Security
Key Takeaways
Security is the second highest failure domain on the CTA exam. Focus on sharing model design (OWD, role hierarchy, sharing rules), identity architecture (SAML, OAuth flows, MFA), and the trade-offs between security and usability. Judges probe deeply on record-level access, portal security, and encryption decisions.
This domain covers architecting secure solutions using platform security mechanisms, identity management, and data access controls. Security is the second highest failure domain on the CTA exam — candidates most commonly fail on sharing model design, identity architecture, and the trade-offs between security and usability.
Objectives
| # | Objective | Key Topics |
|---|---|---|
| 2.1 | Architect solutions using appropriate platform security mechanisms | Sharing Model, Encryption |
| 2.2 | Security considerations for portal architecture (internal and external users) | Portal Security |
| 2.3 | Declarative platform security features for record-level security | Sharing Model, Field & Object Security |
| 2.4 | Programmatic platform security features | Programmatic Security |
| 2.5 | Object and field access permissions | Field & Object Security |
| 2.6 | Design and justify end-to-end identity management solutions | Identity & SSO |
Key Topics
- Sharing Model: OWD, Role Hierarchy & Sharing Rules — the foundation of record-level security: OWD settings, role hierarchy design, sharing rules, implicit sharing, Apex managed sharing, teams, and territory management
- Identity & SSO: SAML, OAuth, and Access Management — SAML 2.0, all OAuth 2.0 flows, OpenID Connect, Connected Apps, My Domain, JIT provisioning, MFA, Named Credentials
- Field & Object Security: Profiles, Permission Sets & FLS — profiles, permission sets, permission set groups, muting permission sets, CRUD, View All/Modify All, FLS, the minimum access profile pattern
- Portal & Community Security: Experience Cloud Access — external user licenses, guest user security, HVCP sharing, external OWD, portal role hierarchy, sharing sets
- Experience Cloud Architecture — LWR vs Aura runtime, site templates, CMS architecture, SEO, CDN, multi-site strategy, Agentforce integration
- Programmatic Security: Apex Enforcement & Secure Coding — with/without/inherited sharing, CRUD/FLS enforcement, Named Credentials, secure coding, session-based permission sets
- Shield Platform Encryption, Event Monitoring & Field Audit Trail — deterministic vs probabilistic encryption, BYOK, cache-only keys, event monitoring, transaction security, field audit trail
- Territory Management Architecture — Sales Territories object model, hierarchy design, sharing interaction with role hierarchy, scaling limits, forecasting integration
- Security Decision Guides — visual decision flowcharts for OWD selection, sharing strategy, identity architecture, OAuth flow selection, encryption, and permission model
- Security Best Practices & Anti-Patterns — organized by sharing, identity, permissions, encryption, portal, and programmatic security
- Security Trade-offs — restrictive vs open OWD, security vs usability, encryption impact, sharing complexity vs performance
Related Topics
Security permeates every layer of a solution. These domains have the strongest security interdependencies:
- System Architecture — security requirements and compliance constraints drive architecture decisions
- Data Architecture — data classification, sensitivity tiers, and residency requirements drive encryption and access control choices
- Solution Architecture — secure design patterns determine which declarative vs programmatic approaches are viable
- Integration — OAuth flows, Named Credentials, and API security are core to integration architecture
Frequently Asked Questions
What security topics does the CTA exam focus on most heavily?
The CTA exam probes deepest on sharing model design (OWD settings, role hierarchy, sharing rules, implicit sharing), identity architecture (SAML 2.0, OAuth 2.0 flows, MFA, JIT provisioning), and the interplay between field-level security, profiles, and permission sets. Portal security for Experience Cloud external users is also heavily tested.
How is Security scored in the CTA review board?
Judges evaluate whether your sharing model is appropriately restrictive without being overly complex, whether identity flows are correctly selected for each user type, and whether you can defend the trade-offs between security and usability. They expect you to articulate why you chose a specific OWD setting and how your role hierarchy interacts with sharing rules.
What are the most common mistakes in Security during the CTA exam?
Candidates commonly fail by setting OWD to Public Read/Write without justification, confusing OAuth flow types (using the wrong flow for server-to-server vs user-facing scenarios), ignoring guest user security implications in Experience Cloud, not addressing encryption impact on search and filtering, and failing to account for implicit sharing through master-detail relationships.
When should I recommend Shield Platform Encryption in a CTA scenario?
Recommend Shield when the scenario mentions regulatory compliance requiring encryption at rest (HIPAA, PCI, GDPR), sensitive data fields that must be protected even from admins, or audit trail requirements beyond standard field history tracking. Always address the trade-offs: deterministic encryption limits filter and search capabilities, and probabilistic encryption restricts them further.
How do I choose between sharing rules, Apex sharing, and teams for record access?
Use sharing rules for predictable, criteria-based or ownership-based access patterns. Use teams (Account Teams, Opportunity Teams) when access follows relationship-based patterns tied to specific records. Use Apex managed sharing when access logic is too complex for declarative rules or requires runtime calculation. Always prefer the simplest mechanism that meets the requirement.
This is a personal study site for Salesforce CTA exam preparation. Built with AI assistance. Not affiliated with Salesforce.