An organization uses Enterprise
Territory Management to assign Accounts based on geography. In addition,
Opportunity Teams are used on complex deals. Sales Reps want to clearly see
which Opportunities are part of their territory separate from Opportunities
related to the team.
What is the recommended method to meet this requirement?
A.
Use a separate Opportunity record types based
on Territory or Team.
B.
Run an
Opportunity report and Show My territories' opportunities.
C.
Set the Opportunity Owner to a Queue and filter
in a List View.
D.
Use Account Teams instead of Opportunity Teams,
which will implicitly restricts access.
Enterprise Territory Management
You and
your reps can now filter information on opportunity reports by territory. This
feature is new in both Lightning Experience and Salesforce Classic. Also new in
Lightning Experience and all versions of the Salesforce app, reps see which
users are assigned to an account’s territories, just like in Salesforce
Classic.
When creating, editing, or
running an opportunity report, select My territories’ opportunities in the
Show field to include the opportunities that belong to your territories.
2 of 5.
Person Accounts are enabled in Universal
Containers (UC) org. UC also uses Business Accounts and related Contacts.
Users have requested the ability to share Contact records associated with
Business Accounts with their colleagues.
Which feature enables this requirement to be met?
A.
Set
Organization-Wide Sharing Default for Accounts and Contacts to Private,
and manually share the Business Contact.
B.
The Organization-Wide Sharing Default for
Contact cannot be independently set when Person Accounts are used.
C.
Change the Account and Contact
Organization-Wide Sharing Default to Public Read Write.
D.
Set Organization-Wide Sharing Default for
Contact to Controlled by Parent, and manually share the Business Account.
Sales Reps at an organization use Lightning
Experience. When on vacation, Sales Reps want to have specific colleagues
cover appointments scheduled with prospects as well as create new
appointments on their behalf.
Which is the recommended method to meet this requirement?
A.
Instruct
Sales Reps to use Share Calendar, and provide Show Details and Add Events
access to colleagues.
B.
Sales Reps should change the Assigned To on
Events that colleagues will cover and colleagues use Chatter for new
appointments.
C.
The Administrator should change Organization
Wide Sharing Default for Calendar to Show Details and Add Events.
D.
Sales Reps should switch to Salesforce Classic
in order to view Calendar details.
4
of 5.
A company uses Einstein Analytics to
analyze Opportunity data from Salesforce. Within Salesforce, the appropriate
sharing has been set up to limit Opportunity record access to the appropriate
users. Within Einstein Analytics, users must see only the data that they can
access in Salesforce.
What is the correct security control to implement?
A.
Disable the Download Data System Permission for
users who access Einstein Analytics.
B.
Change the Einstein Analytics Security User to
read only object access.
C.
Einstein Analytics automatically follows
Salesforce Sharing, no changes are needed.
D.
Set the
dataset Row Level Sharing Source to Opportunity and Security Predicate to
false.
5
of 5.
Sales Managers at a company create
reports and dashboards in Lightning Experience. Sales Managers want to share
several reports with their Sales Teams. They also want Sales Team members to
be able to contribute their own reports to the team.
What is the recommended method to meet these requirements?
A.
Switch to Salesforce Classic, create a folder,
and share Viewer access with a Group.
B.
Ask an Administrator to schedule report
distribution emails to the team members.
C.
In Lightning
Experience, create a folder and share Editor access to a Group.
D.
Share My Personal Custom Reports with Manager
Access to Everyone.
Universal Containers (UC) uses
Salesforce for all of its internal users. Recently UC started getting a lot
of complaints from users regarding locked user accounts due to users not
being able to reset their passwords.
What is the recommended solution a Salesforce administrator can follow to
solve this problem?
A.
Modify password policies and set Password
Expires to "Never Expires" so that users can log in without any
interruption.
B.
Implement a third-party Identity Provider to
centralize user management and authentication policies.
C.
Enable
two-factor authentication using Lightning Login to allow users to log in
without their passwords.
D.
Configure social media authentication provider
to allow users to log in via their social media credentials.
Password-free logins rely on Salesforce Authenticator (version 2 or later), the two-factor authentication mobile app that’s available as a free download for iOS and Android devices. Lightning Logins add a layer of security by requiring two factors of authentication for login.
The first factor is something that the user has—a mobile device that has Salesforce Authenticator installed and connected with the user’s Salesforce account.
The second factor is something that the user is, such as a fingerprint, or something that the user knows, such as a PIN. The second level of authentication enhances security by requiring access to the mobile device and the user’s fingerprint or PIN.
Lightning Login isn’t limited to orgs using Lightning Experience. It works in Salesforce Classic, too.
All internal users (not external community users) are eligible for Lightning Login by default, but you can decide whether to make it available to all users. You can also determine user eligibility by using the Lightning Login User permission.
From Setup, enter Session Settings in the Quick Find box, then select Session Settings.
Review the default settings for Lightning Login.
Make sure that Allow Lightning Login is enabled.
You can disable Allow Lightning Login at any time to switch users back to username and password logins.
Decide if you want to make Lightning Login available to all users or only users with the Lightning Login User permission.
Confirm that a Standard session security level is appropriate for this login method.
Lightning Login establishes a Standard security level for the user’s session. Standard is the default security level for the Username Password method that Lightning Login typically replaces. If needed, you can change the security level to High Assurance.
Assign the Lightning Login User permission to users in the user profile (for cloned or custom profiles only) or permission set. Lightning Login isn’t supported for external users.
Consider these points about how Lightning Login relates to other login, identity verification, and two-factor authentication features.
You can monitor your users’ Lightning Login activity using Login History or Identity Verification History tools.
If enrolled users attempt a Lightning Login from an unrecognized browser or device, Salesforce requires login using username and password, along with identity verification.
If an enrolled user previously logged in from a browser and selected Remember me, login hints on the login page show a lightning bolt next to past usernames that are Lightning Login–enabled.
NOTE For Lightning Login to display login hints properly in the Apple Safari browser, change theCookies and website data option in the browser. Advise your users to change it from Allow from websites I visit to Always allows.
If your org sets a two-factor authentication policy for logins, the Lightning Login method satisfies the second factor requirement. Salesforce does not separately require users with the Two-Factor Authentication for User Interface Logins permission to provide a second factor.
If your org has defined a transaction security policy that requires two-factor authentication, Lightning Login isn’t supported. Enrolled users who attempt a Lightning Login must use log in with username and password instead.
2
of 5.
Universal Containers uses Customer
Community for its customers and wants to make sure that there is an extra
layer of security to avoid unauthorized access.
What is the recommended way of enabling two-factor authentication for
external users?
A.
Use dynamic login on the customer community to
allow customers to verify their identity.
B.
Use custom login flows to implement two-factor
authentication for external users.
C.
Use an AppExchange application to implement
two-factor authentication for external users.
D.
Update
external user profile to allow users to verify their identity and avoid
unauthorized access.
3
of 5.
An administrator resets a user
password in Salesforce.
Which attribute will be updated with the "True" value in the
Identity URL or UserInfo endpoint?
A.
password_updated
B.
email_verified
C.
password_reset
D.
active
Explanation : The email_verified attribute in the UserInfo endpoint and identity URL now reflects whether users successfully verified their email address after clicking a link in an email confirmation message. Previously, it reflected only whether the org had email verification enabled.
The email_verified attribute’s value is set to true when org and community users click a link in the email they receive after:
They change their email address
They change their password, or a Salesforce admin resets their password
They verify their identity, such as in two-factor authentication
A Salesforce admin creates them as a new user
For example, a Salesforce admin creates the user Roberta Smith. Roberta receives a “Welcome to Salesforce” email message with a link to verify her account. After she clicks the link, the email_verified value is set to true.
4
of 5.
Universal Containers (UC) uses an
external website to allow its customers to perform self-service functions.
The website doesn't support authentication through SAML or OpenID Connect. UC
has decided to implement Salesforce and authenticate its users via
Salesforce.
What is the recommended solution to allow users to authenticate via
Salesforce on the external website?
A.
Migrate the website to Customer Community to
allow a seamless experience and set existing passwords as their customer
community user passwords.
B.
Configure Salesforce as a Service Provider, and
implement custom federation services using existing Identity Store.
C.
Configure a connected app in Salesforce and use
username-password flow to allow customer to authenticate on the website.
D.
Configure
Customer Community identity providers, and use Embedded Login to allow
customers to authenticate on the website using configured identity
providers.
Explanation : Embedded Login
Who Does What
The Salesforce admin creates a community, brands the login page, and configures the authentication providers. Then the admin adds the website domain to the Cross Origin Resource Sharing (CORS) whitelist (1).
The Salesforce admin creates an Embedded Login connected app. The connected app handles the interaction between Salesforce and the website (2).
The web developer adds Embedded Login meta tags to the web page to display the login form (3).
The web developer supplies JavaScript functions and the onlogin and onlogout specifications to determine what happens when the user logs in and out. The logout function is optional. (4).
The web developer creates a callback to handle the authentication response, specifying callback-specific meta tags (5).
The result is a web page with login capabilities (6).
What’s Happening Behind the Scenes
When a user clicks the button and enters credentials in the login form, Salesforce authenticates the user. Then Salesforce checks the connected app to determine the type of access token to grant.
Salesforce sends the access token to the callback.
The callback uses the access token to pull the user’s information from Salesforce and cache it locally.
The onlogin function determines which information to display to the user.
If the website requires ongoing interaction with Salesforce after authentication, the connected app maintains a connection between the web page and the Salesforce community.
5
of 5.
Universal Containers (UC) uses
Customer Community to allow its customers to register and perform
self-service functions. Due to the growth of the business and the customer
base, UC wants to deliver a different experience to its customers based on
runtime circumstances.
What is the secure and recommended way of enabling this?
A.
Develop Lightning components to deliver
different experience to customers using their information stored in
Salesforce.
B.
Enable
dynamic login experience by adding expid request parameter in the client
configuraiton SSO initialization URL.
C.
Use an AppExchange product to customize the
Customer Community login experience and deliver a personalized experience
to customers
D.
Use custom login flows to deliver different
experiences by extracting the source from the URL where the customer is
visiting from.
Explanation : Dynamic Login You can use dynamic branding to customise your community’s login experience at run time. For example, you can change which logo to display depending on whether the user is an employee or customer. Or display a particular self-registration page based on the user’s country code.
When using dynamic branding to customize the login experience, it applies to the entire login process: the initial login page plus related pages, such as two-factor authentication or a login flow. You can add dynamic branding to Community Builder, Visualforce, and custom login pages.
Use dynamic URLs for your login pages to present a different look and behavior based on the run-time situation. For example, different logos appear depending on who the user is or where the user’s logging in from. Dynamic branding relies on a URL parameter called the experience ID. The {expid} determines what the user experiences. At run time, the{expid} resolves to the current value, and the appropriate URL is created.
Here’s a scenario. Universal Distributing wants to brand the login experience depending on whether the user is internal or external. You create logos for each brand, appropriately named internal_logo.png and external_logo.png. Then you set the logo URLs so that internal users see http://.../internal_logo.png and external users see http://.../external_logo.png.
From the Administration Login & Registration page, you specify the logo URL with the {expid}:https://universaldistributing.com/{expid}_logo.png.
When an external user logs in, {expid} is set to external, the URL becomeshttps://universaldistributing.com/external_logo.png, and the external logo appears on the login page. Likewise, when an internal user logs in, {expid} is set to internal, the URL becomeshttps://universaldistributing.com/internal_logo.png, and the internal logo appears on the login page.
You define dynamic branding URLs for logos and right-frames on the Community Workspaces Administration Login & Registration page. They apply to default and custom login pages.
In addition to setting the experience ID, your login implementation must set the login URL according to the value of the experience ID. For example, by adding the logic to your login button, when expid=INTERNAL, the login button directs the user to https://universaldistributing.com/brands/expid=INTERNAL.
You can also use Visualforce and Apex to create dynamic URLs. Use the Apex getExperienceId method of the System.Site class to retrieve the value of the experience ID. To set the experience ID, use the setExperienceIdmethod, or add an experience ID dynamic parameter to one of these login endpoints.
For example, use the CommunitiesSelfReg endpoint to pass in a different {expid} value to the self-registration page to deliver a different registration flow for each brand.
