Top 20 Salesforce Security Scenario Questions and Answers for Developers

Security is a vital aspect of Salesforce development. Developers must ensure Apex code, Lightning Components, and Visualforce pages respect Salesforce’s security model, including CRUD, FLS, sharing rules, and encryption. Here are 20 scenario-based questions with answers for interview preparation.

1. Field-Level Security Scenario

Question: You created a custom Apex class exposing sensitive fields on Contact. How do you ensure only authorized profiles access those fields?
Answer: Use Schema.DescribeFieldResult methods isAccessible() and isUpdateable() before displaying or updating fields.

if (Schema.sObjectType.Contact.fields.Email.isAccessible()) {
    // Email is readable by the running user: safe to query or display it
}

2. CRUD Permissions Scenario

Question: A trigger updates Opportunity records for all users. How do you ensure users without edit rights cannot modify restricted fields?
Answer: Check CRUD permissions using isUpdateable() before performing DML operations.

if (Schema.sObjectType.Opportunity.isUpdateable()) {
    update oppList;
}

3. Sharing Rules Scenario

Question: Only a subset of users should see certain Account records. How do you implement this in Apex?
Answer: Declare the Apex class with sharing to enforce record-level security.

4. Encrypted Fields Scenario

Question: Social security numbers need encryption. How do you store, access, and manipulate encrypted fields?
Answer: Use Platform Encryption. Encrypted fields are accessible in Apex, but certain operations (e.g., LIKE queries) are limited.

5. SOQL Injection Scenario

Question: Users can input values to search Account records. How do you prevent SOQL injection?
Answer: Use bind variables and escape user input.

// Escape the input, then pass it as a bind variable so it never becomes part of the query text
String searchName = '%' + String.escapeSingleQuotes(userInput) + '%';
List<Account> accList = [SELECT Id, Name FROM Account WHERE Name LIKE :searchName];

6. REST API Security Scenario

Question: You expose a custom Apex REST API to external systems. How do you secure it?
Answer: Implement authentication using OAuth or Named Credentials and enforce with sharing in the Apex class.

7. Batch Apex Security Scenario

Question: A batch job updates Contact records for all users. How do you respect CRUD and FLS?
Answer: Always check isUpdateable() and isAccessible() before updating or reading fields in the execute method.
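A complete batch job for the scenario above, written as an added example rather than code from the original post. It does the object-level CRUD check once in start(), then uses Security.stripInaccessible() in execute() so that any field the running user may not update is dropped before the DML, and runs the update with AccessLevel.USER_MODE. Those are standard Apex APIs; the class name and the phone-normalisation rule are constructed for illustration.

```apex
// Added example: a Batch Apex job that normalises Contact phone numbers while enforcing
// CRUD and FLS for the user who launched it (class name and rule are constructed).
public with sharing class ContactPhoneCleanupBatch implements Database.Batchable<SObject> {

    public class InsufficientAccessException extends Exception {}

    public Database.QueryLocator start(Database.BatchableContext bc) {
        // Object-level CRUD check once, up front: abort the whole job rather than
        // discovering in execute() that the user cannot touch Contacts at all.
        if (!Schema.sObjectType.Contact.isAccessible() || !Schema.sObjectType.Contact.isUpdateable()) {
            throw new InsufficientAccessException('Running user lacks read/update access on Contact');
        }
        // WITH USER_MODE makes the query honour the user's FLS and sharing
        return Database.getQueryLocator(
            [SELECT Id, Phone FROM Contact WHERE Phone != null WITH USER_MODE]
        );
    }

    public void execute(Database.BatchableContext bc, List<Contact> scope) {
        for (Contact c : scope) {
            // Constructed rule: keep digits and a leading plus sign only
            c.Phone = c.Phone.replaceAll('[^0-9+]', '');
        }
        // Field-level check: strip every field the user may not update. Phone is the only
        // field set here, so if it is removed the records go back unchanged.
        SObjectAccessDecision decision = Security.stripInaccessible(AccessType.UPDATABLE, scope);
        if (!decision.getRemovedFields().isEmpty()) {
            System.debug(LoggingLevel.WARN, 'FLS removed fields: ' + decision.getRemovedFields());
        }
        // allOrNone=false so one bad row does not fail the chunk; USER_MODE re-checks
        // CRUD/FLS/sharing at DML time as well
        Database.update(decision.getRecords(), false, AccessLevel.USER_MODE);
    }

    public void finish(Database.BatchableContext bc) {}
}
// Usage: Database.executeBatch(new ContactPhoneCleanupBatch(), 200);
```

The job runs under the user who calls executeBatch(), so the checks reflect that user's profile and permission sets, not those of whoever deployed the class. Stripping rather than throwing in execute() is a deliberate choice: the job degrades to "update what you are allowed to" instead of failing the whole chunk on one hidden field.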

8. Visualforce/LWC Security Scenario

Question: Users call Apex methods via Lightning Web Components. How do you prevent unauthorized access?
Answer: Enforce CRUD, FLS, and sharing checks in Apex. Do not rely solely on front-end validation.

9. Platform Encryption Scenario

Question: Sensitive fields on Opportunity and Contract must be encrypted. How do you implement this?
Answer: Use Platform Encryption. Ensure formulas, reports, and integrations are compatible with encrypted fields.

10. Auditing Scenario

Question: You need to track unauthorized access attempts. How do you implement auditing?
Answer: Use Field History Tracking, Event Monitoring, and custom Apex logging for unauthorized access.

11. With/Without Sharing Scenario

Question: Should you declare a helper class with sharing or without sharing?
Answer: Use with sharing to respect user record access. Use without sharing only when access must bypass sharing rules.

12. CRUD/FLS in Triggers Scenario

Question: A trigger updates multiple objects. How do you enforce security?
Answer: Use isUpdateable() for objects and isAccessible() for fields before DML operations.
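The snippets in scenarios 1 and 2 show single describe checks; the example below, added here and not taken from the original post, packages the same checks into a reusable utility that a trigger touching several objects (scenario 12) can call before each DML. Triggers run in system mode, so without such checks a user who cannot edit Account or Contract could still drive updates to them through the trigger. The class, trigger and field choices are constructed for illustration; the describe calls are standard Apex.

```apex
// Added example: describe-based CRUD/FLS checker plus a trigger that uses it
// (names and field choices are constructed; describe calls are standard Apex).
public inherited sharing class CrudFlsCheck {

    public class AccessDeniedException extends Exception {}

    // Object-level CRUD plus field-level FLS for an update
    public static void requireUpdateable(Schema.SObjectType type, Set<String> fieldNames) {
        Schema.DescribeSObjectResult obj = type.getDescribe();
        if (!obj.isUpdateable()) {
            throw new AccessDeniedException('No update access on ' + obj.getName());
        }
        checkFields(obj, fieldNames, false);
    }

    // Object-level CRUD plus field-level FLS for a read
    public static void requireAccessible(Schema.SObjectType type, Set<String> fieldNames) {
        Schema.DescribeSObjectResult obj = type.getDescribe();
        if (!obj.isAccessible()) {
            throw new AccessDeniedException('No read access on ' + obj.getName());
        }
        checkFields(obj, fieldNames, true);
    }

    private static void checkFields(Schema.DescribeSObjectResult obj, Set<String> fieldNames, Boolean forRead) {
        // fields.getMap() keys are lowercase API names
        Map<String, Schema.SObjectField> fieldMap = obj.fields.getMap();
        for (String name : fieldNames) {
            Schema.SObjectField field = fieldMap.get(name.toLowerCase());
            // An unknown field fails closed instead of being silently skipped
            Boolean ok = field != null
                && (forRead ? field.getDescribe().isAccessible() : field.getDescribe().isUpdateable());
            if (!ok) {
                throw new AccessDeniedException('Field check failed on ' + obj.getName() + '.' + name);
            }
        }
    }
}

// Separate file: OpportunityWonSync.trigger. Checks run before any cross-object DML,
// so a user without access to Account.Description or Contract.Description gets an
// exception instead of a silent system-mode update.
trigger OpportunityWonSync on Opportunity (after update) {
    CrudFlsCheck.requireUpdateable(Account.SObjectType, new Set<String>{ 'Description' });
    CrudFlsCheck.requireUpdateable(Contract.SObjectType, new Set<String>{ 'Description' });

    Set<Id> accountIds = new Set<Id>();
    for (Opportunity opp : Trigger.new) {
        if (opp.IsWon && !Trigger.oldMap.get(opp.Id).IsWon && opp.AccountId != null) {
            accountIds.add(opp.AccountId);
        }
    }
    if (accountIds.isEmpty()) {
        return;
    }
    List<Account> accounts = new List<Account>();
    for (Id accId : accountIds) {
        accounts.add(new Account(Id = accId, Description = 'Has a won opportunity'));
    }
    update accounts;

    List<Contract> contracts = [SELECT Id FROM Contract WHERE AccountId IN :accountIds];
    for (Contract c : contracts) {
        c.Description = 'Related opportunity won';
    }
    update contracts;
}
```

Keeping the utility inherited sharing means it never changes the sharing context of its caller; it only answers the CRUD/FLS question. In a trigger, the exception surfaces to the user as a DML error on the Opportunity save, which is the correct outcome: the user's action could not complete within their permissions.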

13. Community User Security Scenario

Question: External community users should access certain objects. How do you secure data?
Answer: Configure Sharing Sets, Sharing Rules, and Apex with sharing to enforce record visibility.

14. Multi-Factor Authentication Scenario

Question: The client mandates MFA for all users. How can it be enforced?
Answer: Configure MFA policies in Setup; Apex cannot bypass MFA. Ensure compliance via login flows.

15. Login IP Restrictions Scenario

Question: A user cannot log in from a new location. How do you handle this?
Answer: Configure IP ranges at the profile level and monitor login history.

16. Apex REST Security for Sensitive Data Scenario

Question: Your REST API exposes sensitive fields. How do you secure them?
Answer: Enforce CRUD and FLS in Apex, validate OAuth tokens, and use with sharing to respect access.
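An Apex REST resource for scenarios 6 and 16, added here as an example and not part of the original post. The platform validates the OAuth bearer token (or Named Credential caller) before the method runs, so the class itself contributes record-level enforcement through with sharing, field-level enforcement through WITH USER_MODE, and a mapping of denials to HTTP status codes that reveals nothing about why access was refused. The URL mapping and class name are constructed.

```apex
// Added example: Apex REST endpoint returning one Contact's email with sharing and FLS
// enforced (urlMapping and class name are constructed).
@RestResource(urlMapping='/contacts/email/*')
global with sharing class ContactEmailResource {

    @HttpGet
    global static void getEmail() {
        RestRequest req = RestContext.request;
        RestResponse res = RestContext.response;
        res.addHeader('Content-Type', 'application/json');

        // Last path segment is the record id; reject anything that is not an Id up front
        String contactId = req.requestURI.substringAfterLast('/');
        if (!(contactId instanceof Id)) {
            res.statusCode = 400;
            res.responseBody = Blob.valueOf('{"error":"invalid id"}');
            return;
        }
        try {
            // with sharing decides whether the row is visible; USER_MODE decides whether
            // the Email field may be read
            List<Contact> found = [SELECT Id, Email FROM Contact WHERE Id = :contactId WITH USER_MODE LIMIT 1];
            if (found.isEmpty()) {
                // Not shared to this user and nonexistent look the same to the caller
                res.statusCode = 404;
                res.responseBody = Blob.valueOf('{"error":"not found"}');
                return;
            }
            res.statusCode = 200;
            res.responseBody = Blob.valueOf(JSON.serialize(
                new Map<String, Object>{ 'id' => found[0].Id, 'email' => found[0].Email }
            ));
        } catch (System.QueryException e) {
            // USER_MODE throws when the user lacks FLS on a selected field; do not echo the message
            res.statusCode = 403;
            res.responseBody = Blob.valueOf('{"error":"forbidden"}');
        }
    }
}
```

The Connected App's OAuth scopes and the integration user's profile still bound what this endpoint can ever return; the code only makes sure it does not exceed them.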

17. Dynamic SOQL Security Scenario

Question: You must query objects dynamically based on user input. How do you prevent unauthorized access?
Answer: Use bind variables, escape input, and enforce CRUD/FLS checks before querying records.
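Scenario 5 covers a fixed query with a bind variable; the example below, added here and not from the original post, generalises it to the dynamic case in scenario 17 where the caller chooses both the field and the value. The field name is validated against a describe-backed allow-list and an FLS check, while the value travels only as a bind through Database.queryWithBinds (standard Apex, API 57.0 and later) with AccessLevel.USER_MODE. The class name and the allow-list are constructed.

```apex
// Added example: dynamic SOQL where user input picks the filter field and value
// (class name and allow-list are constructed; queryWithBinds/AccessLevel are standard Apex).
public with sharing class AccountSearch {

    public class InvalidInputException extends Exception {}

    // Fields a caller may filter on (lowercase API names, matching fields.getMap() keys)
    private static final Set<String> SEARCHABLE = new Set<String>{ 'name', 'industry', 'billingcity' };

    public static List<Account> search(String fieldName, String userInput) {
        String key = fieldName == null ? '' : fieldName.toLowerCase();
        Schema.SObjectField field = Schema.SObjectType.Account.fields.getMap().get(key);
        if (field == null || !SEARCHABLE.contains(key)) {
            throw new InvalidInputException('Field is not searchable');
        }
        // FLS on the filter field: filtering on a hidden field would leak its contents
        // one query at a time, so refuse rather than silently proceed
        if (!field.getDescribe().isAccessible()) {
            throw new InvalidInputException('Field is not searchable');
        }
        // Unsafe pattern this replaces:
        //   'SELECT Id FROM Account WHERE ' + fieldName + ' LIKE \'%' + userInput + '%\''
        // Here the identifier comes from describe, never from the raw parameter, and the
        // value is a bind, so neither can change the shape of the query.
        String soql = 'SELECT Id, Name FROM Account WHERE ' + field.getDescribe().getName()
            + ' LIKE :term ORDER BY Name LIMIT 50';
        Map<String, Object> binds = new Map<String, Object>{ 'term' => '%' + userInput + '%' };
        // USER_MODE applies the caller's CRUD, FLS and sharing to the query itself
        return Database.queryWithBinds(soql, binds, AccessLevel.USER_MODE);
    }
}
// Usage: AccountSearch.search('Name', 'Acme');
```

With a bind variable the value never becomes SOQL text, so quote escaping is not what protects it; String.escapeSingleQuotes() is the tool for the case where a value genuinely must be concatenated. LIKE wildcards (% and _) inside the value still act as wildcards, which widens a match but cannot alter the query structure.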

18. Event Monitoring Scenario

Question: You need to monitor record access across Salesforce. How do you implement this?
Answer: Enable Event Monitoring, use Transaction Security Policies, and analyze login/record events.

19. Record Visibility Scenario

Question: Some Opportunity records must be restricted to regional managers. How do you enforce this in Apex?
Answer: Use with sharing and consider Criteria-Based Sharing Rules to control record access.
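The three sharing keywords side by side, as an added example for scenarios 3, 11 and 19 rather than code from the original post. Region__c on Opportunity and on User is a constructed custom field; a Criteria-Based Sharing Rule on that field would be what grants regional managers the rows, and with sharing is what makes the Apex respect that grant.

```apex
// Added example: with sharing, inherited sharing and without sharing on classes that
// work with regional Opportunities (Region__c is a constructed custom field).
public with sharing class RegionalOpportunityService {
    // Entry point called from LWC: sharing rules apply, so a regional manager
    // receives only the Opportunities shared to them
    @AuraEnabled(cacheable=true)
    public static List<Opportunity> myRegionOpportunities() {
        String region = RegionHelper.currentUserRegion();
        return [SELECT Id, Name, Amount FROM Opportunity WHERE Region__c = :region WITH USER_MODE];
    }
}

// Takes the sharing mode of whoever calls it: with sharing from the service above,
// system mode if a without sharing class calls it. The right default for generic helpers.
public inherited sharing class RegionHelper {
    public static String currentUserRegion() {
        return [SELECT Region__c FROM User WHERE Id = :UserInfo.getUserId()].Region__c;
    }
}

// without sharing, kept deliberately narrow: it returns an aggregate, never a record,
// so no restricted row is exposed even though sharing rules are bypassed
public without sharing class RegionStats {
    public static Integer openOpportunityCount(String region) {
        return [SELECT COUNT() FROM Opportunity WHERE Region__c = :region AND IsClosed = false];
    }
}
```

The habit worth keeping from this layout is that without sharing classes stay small and return as little as possible, and are never the entry point an LWC or Visualforce page calls directly.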

20. Logging Unauthorized Actions Scenario

Question: How do you log unauthorized record access attempts?
Answer: Implement custom logging in Apex using a Custom Object, store attempts, and monitor via reports or dashboards.
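A custom-object logger for scenarios 10 and 20, added here as an example and not code from the original post. Access_Attempt_Log__c and its fields are constructed placeholders; the guarded update, the exceptions caught and the Database methods are standard Apex. One Apex behaviour shapes the design: if the denial is rethrown as an uncaught exception, the whole transaction rolls back and the log row disappears with it, so the service reports failure through its return value instead.

```apex
// Added example: log denied access attempts to a custom object
// (Access_Attempt_Log__c and its fields are constructed placeholders).
public without sharing class AccessAttemptLogger {
    // without sharing so the log row can always be written whatever the caller's access;
    // the log object itself is locked down to admins through its own CRUD/sharing settings
    public static void logDenied(String objectName, String recordId, String action, String reason) {
        Access_Attempt_Log__c entry = new Access_Attempt_Log__c(
            Object__c = objectName,
            Record__c = recordId,
            Action__c = action,
            Reason__c = reason == null ? null : reason.left(255),
            User__c   = UserInfo.getUserId()
        );
        // allOrNone=false: a logging failure must never break the user's own transaction
        Database.insert(new List<Access_Attempt_Log__c>{ entry }, false);
    }
}

public with sharing class OpportunityStageService {
    // Returns false instead of throwing on denial so the log insert survives;
    // an uncaught exception would roll back the transaction, log row included
    public static Boolean updateStage(Id oppId, String stage) {
        try {
            // No row means not visible to this user (or nonexistent); both are logged as READ
            Opportunity opp = [SELECT Id FROM Opportunity WHERE Id = :oppId WITH USER_MODE];
            opp.StageName = stage;
            // USER_MODE re-checks CRUD, FLS and sharing at DML time
            Database.update(opp, AccessLevel.USER_MODE);
            return true;
        } catch (System.QueryException e) {
            AccessAttemptLogger.logDenied('Opportunity', oppId, 'READ', e.getMessage());
            return false;
        } catch (System.DmlException e) {
            AccessAttemptLogger.logDenied('Opportunity', oppId, 'UPDATE', e.getMessage());
            return false;
        }
    }
}
```

Reports and dashboards on the log object then give the monitoring the scenario asks for; Event Monitoring covers the platform-level view (logins, API calls, report exports) that custom Apex logging cannot see.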

