• Encryption in rest and transit
  • Apex crypto. Key is they want to encrypt a long text field which needs to be encrypted in rest and transit

Confidentiality - the protection of data either at rest or in transit from unauthorized parties
Integrity - the data is complete and correct
Authenticity - proof of the authenticity
128, 192,256 AES
Generate key

• Use of Protected Custom metadata types, Protected Custom settings, Crypto class

Managed package will use protected to not allow modification in any way and it hides

• Locking related issues and how to overcome that. - Group membership locks issue

Granular locking
Parallel
Deferred

• Use of Salesforce Shield
• Apex managed sharing and reason and when to use what.
• Sharing Set - Community sharing to external users
• Manual sharing and what happens if ownership is changed. - My question was on accounts

Sharing to manual people will be erased

• Use of FLS ( mostly with VF), Record type, page layout, permission set and custom permissions

• How reports and dashboards and files can be shared.

By folder, using manager, view access

• List view - With whom can a list view be shared

Group, role and users & queue (in case of case)

• Account teams and visibility control to them and what happens when you change access on a particular account member who is part of default account team.

For each account you own, you can remove any team member from the account team.
Unless specified, removing a member of your account team does not remove that person from your opportunity teams.
If a team member is on your default account team and you remove him or her from a specific account, those changes only affect that account. The setup of your default account team does not change. To remove users from your default account team, see Guidelines for Setting up Default Account Teams.
If a user on an account team has Read/Write access (Account Access, Contact Access, Opportunity Access, and Case Access) and is deactivated, the access will default to Read only if the user is reactivated.

Changes in the default team won’t affect open opportunity (while delete there is a check box which askes for removal)

Changes role did not reflect, changes access did not reflect
Deleted but has a check box

• If users have "Master" record type in their profile and one custom record type in their permission sets, which record type is a new record associated with?

Custom record type and user cannot select Master. Permission set overrides profile in this case.
& user cannot choose Master what so ever

• Territory Model State

Nothing but keeping a territory in planning mode (majorly for testing)

• RowCause 

Can be set manually in apex for custom object share record (doing this will help not lose the sharing's when owner change happens)

• reports

Only owner or manager can share the report (IMP)
Viewer, editor & Manager are the three ways of sharing the report folders

• Login hours

Org level IP ranges will not restrict user, meaning he can still verify and get logged in. However profile IP ranges are hard stop or restricted further login process

• When u change Account owner

Account team members (In Salesforce Classic, the Keep Account Team option must be selected. In Lightning Experience, it happens automatically).
Manual Share also is removed when owner is changed

• Portal

external users -  high volume portal users
internal users - sf users
sharing set - used for external users
sharing group - used for internal users to access record owner by members of sharing set

Few example questions:

• https://quizlet.com/220660847/salesforce-sharing-and-visibility-designer-su-17-flash-cards/
• https://quizlet.com/223415779/salesforce-sharing-and-visibility-flash-cards/
• https://quizlet.com/215571584/salesforce-certified-sharing-and-visibility-designer-flash-cards/

Few Helpful blogs:

• http://salesforcememo.com/2017/01/04/how-to-prepare-for-and-pass-sharing-and-visibility-designer-exam/
• https://icodecloud.wordpress.com/2017/04/21/salesforce-sharing-visibility-designer-certification/
• https://help.salesforce.com/articleView?id=users_license_types_communities.htm&type=5
• https://help.salesforce.com/articleView?id=000212568&type=1

Mock Questions:

Move all the SOQL in one place so that based on the need a developer can call the appropriate method to fire SOQL.
Create a WithSharingSOQL class and WithoutSharingSOQL class and Developer will invoke SOQL from respective class based on need

A sales representative needs to create dashboard to compare the sales figures for the quarter with sales figures of other representatives. Which permissions will he need? Choose 2 answers.
 Manage Dashboards.
 ‘View all’ permission on object

Confidential PHI information is captured in one field of an object whose OWD is private. This field should only be visible to 3 users from diverse groups. This field should also be encrypted at rest and in transit. What is the best approach for this with minimum effort? Choose 2 answers.
Permission sets
Apex Crypto class

Test the new model before rolling it out. They however have organization limit of 10000 territories.
Territory Model State

Data in the fields should be encrypted at rest and should be visible to the record owners and not even the reporting managers in the role hierarchy.
Private OWD for object with Grant Access to role hierarchy unchecked.
Platform encryption.

A user can only see the fields A, B, and C on a record of Object X until the Stage field value on the record changes from New to Working. Once the Stage field value is updated to Working and the record is saved, the user should be able to see fields A, B, C, and D.
How would an application developer configure this?
Use workflow to change the record type

Universal Containers has two departments: Collaboration and Customer Support. The cases owned by users on Collaboration department need to be shared within the department and to the VP of Universal Containers. The cases owned by users on the Customer Service Department need to be shared within the department and to the VP of UC. The two departments never need to work on cases owned by the other. How can the sharing be managed? Choose 2 answers.
Private OWD for case with Grant Access to role hierarchy checked.
Sharing rule to share records owned by collaboration group with other members of collaboration group and Customer service group with other members of customer service group

A recruiting agency used Job custom object to track job openings. A field Recruiter__c with a lookup on user object is used by Manager to assign the job opening to a recruiter based on dynamic parameters. The OWD on job object is private and they need to be shared with the recruiter assigned which can be different from the owner. Which sharing approach can be used to achieve this?
Apex Sharing

Who can share a report with other user? Choose 2 answers.
With Manager Access
Report owner

Universal containers has 1000 accounts and around 10000 contacts associated to the accounts.
Which feature they can use to avoid sharing calculation being suspended due to server maintenance?
Parallel Sharing Rule Recalculation

Users X and Y need to see the same candidate record. For security reasons, user Y should
NOT be able to view and report on the Email Address field on the record.
How would a developer meet this requirement?
Use field-level security to make the email address visible to user X but not user Y

Sales reps at AW Computing need assistance from product managers when selling certain products. Product managers do not have access to Opportunities but need to gain access
when assisting on a specific deal. How can the system administrator accomplish this?
Enable sales teams and allow users to add the product manager

Where an Admin can set the allowed IP addresses?
Profile

Universal Containers requires that some employees are able to view and edit records of a custom object called Positions, but none of them can delete them. How can Universal Containers accomplish this goal?
Remove the Delete permission for positions from all profiles

Noted few points after attempting the exam:

• Role hierarchy setup questions – 3 questions
  long text is given, read and map the roles and then answer questions ( like how role & subordinate sharing rule works, what happens if manual sharing is done and person role changed )
   
• APEX sharing 2-3 questions – scenario given and you have to suggest.
   
• FLS – 40 fields needs to available to a profile user but layout should not be cluttered.
   
• List View – two list views LsV1, LsV2 having shared to 2 groups G1, G2 respectively, unfortunately everyone were able to see both list views.
   
• Report/Dashboard – 2 questions – permissions, sharing & behaviors
   
• Data Skew – Scenario is given and asked what issue can happen.
  Please check whether any helps by organizing the pay load during data load ( meaning say organizing child’s of same parents )
   
• Question like how to handle 100000 opportunities and 1000 territory updates, what issue may happen – Group membership lock
   
• External / Internal Users: Sharing record to external users, keeping external user as owner, sharing to internal user
   
• APEX security – Sharing/Without Sharing and Nothing – 2 questions
   
• When Opportunity or Contact is set as Private -> what options will be available during Account team member creation.
   
• When Contact OWD is control by parent, what options will be available during Account team member creation.
   
• Protected Custom Setting, Metadata Type & Named Creds
   
• Sharing set/ Sharing group – 2 questions
   
• Default team / what happens removing or update member already in the account VS already in the team.
   
• One question, where there were 4 options on a Group membership issue ( no clue on the complete question, please fill in if you can remember):
  a. Creating a Territory
  b. Deleting a territory
  c. Creating a role
  d. Deleting a role
   
• One questions where APEX callout has to be done, but only records with Fulfillment Vendor access needs to be given. ( this is most confusing the apex section ), I remember all 5 options where you have to choose 3
  a. set object to private
  b. apex class with “With sharing”
  c. create separate login with Profile having API enabled
  d. Create APEX with “Without Sharing” to receive input as FullFillmentID
  e. Use input in the dynamic SOQL to retrieve the results
   
• Sharing Set config is not showing one object why?
   
• Vulnerabilities -  2 questions:
  Snippet one: output text without encode
  Snippet two: dynamic soql search VF & apex  ( there are 2 answers where SOQL Injection one of them )
   
• Two objects needs to be set up, Invoice & Invoice Line Item (has two amount fields which needs to be rolled up), select the relationship.
   
• Enterprise territory management ( only odd man out helped )
  removed two answers out 5 options - > cannot create group, cannot share report/dashboard
   
• Data at rest vs transit – 2 questions
  - Note with long text area needs to be secured
  - Field needs to be secured
   
• How to stop exporting report option
   
• Record type/Page layout/Profile usage
   
• APEX/VF -> how to make sure the accesses: use describe results
   
• VF standard controller behavior w.r.t FLS