Salesforce Advanced Administrator Certification Guide E-Book

Salesforce Advanced Administrator Certification Guide

Copyright © 2019 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Commissioning Editor: Richa TripathiAcquisition Editor:Alok DhuriContent Development Editor:Pathikrit RoySenior Editor: Rohit SinghTechnical Editor: Ketan KambleCopy Editor: Safis EditingProject Coordinator:Francy PuthiryProofreader: Safis EditingIndexer:Pratik ShirodkarProduction Designer:Deepika Naik

First published: November 2019

Production reference: 1071119

Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK.

ISBN 978-1-83864-389-8

www.packt.com

Packt.com

Subscribe to our online digital library for full access to over 7,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.

Why subscribe?

Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals

Improve your learning with Skill Plans built especially for you

Get a free eBook or video every month

Fully searchable for easy access to vital information

Copy and paste, print, and bookmark content

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.packt.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.

At www.packt.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks. 

Contributors

About the author

Enrico Murru is a solution and technical architect at WebResults (an engineering company), an Italian platinum Salesforce partner, and ISV. He completed his MSc in Electronic Engineering at the University of Cagliari in 2007. In 2009, he joined WebResults as a junior Salesforce developer. In 2013, he launched his first blog named Nerd @ Work. In 2016, he was nominated as the first Italian Salesforce MVP due to his commitment to the Salesforce community. In the same year, he started collecting Salesforce certifications, gaining 20 of them over the next 3 years, as part of his own path to the Salesforce Technical Architect certification. In 2016, he started one of his most popular projects, the ORGanizer for Salesforce Chrome and Firefox extension.

About the reviewers

Chamil Madusanka was the first Sri Lankan Salesforce MVP and is the director of Sri Lanka's Dazeworks Technologies Pvt. Ltd. office. He has four Salesforce certifications. He is the founder of the Sri Lankan chapter of Salesforce Saturday and a program called TCICThursday.

He has authored Visualforce Developer's Guide and Learning Force.com Application Development. He has also reviewed Salesforce Reporting and Dashboards and Salesforce Lightning Reporting and Dashboards.

He completed his first degree, a BSc in computer science, at the University of Colombo's School of Computing. He achieved his MBA in management of technology at the University of Moratuwa. Chamil hails from Polonnaruwa, and can be reached via Twitter at @chamilmadusanka.

Himanshu Atal is a chief information officer at India's Dazeworks Technologies Pvt. Ltd. office, and a very well-known partner of Salesforce with 11 MVPs in the organization. He has more than 8 years' experience in Salesforce and has successfully delivered more than 150 projects using the Salesforce platform.

He has worked with organizations such as IBM India Pvt. Ltd. and Persistent Systems.

Packt is searching for authors like you

If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.

Table of Contents

Title Page

Copyright and Credits

Salesforce Advanced Administrator Certification Guide

Dedication

About Packt

Why subscribe?

Contributors

About the author

About the reviewers

Packt is searching for authors like you

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the example code files

Download the color images

Conventions used

Get in touch

Reviews

Section 1: Security, Access, and Organization Management

Secure Data Access

Controlling who sees what

Licensing

The sharing model

Profiles, permission sets, and object security

Permission sets

Object-Level Security (OLS)

Field-Level Security (FLS)

The Salesforce sharing model

OWD sharing

Role hierarchies

Sharing rules

Public and personal groups

Working with sharing rules

Manual sharing

Apex managed sharing

Team sharing

Account teams

Opportunity teams

Case teams

Some considerations about sharing

Enterprise territory management

Sharing within Salesforce communities

High-volume community users

Summary

Questions

Auditing and Monitoring

Delegated administration

Monitoring your organization

Monitoring object-specific limits

Monitoring storage

Monitoring the login history

Monitoring the identity verification history

Monitoring changes: View Setup Audit Trail

Field history tracking

Background job monitoring

Debug log monitoring

Monitoring email logs

Health check monitor

Event monitoring

Summary

Questions

Change Management

Testing using sandboxes

Developer sandbox

Developer Pro sandbox

Partial Copy sandbox

Full sandbox

About sandbox flow architectures

Deploying changes with change sets

Deploying changes with packages

Deploying changes with other tools

Handling data changes

Importing data with the Data Import Wizard

Importing data with Data Loader

Exporting data

Summary

Questions

Section 2: Data Model Management

Extending Custom Objects

Advanced aspects of object relationships

Master–detail relationships

Roll-up fields

Many-to-many relationships

Lookup relationships

Hierarchical relationships

Formula fields and relations

External relationships

Validation rules

VLOOKUP

REGEX

PRIORVALUE

Picklist management

Dependent picklists

Summary

Questions

Section 3: Sales and Service Cloud Applications

Support Sales Strategies with Sales Cloud Features

Managing products, product schedules, and pricebooks

Product schedules

Managing quotes and quote templates

Quote templates creation

Quote versus opportunity synchronization

Predicting deals with forecasts

Setting up collaborative forecasting

Summary

Questions

Service Cloud Applications

Salesforce Knowledge

Setting up Salesforce Lightning Knowledge

Handling articles

Managing data categories

Importing external knowledge

Configuring Omni-Channel

Skill-based routing

External routing

Omni-Channel Supervisor app

Live Agent chat and communities

Salesforce Community setup

Chat (Live Agent) Setup flow

Einstein Bots

Entitlements for SLA management (and more)

Summary

Questions

Section 4: Data and Content Management

Improving Data Quality with Duplicate Management

Understanding duplicate management

Local duplicate management

Global duplicate management

Exploring and customizing rules

Customizing duplicate rules

Customizing matching rules

Considerations regarding duplicate management

Summary

Questions

Salesforce CRM Content Management

Setting up Salesforce CRM Content

Further Salesforce CRM Content options

Handling content libraries

Adding files to libraries

Enabling Google Docs

Content packs

Content delivery

Content search

Summary

Questions

Section 5: Reports and Dashboards

Mastering Reports

Building reports

Report types

Report formats

Filtering reports

Charting report data

Advanced highlighting for report data

Bucket fields

Formulas in reports

Joined reports

Tracking history on reports

Historical Tracking Reports

Reporting Snapshots

Subscribing to reports

Further considerations

Summary

Questions

Visualizing Key Metrics with Dashboards

Building dashboards

Reports and dashboards folders

Setting up a dashboard

Selecting the right charting option

Filtering dashboards

Subscribing to a dashboard

Limitations with dashboards

Summary

Questions

Section 6: Process Automation

Automation with Workflows

What is process automation?

Which tool should you choose?

Building workflow rules

Automated actions

Field updates

Cross-object field updates

Task actions

Email alert actions

Outbound message actions

Time-dependent actions

Further considerations on workflows

Summary

Questions

Automating Record Approval with Approval Processes

Understanding approvals

Creating an approval process

Creating approval steps

Adding actions to approvals

Using approvals

Limits and considerations

Summary

Questions

Lightning Process Builder

Setting up a Lightning Process Builder

Shaping a Process Builder

Trigger selection

Criteria definition

Defining action groups

Creating records

Updating records

Processes

Posting to Chatter

Email alerts

Submitting for approval

Flows

Quick Actions

Custom notifications

Apex

Managing the Process Builder

Final considerations for building with a Process Builder

Summary

Questions

Lightning Flows

Flow concepts

Building a flow

Connecting flows and subflows

Autolaunched flows

Managing a flow

Testing a flow

Transactions and governor limits

Limits and considerations

Summary

Questions

The Coding Approach

Exploring Apex triggers

Order of execution

Trigger features and rules

Apex trigger anatomy

The before event

The after event

User interface development

Summary

Questions

Section 7: Taking Your Certification Exam

Tips and Tricks for Passing Your Exam

Keep studying

Topics and scores

Need more resources?

Facing the exam with the right attitude

Failure is an option

Schedule it right now!

Preparing for the exam

Question format

The final step

Summary

Mock Test A and B

Mock Test A

Mock Test B

Assessments

Chapter 1

Chapter 2

Chapter 3

Chapter 4

Chapter 5

Chapter 6

Chapter 7

Chapter 8

Chapter 9

Chapter 10

Chapter 11

Chapter 12

Chapter 13

Chapter 14

Chapter 15

Chapter 17

Mock Test A

Mock Test B

Other Books You May Enjoy

Leave a review - let other readers know what you think

Preface

When I was a child, I had a few secret wishes:

Becoming a great football player

: Given my limited football ability, I soon forgot this one.

Becoming a rock star

: Although I love playing drums and piano, I knew this was not my main path.

Teaching a computer to do what I want

: I started coding when I was a small child and this dream soon became reality; not by becoming the best coder in the world, but by being able to adapt to new technologies quickly and productively.

Being able to draw like a real artist

: No chance here – I've literally no artistic skills.

Writing a book

.

Writing a book is something that has always been on the list, but I've never had the skill to be a poet or a novel writer. A few years after the start of my career in the Salesforce world, and a few years before my first Salesforce MVP nomination, I casually started to write my own blog, Nerd @ Work, because I discovered that I had something to tell people: not philosophy, not an amazing drama, but my experience on the Salesforce platform. Who was the audience? The Salesforce Ohana, and I was surprised that people liked what I had to say (again, not art but solid technical stuff). This commitment to the community lead me to the unexpected Salesforce MVP nomination and, at the time of writing, I'm approaching my fifth nomination (fingers crossed).

But writing a blog is not like writing a whole book:

With a blog, you don't have the same commitment

: You can write whenever you want.

With a blog, you don't need a logical thread

: You can write whatever you want.

With a blog, you just keep writing on and on

: There is no end and there are no milestones.

That's why I started to think that I could end up with a whole book about the Salesforce platform, but honestly, I didn't have a clear idea of what to write about or whom the book should be targeted at.

And just while I was compiling a list of possible book titles, the Packt team appeared and proposed that I should write the very book that you are now reading – how strange life is!

Writing this book has been a great challenge that has involved countless weekends and nights passed reading, studying, deepening my knowledge, and writing and reviewing this content. 

Although the Packt team and I fixed few mid-term milestones, I only had one milestone in my mind: reach the last chapter, and I was surprised that, chapter after chapter, I really did end up finishing the book.

Childhood dream: check!

As a Salesforce developer and architect with more than 10 years' experience, I always say that any Salesforce technician should have strong administration skills, and I usually suggest that my young colleagues start their career with the Salesforce Advanced Administrator certification rather than the Platform Developer I certification. 

Since I was writing about a journey to the Salesforce Advanced Administrator certification, I knew that I had to not only pour all of my experience into the book, but also change my point of view: explaining advanced concepts to trailblazers who have potentially never had the chance to write a single line of code. Believe me, it's not the simplest thing to do, given that I'm a developer at heart who prefers to show code rather than explain how an algorithm works...why? Because it's easier for my brain.

While I was having to cover most of the Salesforce topics required for this certification, I tried to maintain a simple and trivial style to keep the storytelling funny and interesting, more or less like I try to do on my blog, without losing sight of the main target: helping you successfully gain the Salesforce Advanced Administrator certification.

There is no one size fits all rule, and I don't have the perfect recipe: study; experiment with configurations; and consolidate your knowledge with the reference links provided to official Salesforce docs, trailblazer's blogs, and Trailhead modules. But, most of all, trust yourself – don't be afraid to schedule your exam and face this certification. 

This book has been written to give the Salesforce Ohana another way to master the Salesforce platform and I really hope that, by the end of the last chapter, you'll feel more confident in your increased chances of successfully passing this hard, yet useful, certification and confirming that you are a, #AwesomeAdmin.

Who this book is for

This book is suggested to Salesforce administrators who want to maximize their administration skills by having a deeper knowledge of the Salesforce CRM's key features. As a developer at heart, I suggest that you read all the topics that are covered in this book, because I think that a great developer should also have a strong administrator background.

What this book covers

This book covers all the topics of the Salesforce Advanced Administrator certification, comprising 17 chapters contained in 7 sections.

Section 1, Security, Access, and Organization Management, deals with security concerns, monitoring, and change management.

Chapter 1, Secure Data Access, discusses how the administrator is the key holder of a Salesforce organization, the guardian of the company's data. As such, their main concern is protecting this valuable asset. The correct object permissions mean that users can only shape data in accordance with the permissions of that user, while planning the right sharing strategy means users will only see the subset of records that they are authorized to read and/or write, thereby delivering coherent and safe business processes.

Chapter 2, Auditing and Monitoring, is where we will learn how to take control of our organization by monitoring key metrics: user login histories, data usage, setup changes, record field histories, debug logs, and events.

Chapter 3, Change Management, teaches you about the different Salesforce organization types (such as sandboxes, developer organizations, and production organizations). We will also learn how to master change management with change sets and see what other tools can be used to move organization configurations from one organization to another, and we'll learn how to pull and push data using Data Loader.

Section 2, Data Model Management, is all about extending custom objects with relations, advanced formulas, and picklist management.

Chapter 4, Extending Custom Objects, covers the creation of advanced object relationships to support the most complex business cases. You will master validation rules to ensure optimal data quality and consistency, and manage picklist values to increase consistency between objects.

Section 3, Sales and Service Cloud Applications, is about delivering sales cloud and service cloud features to unleash sales strategies and service support for your sales reps and service agents.

Chapter 5, Support Sales Strategies with Sales Cloud Features, explores how to set up and manage products, customize product scheduling settings for the right payment and delivery constraints, and handle price books to organize prices to deliver to customers. Also, we'll delve into using quotes to deliver product pricing propositions to customers, configuring templates to deliver the right information to customers, and using collaborative forecasts to predict sales revenues and quantities from your opportunity pipeline.

Chapter 6, Service Cloud Applications, looks at how to empower service support and use Salesforce Knowledge to create a powerful knowledge base integrated within service processes. Also, we will learn how to use entitlements and milestones to enforce a customer service level agreement. The other topics we'll learn about include delivering efficient service channels with LiveAgent and omnichannel configuration, integrating with your Salesforce console app, and streamlining the way you create, manage, and view cases with case feed configuration.

Section 4, Data and Content Management, covers increasing data quality with duplication rules and managing files with Salesforce CRM Content.

Chapter 7, Improving Data Quality with Duplicate Management, dives into keeping data clean and accurate to ensure quality: defining duplicate policies for real-time local management, and scheduling duplication jobs for organization-wide management. Also, controlling matching rules to customize how Salesforce identifies duplicates and the way that users are notified when a match is found will be discussed.

Chapter 8, Salesforce CRM Content Management, goes into depth on how to use Salesforce CRM Content to organize, share, search, and manage all types of files within our organization. Setting up content, managing the publication of files, organizing files in libraries, searching files, and using content delivery to convert documents into web-optimized versions for online viewing will be the other learning areas of this chapter.

Section 5, Reports and Dashboards, introduces you to report creation and how to visualize complex dashboards.

Chapter 9, Mastering Reports, teaches you about reports, which give us access to our Salesforce data. Using report types to select targeted objects, selecting the required fields to be displayed, setting up filters to narrow down results, scheduling reports, subscribing to reports to receive notifications, reporting key metrics, and organizing reports to speed up searches will be the key things you will master in this chapter.

Chapter 10, Visualizing Key Metrics with Dashboards, is where you will learn how to use dashboards to understand changing business conditions so that you can make decisions based on the real-time data that is gathered by reports. Learning how to build dashboards based upon data from reports, displaying data using different kinds of charts, filtering dashboards, running dashboards with different users, managing dashboards, running schedules, and subscriptions will be the main things that are covered in this chapter.

Section 6, Process Automation, is concerned with implementing Salesforce automation with workflows rules, approval processes, Process Builder, Lightning flows, and custom Apex code.

Chapter 11, Automation with Workflows, takes you through how to deliver point-and-click automation to your business processes by leveraging workflow rules. Creating different kinds of automated actions, such as field updates, email alerts, outbound messages, and task creation will also be explained in this chapter.

Chapter 12, Automating Record Approval with Approval Processes, moves on to specifying all the steps required to approve a record, which includes defining the rules and activating the processes. Advanced examples of these concepts will also be present in the chapter.

Chapter 13, Lightning Process Builder, takes workflow rules to a new level with Process Builder, looking at defining criteria based on objects or platform events to triggeraction groups, which consist of immediate or scheduled actions. Troubleshooting a process to understand why errors are arising in order to speed up debugging will also be covered in this chapter.

Chapter 14, Lightning Flows, will cover flows, which actually collect data and perform actions in our Salesforce organization or an external system. We will also learn about using screen flows to collect data from agents or customers (for example, tutorials or wizards) and explore using autolaunched flows, which are flows that are launched after a record is changed or a button is clicked.

Chapter 15, The Coding Approach, shows you that when deeper customization is needed, the coding approach is a win-win situation. Understanding how Apex triggers can deliver complex automation for your processes when the point-and-click approach is not enough, and evaluating Visualforce and Lightning component adoption when user experience constraints necessitate coding magic, are the core learning areas in this chapter.

Section 7, Taking Your Certification Exam, prepares you for exam day and tests your skills with two mock tests.

Chapter 16, Tips and Tricks for Passing Your Exam, teaches you how to really get the most out of this book in terms of passing the exam, preparing you for the Salesforce Advanced Administrator certification, and showing you the best ways to increase your score and get that certification.

Chapter 17, Mock Tests A and B, contains two complete mock certification exams to help you measure your preparation level.

To get the most out of this book

Although this book covers most of the topics of the exam from scratch, knowledge of the following base concepts is regarded as having already been acquired by the reader:

The Salesforce Platform architecture

Standard object definitions and features in Sales Cloud and Service Cloud (accounts, contacts, opportunities, cases, and so on)

Data model customization (custom objects, custom fields, validation rules, record types, and so on)

User interface customization (page layouts, Lightning pages, applications and tabs, and so on)

Basic profiles, roles, and user management

The basic Salesforce object-sharing model

Process automation features (workflows, flows, Process Builder, and so on)

The difference between declarative and programmatic customization

Download the example code files

You can download the example code files for this book from your account at www.packt.com. If you purchased this book elsewhere, you can visit www.packt.com/support and register to have the files emailed directly to you.

You can download the code files by following these steps:

Log in or register at

www.packt.com

.

Select the

SUPPORT

tab.

Click on

Code Downloads & Errata

.

Enter the name of the book in the

Search

box and follow the onscreen instructions.

Once the file is downloaded, please make sure that you unzip or extract the folder using the latest version of:

WinRAR/7-Zip for Windows

Zipeg/iZip/UnRarX for Mac

7-Zip/PeaZip for Linux

The code bundle for the book is also hosted on GitHub at https://github.com/PacktPublishing/Salesforce-Advanced-Administrator-Certification-Guide. In case there's an update to the code, it will be updated on the existing GitHub repository.

We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://static.packt-cdn.com/downloads/9781838643898_ColorImages.pdf.

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: " TheTriggerkeyword comes in handy as well and gives us access to current record values (and even to old ones):"

A block of code is set as follows:

1. trigger OpportunityTrigger on Opportunity (before insert, before update,2. before delete, after insert, after update,3. after delete, after undelete) {4. //code goes here...5. }

Bold: Indicates a new term, an important word, or words that you see on screen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "The User License field is one of the mandatory fields of the Salesforceuserobject."

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packt.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in, and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Reviews

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

For more information about Packt, please visit packt.com.

Section 1: Security, Access, and Organization Management

In this section, you will learn how to efficiently manage your Salesforce organization by mastering data access security and record sharing, and enhancing monitoring and auditing. You will learn about best practices so that you can handle change management and data across different organizations.

This section includes the following chapters:

Chapter 1

,

Secure Data Access

Chapter 2

,

Auditing and Monitoring 

Chapter 3

,

Change Management

Secure Data Access

In each Salesforce organization, the administrator is the key holder: they are the guardian of the company's data and thus their main concern is protecting this valuable asset. The right object permissions shape data according to the kind of user who accesses it, while planning the right sharing strategy enables users to see only the subset of records they are authorized to read and/or write, thus delivering coherent and safe business processes.

In this chapter, we will learn about the following topics:

How data security is handled within the Salesforce platform

The difference between profiles and permission sets to define what users can do

Setting up record-level security to restrict/allow access to data depending on the user's shape

The Salesforce sharing model (from organization-wide default sharing to manual sharing), which determines which objects can be accessed by whom

Setting up Enterprise Territory Management for a territory-based record-sharing model

Handling sharing in Salesforce communities to give external users access to data

Controlling who sees what

With tens (or even thousands) of users in your Salesforce organization, choosing the right way to make data visible is an administrator priority: you have to control who sees what and you need to be aware of all the options your Salesforce customer relationship management (CRM) provides.

It's not a coincidence that secure data access is the first subject we are going to study in this book.

In my 10 years' experience, being able to master data access management has always been the key to better data organization, better platform performances, better CRM usability, and of course better customer satisfaction.

Data is your number one CRM resource, so use it carefully and with be conscious of it. Let the Salesforce platform take care of it and gently bring your sharing model to life.

Licensing

Like in most applications, every data story begins with a user: they authenticate against the application, they are recognized by their credentials and profile (we're not talking about Salesforce profiles but the generic set of powers a specific kind of user has), and then they are allowed to access the application's features and a subset of the data.

A Salesforce user is identified by their license. The User License field is one of the mandatory fields of the Salesforce user object:

The available licenses can be found in Setup | Company Settings | Company Information, in the User Licenses section:

The number and type of available licenses you have depends on what your company or your customer has agreed to with Salesforce.

We can reasonably divide licenses into three groups regarding data sharing:

Full sharing model usage users/licenses

: Users within this category have full access to the Salesforce sharing system. Some objects may not be accessible (for example, the free edition cannot access base CRM objects), but the engine is still there and configurable. This class of users is usually referred to as

internal users

.

High volume customer portal licenses

: Users within this category do not have access to the sharing model. Instead, sharing is enabled by matching user fields with other object's relations (for example, the contact lookup on the user is used to provide access to cases with the same contact value). This class of users is generally used in Salesforce communities.

Chatter-free license

: This category doesn't have access to the sharing model or any CRM object (standard or custom) and it features collaboration-only access (chatter, groups, and people, to name a few).

In a few words, the license constrains the kind of powers a user has, which is then delivered with profiles and permission sets. We'll take a look at these in the upcoming sections.

The sharing model

One of the first steps when designing a new Salesforce CRM implementation is to set up data access using the sharing model engine. This specifies who can see what!

To understand how this works, have a look at the following diagram:

The 

Organization-Wide Defaults

 (

OWD

) define how users have access to each other's records: when you want to protect an object, you set up the most restrictive access type (for example, Private) and then use the other available tools to give wider access to specific subsets of users. Let's say a specific profile has access to read and write on the case object: if OWD is set to

Public Read Only

, a user can read all the cases but won't be able to update them unless they are the owner of the record or are allowed to due to the other sharing features.

Role hierarchy 

represents a hierarchic view of the company's employee structure (such as an organization chart). This level of sharing defines how records are shared across the hierarchy (for example, sales managers can see all the records that are owned by their sales representatives).

Sharing rules

 are exception rules that can give wider access to records or a group of users who shouldn't actually see those records because of OWD and Role Hierarchy configurations.

Sharing sets/groups

 are used to share records with Salesforce community users.

Users can be given the power to share records they own with other users who don't have access to them otherwise. This is called

manual/Apex sharing

, and although it's not an automated configuration, it gives your users the needed flexibility to work with their team members.

Use

team sharing

to grant access to specific records (for opportunity, account, and case objects only): the record's owner (or users who are higher in the role hierarchy or administrators) can create a team granting read-only or read/write access to their team users to access the record. You can only have one team per object.

Territory hierarchies

is a feature that's specific for accounts, opportunities, and their child records (records that have a master-child relation with them). You can provide access to records based on specific

one-dimensional

 division (for example, business units, zip code, and country) using territory sharing rules, which are recalculated every time the record changes its

territory-linked

 fields.

Apex sharing

is the most powerful and granular feature that can give your sharing needs the right way to control record access if the previous features are not enough or don't apply to your sharing model. Developers can create algorithms to programmatically share objects with whichever users/groups they need to.

One final kind of sharing is implicit sharing, which is related to specifically standard objects and is a native feature that cannot be switched off. Parent implicit sharing means that if a user has access to opportunities, cases, or contacts, they also have access to the parent account. Child implicit sharing is the opposite; it gives users access to child objects (contacts, opportunities, and cases) to the owner of a given account: the administrator can set up read, write, or no access for child sharing in the role definition.

The following diagram summarizes the previous concepts:

Let's dig deeper into each way we can grant access to records.

Profiles, permission sets, and object security

Profiles define how users can access data and the whole Salesforce application.

Your organization comes with standard profiles that (there are exceptions for some Salesforce editions, such as contact manager, group edition, or essentials edition), you can customize a few permissions for on a standard profile or clone (creating a new custom profile) so that you have full access to its customization (for example, custom object access, field-level security access). The only thing you cannot change is the license type related to a profile.

Permission sets are similar to profiles with a simple difference: you can assign zero or more permission sets to a single user, thus providing additional capabilities that are not set up in the base profile. This increases permissions attribution granularity when creating simple profiles with few capabilities and granting users different powers as needed (sometimes, a Salesforce user can have both sales and service capabilities, but you don't want to create a profile with both permissions).

You may ask the following question:

You definitely can, but only if your users have clear permission needs and their operative role in the CRM is well defined, which is usually not the case. The business can ask for the sales representatives to be able to access and edit cases, though some service agents may be required to edit opportunities, which are a sales representative's unique permission. If you have to take into account any exceptions when setting up permissions, you would end up with tens of custom profiles, a task that can be time-consuming. Instead, you should deliver some base and exclusive profile configuration and provide a class of permissions using permission sets to specific users when needed (a user can have only one profile but can be related to multiple permission sets).

You can edit a profile with two different interfaces: the enhanced profile user interface and the original (or standard) profile interface.

To enable the Enhanced Profile User Interface, click on Setup | Users | User Management Settings and enable the Enhanced Profile User Interface flag:

This interface is a more powerful profile editing page that supports all the settings that are provided by the original interface: the main enhancement is the capability to search for settings as opposed to the original interface, where all the main options are in a single page. To switch from a master setting to a child one, you need to browse different pages.

From now on, we'll be using the original interface.

Let's briefly look at every section on the profile editor page:

Profile Detail

: This section contains the main details of the profile, including whether it is a standard profile or a custom one. This section is editable on custom profiles only.

Console Settings:

Edit layout assignment in Salesforce console apps.

Page Layouts: 

This section is used to assign layouts to records (and record types if the object has at least one record type).

Field-Level Security

: For each object, this defines which fields are visible and editable.

Custom App Settings

: This decides which Salesforce applications are accessible by the user and which ones are the default ones.

Tab Settings

: Like the

Custom App Settings

section, we can choose which tabs are enabled or hidden.

Record Type Settings

: For any object that supports record types, you can allow users to use them when creating a new record, thus allowing users to have access to specific business processes.

Administrative permissions and General User Permissions

: This section contains all the administrative settings and general permissions (such as the

View All Data

 and

Modify All Data

 superpowers). This section can only be edited for custom profiles.

Standard Object Permissions, Custom Object Permissions, and Platform Event Permissions

: These sections define the OLS, that is, CRUD operations and the

View All

 and

Modify All

 superpowers, which allow the user to view and modify all the records of a given type. Platform events can only be configured with read or create access.

Session Settings and Password Policies

: These sections display profile-specific session settings (such as session duration and security level) and everything about password management that overrides the

Setup | Security | Session Settings

and

Password Policies

org-wide settings.

Login Hours

: Define when a user should be able to log in to Salesforce.

Login IP Ranges

: Defined the origin IP addresses that are considered safe to access your Salesforce organization (there's a restriction on a company's IP ranges). Within this range of IPs, users won't be asked for an activation pin (this is sent via email or SMS). You can also restrict this to org-wide login so that it's executed from within this range in

Setup | Security | Session Settings

.

Enabled Apex Classes Access and Enabled Visualforce Page Access

: From here, you can enable access to Apex classes (for example, enable a user to access a specific custom Apex web service) and Visualforce pages (for example, access to a specific Visualforce wizard).

Other permissions

:

External Data Source Access

: Access to external records (defined in

Setup | Integrations | External Data Sources

).

Named Credential Access

: Access to specific external web servers (

Setup | Security | Named Credentials

).

Service Presence status:

Available presence statuses (for example, live chat operator status such as Active, Away, or Offline. Go to 

Setup | Features Settings | Service | Omni-Channel | Presence Statuses

 to do this. Note that you need 

Omni-Channel

activation).

Custom Permissions

: Allows profiles to have custom permissions that have been designed to modify a Visualforce or Lightning component's behavior on the developer side and validation rules on the administrator side (

Setup | Custom Code | Custom Permissions

).

Default Community

: Default Salesforce community (if any).

If you want to create a new custom profile, you only have to jump to the standard profile you want to modify (or choose another custom profile that's already set up) and click the Clone button, which brings you to the following page:

From now on, the profile will be completely customizable and will be listed as a custom profile on the profile's Setup | Users | Profiles page:

Now, let's look at how we can create permission sets.

Permission sets

Permission sets are, as the term suggests, a collection of permissions or settings that give users access to specific platform features/functions.

Permission sets are used to extend application feature access to users without changing their profiles.

This concept is valid for whatever kind of permission that's available on the permission sets.

You can create a permission set by going to Setup | Users | Permission Sets:

If you don't fill in the License field, you won't be able to see all the possible settings. Only use no license permission sets when you want to apply them to users whose license is allowed to enable it.

The permission set editor uses the enhanced profile view:

The Session Activation Required flag is used to create permissions sets that are associated with specific kinds of sessions.

The following limitations apply for the maximum number of permission sets that can be created in a given organization:

Personal edition

Contact manager

Group edition

Essentials edition

Professional edition

Enterprise edition

Unlimited and performance edition

Developer edition

N/A

1

5

10

1,000

1,000

1,000

1,000

Object-Level Security (OLS)

The first level of access type is Object-Level Security (OLS), as we saw previously on the profile edit page:

These kinds of operations are usually referred to as CRUD operations:

C

reate

R

ead

U

pdate (or Edit)

D

elete

Some of them respect sharing configurations while some do not:

Read

: Users can view records of this type if the sharing settings allow them to (sharing respected).

Create

: Users can create and view records (sharing respected regarding the read operation); that is, you cannot have 

Create

without

Read

enabled.

Edit

: Users can edit and read records (sharing respected); there can be no

Edit

without

Read

.

Delete

: Users can read, edit, and delete records (sharing respected); there can be no

Delete

without

Read

and

Edit

.

View All

: Users can see all the records of this object and thus sharing is not respected.

Modify All

: Users can read, edit, delete, transfer, and run approval on all the records of this object, thereby overriding the sharing settings.

View All and Modify All work like the View All Data and Modify All Data user permissions on profiles, but there should be a better alternative to convey better access granularity to records.

Object accessibility causes the object's tab to be visible to a given user.

Field-Level Security (FLS)

The concept of Field-Level Security (FLS) is easily pictured in the FLS settings for a given profile's access to an object:

You can define Read Access and Edit Access on fields (Edit Access requires Read Access). If you remove Read Access from a given field, the user won't be able to see that field on the object layout, even if the field has been added on that layout.

The same applies to Edit Access. If the record is in edit mode but the current user doesn't have Edit Access to that field, the field won't be writable.

Required fields (marked as required or master-detail fields) will always have read and edit access, while system fields (such as Created By or Created Date) will always be read-only.

If you want to see what determines field access, jump to Setup | Object Manager, look for any object, click on Fields & Relations, select any field, and click on the View Field Accessibility button to see the following display:

For every record type (if any) and profile, you will have a picture of field accessibility (Hidden, Read-Only, or Editable) on the assigned profile.

The Salesforce sharing model

Once you have selected which objects and fields a user can have CRUD access too, you need to know how to control record-level access. We can do this using Salesforce's sharing settings.

OWD sharing

To define the Organization-Wide Defaults sharing settings, go to Setup | Security | Sharing Settings:

A selection of standard objects and all custom objects can be set in this page.

By default, Salesforce uses role hierarchies to grant access to records to the users that belong to roles above a given user hierarchy. This means that if a user owns a record (whose object is set as Private in the OWD, so it should be only visible to its owner), using hierarchies, the manager user who is above that role can access the record as well.

If you change an object's OWD to a wider value (for example, from Private to Public Read-Only) the visibility is updated instantly: users who weren't able to access the records will immediately be allowed to do so.

If you restrict access (for example, from Public Read/Write to Private), Salesforce will start a recalculation that could take hours to complete, depending on the size of the dataset.

The OWD settings have the following values (a selection object has specific values that differ from this list):

Controlled by Parent

: If a record is a

child

 of another kind of record (for example, a contact is parented to an account), you can give this record the same access level as its parent. If a user can edit an account, then they're allowed to edit its children contacts as well. When a custom object is a

master-detail

 child of a standard object, the only available value is

Controlled by Parent

 and it is not editable.

Private

: Only the record's owner and users above their role hierarchy can view, edit, and report on the record.

Public Read Only

: The record is viewable and reportable by any user, but it can only be edited by its owner and users above the owner's hierarchy.

Public Read/Write

: The record is viewable and editable by any user in your organization. Only the owner can delete or manually share the record.

Public Read/Write/Transfer

: Available only on cases and leads, the transfer operation allows a record to be transferred of ownership, but only the owner can delete or manually share it.

Public Full Access

: Available only on campaigns, this allows all users to read, edit, and delete a campaign, regardless of whether they are the owner or not.

A user object has the following two available values:

Private

: A record is accessible by the owner (that is, the same user) and by the users on the hierarchy above it.

Public Read-Only

: The record is accessible by any user in the organization.

In order to improve recalculation performance, you can enable External Organization-Wide Defaults and change the way records are shared with external users (such as customer community users).

Some types of external users are as follows:

Authenticated website users

Chatter external users

Community users

Customer portal users

Guest users

High-volume portal users

Partner portal users

Service cloud portal users

It's good practice to set the Default External Access to Private and then extend accessibility using, for example, sharing rules or sharing sets for the external users only.

External access can be set for the following objects:

Account

Asset

Case

Contact

Individual

Opportunity

Order

User

Custom objects

To enable external OWD defaults, click on the Enable External Sharing Model button on the Setup | Security | Sharing Settings page. All external default values are matched with the internal settings.

Role hierarchies

With role hierarchies, users can have access to records that are owned by or have been shared with users below their hierarchy. In a few words, the CEO (the person with the highest role) can see any record owned by any user, while the Sales Manager can see records that are owned by or have been shared with sales representatives but cannot see records owned by Service Manager users.

This applies to objects with OWD set to Private or Read Only because of the principle that sharing can grant wider access and not restricted access.

To set up roles, go to Setup | Users | Roles:

You can create up to 500 roles for your organization.

Every user should have a role, otherwise their data won't show up on displays based on their role (such as an opportunities report and forecast rollups).

System administrator users may not have the role set, but it is good practice to fill in this field, especially if these users own records. If a role is not set, it is likely that their records won't appear on reports/views.

To avoid performance issues, no user should be able to own more than 10,000 records. If this is unavoidable (for example, the user is an integration user), assign that user a higher role to avoid complex sharing calculations.

Sharing rules

Sharing rules create exceptions for OWD settings and can grant wider access to public groups, roles, and territories.

Before we look at sharing rules in detail, let's talk about Groups.

Public and personal groups

Groups are sets of users and can contain users, other groups, and all the users in a given role or territory hierarchy (or even the users below that given role/territory, that is, the so-called subordinates).

Your organization supports public groups, which are created by administrators and can be used by any user, and personal groups, which are created by any user and only accessible to them.

Groups can be created for the following reasons:

For default sharing with sharing rules (only public)

To share a record with other users (both public and personal)

To share a Salesforce CRM Content library (only public)

To assign users to a selected action on Salesforce Knowledge (only public)

Since public groups are involved in sharing calculations to increase system performance, we need to take the following into account:

Avoid creating groups with few users (use manual sharing instead).

Don't adopt groups for users that need frequent move in and out.

Don't nest groups for more than five levels deep.

Enable 

Grant Access Using Hierarchies

on the public group configuration, but only if that group doesn't include a

ll internal users.

A group can contain the following:

Users

Public groups