I cleared the Salesforce Sharing and Visibility Designer certification on Jan 11th, 2019, and it helped me become a Salesforce Application Architect.

Let me quickly share the Exam Outline:
  • Total Number of Questions: 60 multiple-choice/multiple-select questions.
  • Time: 120 minutes
  • Passing Score: 68%
  • Registration Fee: USD 400; Retake Fee: USD 200
  • Prerequisite: None
In this blog post, I will share my notes and experience during the preparation and also during the exam. I hope it will help you in your #JourneyToCTA.
To me, the questions were very straightforward but very descriptive, so it took a lot of time to go through each entire question. Going through the entire question is very important because one single word can totally change your answer.
Before I started preparing, I went through the blog posts below, which helped me create a consolidated list that I am going to share here.
Below are the topics on which I received questions:

Understanding the Difference Between Profiles and Permission Sets

  • A profile is the user's base-level permission, and all users with the same profile have the same permissions.
  • A permission set is assigned to individual users on top of their profile to extend their visibility.
  • You can set Login IP, Login Hours, Session Settings, and Password Policies in profiles; these are not possible in permission sets.
  • Profiles have hidden permission sets.
  • You can set default apps in profiles, whereas setting a default app is not possible in permission sets. You can grant app access through both profiles and permission sets.

Difference Between Login IP and Trusted IP

  • Login IP is set at the profile level. Use case: you want internal employees to be able to log in to your org only from the corporate network. Anybody trying to log in from outside will be denied.
  • Trusted IP is set at the Network Access / org level. Anybody logging in from the defined IP range will not be asked to verify their identity. Otherwise, they need to verify their identity either through a mobile authenticator or through an email code.


Usage of System.runAs()

  • It is only applicable in test methods.
  • Since Apex always runs in system mode, the user's sharing settings are not enforced. That is why we need to use System.runAs() to change the user context, so that that user's sharing settings are enforced.
  • The runAs() method doesn't enforce user permissions or field-level permissions. It only enforces record sharing.
  • runAs() ignores user license limits, which means that in a test class you can still create users with runAs() even if you don't have licenses in your organization.
  • runAs() lets you avoid the Mixed DML exception in test classes.
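
The record-sharing and Mixed DML points above, as an added Apex test that is not part of the original notes. The class, role and record names are hypothetical, and it assumes the Account org-wide default is Private, no sharing rule exposes the record, a profile named "Standard User" exists, and the tests are run by an administrator.

```apex
// Added example; class, role and record names are hypothetical.
// Assumes Account OWD is Private and no sharing rule exposes the record.
@isTest
private class RunAsSharingDemoTest {

    // "with sharing" makes this query honor the running user's record access.
    private with sharing class AccountReader {
        public Integer visibleCount(Id accId) {
            return [SELECT COUNT() FROM Account WHERE Id = :accId];
        }
    }

    @isTest
    static void runAsEnforcesRecordSharing() {
        User other;
        // Setup-object DML (UserRole, User with a role) goes in its own runAs
        // block so it does not collide with the Account insert below (Mixed DML).
        System.runAs(new User(Id = UserInfo.getUserId())) {
            UserRole role = new UserRole(DeveloperName = 'Demo_Role', Name = 'Demo Role');
            insert role;
            Profile p = [SELECT Id FROM Profile WHERE Name = 'Standard User' LIMIT 1];
            other = new User(
                Alias = 'demo', LastName = 'Demo', Email = 'demo@example.com',
                Username = 'runas.demo.' + System.currentTimeMillis() + '@example.com',
                ProfileId = p.Id, UserRoleId = role.Id,
                EmailEncodingKey = 'UTF-8', LanguageLocaleKey = 'en_US',
                LocaleSidKey = 'en_US', TimeZoneSidKey = 'America/Los_Angeles');
            insert other;
        }

        // Non-setup DML: this account is owned by the user running the test.
        Account acc = new Account(Name = 'Private Demo Account');
        insert acc;

        AccountReader reader = new AccountReader();
        // The owner always sees their own record.
        System.assertEquals(1, reader.visibleCount(acc.Id));

        // Inside runAs the same query is evaluated with the other user's
        // record sharing, so the private account is not returned.
        System.runAs(other) {
            System.assertEquals(0, reader.visibleCount(acc.Id));
        }
    }
}
```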

Sharing Questions:

Sharing for Communities:

Enterprise Territory Management:

Identify Security threats and mitigation approaches:

  • SOQL Injection
  • XSS

Account Team:

  • Account teams share team roles with opportunity teams, so removing an account team role also removes that role from opportunity teams.
  • The account owner and users above the account owner in the role hierarchy can add, edit, and delete team members.
  • To add an account team member, you just need edit access to the account.
  • To edit/delete team members, you have to be:
    • The account owner
    • Above the owner in the role hierarchy
    • Any user who has full access to the account
    • An administrator
  • Access Levels for Account teams:
    • Only account owners and users above the account owner in the role hierarchy can:
      • Add team members who don't have even read permission on the account record.
      • Grant a team member access that is higher than the account OWD. Note: you can only grant greater access; you will never be able to restrict access.

  • Disabling Account Team:
    • Disabling account teams removes the team from all accounts and also deletes users' default account teams.
  • Removing Account Team Members
    • Removing a user from the account team will not remove the user from the opportunity team.
    • If a user is in your default account team and you remove that user from one account's team, it affects only that account, not your default account team.
  • Default Account Team
    • This is the default account team for each user. Users can select their default account team by going to the advanced settings.
    • While defining the default account team, you have the option to apply it to all your open accounts.
    • Clicking on “Add Default Team” from the account page layout’s related list will add the default team of the account owner, not the person who is clicking the button. Only admins and users above the account owner in the role hierarchy can add the default team to the account.
    • The access level can be set to the same as or wider than your OWD access.

Other Topics:

  • Encryption at rest and in transit
  • Usage of Protected Custom Metadata, Protected Custom Settings, Crypto Class.
  • Apex Managed Sharing and reason to avoid deletion of share record in case of record owner change.
  • How reports, dashboards and folders are shared.
  • List view accessibility.

Recommended Reading: