Security Trade-offs

Every security decision involves trade-offs. The CTA board does not just want to hear what you recommend. They want to hear what you considered and rejected, and why.

Restrictive vs Open OWD

The fundamental tension: how locked down should the default record access be?

Dimension	Restrictive (Private OWD)	Open (Public Read/Write OWD)
Security	Maximum; users only see what is explicitly shared	Minimum; all users see all records
Complexity	Higher; sharing rules, teams, or Apex sharing needed to grant access	Lower; no sharing configuration needed
Performance	Share table rows created for every record; sharing recalculation on rule changes	No share table overhead; fastest queries
Scalability	Share tables grow with record volume; recalculation time increases	No scalability concern from sharing
Audit	Clear audit trail of who has access and why	No access controls to audit
Flexibility	Can open access selectively as needs change	Cannot restrict without changing OWD (breaking change)
LDV impact	At 10M+ records, share tables can become a bottleneck	No share table impact

When Restrictive OWD Becomes Problematic

Figure 1. Private OWD performance degrades non-linearly as record volume and sharing rule count increase together. At over 10M records with more than 50 sharing rules, sharing recalculation time can span hours, requiring architectural changes rather than incremental tuning.

Security vs Usability

The more secure a system is, the more friction users experience. Finding the right balance is an architectural skill.

Security Measure	Usability Impact	Mitigation
MFA on every login	Additional step; lost devices block access	Salesforce Authenticator push notification reduces friction; backup codes for lost devices
Private OWD + sharing rules	Users cannot see records they expect to see; “why can’t I see this?” support tickets	Clear communication; well-designed sharing rules; sharing reason field on shared records
FLS hiding fields	Users confused by missing data; reports appear incomplete	Document which user types see which fields; provide appropriate list views and reports
Session timeout (short)	Users logged out frequently; work may be lost	Balance timeout length with security requirements; auto-save functionality
IP restrictions	Remote workers blocked; VPN required	Use IP relaxation for Connected Apps; Named Credentials for integrations
Platform Encryption	Search limitations; report filter restrictions; slower typeahead	Communicate limitations upfront; redesign reports; use deterministic where search is needed
SSO (no direct login)	If IdP is down, users cannot access Salesforce	Configure breakglass admin accounts that bypass SSO; monitor IdP availability

Figure 2. Sharing model complexity compounds: each additional hierarchy level and sharing rule adds recalculation overhead and audit burden. A model that starts simple can drift toward unmanageable complexity as new business requirements are accommodated without revisiting the underlying OWD and hierarchy design.

Dimension	Simple Sharing	Complex Sharing
Role hierarchy depth	2-4 levels	8-15 levels
Sharing rules per object	5-15	50-100+
Recalculation time	Minutes	Hours (defer to maintenance window)
Debugging access issues	Straightforward	”Why can this user see this record?” becomes a multi-hour investigation
Onboarding new admins	Quick training	Weeks to understand the model
Impact of changes	Predictable	Ripple effects across rules

When to Accept Complexity

The business has genuinely complex data access requirements (multi-territory, matrix management, regulatory segmentation)
The alternative (Public OWD with manual processes) creates security risk
The organization has dedicated Salesforce architects who can maintain the model
Performance testing confirms acceptable recalculation times

When to Simplify

More than 50 sharing rules per object: redesign the hierarchy
Sharing recalculation takes more than 4 hours: too many rules or too many records
Admins cannot explain who has access to what: the model is too complex to govern
Users report “I can see records I shouldn’t” or “I can’t see records I should” frequently

Encryption Impact Analysis

The trade-off between data protection and platform functionality is the most concrete and testable security trade-off.

Functionality Impact by Encryption Scheme

Capability	Unencrypted	Deterministic	Probabilistic
SOQL WHERE (exact match)	Full	Yes	No
SOQL WHERE (LIKE, CONTAINS)	Full	No	No
SOQL ORDER BY	Full	Limited	No
Aggregate functions (SUM, AVG)	Full	No	No
Validation rules	Full	Limited	Limited
Workflow field comparisons	Full	Limited	Limited
Duplicate rules	Full	Exact match	No
Report grouping	Full	Yes	No
Report filtering	Full	Exact match	No
Search (SOSL)	Full	Depends on search index encryption	No
Formula references	Full	Limited functions	Limited functions
Auto-complete	Full	No	No

Cost of Encryption

Cost Dimension	Impact
License cost	Shield is 30-50% of platform license cost
Functionality regression	Features break; users lose search/filter capabilities
Development effort	Code must be reviewed and potentially refactored
Testing effort	Every report, integration, and workflow touching encrypted fields must be tested
Operational overhead	Key management, rotation, disaster recovery for keys
Performance	Encrypted field operations are slower (encrypt/decrypt overhead)

Profile Complexity vs Permission Set Groups

Dimension	Many Profiles	Minimum Access + PSG
Initial setup effort	Lower (clone existing profiles)	Higher (design atomic Permission Sets)
Ongoing maintenance	High (changes across all profiles)	Lower (change one Permission Set)
Auditability	Difficult (permissions scattered)	Clear (each PS has one purpose)
Scalability	Poor (profile limit: EE 1,500; UE 2,000)	Good (PSG composition is flexible)
User provisioning	Assign one profile	Assign one PSG (bundles multiple PS)
Exception handling	Create another profile clone	Add/remove individual PS or use Muting PS
Migration effort	N/A (legacy approach)	Significant (retrofitting existing profiles)

Multi-Org Identity Trade-offs

Multi-org scenarios (common after M&A or in global enterprises) introduce identity complexity that the CTA board frequently probes.

Figure 3. Multi-org SSO requires a clear IdP decision. Option A (central external IdP) provides instant deprovisioning across all orgs when a user is disabled at the IdP level. Option B (Salesforce as IdP) avoids additional IdP licensing cost but creates a single point of failure: if the IdP org is compromised, all spoke orgs are at risk.

Dimension	Central External IdP (Option A)	Salesforce as IdP (Option B)
Best when	Existing IdP serves all apps; M&A consolidation	No external IdP; SF is primary system
Deprovisioning	Disable at IdP; all orgs locked out instantly	Must manage Connected Apps per org
MFA	Single MFA policy at IdP	MFA at IdP org; spokes trust it
Cost	IdP license cost	No additional license cost
Risk	IdP outage blocks all access	Compromised IdP org compromises all orgs
Complexity	One SAML config per org	Connected App per spoke org

IdP Architecture Trade-offs

Dimension	SF as Service Provider	SF as Identity Provider
Best when	Corporate IdP exists (Okta, Azure AD, ADFS)	SF is the user SOR (portals, small companies)
User experience	Consistent with other corporate apps	SF-centric; other apps redirect to SF
MFA management	IdP handles MFA centrally	SF handles MFA (or delegates)
User provisioning	IdP provisions via SCIM/JIT	Manual or custom provisioning
Deprovisioning	Disable at IdP; SSO stops working	Must deactivate in SF explicitly
Availability	Dependent on IdP uptime	Dependent on SF uptime
Complexity	SAML/OIDC configuration	Connected Apps for each SP
Cost	IdP license cost	No additional cost

Session-Based vs Permanent Permissions

Dimension	Permanent Permission Sets	Session-Based Permission Sets
Access duration	Always active	Active only during qualifying session
Use case	Standard business roles	Elevated access, step-up authentication, time-limited access
Security posture	Permissions always available	Permissions only when actively needed
Complexity	Simple; assign and forget	Requires activation logic (Flow, Auth Provider, Apex)
Audit trail	User always has permissions	Clear audit of when permissions were activated/deactivated
User experience	Transparent	May require re-authentication or additional steps

The Security Architecture Decision Summary

For CTA board presentations, frame security trade-offs using this structure:

Figure 4. The CTA board expects architects to articulate trade-offs, not just conclusions. This five-step communication pattern (recommend, justify, trade-off, mitigate, alternatives) transforms a security answer from a list of choices into a defensible architectural narrative.

Example: “I recommend Private OWD for Accounts because the scenario includes partner users who should not see each other’s customer data. The trade-off is increased sharing complexity: I need three criteria-based sharing rules to grant regional visibility for internal sales teams. I mitigate this by keeping the role hierarchy flat at four levels and using public groups as sharing targets, which simplifies future changes. I considered Public Read Only but rejected it because partner users would see all Account names, which the scenario identifies as confidential.”

Sharing Model: sharing architecture details
Shield Encryption: encryption details and impact
Field & Object Security: permission model architecture
Identity & SSO: identity architecture decisions
Decision Guides: visual decision flowcharts
Security Best Practices: patterns and anti-patterns

Sources

Salesforce Architects: Sharing and Visibility
Salesforce Architects: Data Protection
Salesforce Help: Platform Encryption Considerations
Salesforce Architects: Security Architecture

Personal study notes for the Salesforce CTA exam. Content compiled from VJ's study notes, official Salesforce documentation, community sources, and online publicly available content, then organized and presented with AI assistance. Not affiliated with Salesforce. © 2025–2026 VJ Srivastava.