Salesforce Sharing-and-Visibility-Architect Salesforce Certified Sharing and Visibility Architect (SU24) Exam Practice Test

The three options that can change the owner of the opportunity are B, C, and E. The current opportunity owner can transfer the ownership to another user by editing the record or using the change owner button. The system administrator or a user with the “Transfer Records” permission can also change the owner of any record, regardless of the sharing settings. Someone above the opportunity owner in the role hierarchy can also change the owner, as they have full access to the records owned by users below them in the hierarchy. The other options are either incorrect or not possible.

Two platform features that can be used to support the requirements for granting access to Job records are “View All” profile settings and manual sharing. The “View All” profile setting can be enabled for the Delivery profile to grant them View access to all Job records regardless of ownership or role hierarchy. The manual sharing feature can be used by the Delivery user who owns a job to grant access to a Product Development user on a case-by-case basis

To increase performance of record access and sharing calculations, the architect should review the following areas: number of roles in the role hierarchy, number of sharing rules per object, and number of groups and group members. These areas can have a significant impact on how quickly and efficiently Salesforce can calculate and apply the sharing settings for each record. Custom object data, number of fields per object, and number of profiles in the org are not directly related to record access and sharing calculations.

 Instituting a business process that calls for the account manager to be added to the account team once the account becomes a customer, and creating a criteria-based sharing rule that shares the account to the account management group when the type is customer are two methods that could be used to enable this sharing requirement, assuming a private sharing model for accounts. These methods would ensure that only accounts with type customer are shared with the account management users, and only when they are involved in the account team. Creating a public list view, where accounts of type customer are included and share the list view with account management public group is not a method to enable sharing, as it only filters the records that are already visible to the users, not grant access to new ones. Creating an account sharing rule that shares all accounts owned by sales to be shared with account management roles and subordinates is not a method to enable this sharing requirement, as it would share all accounts regardless of their type

Implementing a third-party proxy server is the best technology to achieve the requirement of accessing on-premise information from Salesforce. A proxy server acts as an intermediary between Salesforce and the on-premise database, and it can handle authentication, encryption, and data transformation. Option A is incorrect, as tokenization is a technique to replace sensitive data with tokens, not to access on-premise data. Option B is incorrect, as it does not specify how Salesforce can connect to the on-premise database. Option D is incorrect, as Salesforce Shield is a set of tools to enhance data security and compliance in Salesforce, not to access external data sources.

Setting the Field Level Security for the Date of Birth field to be Visible to Customer Support Rep Profile, and set the Date of Birth Field Visible and Read-only to Banking Rep profile is the best approach to meet this requirement, as it allows admins to control who can see and edit a specific field on an object. Creating a Validation rule in the Data of Birth field so the rule returns true only when user.profilename matches Customer Support Rep will work, but it will require additional logic and error handling. Adding Date of Birth field to the Search layout of the Contact Object and modifying the Page layout assigned to Customer Support Rep and adding Date of Birth field as Required will not work, as it will only affect how the field is displayed and searched, not who can edit it.

 To optimize the process of managed sharing recalculations for the custom Job object, the architect can create public groups for each team and share the jobs with the groups instead of users. This way, the architect can avoid updating the sharing records every time a team member changes, and only update the public group membership instead. This reduces the number of sharing recalculations and improves performance

 Configuring organization-wide defaults of the Account object and creating sharing rules are two options that should be used together to achieve the requirements, as they allow admins to set the baseline level of access for accounts and then grant additional access based on criteria such as geographic location2. Creating the Account Team and adding branch manager team members will not work, as it will require manual maintenance and will not grant access to UC branch staff. Configuring Role Hierarchy will not work, as it will grant access based on the user’s position in the organization, not their geographic location

The roles that Universal Containers has set for Partners users who will see records owned by partner users in roles below them in the hierarchy are Executive, Manager, and User2. These are the default roles that are created when you enable Partner Super User Access in Salesforce2. Partner Super User Access allows partner users to access records belonging to users in their account at their same role or lower in the role hierarchy, for Cases, Leads, Opportunities and Custom Objects.

 Adding the user to the Sales Team for the Presentation record will not work, as Sales Teams are only available for standard objects, not custom objects. Giving Edit rights to the Presentation record via a Permission set will not work, as Permission sets are assigned to users, not records. The best option is to use a trigger on Presenter junction object that uses Apex Managed sharing to add or remove access to the related Presentation record based on the junction object records.

Sharing the folders with the Sales Managers profile is the best way to grant access to sales managers to automate access to these Public Reports and Dashboard folder, as it allows admins to share folders with users who have a specific profile4. Sharing the folders with a “Sales Managers” Public Group will work, but it will require manual maintenance and may not reflect changes in roles or positions. Sharing the folders with the lowest rates in the Role Hierarchy will not work, as folders cannot be shared with roles or subordinates.

The recommended way for the architect to implement this is to create an AccountShare record associated to a public group containing the role. This way, the architect can use Apex Managed Sharing to share certain account records with all users who are assigned to a specific role in the role hierarchy. Creating an AccountShare record associated to a public group containing the users in the role is not possible because public groups can only contain users, roles, or other public groups, but not a combination of them. Creating an AccountShare record associated to each user who is assigned to the role is not efficient because it requires more sharing records and maintenance. Creating an AccountShare record associated to the required role is not valid because AccountShare records can only be associated to users or groups, not roles1

 The Sharing button will appear on the Defect page layout if the sharing model is either Private or Public Read Only. This is because these are the only two settings that allow manual sharing of records. If the sharing model is Public Read/Write or Public Read/Write/Transfer, then manual sharing is not possible and the Sharing button will not appear

Public Groups and Roles and Subordinates are two options for sharing the List View with certain groups of users. Profiles and Manual Sharing are not valid options for sharing List Views

Two methods that will allow the architect to meet the requirements for creating a custom team solution on the custom Loan object are creating a custom trigger on the Custom Team object that inserts or updates records in the Loan_share object, and creating Apex Sharing Reasons on the Loan object to identify the reason the Loan record was shared. The custom trigger can use Apex Managed Sharing to grant Read Only or Read/Edit access to the Custom Team members based on the Primary field value. The Apex Sharing Reasons can be used to distinguish between different types of sharing and provide more granular control over access

Creating a permission set that grants the View All permission for Opportunity is the best approach to meet these requirements, as it will allow the sales reporting team members to view all opportunity records without modifying their profiles. Creating a permission set that grants the View All Data permission will work, but it will also grant access to all other objects, which may not be necessary or secure. Giving the View All Data permission to the Sales Reporting profile will work, but it will also affect all users with that profile, which may not be desired.

The user can be granted edit access to the record if they are not the owner by creating an Apex trigger to insert an Employee Review Share record with an access level of Edit. This is a programmatic way of extending sharing access to a specific user based on a lookup field.

Creating a criteria-based sharing rule giving the Retail Sales role access to Accounts of type PersonAccount is the best option to meet these requirements, as it will grant access to all retail customers based on a field value, regardless of ownership2. Creating an owner-based sharing rule on AccountContactRelation will not work, as it will only grant access to account contact roles records owned by retail sales reps, not all retail customers. Updating the Retail Sales profile to grant access to Person Account record type will not work, as it will only control the record type visibility, not the record visibility.

To improve performance when a dummy user owns more than 10,000 lead records, it is recommended to assign ownership to a small number of users and do not assign a role to the dummy user. Assigning ownership to a small number of users reduces the number of sharing calculations and recalculations that occur when role hierarchy changes. Not assigning a role to the dummy user prevents the dummy user from granting access to other users in the role hierarchy

 When using the runAs() method to design Apex unit tests, the architect should consider that runAs() does not enforce user permissions or field-level permissions in test classes, runAs() can be used inside of test classes to validate record-level security, and runAs() counts towards total DML statements issued within transaction. These are important considerations to ensure that the test classes cover all possible scenarios and do not exceed governor limits. runAs() cannot be used outside of test classes to bypass record-level security, and runAs() cannot be used inside of test classes to validate field-level permissions

The reason why there are many duplicate Account records and numerous sharing rules created in Salesforce is that the Organization-Wide Default for the Account object is Private4. This means that users can only see their own accounts and those shared with them explicitly by sharing rules or other means. This could lead to users creating duplicate accounts without knowing that they already exist in Salesforce. If the Organization-Wide Default for the Account object is Public Read/Write or Public Read Only, users would be able to see all accounts in Salesforce and avoid creating duplicates. The Object permissions for the Account object are not relevant for this question.

According to this source, if an object is set to Controlled by Parent in its organization-wide default settings, then access to its records is determined by the parent record. In this case, since Case object has View All permission for service reps, they will be able to access all contact records related to those cases, regardless of their ownership or sharing rules. However, they will not be able to access all account records, since account object has Private OWD and no other sharing mechanism is mentioned. The other options are not correct.

The record owner and any user above the external user in the role hierarchy have access to opportunity records owned by an external user. This is because external users are always at the bottom of the role hierarchy and do not grant access to users below them. The record owner and all internal users do not have access to opportunity records owned by an external user unless they have other sharing mechanisms such as sharing rules or manual sharing

The user groups that can add team members on the Account are the current Account Owner and someone above the Account Owner in the Role Hierarchy with read access3. The user specified as the Manager on the Owner’s User record and any Account Team Member with read access on the Account cannot add team members on the Account.

The expected behavior if a user without FLS accesses the VF page is that the field is automatically removed from the page. This is because apex:outputField respects FLS settings and will not render any field that the user does not have read access to. The user will not encounter any error, see the output field, or enter any value into the phone field

A sales rep who is added to an opportunity team with Read/Write permissions can perform actions such as updating opportunity fields, adding products, creating tasks, and logging calls4. Therefore, updating opportunity stage is an action that she is allowed to perform in the opportunity. Adding or removing members in the opportunity team is an action that only the opportunity owner or users above the owner in the role hierarchy can perform. Replacing opportunity owner is an action that only the current owner or users above the owner in the role hierarchy can perform.

A workaround to ownership data skew is to minimize possible performance impacts by not assigning the user(s) to a role. Ownership data skew occurs when a single user owns a large number of records (more than 10,000) of an object, which can cause performance issues when sharing calculations are performed. By not assigning the user to a role, you can prevent the sharing rules from being applied to the records owned by that user, and reduce the number of rows in the sharing tables.

The best way to review access to a certain set of key customer accounts is to export the Account Share table and review it. The Account Share table stores all the sharing records that grant access to accounts, including manual sharing, sharing rules, team sharing, and implicit sharing4. The other options are either not feasible or not comprehensive.

Three advanced tools that Salesforce can enable for large-scale role hierarchy realignments in organizations with large data volumes are partitioning by divisions, deferred sharing calculation, and skinny table indexing. Partitioning by divisions allows the organization to segment data into logical sections based on business criteria, which reduces the number of records that need to be recalculated when role hierarchy changes. Deferred sharing calculation allows the organization to postpone the sharing recalculation until a scheduled time, which avoids impacting users during peak hours. Skinny table indexing allows the organization to create custom indexes on frequently used fields, which improves query performance and reduces locking contention

The term that describes the situation when you make changes to roles and groups Salesforce locks the entire group membership table is Granular Locking. Granular Locking is a feature that improves the concurrency and performance of sharing operations by locking only the affected nodes in the role or territory hierarchy, instead of locking the entire hierarchy. This allows multiple sharing operations to run in parallel without causing lock contention or blocking each other.

 Enabling opportunity teams and allowing users to add the product manager is the best way to accomplish the requirement, as it allows for granular and flexible sharing of opportunities with specific users who are involved in the deal. Creating a sharing rule to allow the product manager to access the opportunity is not feasible, as it would require a criteria or an owner-based rule that would apply to all product managers and opportunities, not just specific ones. Enabling account team and allowing users to add the product manager is not sufficient, as it would only grant access to the account, not the opportunity. Using similar opportunities to share opportunities related to the product manager is not relevant, as it is a feature that helps users find and update similar opportunities based on fields and filters

 The option that supports this requirement is B. To restrict users’ access to export reports, the administrator can remove the “Export Reports” user permission from their profile or permission set. The “Report Manager” user permission is not related to exporting reports, but to creating and managing report folders.

The best solution for this scenario is to grant managers access to the fields using field-level security, and do not add them to a page layout. This way, the managers can see the fields in reports, but not on the account record detail page. The other options are either not feasible or not effective.

Programmatic sharing is the best option to share accounts automatically based on a lookup field, as it allows for more flexibility and scalability than manual sharing, account teams, or criteria-based sharing. Manual sharing is not automatic and requires user intervention. Account teams are not suitable for large numbers of users and accounts. Criteria-based sharing does not support lookup fields as criteria

 To prevent orders from being deleted in the future, a Salesforce Architect should recommend removing Order delete permission from profiles and permission sets, and changing the record type/page layout assignment for orders to be read only. Removing Order delete permission will prevent users from deleting any order records, regardless of their ownership or sharing. Changing the record type/page layout assignment will prevent users from editing any order fields, regardless of their field-level security. Implementing a sharing rule that changes access for order to read will not work, as it will only affect the record-level access, not the field-level access or the delete permission. Removing the Delete button from the order page layout will not work, as it will only affect the user interface, not the API or other ways of deleting records.

The side effect of granting opportunity access to sales reps on the same team using ownership-based sharing rules is that all sales reps will have Read access to all accounts. This is because ownership-based sharing rules are based on the role or territory of the owner of the record, and they grant access to both the record and its parent account. Therefore, if a sharing rule grants Read access to opportunities owned by users in a certain role or below, it also grants Read access to the accounts of those opportunities4. Sales reps on the same team will not have Edit access to the accounts for opportunities owned by their peers, as sharing rules only grant Read or Read/Write access, not Edit access. Sales reps on the same team will not have Read access to the accounts for opportunities owned by their peers only, as sharing rules grant access to all accounts in the specified role or below, not just their peers. All sales reps will not have Read access to accounts for all opportunities, as sharing rules only grant access to accounts for opportunities owned by users in a certain role or below, not all opportunities.

 Searching for external users is the community functionality that is impacted by having the customer user visibility turned off. When customer user visibility is turned off, community users cannot find or interact with other community users in global search, people search, or chatter. Option B is incorrect, since updating their user profile is not affected by customer user visibility. Option C is incorrect, since creating new customer community users is not affected by customer user visibility. Option D is incorrect, since searching for internal users is not affected by customer user visibility.

 Controlling the invoices object permission on the sales manager’s profile is how the architect can grant the sales managers access to the customer invoices data. Object permissions determine whether a user can create, read, edit, or delete any record of that object. Since invoice data is surfaced in Salesforce using external objects, sales managers need to have at least read permission on the invoice object to view the customer invoices data. Option A is incorrect, since sharing rules are not available for external objects. Option B is incorrect, since manual sharing is not available for external objects. Option D is incorrect, since sharing sets are not available for external objects.

The architect can configure the system to support the requirements by using a sharing rule. A sharing rule is a declarative way of extending record access to users or groups of users based on criteria such as ownership, role, or field values3. In this case, the architect can create a sharing rule that grants read or read/write access to all records owned by customer community users to UC users in the customer support role. A sharing set is used to grant access to community users based on a common account or contact, not to internal users. A share group is used to share records with groups of community users who have Customer Community Plus or Partner Community licenses, not with internal users. Apex sharing is used to programmatically share records when declarative sharing cannot fulfill complex requirements, but it is not necessary in this case.

Using Account teams, Opportunity teams, and Case teams is the best way to achieve these requirements. Account teams allow you to share accounts and related records with a group of users. Opportunity teams allow you to share opportunities with a group of users who can have different levels of access. Case teams allow you to share cases and related records with a group of users who can have different roles and levels of access. Using Sharing rules to share cases with sales associates will not work, because sharing rules can only be based on record owner or criteria, not on account team membership. Using Account Teams to define access to accounts as well as opportunities and cases related to accounts will not work, because account team members can only have read-only access to cases by default.

Disabling Grant Access Using Hierarchies and setting an Owner-Based Sharing rule for Strategic Deals team is the best way to design for this requirement. This will ensure that only the owner and the strategic team can access the confidential proposals, regardless of the role hierarchy. Setting the Proposal Owner to the Strategic Deals Team Queue will not work, because queues can only own leads, cases, orders, and custom objects. Setting a Criteria-Based Sharing rule for Strategic Deals team will not work, because criteria-based sharing rules can only grant access, not restrict it.

Removing order delete permission from profiles and permission sets is the best approach to ensure that order records cannot be removed from the system in the future. This way, only users with the Modify All Data permission can delete order records. Option A is incorrect, since removing the delete button from the order page layout would not prevent users from deleting order records using other methods, such as data loader or API. Option B is incorrect, since changing the record type/page layout assignment for orders to be read-only would not affect the delete permission, but only the edit permission. Option D is incorrect, since implementing a sharing rule that changes access for the records to read would not prevent users from deleting order records that they own.

The field has been configured for encryption, which might cause it to not show up on the list of available fields for creating a criteria-based sharing rule. Encrypted fields are not available for sharing rules, as they may contain sensitive data that should not be exposed. Option B is incorrect, since the architect does not need permission to Compliance fields to create a sharing rule. Option C is incorrect, since the architect’s profile does not need field-level security for this field to create a sharing rule. Option D is incorrect, since fields with validation rules are available for sharing rules.

A sharing set is the best way to share cases with partner users based on a common account. Sharing sets are available for Partner Community licenses and can grant access to related records using predefined criteria1. Option A is incorrect, since changing the external OWD to public read only would give access to all cases to all partner users, not just the ones related to their account. Option B is incorrect, since sharing rules are not available for partner users. Option C is incorrect, since the role hierarchy does not apply to partner users

Cloning the Sales Rep profile, adjusting settings, and assigning the pilot users the new profile is the optimal way to grant only this Sales Reps access to the new functionality, while hiding it from other users. This way, the pilot users can have different permissions and access than the other Sales Reps who are not part of the pilot. Option B is incorrect, since revoking access to legacy function in the Sales Rep profile and creating a permission set for the new functionality would affect all Sales Reps, not just the pilot users. Option C is incorrect, since creating a permission set to grant access to the new functionality and hide the old functionality would not work, as permission sets cannot revoke access. Option D is incorrect, since creating new user records for the pilot user that they will use for the pilot would be unnecessary and inefficient.

 Creating a specific Sharing Reason for the custom object is the best way to make sure that users that gained access to a custom object do not lose access to it when its owner is changed. Sharing Reasons are labels that identify why users or groups have access to records. They are used in Apex managed sharing, which allows developers to programmatically create and maintain sharing rules1. Using ‘‘runAS’’ system method in Apex classes to enforce record visibility, creating a new record in_Share object with RowCause ‘‘Manual’’, and using ‘‘With Sharing’’ keyword to make sure record visibility will be considered are not ways to prevent losing access when the owner changes.

 Adding the product specialist and solution engineer to the opportunity team is the optimal way for the junior account manager to share the opportunity, given the private sharing model. Opportunity teams are groups of users who work together on sales opportunities. Adding users to an opportunity team grants them access to the opportunity and related records. This way, the junior account manager can collaborate with the product specialist and solution engineer on the complex deal, and when the account is reassigned to a senior account manager, the opportunity team members will retain their access. Option A is incorrect, since manual sharing on the opportunity would be removed when the account owner changes. Option C is incorrect, since manual sharing on the account would not grant access to the opportunity, as it does not roll up from account to opportunity. Option D is incorrect, since creating an owner-based sharing rule would be unnecessary and inefficient.

Creating a Share Group based on the sharing set created for the Customer Community User Profile is the best way to give support representatives access to Container and Case records owned by Customer Community users. Share Groups are groups of users who have access to records based on a sharing set. Sharing sets are settings that grant community users access to records that have a lookup relationship to their user record1. Creating an ownership-based sharing rule, creating a criteria-based sharing rule, and relying on the role hierarchy are not options that can achieve the same result.

The OWD for pricebook should be set to Use, which means that users can only view and use price books that are shared with them. This way, sales agents can have access to products and create opportunities for their customers. Option A is incorrect, since Public Read Only would give access to all price books to all users. Option B is incorrect, since Public Read Write would give access and edit rights to all price books to all users. Option C is incorrect, since View is not a valid OWD setting for pricebook.

The most likely reason why some users cannot see the accounts shared with the public group is that their profiles do not have access to the account object. Sharing rules and public groups cannot grant access to an object that is not enabled by the profile. Option A is incorrect, since permission sets do not control record status. Option B is incorrect, since the role hierarchy does not affect sharing rules. Option D is incorrect, since page layouts do not affect visibility

Assigning users profiles and unlocking users are two capabilities that the delegated administrator permission provides. Delegated administrators are users who can perform certain administrative tasks on behalf of administrators. These tasks include assigning users to specified profiles or permission sets, creating and editing users in specified roles or groups, unlocking users who have exceeded their login attempts limit, resetting passwords for users in specified roles or groups, logging in as users who have granted login access to administrators. Option C is incorrect, since setting OWD is not a capability that delegated administrators have. Option D is incorrect, since creating profiles is not a capability that delegated administrators have.

To audit user setup in Salesforce, the team needs to have both View Setup and Configuration and View All Users permissions. View Setup and Configuration allows them to access the setup menu and see the user profiles, roles, and permission sets. View All Users allows them to see all the user records and their details, such as login history and assigned licenses

Reviewing the user provisioning process to not automatically create a user role for any new user and contacting Salesforce support and requesting to increase the number of users’ roles allowed are two recommendations that could solve this problem. Salesforce has a limit on the number of roles that can be created in an organization, which depends on the edition and the number of licenses. If this limit is reached, no more roles can be created unless the limit is increased by Salesforce support. Therefore, it is not advisable to create a new role for every new user, as this would quickly exhaust the limit and cause the “User Role Limit Exceeded” error. Option B is incorrect, since removing role hierarchy from Salesforce org and controlling the record access using Apex managed sharing would be a complex and custom solution that would not address the root cause of the problem. Option D is incorrect, since creating an Apex class to replace the User Roles by generic one as soon as they are created would be unnecessary and inefficient.

Only Bob can view the file that he uploads to his Files Home private library. Users above Bob in the role hierarchy, users with View All Data permission, or users with Modify All Data permission cannot access the file unless Bob explicitly shares it with them

Public Read Only is the best organization-wide default configuration to fulfill the requirements. Public Read Only means that all users can view all records, but only the owners and those above them in the role hierarchy can edit them3. This matches the requirements for sales users and sales managers. For service users, a record type-based sharing rule can be created to restrict their access to accounts with a RecordType of Prospect. Public Read Write, Private, and Public Read/Transfer are not suitable configurations for the requirements.

 Cross-Site Scripting (XSS) and SOQL Injection are two common types of security vulnerabilities that can affect Salesforce applications. XSS occurs when malicious code is injected into a web page that can execute in the browser of a user who visits that page6. SOQL Injection occurs when user input is used to construct a SOQL query without proper validation or escaping, which can allow an attacker to manipulate the query and access unauthorized data7. To prevent XSS, developers should use appropriate encoding methods when displaying user input on custom pages8. To prevent SOQL Injection, developers should use bind variables or the escapeSingleQuotes() method when building SOQL queries with user input9. Option A is incorrect, since Apex queries are not vulnerable to XSS. Option D is incorrect, since testing for invalid user access attempts is not related to security vulnerabilities within the Salesforce organization.

Using bind variables or the escapeSingleQuotes() method are two techniques that can prevent SOQL Injection attacks by ensuring that user input is treated as literal strings rather than part of the query9. Bind variables are preferred over escapeSingleQuotes(), as they also improve performance and readability of the code10. Option A is incorrect, since escaping double quotes in the user input does not prevent SOQL Injection. Option D is incorrect, since using the with Sharing keyword on the controller does not affect SOQL Injection, but rather enforces record-level access based on the user’s profile and sharing rules.

 Creating an ownership-based sharing rule is the best way to achieve the requirements. Ownership-based sharing rules allow administrators to automatically grant access to records owned by certain users or roles to other users or roles2. This way, the sales manager in Australia can access the deals owned by the sales manager in Japan. Using sharing set, using opportunity teams, and assigning View All on the opportunity object are not options that can achieve the same result.

Lead and Case are two objects that support creating queues. Queues are used to route records to a group of users who share workloads. Queues are available for standard objects such as Lead and Case, and custom objects that have a queue-supported lookup field. Option A is incorrect, since Account does not support creating queues. Option B is incorrect, since Opportunity does not support creating queues.

 Ownership-based sharing rules are a way to grant access to records based on the record owner’s role or public group membership. Ownership-based sharing rules can be used to share records with Partner Community users, who are not supported by sharing sets. In this case, ownership-based sharing rules can be used to share Case and Container records owned by partner managers and partner users with other partner managers at the same distributor. Therefore, the answer D is correct and the other options are incorrect .

Enabling Community User Visibility is the best option to allow viewing chatter posts from all customers. Community User Visibility is a setting that allows community users to see and interact with other community users, regardless of their account or role2. Setting View All for Chatter posts, enabling Chatter Super User, and enabling Internal Users Visibility are not options that can achieve the same result.

 Setting the OWD for internal users to Public Read Only is the simplest and most efficient way to give access to all internal employees to the ServiceFeedback object. Option A is incorrect, since creating a trigger on ServiceFeedback to change ownership to an internal employee would be complicated and affect the data quality. Option B is incorrect, since ensuring all the internal users are above the partners in the role hierarchy would not work, as the role hierarchy does not apply to partner users. Option C is incorrect, since creating an owner-based sharing rule for all ServiceFeedback records owned by partners would be redundant and inefficient

The sales rep will have read-only access to the related account record. This is because the organization-wide default for the account object is private, which means that users can only access the accounts that they own or are shared with them. However, when a user has access to an opportunity, they also have implicit read-only access to the account associated with that opportunity1. This is called implicit sharing and it allows users to view the parent records of the child records they own or can access2. Therefore, the sales rep can view the account record related to the opportunity, but cannot create, edit, or delete it.

SOQL injection is a vulnerability that can exist when controllers use dynamic rather than static queries and bind variables. SOQL injection is a technique that exploits a security vulnerability by inserting malicious SOQL statements into an existing query. This can result in data loss, data exposure, or unauthorized access1. Buffer overflow attacks, cross-site scripting, and record access override are not vulnerabilities related to dynamic queries and bind variables.

List views are a way to filter and display records of a specific object based on certain criteria. List views can be shared with all users, a group of users, or only the owner of the list view. To share a list view with a group of users, such as sales executives who specialize in closing problematic deals, the architect can recommend creating a public group that includes those users and sharing the list view with that public group. Therefore, the answer B is correct and the other options are incorrect 

A new AccountShare record is created with Row Cause as “Manual” and Access Level as “Read/Write” when Paul manually shares the record with John. This record grants John edit access to the account owned by Paul. Option B is incorrect, since an existing AccountShare record is not updated, but a new one is created. Option C is incorrect, since the Row Cause is not “Owner”, but “Manual”. Option D is incorrect, since an existing AccountShare record is not updated, but a new one is created.

Setting the External OWD to Private for the Delivery object is the best approach to limit the records a distributor can see, since it will restrict the access to only the records they own or are shared with them. Option A is incorrect, since ownership-based sharing rules are not available for partner community users. Option B is incorrect, since removing Read permission from the distributor profile would prevent them from accessing any delivery records. Option D is incorrect, since criteria-based sharing rules are not available for partner community users.

Apex sharing is a way to programmatically grant access to records for users or groups of users. Apex sharing can be used to share records with Customer Community Plus users, who are not supported by other declarative sharing options such as sharing sets or sharing rules. Apex sharing uses the Account__Share table to store the sharing information for the Account object. Therefore, the answer A is correct and the other options are incorrect

The architect can design the solution to federate user setup to the partners by assigning delegated external administrators at each partner and allowing external users to self-register. A delegated external administrator is a user who can create and manage users in their own partner account. This way, the partners can have more control over their seasonal workers and reduce the administrative burden on UC. Allowing external users to self-register is another way of simplifying user creation and management for partners, as they can enable their workers to create their own accounts and log in to the community. Granting the Modify Users permission to the partner managers is not a good practice, as it would give them too much power over all users in the org. Creating a permission set giving Read/Write to the User object to partner manager is also not advisable, as it would expose sensitive user data and allow unauthorized changes.

Susan and users with the View All Data permission and Susan and users with access to the record are two statements that accurately describe who can view the file by default. When a file is posted to a record’s feed, it inherits the sharing settings of that record. Therefore, only users who can view the record can view the file. Users with the View All Data permission can view all records and files in the organization. Option C is incorrect, since users with a shared chatter post link to the file can only view the file if they have access to the record as well. Option D is incorrect, since Susan is not the only one who can view the file, but also users who have access to the record or the View All Data permission.

The Apex method that must be used to make sure only allowed fields are shown to the users is isAccessible(). This method returns true if the user has read access to the field, and false otherwise2. isReadable(), isShowable(), and isViewable() are not valid Apex methods for checking field-level security.