Getting Started
You may want to quickly skim the instructions then dive right into a challenge, without fully reviewing the use case or prerequisite information. This method sometimes works for standard Trailhead projects, particularly if you have background knowledge of the topic. A Superbadge challenge is different. A slow and thorough review of the entire requirement listing is necessary prior to feverish clicking. Trailhead Baby's method is to print, read, and re-read. The pre-work for the Security Superbadge contains critical information.
I rarely complete a Superbadge in one sitting. To ensure that you are using the same Trailhead Playground every time you log in, customize your playground with a unique name. Click on your name and select "settings." You will see a listing with all of your Salesforce Hands-on Orgs. Click on the pencil icon to change the label. My original name? "Security Superbadge."
Ready? Let's go!
Pre-work and Notes
Installing the Trailhead Security managed package will require a Salesforce login and password. You can launch your Playground org directly from the Superbadge requirements page then navigate to "users" on the setup menu. From the all users page, click the checkbox next to your name and select "reset password(s)." Write your new password down for later use! You can also obtain your username from the "users" menu, then install the managed package with your newly acquired password.
Challenge 1: Object-level Security Settings
I started by setting up the org wide settings to ensure that opportunities and accounts have the proper default access. If you need a refresher on object security, skim the "Data Security" module. It is a prerequisite to the Superbadge, but contains much detailed information that is easy to overlook the first time.
For profiles, you will have to clone an existing one in order to create the custom profiles. There are many options of profile types to clone, but I used the "standard" one. Within profiles you will have to establish login hours for the Inside Sales Users. If Monday through Friday login hours are entered, you will need to have login hours for Saturday and Sunday as well. Set the start and end time to be the same in order to set up a day where users are unable to log in.
Hint - Everything that you need in order to pass the first step of the Superbadge can be done within profiles after the org wide defaults are established.
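How org-wide defaults and profile object permissions combine, and how the role hierarchy and sharing rules later widen record access, can be modeled in a few lines. This is an added example, not part of the original post and not Salesforce code; the user, role and permission names are hypothetical, the data is constructed, and the model is a simplification that covers only read and edit.

```python
from dataclasses import dataclass, field

# Record-level access, ordered from least to most permissive.
NONE, READ, EDIT = 0, 1, 2
OWD_LEVEL = {"Private": NONE, "Public Read Only": READ, "Public Read/Write": EDIT}

@dataclass
class User:
    name: str
    role: str
    object_perms: dict  # from the user's profile: object -> {"read", "edit"}

@dataclass
class SharingRule:
    obj: str
    owner_role: str   # records owned by this role ...
    shared_with: str  # ... are opened to this role
    level: int

@dataclass
class Org:
    owd: dict          # object -> org-wide default label
    role_parent: dict  # role -> manager role (None at the top)
    sharing_rules: list = field(default_factory=list)

    def is_above(self, role, other):
        """True when `role` is an ancestor of `other` in the role hierarchy."""
        parent = self.role_parent.get(other)
        while parent is not None:
            if parent == role:
                return True
            parent = self.role_parent.get(parent)
        return False

    def record_level(self, user, obj, owner):
        """Widest record access from ownership, hierarchy, OWD and sharing rules."""
        if user.name == owner.name or self.is_above(user.role, owner.role):
            return EDIT
        level = OWD_LEVEL[self.owd[obj]]
        for r in self.sharing_rules:
            if (r.obj, r.owner_role, r.shared_with) == (obj, owner.role, user.role):
                level = max(level, r.level)
        return level

    def can(self, user, action, obj, owner):
        """The profile must allow the action AND the record must be reachable."""
        if action not in user.object_perms.get(obj, set()):
            return False
        needed = READ if action == "read" else EDIT
        return self.record_level(user, obj, owner) >= needed

def demo():
    # Constructed sample org; none of these names come from the superbadge.
    org = Org(owd={"Opportunity": "Private", "Account": "Public Read Only"},
              role_parent={"Rep": "Manager", "Support": "Manager", "Manager": None})
    full = {"Opportunity": {"read", "edit"}, "Account": {"read", "edit"}}
    read_only = {"Opportunity": {"read"}, "Account": {"read"}}
    alice = User("alice", "Rep", full)          # owns the records being checked
    bob = User("bob", "Support", full)          # peer in a different role
    carol = User("carol", "Manager", read_only) # above both in the hierarchy
    out = {
        "peer_reads_opp": org.can(bob, "read", "Opportunity", alice),
        "peer_reads_account": org.can(bob, "read", "Account", alice),
        "peer_edits_account": org.can(bob, "edit", "Account", alice),
        "manager_reads_opp": org.can(carol, "read", "Opportunity", alice),
        "manager_edits_opp": org.can(carol, "edit", "Opportunity", alice),
    }
    # A sharing rule opens what the OWD locked down, for one role only.
    org.sharing_rules.append(SharingRule("Opportunity", "Rep", "Support", READ))
    out["peer_reads_opp_after_rule"] = org.can(bob, "read", "Opportunity", alice)
    return out

if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {allowed}")
```

The profile alone never grants access to a record the sharing model hides, and the sharing model never grants an action the profile withholds.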
I am stuck in challenge 5. Can you please help with the steps?
Please leave a comment on the blog post that references challenge 5 with a more detailed description of the question. I will not post the "steps" to any challenge, but I am happy to examine what you have and provide tips.
I have a small doubt: we only have 2 Salesforce user licenses. How will I be able to create 3 users, as I don't have enough licenses?
You only need to create 1 user for this superbadge. Permissions such as profiles and roles are separate from users.
Having a deep level of frustration over this step one error 'Challenge Not yet complete... here's what's wrong:
The Sales Executive User does not appear to have the correct object permissions for Accounts and Opportunities.' OWD have accts as read and opps as private. Roles are set up with sales exec over fields and inside sales, sales exec profile has Accts as read only and Opps as read only. Any input would be greatly appreciated. Thanks.
Hello! My apologies for the slow response- I hope you are not stuck on this step any more! (My baby brother arrived this week, so I took a few days off to play with him.) You will want to re-read the criteria for the Sales Executive User:
"Sales Executive users should be able to view all opportunities and accounts (regardless of other sharing settings), but not be able to create, edit, or delete any opportunities or accounts."
If the user can only see their own private opportunities, they will not meet the required criteria.
Congratulations on your baby brother. I'm sure he will be fun to play with. Thanks for the help. Hopefully this will remedy my issue.
Can this really be done with just OWD and Profiles?
"Restrict access to opportunities to the people who own them (and their managers)." This to me says that Opps have to be Private, which means you'd have to use Sharing Rules to get Sales Exec Users to have access to them.
But I couldn't get that to work so I went back to Public R/O for both Accounts & Opps, and it still complains that Sales Executive Users don't have the correct permissions for Accounts & Opps. I cloned that profile from Read Only, made sure "View All" isn't checked anywhere, and left "Read" checked for Accounts & Opps on the Sales Exec Profile.
In the "real world" I would use profiles and OWD. Not for this superbadge though... Clone the Standard User Profile for the new Inside Sales/Sales Exec/Field Sales profiles.
(Minor tweaks on each profile are needed...) Opps need to be private org wide but access opened to the correct people via roles & sharing rules.
I recently wrote a new post about this particular superbadge that might be helpful:
https://trailheadbaby.blogspot.com/2018/08/security-specialist-superbadge-1.html
Even with the correct sharing rules, you have to do a specific set of steps in order to pass this step.
Feel free to leave another comment if you are still stuck!
Hi, I am currently in the midst of completing this superbadge, but I don't have the required number of Salesforce licenses to assign to the users. I have 1 left, but have 4 users to create. I installed the package to my trailhead playground, so I am not sure what I should be doing here. I am stuck! Please help. Thanks!
Only 1 user needs to be created.... perhaps you are confusing "users" with "profiles"?
Hi there, great advice here! I am trying to complete this superbadge and I am having trouble connecting Samantha Cordero's user to the Field sales profile...I set up the profile correctly, but unsure how to add the user Samantha to it. When I try it, it tells me I don't have enough licenses left..am I missing something? Thank you!
Yeah, how to connect these profiles to Samantha.... Maryanne, did you get how to connect?
You assign a profile to a user when you create the user.
Hello Trailhead Baby!
You are super cool! I had something I wanted to bring up: On this superbadge, some of the profile requirements say "should have mobile access, granted by the admin on demand". I could not find this in profile settings or under installed packages, yet I passed the first section of the superbadge. Any idea what this statement means?
Thanks
Good question! In setup, search for "connected apps"- click "edit policies" at the top, and you will see a few options under "OAuth policies" including "permitted users." You can pick the permitted users by permission set or profile - click back to the page where you selected "edit policies." I assumed that "mobile access on demand" meant that only the correct users should have access -not that the poor admin would have to manually grant access to each person. Does this help?
Note- It may be a little obnoxious- but the mobile settings have to be configured twice. Once for android & once for iOS.
Hi there. So when I go to Connected Apps, mobile isn't listed? But I did install the package I was supposed to. I'm stumped on it...
I'm also stumped on how to force remote users to use VPN...
A little secret- to see connected app settings a user has to log in via mobile. Start creating Samantha Cordero / download the SF app then log in as her. Check back with connected apps, and you should see some options.
VPN question- if you are referring to the IP restrictions...scroll to the bottom of a profile. If not, could you reword the question? I didn't quite understand what was being asked :)
Thank you that helped!
Now I'm stuck on step 1 - I checked challenge and it says that "Could not find a profile named 'Field Sales User'" but I have clearly and carefully made that profile... I think correctly? I triple checked it. Any ideas? Thank you!
What profile did you clone to create the Field Sales User Profile?
Standard User
The other question I already have (sorry!) is that it says MyDomain is already configured, and not to mess with settings, but MyDomain is not already set up in my TP. Is that bc I'm using a Dev Edition?
Probably... the good news is that MyDomain is not difficult to set up. (A "playground" comes with MyDomain already set up.)
Here's a how to guide:
https://developer.salesforce.com/docs/atlas.en-us.eclipse.meta/eclipse/eclipse_lightning_explore_enable.htm
Ok thanks. Yeah I did it for my org and it was not hard, I just thought it meant that maybe I'm NOT supposed to be in a Dev org. Maybe just a regular Trailhead Playground? I feel like I'm going to have to start ALL over even though I keep checking and everything looks right.
A Dev org should be fine.... I usually would recommend starting with a Playground though since it comes "preconfigured" somewhat. Starting over is never fun! (I've had to do it myself a time or two)
Hello!
In challenge 1, I keep getting the same error "The account object level permissions are not configured correctly for the Field Sales User profile"
My account and opportunities have read and view all checked, but it still shows this error.
Please help!!
Double check the instructions - "do not use the profile View All or Modify All settings."
Now it says "The opportunity object level permissions are not configured correctly for Field Sales User profile"
I've rectified the above issue, but now my Inside Sales User has an issue with the object permissions for accounts and opportunities.
And thank you very much for your help earlier. :)
Please help with the new issue..
What permissions do you have set for the inside sales user on the account / opp objects?
I have view all and modify all object permissions set for both.
And with view all and modify all, view, edit and delete are automatically getting selected. So, all 5.
Double check the instructions - view all / modify all are not used on the profile. You lock things down with profiles then open them in a limited way with another feature.
I'm still not getting it. The instructions given in the challenge description don't specify what object permissions I need to give for these profiles. :(
The instructions won't give exact step-by-step guidance...however... I'm sure you can figure it out. I recommend writing it out - thinking of Org Wide Defaults as your most restrictive setting. IE - If everyone can not see opps, then they can not be set to "read all" or "write all." Profiles open up the objects for specific groups- IE- What should an "Inside Sales Manager" be able to see? If only their own opps, they can not have "read all" since then they could see all of the opps in the org...etc. Sharing rules open things up even more - expanding beyond the visibility allowed in the profile. I hope this helps! If not, I'd go back to trailhead and brush up on security. Data Security is a good module for this.
I FINALLY got it!! I can't tell you how thankful and elated I am!!
Thanks heaps! You're doing an amazing job by helping trailblazers like us! :D
Thanks for these posts. I am still stuck on challenge 1 though with "The account object level permissions are not configured correctly for the Field Sales User profile". My OWD for Opps and Accounts are set correctly and I am not using the View All/Modify All options in the profile.
Any suggestions?
Hi Jason! What account permissions do you have in place for Field Sales?
And what OWD are you using for opps/accounts?
OWD - account is set to public read/write (but I also tried read only), opps is set to private.
In the profile, I have read/edit for accounts. One thing I found odd is that there aren't any standard object permissions for opps within the profile.
Double check the OWD for accounts... You were correct the first time.
The profile- accounts are correct, but there are standard object permissions for opps.... look on the right - It's a little hidden.
There is no way for me to post a screen shot, so here is a list of the items I see under "Standard Object Permissions":
Accounts, Coaching, Contacts, D&B Companies, Documents, Feedback, Feedback Questions, Feedback Question Sets, Feedback Requests, Feedback Templates, Goals, Goal Links, Metrics, Metric Data Links, Performance Cycles, Rewards, Reward Funds, Reward Fund Types and Streaming Channels.
I have even done a find on the profile edit page for "opportunity" and there are 0 results.
Really at a loss!
Got it! I'd bet that the Field Sales Profile was created by cloning the incorrect profile type. Click on the "Standard User" profile and scroll down - You should see the opportunity object permissions on the right. This is the profile that I would use to clone the 3 custom profiles. I'd bet you used the "standard platform user" profile instead. Does this help?
That was it. Thank you for the assistance.
Thank you for this tip about "Standard User"!!
Hi,
I am getting this error 'Could not find a profile named 'Field Sales User'.
I have created the profile and assigned the permissions also.
Could you help?
What profile did you clone to create the Field Sales User profile?
Hey! I've been facing the same issue as well and I cloned it from Standard User only.
Please help out!
Thanks in advance!
Double check the spelling- one common issue is to call the profile "Field Sales" instead of "Field Sales User". Also - Is the user license "Salesforce"?
Check whether you have another playground open and that is set as the default one. Closing the other open playgrounds might fix the issue.
Lots of trouble with this one:
OWD for Account: I've tried both Pub Read Only and Public Read/Write
OWD for Oppt: Private
Object Permissions for Field Sales
Accounts: R,E
Opptys: R,E
Object Permission for Inside Sales
Accounts: C,R,E
Opptys: C,R,E
Object Permission for Sales Exec
Accounts: R
Opptys: R
I created Roles for each with both the FS and IS reporting to the Sales Exec. I then created a Sharing rule for Opptys for records of a Public Group (All internal users) to share their records with the Inside Sales Role with Read/Write access. I then created a second sharing rule for all Internal Users Opptys to be shared with the Sales Executive Role with Read Only access.
I get "The Sales Executive User does not appear to have the correct object permissions for Accounts and Opportunities."
OWD for accounts- Try locking that one down to public read only.
There should be 4 sharing rules total- 2 on accounts, 2 on opportunities.
One of the sharing rules uses a public group- the rest are tied to roles.
Object permissions-
* Tweak for the Sales Exec & Field Sales. (Inside Sales looks good)
I'm really lost on the Sales Exec permissions. It says "view all opptys and accounts (regardless of sharing settings), but not be able to CED any opportunities or accounts."
How is that not a View only permission on Opportunities and Accounts? Help!
Sales Exec - You need two boxes checked for both account and opp profile access. (What you have is correct but you need one more per object)
Thanks, I'm also really stuck on the first challenge. I can see that roles and sharing rules are involved but not clear how I should be relating that to the initial profiles setup. Profiles do not tie to roles, so do I need to create all the users and assign roles? The verification is looking to see whether the profile has access not the user.
Think of security setup as a top down exercise. First, you lock down the org to the most secure with the OWD. Then open it up a bit with profile, then role, then permission set/ sharing rules... etc.
http://sfdcsrini.blogspot.com/2014/07/what-is-difference-between-roles-and.html
Thanks. I am working through the top-down. With Challenge #1, the implication is that you only need to go down from org to profile set up. But it seems you do need to set up roles, sharing and then users with roles assigned for them to have the proper access.
The error says the profile does not have the right object permissions, but the instructions require permissions to be adjusted per user with specific roles and sharing, I think. Right track?
Oh goodness... You made me dig out my old dev org :) I do not have the challenge steps in front of me...but if my memory isn't faulty
For step 1, I would take a look at the OWD and adjust the profiles. I don't think you have to set up roles for the first step.
The superbadge requires roles, a public group, sharing rules, etc.
IE- If not everyone can see all opportunities- adjust the OWD accordingly. If Sales Executives should see all opps - profile. If a profile should see their opps plus another profile's opps....profile and sharing rule.
I hope this helps!
If you get too stuck, I'm happy to take a look at a screenshot and point you in a good direction (rebecca@capstorm.com)
Thanks, I'm starting a whole new DE and going from zero today and will let you know.
"If a profile should see their opps plus another profile's opps....profile and sharing rule."
Doesn't a sharing rule require a role or public group? Can it be done before setting up roles? That's where I thought I got stuck first time.
Bingo! I passed first challenge simply by ignoring all the access rules that are pertinent to later steps and Roles setup.
The most important tip I think for challenge 1 is that you *only* need to set up OWD and profiles. No roles, no sharing rules, no users, etc. Leave all those requirements for the later steps.
So glad you got it!!! Congrats!
Hi there, I am also getting the error 'Could not find a profile named 'Field Sales User'. I have cloned the Standard User profile to create it.
That is an odd error - I would expect that there is some sort of spelling issue since the Standard Profile is the correct one to clone. What is the unique name for the profile?
Try assigning the user (Samantha Cordero) to the profile, this should help.
Same exact user and I followed this to the T.
Could not find a user named Samantha Cordero with the Field Sales User profile.. Please help. I have created accordingly and passed Apex tests too, but when checking the challenge I'm getting this error.
Did you log in via your phone using her user name?
Hello Trailhead Baby
I need help with the flow part of the process automation superbadge. I would like to send you a snapshot if you let me know how (via email?).
You have 4 warnings.
Resolve these issues (2)
These issues prevent activation.
Search_Products (Get Records) - The field "Id" isn't compatible with the SObject element "ProductID". "ProductID" can't be a SObject.
Search_Products (Get Records) - The field "Name" isn't compatible with the SObject element "ProductName". "ProductName" can't be a SObject.
Just a heads up... (2)
These issues don't prevent activation, but can cause problems when you run the flow.
Search_Products (Get Records) - The section of the flow starting from "Search_Products" is never used.
Show_Products (Screen) - The section of the flow starting from "Show_Products" is never used.
Would you mind posting the question along with some details of what you have on the blog post related to this superbadge? I am happy to take a look.
I have a question about the wording of OWD in the instructions. It says "Allow access to accounts to anyone in the org, regardless of who owns them, as long as their profile allows access to Accounts in general." Is that public read/write (allow access to accounts to anyone) or public read only because 'access' means 'view' not including 'edit/create/delete'? I'm just starting learning Salesforce and I must say that superbadges are superhard compared to regular badges.
Kudos to you for reading the instructions so thoroughly! In this case, an OWD of read only is the answer that is needed. Access will allow a person to read all, just not edit.
Hi,
I did go through some of the comments above, but I am still not sure if I have all the business requirements set for Challenge 1. I do have all the three profiles created and only Sales Executive User profile permission has view all set. For Sharing Settings -> Org wide defaults, I have Accounts as Public Read/Write and Opportunities as Private. But I am not clear on what you mean by:
There should be 4 sharing rules total- 2 on accounts, 2 on opportunities.
One of the sharing rules uses a public group- the rest are tied to roles.
The above two statements are from your previous comments and I don't see 4 sharing rules created under my OWD page. Can you please help on this.
You need to create the sharing rules.
Hi,
Please help, I am stuck on challenge 2 for the Security badge.
Apex tests are not cleared.
It's driving me crazy as this is my 3rd org with the same problem and I don't know how to resolve this.
I am getting 0/2 in apex test and System.QueryException: List has no rows for assignment to SObject
Stack Trace
Class.sb_security.BeAwesome.createUser: line 133, column 1
Class.sb_security.BeAwesome.setup: line 124, column 1
Please help
Hi champ- How about I take a glance at some screenshots before you go crazy... email to rebecca@capstorm.com
I'm getting the same error. Would you mind sharing insight on the needed correction?
Thank you.
Can you help in challenge 1?
A lot of confusion
Hello,
I am working on challenge 1 of the Security Super Badge Challenge and am stuck on the object-level security for the Inside Sales position. The instructions say:
They should be able to create and manage list views for themselves and other people. Inside sales users can view, create, and edit all accounts and opportunities (but not delete them). Note: When providing access to see and edit all accounts and opportunities for Inside Sales, do not use the profile View All and Modify All settings.
I am not sure what to do here. When I select Edit all accounts in the profile settings, it automatically selects Delete. I am unable to remove delete without also taking off edit. I also tried setting up a permission set, but it seems I can only assign that to users, rather than profiles. They keep telling me "The Inside Sales User does not appear to have the correct object permissions for Accounts and Opportunities.". I am paying particular attention to the part of their instructions where they say "when providing access to see and edit all accounts and opportunities for Inside Sales, do not use the profile View All and Modify All settings.", but I am unsure where to fix this. Any guidance would be appreciated!
You can select read/edit for all opportunities without selecting view all or modify all. This is done on a profile level. You will also need to open up access via some sharing rules- but I think this is on step 2 of the superbadge.
I struggled with remembering how to set the OWDs but there is a great video online:
Who Sees What: Org-Wide Defaults (Lightning Experience)
https://www.youtube.com/watch?v=xCEPbbdycjc
Hope it helps.
The unit tests in the managed package have not passed successfully. Make sure you run all test in your org before checking this section. Ensure that they all pass... This is the error I am getting while doing the superbadge.
Then check your sharing settings and the profile settings to ensure that they line up with the challenge requirements.
Hi! Thank you for all the insight from above! I've been working to improve my security skills and found this badge helpful but challenging. I was able to proceed with all the requirements and set up of all the profiles, including the mobile access and Organizational Wide Defaults, however I'm still receiving an error when I go to check the first challenge.
The error states: There was an unhandled exception. Please reference ID: UUGQVSAS. Error: Restforce::UnauthorizedError. Message: INVALID_AUTH_HEADER: INVALID_HEADER_TYPE
Do you know why this is happening? I originally thought it was the playground description, but I made sure the new playground was the default. I even changed the url with my domain to simplify but the issue still persists. Any insights into how I can resolve this issue?
Hmm. That is an odd one. Are your IP ranges specified for the profile you are using? (Does your IP fall outside the range?)
Hi, could you please help me out with the below error from the Security Super Badge Challenge?
'We couldn't find the Sharing Rule that shares Opportunities owned by Field Sales users with Inside Sales users. Please check if the setup of this Sharing Rule is correct. Also, make sure that Samantha Cordero has been assigned the Field Sales role.'
What's your sharing rule that you have created? If you can, please share.
Actually I am in the middle of 'set record level security settings'. I just created a User and created Opportunities. I don't understand what sharing rule I have to create.
Restrict access to opportunities to the people who own them (and their managers).
Allow access to accounts to anyone in the org, regardless of who owns them, as long as their profile allows access to Accounts in general. Note: keep default options for contacts.
Note: These general record-level security requirements can be overridden by the more specific requirements set below.
Please also help in this too
Hi,
I am not able to set the access for the opportunities, I have done it for sales though
I don't see an object called opportunities in the object settings
The Sales Executive User does not appear to have the correct object permissions for Accounts and Opportunities.
Hello sir- I am doing the Superbadge for User Authentication Settings Superbadge Unit Challenge 2 Login Requirements and Limits. I keep getting the following error- Challenge Not yet complete... here's what's wrong:
We can't find the expected login IP range to allow Inside Sales users to log in at the corporate office. Make sure you've set a description for the setting, too.
I have set the range provided but I'm not sure of the issue.