Salesforce Sharing-and-Visibility-Architect Salesforce Certified Sharing and Visibility Architect (SU24) Exam Practice Test

The access that has to be given to partner users to access records belonging to users in their account at their same role or lower in the role hierarchy, for Cases, Leads, Opportunities and Custom Objects is Super User Permission2. Super User Permission is a profile permission that enables partner users to act as super users for their accounts2. Super users can view, edit, and delete records that they do not own within their account.

The correct format for creating share objects for custom objects in Apex code is MyCustomObject__Share. Share objects are used to grant access to individual records that are owned by another user or queue. For standard objects, the share object name is ObjectNameShare, such as AccountShare or ContactShare. For custom objects, the share object name is ObjectName__Share, such as MyCustomObject__Share or Project__Share.

 The option that supports this requirement is B. To restrict users’ access to export reports, the administrator can remove the “Export Reports” user permission from their profile or permission set. The “Report Manager” user permission is not related to exporting reports, but to creating and managing report folders.

Storing the value in a text field on a protected custom setting in the package is the best way to support this requirement. Protected custom settings are not visible to subscribers, but they can be accessed by the package code and support representatives. The other options either expose the value to subscribers (B and C) or do not allow support representatives to access it (D).

When adding account team members to an account, the user can see the opportunity access options that are equal to or less than the organization-wide default access level for the opportunity object3. Since the organization-wide default access level for the opportunity object is Public Read Only, the user can see Read Only and Read/Write options. Private and Private and Read Only are not valid options.

The best option for the architect to make sure Universal Health stays compliant is B. Enabling Salesforce Shield Platform Data Encryption and marking the patient notes field as encrypted will ensure that the data is encrypted at rest as well as in transit, using a tenant secret that only Universal Health can access. This will also allow them to use standard Salesforce features and functionality with the encrypted data. The other options are either incorrect or not optimal.

Reviewing the Account structure to split the United Automotive account into multiple branch accounts is the option that the Architect should recommend. This way, the number of child cases under one parent account will be reduced, and the locking errors will be avoided. The locking errors occur when multiple transactions try to access or modify records that are related to a single parent record. The other options do not address the root cause of the locking errors, which is the high number of child cases under one parent account.

 To make sure service reps have access to all relevant information to attend to customer requests, the architect should consider that service reps will be able to access contact records if they are controlled by parent or due to implicit sharing. If contact records are controlled by parent, their access level is determined by the access level of their parent account. If service reps have View All permission on Case object, they also have implicit Read access to the accounts and contacts associated with cases that they can access3. Service reps will not be able to access contact records if account OWD is private and contact records are not controlled by parent, as they will need explicit sharing or permission to access them. Service reps will not be able to access contact records if they are controlled by parent and they do not have access to the parent account.

According to this source, Apex managed sharing is the best way to share records based on complex logic that can’t be handled by declarative sharing. In this case, the architect can use Apex code to create a trigger on the Job Interview object that will create a share record for the interviewer user when the lookup field is populated. The other options are not feasible or scalable.

The sharing access options if OWD is Public Read Only are Read and Read/Write3. These are the options that you can choose when creating sharing rules or manual sharing for an object that has Public Read Only as its organization-wide default access level3. Public Read Only means that all users can view all records, but only the owners and users above them in the role hierarchy can edit those records.

To troubleshoot why staff members can see accounts that they do not own and should not have access to after a change in the role hierarchy, the architect should log in as one of the staff members, navigate to a sample account, and use the sharing button to determine who has access. The sharing button shows all the reasons why a user has access to a record, such as role hierarchy, sharing rules, manual sharing, teams, etc. The architect can then identify which sharing mechanism is causing the issue and fix it accordingly

A workaround to ownership data skew is to minimize possible performance impacts by not assigning the user(s) to a role. Ownership data skew occurs when a single user owns a large number of records (more than 10,000) of an object, which can cause performance issues when sharing calculations are performed. By not assigning the user to a role, you can prevent the sharing rules from being applied to the records owned by that user, and reduce the number of rows in the sharing tables.

Three advanced tools that Salesforce can enable for large-scale role hierarchy realignments in organizations with large data volumes are partitioning by divisions, deferred sharing calculation, and skinny table indexing. Partitioning by divisions allows the organization to segment data into logical sections based on business criteria, which reduces the number of records that need to be recalculated when role hierarchy changes. Deferred sharing calculation allows the organization to postpone the sharing recalculation until a scheduled time, which avoids impacting users during peak hours. Skinny table indexing allows the organization to create custom indexes on frequently used fields, which improves query performance and reduces locking contention

Creating a territory is an activity that can happen in parallel to changing a community account owner without risking group membership lock errors, assuming granular locking is enabled. Granular locking is a feature that allows for concurrent sharing operations on different objects or groups, reducing lock contention and improving performance. Deletion or creation of a role is an activity that can cause group membership lock errors, as it affects the role hierarchy and all the groups that are associated with it. Deletion of a territory is also an activity that can cause group membership lock errors, as it affects the territory hierarchy and all the groups that are associated with it

The reason why there are many duplicate Account records and numerous sharing rules created in Salesforce is that the Organization-Wide Default for the Account object is Private4. This means that users can only see their own accounts and those shared with them explicitly by sharing rules or other means. This could lead to users creating duplicate accounts without knowing that they already exist in Salesforce. If the Organization-Wide Default for the Account object is Public Read/Write or Public Read Only, users would be able to see all accounts in Salesforce and avoid creating duplicates. The Object permissions for the Account object are not relevant for this question.

According to this source, users with access to a child case have read-only access to the parent account by default, and owners of a parent account have access to child opportunities by default. The other options are not implicit record access mechanisms.

 According to this source, the Manage Dashboards permission allows users to create, edit, and delete dashboards in any folder they have access to, and the View All Data permission allows users to view all data in the org regardless of sharing settings. The other options are not necessary for creating a dashboard to compare sales numbers.

The Internal Default sharing settings for a custom object can be either Public Read/Write or Public Read Only if the External Default sharing setting is set to Public Read Only1. Controlled by Parent and Private are not valid options because they would not allow external users to access the custom object records.

The user can be granted edit access to the record if they are not the owner by creating an Apex trigger to insert an Employee Review Share record with an access level of Edit. This is a programmatic way of extending sharing access to a specific user based on a lookup field.

 The optimal solution for an architect to recommend is to grant super user access to the lead agents as part of the community user setup. Super user access allows community users to access records that they do not own within their account or role hierarchy. This way, the lead agents can see the opportunities for all of the other agents at the dealer without changing the organization-wide defaults or creating any sharing rules

To support the requirement of allowing only the owner and users in the Delivery profile to view and edit Job records, you need to use three platform sharing tools:

Organization-Wide Default sharing setting of Private on the Job Object: This will restrict access to Job records to only the owner by default.

Grant access Using Hierarchy sharing setting on the Job Object set to false: This will prevent users above the owner in the role hierarchy from accessing Job records.

“Modify All” permission for Job Object on the Delivery Profile: This will grant users in the Delivery profile full access to all Job records regardless of ownership.

Criteria-Based sharing rule and “View All Data” profile permission are not required for this scenario. Criteria-Based sharing rule would grant additional access to users who meet certain criteria, which is not necessary. “View All Data” profile permission would grant access to all data in the organization, which is too broad and may violate data security.

To store sensitive invoice data in Salesforce, the architect should consider using a master-detail relationship between accounts and invoices, and setting the organization-wide default sharing for invoices to private. This would ensure that only the owners of the invoices and their subordinates can see them, and that the invoices inherit the sharing settings of the accounts. A workflow that populates the invoice sharing object upon insert is not necessary if the master-detail relationship is used. A lookup relationship between accounts and invoices would not enforce the same level of security and visibility as a master-detail relationship3

Named Credentials, Protected Custom Metadata, and Protected Custom Settings are three options to secure the credentials for the external system. They allow the developer to store the credentials in a secure way that is not exposed to other users or packages. Storing the credentials in a custom object using encrypted fields or in the apex code are not secure options

Creating a permission set that grants the View All permission for Opportunity is the best approach to meet these requirements, as it will allow the sales reporting team members to view all opportunity records without modifying their profiles. Creating a permission set that grants the View All Data permission will work, but it will also grant access to all other objects, which may not be necessary or secure. Giving the View All Data permission to the Sales Reporting profile will work, but it will also affect all users with that profile, which may not be desired.

 To prevent orders from being deleted in the future, a Salesforce Architect should recommend removing Order delete permission from profiles and permission sets, and changing the record type/page layout assignment for orders to be read only. Removing Order delete permission will prevent users from deleting any order records, regardless of their ownership or sharing. Changing the record type/page layout assignment will prevent users from editing any order fields, regardless of their field-level security. Implementing a sharing rule that changes access for order to read will not work, as it will only affect the record-level access, not the field-level access or the delete permission. Removing the Delete button from the order page layout will not work, as it will only affect the user interface, not the API or other ways of deleting records.

Two platform features that can be used to support the requirements for granting access to Job records are “View All” profile settings and manual sharing. The “View All” profile setting can be enabled for the Delivery profile to grant them View access to all Job records regardless of ownership or role hierarchy. The manual sharing feature can be used by the Delivery user who owns a job to grant access to a Product Development user on a case-by-case basis

According to this source, creating the share records and setting the RowCause to a custom Apex Sharing Reason will prevent them from being deleted when the owner of the account is changed. The other options will not have this effect.

To give access to a report folder to someone else in the organization, the user needs to have the “Manage Reports in Public Folders” profile permission and the “Manager” report folder permission. The “Viewer” and “Editor” report folder permissions only allow the user to view or edit the reports in the folder, but not to share the folder with others

According to this source, users with the View All Data permission can view any file in the org, and users with access to the record can view files posted to that record’s Chatter feed. The other options are not accurate.

Changes affect only the ACME Account. Changing the team member access to the account does not affect the default account team, the default opportunity team, or the child accounts. The team member access is specific to the individual account record.

To support the requirements with the minimum amount of effort, three platform security features that are required are criteria-based sharing rules, role hierarchy, and permission sets. Criteria-based sharing rules can be used to share all accounts with the custom field “Kay Customer” to all senior account managers based on a filter condition. Role hierarchy can be used to grant access to accounts that users or their subordinates own based on the ownership and role level. Permission sets can be used to grant view and edit access to the custom field that contains sensitive information to the three designated users, regardless of their user groups or profiles

 To grant the sales managers access to the customer invoices data, the architect should control the invoices object permission on the sales manager’s profile. This will allow the sales managers to view and query the external object records, as long as they have access to the parent account records. Creating a sharing set or a sharing rule will not work, as they are not supported for external objects. Using manual sharing will not work, as it is not available for external objects

Private Account Sharing with Sharing Rules from Commercial Sales Group(s) to Commercial Support Group(s) and Consumer Sales Group(s) to Consumer Support Group(s) is the recommended Org-Wide Sharing Default for Accounts and the way to enable proper Commercial and Consumer Sales to Support Account Sharing for this scenario. This way, the sales and support departments can share their customers with each other, but not with the other departments. The other options are incorrect because they either do not allow the sales and support departments to share their customers (A and B) or they allow too much access to the accounts ©.

The best way to review access to a certain set of key customer accounts is to export the Account Share table and review it. The Account Share table stores all the sharing records that grant access to accounts, including manual sharing, sharing rules, team sharing, and implicit sharing4. The other options are either not feasible or not comprehensive.

Creating a criteria-based sharing rule giving the Retail Sales role access to Accounts of type PersonAccount is the best option to meet these requirements, as it will grant access to all retail customers based on a field value, regardless of ownership2. Creating an owner-based sharing rule on AccountContactRelation will not work, as it will only grant access to account contact roles records owned by retail sales reps, not all retail customers. Updating the Retail Sales profile to grant access to Person Account record type will not work, as it will only control the record type visibility, not the record visibility.

Implementing a third-party proxy server is the best technology to achieve the requirement of accessing on-premise information from Salesforce. A proxy server acts as an intermediary between Salesforce and the on-premise database, and it can handle authentication, encryption, and data transformation. Option A is incorrect, as tokenization is a technique to replace sensitive data with tokens, not to access on-premise data. Option B is incorrect, as it does not specify how Salesforce can connect to the on-premise database. Option D is incorrect, as Salesforce Shield is a set of tools to enhance data security and compliance in Salesforce, not to access external data sources.

Reviewing the user provisioning process to not automatically create a user role for any new user and contacting Salesforce support and requesting to increase the number of users’ roles allowed are two recommendations that could solve this problem. Salesforce has a limit on the number of roles that can be created in an organization, which depends on the edition and the number of licenses. If this limit is reached, no more roles can be created unless the limit is increased by Salesforce support. Therefore, it is not advisable to create a new role for every new user, as this would quickly exhaust the limit and cause the “User Role Limit Exceeded” error. Option B is incorrect, since removing role hierarchy from Salesforce org and controlling the record access using Apex managed sharing would be a complex and custom solution that would not address the root cause of the problem. Option D is incorrect, since creating an Apex class to replace the User Roles by generic one as soon as they are created would be unnecessary and inefficient.

A sharing set is the best way to share cases with community users based on a common account. Sharing sets are available for Customer Community licenses and can grant access to related records using predefined criteria. Option A is incorrect, since sharing rules are not available for community users. Option B is incorrect, since there is no such thing as a share group in Salesforce. Option D is incorrect, since Apex sharing is complex and requires code maintenance

The architect should consider that changing complex role hierarchy can cause a high level of sharing recalculation, and that replacing account records ownerships massively can cause data skew. Changing role hierarchy affects the sharing rules that are based on roles or role and subordinates, which can trigger a recalculation of sharing for all the records owned by users in those roles. Replacing account records ownerships massively can cause data skew, which is a condition where a large number of child records are associated with one parent record, resulting in performance issues. Using a temporary parking lot account to improve performance is not a recommended practice, as it can cause data quality issues and security risks. Restricting the organization-sharing configurations to private is not relevant to this situation, as it does not address the impact of changing roles and reassigning accounts.

The OWD for pricebook should be set to Use, which means that users can only view and use price books that are shared with them. This way, sales agents can have access to products and create opportunities for their customers. Option A is incorrect, since Public Read Only would give access to all price books to all users. Option B is incorrect, since Public Read Write would give access and edit rights to all price books to all users. Option C is incorrect, since View is not a valid OWD setting for pricebook.

 To give access to the invoice records from an external object on the account page, the Sales Architect should recommend including the Invoice Related List on Account Page layout. This will allow the finance users to see the invoice records related to each account, as long as they have access to the account record and the external object4. Creating sharing rules or using Apex managed sharing are not applicable for external objects, as they do not support manual or programmatic sharing

Granular locking is an advanced tool that Salesforce can enable for large-scale role hierarchy realignments. Granular locking allows finer-grained locking for certain operations that affect large data sets, such as bulk loading or updating. Granular locking can reduce the locking time and avoid performance issues when changing role hierarchy or ownership. Therefore, the answer C is correct and the other options are incorrect

 By default, three roles are created when the first external user is created on a partner account. These roles are Executive, Manager, and User. They form a role hierarchy that determines the level of access to data for the partner users

The field has been configured for encryption, which might cause it to not show up on the list of available fields for creating a criteria-based sharing rule. Encrypted fields are not available for sharing rules, as they may contain sensitive data that should not be exposed. Option B is incorrect, since the architect does not need permission to Compliance fields to create a sharing rule. Option C is incorrect, since the architect’s profile does not need field-level security for this field to create a sharing rule. Option D is incorrect, since fields with validation rules are available for sharing rules.

A sharing rule is missing to share Accounts to the AR team, which could be the issue preventing AR team members from seeing invoices. Since invoice is a custom object with a master-detail relationship to account, its sharing settings are controlled by its parent account. If AR users do not have access to account records, they will not be able to see or query invoice records either. Option A is incorrect, since a sharing rule to share invoices to the AR team would not work, as invoice inherits its sharing settings from account. Option B is incorrect, since assigning an invoice page layout to the AR team profile would not affect their visibility of invoice records. Option D is incorrect, since giving read permission to the invoice object to the Accounts receivable profile would not grant access to invoice records that are owned by other users.

A sharing set is the best way to share cases with partner users based on a common account. Sharing sets are available for Partner Community licenses and can grant access to related records using predefined criteria1. Option A is incorrect, since changing the external OWD to public read only would give access to all cases to all partner users, not just the ones related to their account. Option B is incorrect, since sharing rules are not available for partner users. Option C is incorrect, since the role hierarchy does not apply to partner users

The Apex method that must be used to make sure only allowed fields are shown to the users is isAccessible(). This method returns true if the user has read access to the field, and false otherwise2. isReadable(), isShowable(), and isViewable() are not valid Apex methods for checking field-level security.

The Grant Access Using Hierarchies option on Shipment Sharing Settings allows users above the owner in the role hierarchy to have the same level of access as the owner. If this option is disabled, the role hierarchy will not grant access to the Shipment records, even if it is configured correctly. Therefore, the answer A is correct and the other options are incorrect

Assigning users profiles and unlocking users are two capabilities that the delegated administrator permission provides. Delegated administrators are users who can perform certain administrative tasks on behalf of administrators. These tasks include assigning users to specified profiles or permission sets, creating and editing users in specified roles or groups, unlocking users who have exceeded their login attempts limit, resetting passwords for users in specified roles or groups, logging in as users who have granted login access to administrators. Option C is incorrect, since setting OWD is not a capability that delegated administrators have. Option D is incorrect, since creating profiles is not a capability that delegated administrators have.

 A criteria-based sharing rule is the best option to give access to accounts based on a specific field value, such as the record type. Option A would give access to all accounts, not just person accounts. Option B would only control the layout and not the visibility. Option C would not apply to person accounts, since they do not have account contact roles

The territory with the highest territory type priority is automatically assigned to the opportunity when an account meets criteria for multiple territories4. Option A is incorrect, since creating a process builder process to update the territory field on the opportunity would be unnecessary and complex. Option C is incorrect, since creating an Apex class that implements Filter-Based Opportunity Territory Assignment would be an advanced and custom solution that is not required in this scenario. Option D is incorrect, since creating a criteria-based sharing rule on the opportunity to assign it to a territory would not work, as sharing rules do not assign territories5.

Removing the Work Order Edit permission from the sales representative profile is the optimal approach to implement these requirements, as it will prevent sales representatives from changing virtual container work orders that are provisioned immediately by the system. Option B is incorrect, since removing the edit button from the work order page layout would not prevent sales representatives from editing work orders using other methods, such as inline editing or data loader. Option C is incorrect, since changing the record type/page layout assignment for Work Order to be Read Only would not affect the edit permission, but only the layout configuration. Option D is incorrect, since implementing a sharing rule that changes access for all Work Order to Read would not prevent sales representatives from editing work orders that they own.

Creating a Share Group based on the sharing set created for the Customer Community User Profile is the best way to give support representatives access to Container and Case records owned by Customer Community users. Share Groups are groups of users who have access to records based on a sharing set. Sharing sets are settings that grant community users access to records that have a lookup relationship to their user record1. Creating an ownership-based sharing rule, creating a criteria-based sharing rule, and relying on the role hierarchy are not options that can achieve the same result.

The report owner is the only one who can view and run the report that is saved in the “Private Reports” folder. Option A is incorrect, since there is no such thing as the “My Private Reports” folder in Salesforce. Option B is incorrect, since the role hierarchy does not affect the access to private reports. Option D is incorrect, since the “View All Data” permission does not grant access to private reports.

Sharing the folders with the “VP of Sales” Role and Subordinates and sharing the folders with a “Sales Managers” Public Group are two ways that UC can grant access to sales managers to automate access to these Reports and Dashboards folders. Folder sharing allows users to share reports and dashboards with other users based on roles, subordinates, public groups, or individual users. Option A is incorrect, since sharing the folders with lowest roles in the role hierarchy would not give access to superiors automatically, but only to subordinates. Option C is incorrect, since sharing the folders with a queue is not possible.

 Account records can be accessed due to implicit sharing from Opportunity and Account records can be accessed due to role hierarchy are two reasons that could be causing this issue. Implicit sharing grants access to parent records when a user has access to a child record. For example, if a user has access to an opportunity, they also have access to its related account and contract records. Role hierarchy grants access to records owned by or shared with users who are below in the hierarchy. For example, if a user is above another user in the role hierarchy, they can access any records that the lower user can access. Option A is incorrect, since contact records cannot be accessed due to implicit sharing from account, as implicit sharing does not grant access to child records. Option C is incorrect, since contact records cannot be accessed due to implicit sharing from opportunity, as implicit sharing does not grant access to child records.

 Creating a Permission Set that grants “View All” permission for Opportunity is the best approach to meet the requirements. This will allow the Sales Reporting team to view all Opportunity records without changing their profile or OWD settings. Creating a Permission Set that grants “View All Data” permission would give them access to all data in the org, which is not necessary. Making Opportunity OWD read-only would affect all users in the org, which may not be desirable. Giving “View All Data” permission to the Sales Reporting Profile would also give them access to all data in the org, which is not necessary

SOQL injection is a vulnerability that can exist when controllers use dynamic rather than static queries and bind variables. SOQL injection is a technique that exploits a security vulnerability by inserting malicious SOQL statements into an existing query. This can result in data loss, data exposure, or unauthorized access1. Buffer overflow attacks, cross-site scripting, and record access override are not vulnerabilities related to dynamic queries and bind variables.

The likely cause of this issue is that sales users profile does not have access to the remaining fields. Profile permissions determine what users can do with records, such as create, read, edit, or delete. If sales users profile does not have read permission for certain fields on the Invoice object, they will not be able to see those fields on the record detail page3. Page layout assigned to sales user profile, org-wide sharing settings, and role-based sharing are not likely causes of this issue.

The internal Pre-Sales users will no longer have access to the opportunity after the ownership transfer, since manual sharing is removed when a record owner changes. Option A is incorrect, since inherited sharing does not apply to manual sharing. Option B is incorrect, since implicit sharing does not apply to internal users. Option D is incorrect, since team access does not apply to manual sharing.

The impact of these sharing settings is that Sales Engineers Managers and their managers in the role hierarchy will also have access to these records. This is because sharing rules extend access to users in public groups, roles, or territories. The access granted by a sharing rule is inherited by users above those users in the role hierarchy1. Subordinates of Managers who have Sales Engineers in the public group, Sales Engineers that have a similar role of the Sales Engineers of the public group, and Sales Engineers direct reports will not have access to these records unless they are explicitly granted by other means.

 Creating a criteria-based sharing rule to give access to the public group for high-value opportunities and creating a public group and assigning the auditors to the group are the best options to give access to high-value opportunities to a team of auditors distributed through the organization. Option A is incorrect, since putting the auditors as the highest level of the role hierarchy would give them access to all opportunities, not just high-value ones. Option B is incorrect, since adding the auditors to the default opportunity team would require manual configuration and maintenance

Creating a criteria-based sharing rule that shares delivery records matching the Distributor to users of a Public Group created for the distributor is the correct solution for this scenario. This will allow all users at a distributor to access delivery records for all customer accounts associated with that distributor. Creating a Sharing set for the Distributor profile will not work, because sharing sets are only available for portal or community users, not internal users. Giving ownership of the delivery record to a distributor user will not work, because it will limit the access to only one user per record. Creating a criteria-based sharing rule that shares delivery records matching the Distributor to user distributor will not work, because it will not share records with other users at the same distributor.

The most likely cause of this problem is that the sales rep was manually removed from the Opportunity team. This would revoke the access to the opportunity record that the sales rep was helping with. The other options are not valid causes, because:

The Account team does not affect the Opportunity team members, unless the account owner changes and the opportunity owner is set to match2.

The Opportunity team is specific to each opportunity record, so removing the sales rep from one opportunity team does not affect the access to another opportunity record of the same account3.

The opportunity owner cannot enable/disable if the “Default Opportunity team” is able to access the record. The default opportunity team is a template that can be applied when creating or editing an opportunity, but it does not override the existing opportunity team members.

Susan and users with the View All Data permission and Susan and users with access to the record are two statements that accurately describe who can view the file by default. When a file is posted to a record’s feed, it inherits the sharing settings of that record. Therefore, only users who can view the record can view the file. Users with the View All Data permission can view all records and files in the organization. Option C is incorrect, since users with a shared chatter post link to the file can only view the file if they have access to the record as well. Option D is incorrect, since Susan is not the only one who can view the file, but also users who have access to the record or the View All Data permission.

Setting the organization-wide default to Private and unchecking the Access Using Hierarchies option for the NPS object will prevent the managers from accessing the NPS records of their subordinates. This is because the access using hierarchies option allows users above the owner in the role hierarchy to have the same level of access as the owner

 Using the IsUpdateable() Apex method to test each field prior to allowing updates is the best way to fix this problem. This method returns true if the user has permission to edit a specific field on a specific object, and false otherwise. Option A is incorrect, since putting the code in a class that uses the With Sharing keyword would not affect field-level security permissions, but rather record-level access based on sharing rules. Option C is incorrect, since using the with SECURITY_ENFORCED keyword in the SOQL statement would not prevent updates on fields that are read-only for certain profiles, but rather enforce field- and object-level data protection. Option D is incorrect, since adding with Sharing keyword to the class would have the same effect as option A.

 Setting the OWD for internal users to Public Read Only is the simplest and most efficient way to give access to all internal employees to the ServiceFeedback object. Option A is incorrect, since creating a trigger on ServiceFeedback to change ownership to an internal employee would be complicated and affect the data quality. Option B is incorrect, since ensuring all the internal users are above the partners in the role hierarchy would not work, as the role hierarchy does not apply to partner users. Option C is incorrect, since creating an owner-based sharing rule for all ServiceFeedback records owned by partners would be redundant and inefficient

List views are a way to filter and display records of a specific object based on certain criteria. List views can be shared with all users, a group of users, or only the owner of the list view. To share a list view with a group of users, such as sales executives who specialize in closing problematic deals, the architect can recommend creating a public group that includes those users and sharing the list view with that public group. Therefore, the answer B is correct and the other options are incorrect 

To make the sensitive fields accessible to the Human Resource team, other than field level security, another option is to create a new custom object with private OWD and Lookup relationship to Employee to store new restricted information. This will allow creating a separate security model for the new custom object, which can be shared with the Human Resource team using sharing rules or permission sets. Creating a new custom object controlled by parent and a Master-Detail relationship to Employee will not work, as it will inherit the same OWD as Employee, which is Public Read Only. Changing OWD of Employee custom object to private and a Lookup self-relationship to store only new restricted information will not work, as it will make all employee records inaccessible to other users who need them.

 Cross-Site Scripting (XSS) and SOQL Injection are two common types of security vulnerabilities that can affect Salesforce applications. XSS occurs when malicious code is injected into a web page that can execute in the browser of a user who visits that page6. SOQL Injection occurs when user input is used to construct a SOQL query without proper validation or escaping, which can allow an attacker to manipulate the query and access unauthorized data7. To prevent XSS, developers should use appropriate encoding methods when displaying user input on custom pages8. To prevent SOQL Injection, developers should use bind variables or the escapeSingleQuotes() method when building SOQL queries with user input9. Option A is incorrect, since Apex queries are not vulnerable to XSS. Option D is incorrect, since testing for invalid user access attempts is not related to security vulnerabilities within the Salesforce organization.