Granular Locking is an advanced tool that allows admins to enable or disable locking behavior for specific objects when making changes to roles or account owners, which can improve performance and avoid locking issues for large-scale role hierarchy realignments1. Partitioning by Divisions is a feature that allows admins to segment data into logical subsets for reporting and searching purposes, but it does not affect role hierarchy realignments. Skinny Table Indexing is a feature that improves performance by storing frequently used fields in a separate table, but it does not affect role hierarchy realignments.

The roles that Universal Containers has set for Partners users who will see records owned by partner users in roles below them in the hierarchy are Executive, Manager, and User2. These are the default roles that are created when you enable Partner Super User Access in Salesforce2. Partner Super User Access allows partner users to access records belonging to users in their account at their same role or lower in the role hierarchy, for Cases, Leads, Opportunities and Custom Objects.

To support the requirement of allowing only the owner and users in the Delivery profile to view and edit Job records, you need to use three platform sharing tools:

Organization-Wide Default sharing setting of Private on the Job Object: This will restrict access to Job records to only the owner by default.

Grant access Using Hierarchy sharing setting on the Job Object set to false: This will prevent users above the owner in the role hierarchy from accessing Job records.

“Modify All” permission for Job Object on the Delivery Profile: This will grant users in the Delivery profile full access to all Job records regardless of ownership.

Criteria-Based sharing rule and “View All Data” profile permission are not required for this scenario. Criteria-Based sharing rule would grant additional access to users who meet certain criteria, which is not necessary. “View All Data” profile permission would grant access to all data in the organization, which is too broad and may violate data security.

According to this source, the runAs system method in test classes can be used to test using different users and profiles, and the with sharing keyword in Apex classes can be used to enforce record visibility rules. The other options are not valid keywords in Apex

To store sensitive invoice data in Salesforce, the architect should consider using a master-detail relationship between accounts and invoices, and setting the organization-wide default sharing for invoices to private. This would ensure that only the owners of the invoices and their subordinates can see them, and that the invoices inherit the sharing settings of the accounts. A workflow that populates the invoice sharing object upon insert is not necessary if the master-detail relationship is used. A lookup relationship between accounts and invoices would not enforce the same level of security and visibility as a master-detail relationship3

To reduce redundant leads and restrict their editing and reassignment, a Salesforce Architect should recommend implementing a private OWD on Lead. A private OWD means that only the owner of the lead record and users above them in the role hierarchy can view, edit, or transfer the lead. This will prevent duplicate leads from being created by other users, and also ensure that only the lead owner can modify or reassign the lead. Implementing a public read only OWD on Lead will not work, as it will allow other users to view the lead records, which may lead to duplication. Implementing a public read only/transfer OWD on Lead will not work, as it will allow other users to transfer the lead records to themselves or others. Implementing a public read/write OWD on Lead will not work, as it will allow other users to edit or reassign the lead records.

Private Account Sharing with Sharing Rules from Commercial Sales Group(s) to Commercial Support Group(s) and Consumer Sales Group(s) to Consumer Support Group(s) is the recommended Org-Wide Sharing Default for Accounts and the way to enable proper Commercial and Consumer Sales to Support Account Sharing for this scenario. This way, the sales and support departments can share their customers with each other, but not with the other departments. The other options are incorrect because they either do not allow the sales and support departments to share their customers (A and B) or they allow too much access to the accounts ©.

To ensure the data security of the custom web service, the Architect should consider the following design elements:

Query the Orders object with Dynamic SOQL based on the fulfillment ID: This will allow the web service to filter the orders based on the input parameter and return only the relevant records to the business partner.

Set the Orders object’s sharing settings to Private in the Org-Wide Defaults: This will restrict access to the Orders object to only the owner and users above them in the role hierarchy by default, and prevent unauthorized access from other internal or external users.

Develop a custom Apex web service using the “With Sharing” keyword: This will enforce the sharing rules defined for the Orders object and respect the record-level access of the web service user.

The architect can achieve this requirement by using a permission set. A permission set is a collection of settings and permissions that give users access to various tools and functions3. The architect can create a permission set that grants edit access to the flag field on the case object, and assign it to the users who are assigned as case assessors. Object permissions control the access level that users have to records, not fields. A custom lightning component is not necessary for this requirement, as it can be done declaratively. Field-level security controls the visibility of fields on page layouts and reports, not the editability.

A sales rep who is added to an opportunity team with Read/Write permissions can perform actions such as updating opportunity fields, adding products, creating tasks, and logging calls4. Therefore, updating opportunity stage is an action that she is allowed to perform in the opportunity. Adding or removing members in the opportunity team is an action that only the opportunity owner or users above the owner in the role hierarchy can perform. Replacing opportunity owner is an action that only the current owner or users above the owner in the role hierarchy can perform.

Using Dynamic Form to add different page sections and control visibility of sections by Work Order RecordType value is the best option to implement this requirement, as it will allow field agents to see only required information specific to the WorkOrder type they are addressing, without creating multiple page layouts or custom components. Using a custom LWC to override the view action of WorkOrder with custom metadata type defining relevant fields per WorkOrder type will work, but it will require additional development and maintenance. Using different page layouts per work order type with different sections representing key information about the specific work order type will work, but it will require creating multiple record types and page assignments.

To support the requirements with the minimum amount of effort, three platform security features that are required are criteria-based sharing rules, role hierarchy, and permission sets. Criteria-based sharing rules can be used to share all accounts with the custom field “Kay Customer” to all senior account managers based on a filter condition. Role hierarchy can be used to grant access to accounts that users or their subordinates own based on the ownership and role level. Permission sets can be used to grant view and edit access to the custom field that contains sensitive information to the three designated users, regardless of their user groups or profiles

The user who posted the file and users with access to the record can view the file by default, as files posted to a record’s feed inherit the record’s sharing settings3. Users with a shared chatter post link to the file will not be able to view the file by default, unless they also have access to the record. Only the user who posted the file will not be able to view the file by default, as other users who have access to the record can also view it.

Creating a custom object for defects and relating it to cases using lookup is the best option to meet the requirement. This way, the defects can have their own fields, owners, and security settings, and they can be related to multiple cases. The standard defect object does not exist in Salesforce, so option A is incorrect. Option C is not scalable or flexible, as it would require adding many fields to the case object and limit the number of defects per case. Option D is also not suitable, as it would make the defects dependent on the cases and delete them if the cases are deleted.

The recommended way for the architect to implement this is to create an AccountShare record associated to a public group containing the role. This way, the architect can use Apex Managed Sharing to share certain account records with all users who are assigned to a specific role in the role hierarchy. Creating an AccountShare record associated to a public group containing the users in the role is not possible because public groups can only contain users, roles, or other public groups, but not a combination of them. Creating an AccountShare record associated to each user who is assigned to the role is not efficient because it requires more sharing records and maintenance. Creating an AccountShare record associated to the required role is not valid because AccountShare records can only be associated to users or groups, not roles1

 Instituting a business process that calls for the account manager to be added to the account team once the account becomes a customer, and creating a criteria-based sharing rule that shares the account to the account management group when the type is customer are two methods that could be used to enable this sharing requirement, assuming a private sharing model for accounts. These methods would ensure that only accounts with type customer are shared with the account management users, and only when they are involved in the account team. Creating a public list view, where accounts of type customer are included and share the list view with account management public group is not a method to enable sharing, as it only filters the records that are already visible to the users, not grant access to new ones. Creating an account sharing rule that shares all accounts owned by sales to be shared with account management roles and subordinates is not a method to enable this sharing requirement, as it would share all accounts regardless of their type

The potential vulnerabilities in the code snippet are SOQL Injection and Data Access Control. SOQL Injection is a technique that exploits a security vulnerability in a database layer of an application. It occurs when user input is directly appended to a SOQL query string, which allows attackers to execute arbitrary SOQL commands2. Data Access Control is a mechanism that ensures that users have appropriate permissions to access data in Salesforce. It involves checking the object-level, field-level, and record-level access of the user before performing any data operation3. The code snippet does not perform any FLS check or data access control check, which could expose sensitive data to unauthorized users or allow them to modify data without proper permissions3. Arbitrary Redirects are not a vulnerability in this code snippet, as they occur when a web application accepts untrusted input that could cause the web browser to redirect the user to a malicious website

 According to this source, the Manage Dashboards permission allows users to create, edit, and delete dashboards in any folder they have access to, and the View All Data permission allows users to view all data in the org regardless of sharing settings. The other options are not necessary for creating a dashboard to compare sales numbers.

When a user transfers ownership of a record to another user, the original owner loses access to the record unless they have access through other means, such as role hierarchy, sharing rules, teams, etc. In this case, since both Sales Rep A and B have the same role in the role hierarchy, and the sharing model for the Opportunity object is private, Sales Rep A will have no access to the Opportunity after the transfer

Three advanced tools that Salesforce can enable for large-scale role hierarchy realignments in organizations with large data volumes are partitioning by divisions, deferred sharing calculation, and skinny table indexing. Partitioning by divisions allows the organization to segment data into logical sections based on business criteria, which reduces the number of records that need to be recalculated when role hierarchy changes. Deferred sharing calculation allows the organization to postpone the sharing recalculation until a scheduled time, which avoids impacting users during peak hours. Skinny table indexing allows the organization to create custom indexes on frequently used fields, which improves query performance and reduces locking contention

 Adding the user to the Sales Team for the Presentation record will not work, as Sales Teams are only available for standard objects, not custom objects. Giving Edit rights to the Presentation record via a Permission set will not work, as Permission sets are assigned to users, not records. The best option is to use a trigger on Presenter junction object that uses Apex Managed sharing to add or remove access to the related Presentation record based on the junction object records.

According to this source, if an object is set to Controlled by Parent in its organization-wide default settings, then access to its records is determined by the parent record. In this case, since Case object has View All permission for service reps, they will be able to access all contact records related to those cases, regardless of their ownership or sharing rules. However, they will not be able to access all account records, since account object has Private OWD and no other sharing mechanism is mentioned. The other options are not correct.

The Internal Default sharing settings for a custom object can be either Public Read/Write or Public Read Only if the External Default sharing setting is set to Public Read Only1. Controlled by Parent and Private are not valid options because they would not allow external users to access the custom object records.

Using Encryption Policy and contacting Salesforce to update the existing records so that their field values are encrypted is the best way to proceed with this new policy change, as it allows admins to encrypt standard and custom fields using Platform Encryption without changing existing business processes3. Using Classic Encryption will not work, as it only supports a limited number of fields and requires changes to the data model and code. Waiting for an email from Salesforce indicating the field values are encrypted will not work, as encryption policy does not automatically encrypt existing records.

The employees who will have access to the NewWorld account are A, Bob and Phil. Bob will have access because he is above Phil in the role hierarchy, and Phil will have access because he is the new owner of the account. Richard and Kevin will not have access because they are not related to Phil by role or account team, and Karen will not have access because she has moved to a new role and lost her manual sharing access.

Using a trigger on Case to lookup and share to the manager of an Assigned Agent custom field using Apex Managed Sharing would allow the HR representative to control the visibility of the case based on the subject of the complaint. Criteria-based sharing rules cannot be used to exclude a specific user from seeing a record. Changing the owner of the case would affect other aspects of data visibility and security.

According to this source, submitting to Force.com Security Scanner, using web application security tools, and using debug logs to check hijacked requests are some of the ways to make sure Visualforce pages are secure. The other options are not sufficient or recommended.

 To grant the sales managers access to the customer invoices data, the architect should control the invoices object permission on the sales manager’s profile. This will allow the sales managers to view and query the external object records, as long as they have access to the parent account records. Creating a sharing set or a sharing rule will not work, as they are not supported for external objects. Using manual sharing will not work, as it is not available for external objects

Disabling Grant Access Using Hierarchies for the object and creating a sharing rule to enable sharing to the Director of Support are the steps to ensure proper sharing in this role hierarchy structure. This way, the Team Leads will not have access to the Reimbursement records of their subordinates, but the Director of Support will have access to all Reimbursement records. Option A is incorrect, as setting the View All permission on the profile will grant access to all users with that profile, not just the Director of Support. Option B is incorrect, as changing the owner of the Reimbursement record will remove the access from the original submitter. Option D is incorrect, as by default, Grant Access Using Hierarchies is enabled for custom objects, which means that Team Leads will have access to their subordinates’ Reimbursement records.

Lead and Case are two objects that support creating queues. Queues are used to route records to a group of users who share workloads. Queues are available for standard objects such as Lead and Case, and custom objects that have a queue-supported lookup field. Option A is incorrect, since Account does not support creating queues. Option B is incorrect, since Opportunity does not support creating queues.

The option that the architect should consider when designing a solution is using the SOAP API to maintain the related SObject_share records. This option allows Universal Containers to integrate Salesforce with an external system to control record access programmatically by creating or updating sharing records for each SObject. The Security API does not exist in Salesforce, and the Metadata API cannot be used to maintain SObject records or create new criteria-based sharing rules

Price books are a way to store different prices for products that can be added to opportunities. Price books can have different organization-wide defaults (OWD) settings that control the baseline level of access for users. To allow only specific branch staff to sell high risk products, the architect can recommend setting the price book OWD to View Only and sharing the high risk price book with the trained staff via manual sharing or sharing rules. Manual sharing allows the owner or anyone with Full Access to a record to share it with another user or group of users. Sharing rules allow the admin to automatically grant access to records based on certain criteria. Therefore, the answer A and C are correct and the other options are incorrect.

The architect can design the solution to federate user setup to the partners by assigning delegated external administrators at each partner and allowing external users to self-register. A delegated external administrator is a user who can create and manage users in their own partner account. This way, the partners can have more control over their seasonal workers and reduce the administrative burden on UC. Allowing external users to self-register is another way of simplifying user creation and management for partners, as they can enable their workers to create their own accounts and log in to the community. Granting the Modify Users permission to the partner managers is not a good practice, as it would give them too much power over all users in the org. Creating a permission set giving Read/Write to the User object to partner manager is also not advisable, as it would expose sensitive user data and allow unauthorized changes.

 Partner super user is the only feature that supports the requirement of granting specific community users (agents) to view cases submitted by other agents of the same distributor. Partner super users are community users who can access and edit data owned by other partner users in their account. They can also access reports and dashboards that display data from their account1. Permission set to grant community admin permission, delegate external user, and partner community admin are not features that can achieve the same result.

 To give access to the invoice records from an external object on the account page, the Sales Architect should recommend including the Invoice Related List on Account Page layout. This will allow the finance users to see the invoice records related to each account, as long as they have access to the account record and the external object4. Creating sharing rules or using Apex managed sharing are not applicable for external objects, as they do not support manual or programmatic sharing

 Adding the product specialist and solution engineer to the opportunity team is the optimal way for the junior account manager to share the opportunity, given the private sharing model. Opportunity teams are groups of users who work together on sales opportunities. Adding users to an opportunity team grants them access to the opportunity and related records. This way, the junior account manager can collaborate with the product specialist and solution engineer on the complex deal, and when the account is reassigned to a senior account manager, the opportunity team members will retain their access. Option A is incorrect, since manual sharing on the opportunity would be removed when the account owner changes. Option C is incorrect, since manual sharing on the account would not grant access to the opportunity, as it does not roll up from account to opportunity. Option D is incorrect, since creating an owner-based sharing rule would be unnecessary and inefficient.

There is an Account ownership data skew problem, which could be the reason for this problem. Data skew occurs when a large number of records (more than 10,000) are owned by a single user or belong to a single role. This can cause performance issues when accessing or updating those records, as well as when recalculating sharing rules or changing ownership. In this scenario, since each donation rep owns over 50,000 donor accounts, there is a significant data skew that affects the system performance. Option A is incorrect, since the donation reps access to the assigned accounts is not a problem by itself, but rather a consequence of data skew. Option B is incorrect, since Salesforce sharing recalculation kicked off is not a problem by itself, but rather a consequence of data skew. Option D is incorrect, since the Account (donor) object OWD being Private is not a problem by itself, but rather a consequence of data skew.

Role hierarchy is a way to grant access to records based on the user’s position in the organization. Users higher in the role hierarchy can access and edit records owned by users lower in the role hierarchy, unless the Grant Access Using Hierarchies option is disabled for a specific object. In this case, the Operations manager can access and edit all scheduled courses owned by the Operations Users team members who report to them in the role hierarchy. Therefore, the answer B is correct and the other options are incorrect

 Searching for external users is the community functionality that is impacted by having the customer user visibility turned off. When customer user visibility is turned off, community users cannot find or interact with other community users in global search, people search, or chatter. Option B is incorrect, since updating their user profile is not affected by customer user visibility. Option C is incorrect, since creating new customer community users is not affected by customer user visibility. Option D is incorrect, since searching for internal users is not affected by customer user visibility.

 Creating an ownership-based sharing rule is the best way to achieve the requirements. Ownership-based sharing rules allow administrators to automatically grant access to records owned by certain users or roles to other users or roles2. This way, the sales manager in Australia can access the deals owned by the sales manager in Japan. Using sharing set, using opportunity teams, and assigning View All on the opportunity object are not options that can achieve the same result.

Creating a Sharing set for the Distributor profile to grant access to the Delivery object is the correct way to share records with users in a partner community. Sharing sets allow you to share records based on a common account or contact2. Criteria-based sharing rules are not available for partner communities3.

The action that Mary can take on Joe’s Invoice records is none. This is because Mary’s profile does not have the Read permission for the Invoice object, which means she cannot view any Invoice records, regardless of the OWD or role hierarchy settings. Profile permissions override any other access settings3. Read/Write, Edit Only, and View Only are not possible actions for Mary.

Using Account teams, Opportunity teams, and Case teams is the best way to achieve these requirements. Account teams allow you to share accounts and related records with a group of users. Opportunity teams allow you to share opportunities with a group of users who can have different levels of access. Case teams allow you to share cases and related records with a group of users who can have different roles and levels of access. Using Sharing rules to share cases with sales associates will not work, because sharing rules can only be based on record owner or criteria, not on account team membership. Using Account Teams to define access to accounts as well as opportunities and cases related to accounts will not work, because account team members can only have read-only access to cases by default.

 Controlling the invoices object permission on the sales manager’s profile is how the architect can grant the sales managers access to the customer invoices data. Object permissions determine whether a user can create, read, edit, or delete any record of that object. Since invoice data is surfaced in Salesforce using external objects, sales managers need to have at least read permission on the invoice object to view the customer invoices data. Option A is incorrect, since sharing rules are not available for external objects. Option B is incorrect, since manual sharing is not available for external objects. Option D is incorrect, since sharing sets are not available for external objects.

 To make sure service reps have access to all relevant information to attend to customer requests, the architect should consider that service reps will be able to access contact records if they are controlled by parent or due to implicit sharing. If contact records are controlled by parent, their access level is determined by the access level of their parent account. If service reps have View All permission on Case object, they also have implicit Read access to the accounts and contacts associated with cases that they can access3. Service reps will not be able to access contact records if account OWD is private and contact records are not controlled by parent, as they will need explicit sharing or permission to access them. Service reps will not be able to access contact records if they are controlled by parent and they do not have access to the parent account.

 Order, Asset, and Contact are the three objects that can be configured as “Controlled by Parent” in Sharing Settings when Person Account is enabled in a Salesforce organization. Controlled by Parent means that the sharing setting for the object is determined by the parent record. For example, an order’s sharing setting is determined by its associated account. Opportunity and Case are not objects that can be configured as “Controlled by Parent” in Sharing Settings.

Setting the External OWD to Private for the Delivery object is the best approach to limit the records a distributor can see, since it will restrict the access to only the records they own or are shared with them. Option A is incorrect, since ownership-based sharing rules are not available for partner community users. Option B is incorrect, since removing Read permission from the distributor profile would prevent them from accessing any delivery records. Option D is incorrect, since criteria-based sharing rules are not available for partner community users.

Setting the Request object’s OWD to Public Read/Write is the simplest and most efficient way to allow all employees to collaborate on requests. Option B is incorrect, since granting Modify All Data permission on all profiles would give too much access and affect other objects as well. Option C is incorrect, since creating a criteria-based sharing rule to share all records with all users would be redundant and inefficient. Option D is incorrect, since setting the OWD to Public Read Only would not allow users to edit requests3.

A new AccountShare record is created with Row Cause as “Manual” and Access Level as “Read/Write” when Paul manually shares the record with John. This record grants John edit access to the account owned by Paul. Option B is incorrect, since an existing AccountShare record is not updated, but a new one is created. Option C is incorrect, since the Row Cause is not “Owner”, but “Manual”. Option D is incorrect, since an existing AccountShare record is not updated, but a new one is created.

Only Bob can view the file that he uploads to his Files Home private library. Users above Bob in the role hierarchy, users with View All Data permission, or users with Modify All Data permission cannot access the file unless Bob explicitly shares it with them

 Creating a Permission Set that grants “View All” permission for Opportunity is the best approach to meet the requirements. This will allow the Sales Reporting team to view all Opportunity records without changing their profile or OWD settings. Creating a Permission Set that grants “View All Data” permission would give them access to all data in the org, which is not necessary. Making Opportunity OWD read-only would affect all users in the org, which may not be desirable. Giving “View All Data” permission to the Sales Reporting Profile would also give them access to all data in the org, which is not necessary

 Creating a criteria-based sharing rule to give access to the public group for high-value opportunities and creating a public group and assigning the auditors to the group are the best options to give access to high-value opportunities to a team of auditors distributed through the organization. Option A is incorrect, since putting the auditors as the highest level of the role hierarchy would give them access to all opportunities, not just high-value ones. Option B is incorrect, since adding the auditors to the default opportunity team would require manual configuration and maintenance

To mitigate the risk of improper access to records when using Apex managed sharing, the Salesforce architect should recommend using runAs system method in test classes and with Sharing keyword in Apex classes. The runAs system method allows testing the code as different users with different profiles and permissions, which can help verify that the sharing logic is working as expected2. The with Sharing keyword enforces the record visibility rules for the current user context, which can help prevent unauthorized access to records that are not shared with the user

 Deferred Sharing Recalculation allows the admin to postpone the recalculation of sharing rules until a later time, which can improve performance and avoid locking issues when changing role hierarchy or ownership. Parallel Sharing Rule Recalculation allows the admin to run multiple sharing rule recalculations at the same time, which can also improve performance and reduce downtime. Granular Locking enables finer-grained locking for certain operations that affect large data sets, such as bulk loading or updating. These features can help avoid problems when reorganizing roles and reassigning account owners. Therefore, the answer B, C, and E are correct and the other options are incorrect

The runAs() method can be used to verify the enforcement of a user’s record sharing, which determines what records they can view and edit. Option A is incorrect, since public group assignments are not enforced by runAs(). Option B and C are incorrect, since field-level security and permissions are not affected by runAs()

A sharing rule is missing to share Accounts to the AR team, which could be the issue preventing AR team members from seeing invoices. Since invoice is a custom object with a master-detail relationship to account, its sharing settings are controlled by its parent account. If AR users do not have access to account records, they will not be able to see or query invoice records either. Option A is incorrect, since a sharing rule to share invoices to the AR team would not work, as invoice inherits its sharing settings from account. Option B is incorrect, since assigning an invoice page layout to the AR team profile would not affect their visibility of invoice records. Option D is incorrect, since giving read permission to the invoice object to the Accounts receivable profile would not grant access to invoice records that are owned by other users.

The field has been configured for encryption, which might cause it to not show up on the list of available fields for creating a criteria-based sharing rule. Encrypted fields are not available for sharing rules, as they may contain sensitive data that should not be exposed. Option B is incorrect, since the architect does not need permission to Compliance fields to create a sharing rule. Option C is incorrect, since the architect’s profile does not need field-level security for this field to create a sharing rule. Option D is incorrect, since fields with validation rules are available for sharing rules.

 Leveraging default Account team is the best way to help improve sales reps productivity by granting access to supporting internal users for customer records when they need help. Default Account teams are predefined groups of users who work together on an account. When a user creates or owns an account, Salesforce automatically adds the default Account team to the account team related list on the account2. Creating a permission set with “view all data” and assigning it to supporting users would give them too much access to data that they may not need. Creating a public group and replacing the account ownership with it would not be feasible or scalable. Creating a criteria-based sharing rule to grant access to other users would require manual maintenance and may not reflect the changes in the account team.

The license recommendation that will meet distributor needs is Partner Community. Partner Community licenses are designed for users who are not employees of UC, but are part of their partner ecosystem, such as distributors, resellers, or suppliers. Partner Community users can access standard CRM objects such as accounts, contacts, leads, opportunities, cases, and campaigns. They can also collaborate with other partners and UC employees using Chatter and Communities. Sales Cloud licenses are for internal sales users who need full access to standard CRM and custom objects. Customer Community Plus licenses are for high-volume customers who need access to standard CRM objects and custom objects, but not opportunities. Customer Community licenses are for low-volume customers who need access only to custom objects and a subset of standard CRM objects.

Reviewing the user provisioning process to not automatically create a user role for any new user and contacting Salesforce support and requesting to increase the number of users’ roles allowed are two recommendations that could solve this problem. Salesforce has a limit on the number of roles that can be created in an organization, which depends on the edition and the number of licenses. If this limit is reached, no more roles can be created unless the limit is increased by Salesforce support. Therefore, it is not advisable to create a new role for every new user, as this would quickly exhaust the limit and cause the “User Role Limit Exceeded” error. Option B is incorrect, since removing role hierarchy from Salesforce org and controlling the record access using Apex managed sharing would be a complex and custom solution that would not address the root cause of the problem. Option D is incorrect, since creating an Apex class to replace the User Roles by generic one as soon as they are created would be unnecessary and inefficient.

A sharing set is the best way to share cases with partner users based on a common account. Sharing sets are available for Partner Community licenses and can grant access to related records using predefined criteria1. Option A is incorrect, since changing the external OWD to public read only would give access to all cases to all partner users, not just the ones related to their account. Option B is incorrect, since sharing rules are not available for partner users. Option C is incorrect, since the role hierarchy does not apply to partner users

Assigning users profiles and unlocking users are two capabilities that the delegated administrator permission provides. Delegated administrators are users who can perform certain administrative tasks on behalf of administrators. These tasks include assigning users to specified profiles or permission sets, creating and editing users in specified roles or groups, unlocking users who have exceeded their login attempts limit, resetting passwords for users in specified roles or groups, logging in as users who have granted login access to administrators. Option C is incorrect, since setting OWD is not a capability that delegated administrators have. Option D is incorrect, since creating profiles is not a capability that delegated administrators have.

SOQL injection is a vulnerability that can exist when controllers use dynamic rather than static queries and bind variables. SOQL injection is a technique that exploits a security vulnerability by inserting malicious SOQL statements into an existing query. This can result in data loss, data exposure, or unauthorized access1. Buffer overflow attacks, cross-site scripting, and record access override are not vulnerabilities related to dynamic queries and bind variables.

The sales rep will have read-only access to the related account record. This is because the organization-wide default for the account object is private, which means that users can only access the accounts that they own or are shared with them. However, when a user has access to an opportunity, they also have implicit read-only access to the account associated with that opportunity1. This is called implicit sharing and it allows users to view the parent records of the child records they own or can access2. Therefore, the sales rep can view the account record related to the opportunity, but cannot create, edit, or delete it.

List views are a way to filter and display records of a specific object based on certain criteria. List views can be shared with all users, a group of users, or only the owner of the list view. To share a list view with a group of users, such as sales executives who specialize in closing problematic deals, the architect can recommend creating a public group that includes those users and sharing the list view with that public group. Therefore, the answer B is correct and the other options are incorrect