Skip to content
theCodeFlash

Security Decision Guides

Use these decision flowcharts as mental models when analyzing scenarios. The board expects you to articulate the decision process, not just the final answer.

Decision 1: OWD Selection Per Object

Sharing model selection starts with a per-object OWD decision, not an org-wide choice. For each object, identify the single most restrictive user — the one who must see the fewest records — and set OWD accordingly. Once OWD is set, fill access gaps using the sharing stack in order: role hierarchy for upward management visibility, ownership-based sharing rules for predictable owner-pattern access, criteria-based sharing rules for field-value patterns, teams for collaborative record-specific access, and Apex managed sharing for runtime-calculated access that declarative mechanisms cannot express. A common mistake is reaching for Apex sharing too early, which adds maintenance burden for patterns that criteria-based rules could handle with zero code. Present your OWD and hierarchy choices first, then justify each sharing rule as closing a specific gap.

For each object in the data model, follow this decision tree to select the correct OWD.

Comprehensive OWD selection flowchart covering all five OWD settings, external OWD configuration, and hierarchy access toggle for each object in the data model.
Figure 1. OWD selection must be performed per object, not once for the whole org. The presence of even a single user who must not see all records of an object forces Private OWD, and then external OWD and hierarchy settings are configured as follow-on decisions.

CTA Approach

Walk through this decision tree for every object in the scenario. Start with the most sensitive objects first. The board wants to see a systematic process, not gut instincts.

Decision 2: Sharing Strategy Selection

Once OWD is set to Private, determine how to open access for users who need it.

Decision tree for choosing between role hierarchy, ownership-based rules, criteria-based rules, teams, Apex sharing, and territory management based on the access pattern type.
Figure 2. Sharing mechanism selection follows the nature of the access pattern. Predictable, field-value-based patterns suit criteria sharing rules; unpredictable or per-record collaborative access suits teams; complex runtime logic requires Apex managed sharing.

Sharing Mechanism Complexity and Performance

MechanismSetup ComplexityPerformance ImpactMaintenance BurdenScale Limit
Role HierarchyLowLow (built-in)Low~500 roles (practical)
Ownership Sharing RulesLowMedium (recalculation)Low300 per object
Criteria Sharing RulesLowMedium (recalculation)Medium50 per object
TeamsMediumLow per recordMediumNo hard limit
Territory ManagementHighMedium-HighHighComplex territory models
Apex Managed SharingHighVaries (depends on code)HighGovernor limits

Decision 3: Identity Architecture

Identity approach selection starts with whether a corporate IdP already exists. If it does, Salesforce is always the Service Provider and the corporate IdP authenticates users via SAML 2.0 or OIDC. If no corporate IdP exists and Salesforce is the system of record for users (typically in customer portal scenarios), Salesforce becomes the IdP. In post-M&A or multi-business-unit scenarios with multiple IdPs, recommend a centralized identity broker such as Okta or Azure AD, with Login Discovery routing users to the correct IdP by email domain. The wrong pattern is configuring SAML SSO directly to two competing IdPs without a broker — this creates user routing ambiguity and requires manual fallback procedures. Always address the SSO breakglass scenario: a designated admin account that bypasses SSO, reachable when the IdP is down.

Determine the identity architecture for the scenario based on existing infrastructure and user types.

Decision tree for positioning Salesforce as a service provider or identity provider based on existing IdP infrastructure, then selecting the appropriate protocol for each authentication scenario.
Figure 3. The first identity architecture decision is whether Salesforce acts as an SP or IdP, which is almost always SP when a corporate IdP exists. Protocol selection follows: SAML for pure web SSO with legacy systems, OIDC when modern web or mobile apps also need API access.

IdP Selection Criteria

FactorUse Existing Corporate IdPUse Salesforce as IdPRecommend New IdP
Existing IdP in placeYesNoNo
No existing IdPNoIf SF is user SORFor enterprise needs
Multiple cloud appsYesNoYes
Customer portal onlyMaybeYesNo
Regulatory complianceDepends on IdP capabilitiesIf SF meets requirementsDedicated IdP preferred
Total users > 100KYes (scalable IdP)Evaluate SF limitsYes

Decision 4: OAuth Flow Selection

When an integration or application needs API access to Salesforce, select the correct OAuth flow.

Decision guide for selecting the correct OAuth 2.0 flow for Salesforce API access, routing by user involvement and application type, all converging on Connected App configuration.
Figure 4. All OAuth flows terminate at a Connected App configuration, but the path to get there differs. Server-to-server integrations with a certificate should use JWT Bearer, as it is the most secure option and does not expose credentials in requests.

OAuth Flow Security Comparison

FlowSecret Exposure RiskToken LifetimeRefresh TokenMFA Compatible
Authorization CodeLow (server-side secret)Short (configurable)YesYes
Auth Code + PKCEVery Low (no secret)ShortYesYes
JWT BearerLow (certificate-based)ShortNoN/A (no user)
Client CredentialsMedium (secret required)ShortNoN/A (no user)
SAML BearerLow (assertion-based)ShortNoVia SAML IdP
DeviceMedium (polling period)ShortYesYes

Decision 5: Encryption Strategy

Encryption strategy selection follows a three-level decision cascade. First, establish whether regulatory compliance mandates encryption (HIPAA, PCI-DSS, GDPR, SOX). If yes, identify the regulated fields. Second, determine whether the org is on Hyperforce — if it is and the requirement is broad data-at-rest protection, Database Encryption has zero functional impact and is preferred over field-level encryption. If field-selective control or Cache-Only Key management is needed, Shield Platform Encryption is the option regardless of infrastructure. Third, for each field to be encrypted with Shield FLE, evaluate whether it must be searchable or filterable. If yes, use deterministic encryption and explicitly address the LIKE/aggregate trade-offs with whoever owns the reporting requirements. If no, use probabilistic for maximum protection. Always perform a query impact analysis before enabling encryption on any field used in existing reports, list views, or SOQL filters.

Determine what to encrypt and how, based on regulatory requirements and business needs.

Decision tree for determining whether Platform Encryption is needed, then selecting deterministic or probabilistic scheme and the appropriate key management option per regulated field.
Figure 5. Encryption decisions cascade: regulatory requirement drives whether to encrypt at all, searchability requirements drive scheme selection, and existing query patterns determine whether refactoring is needed before encryption can be safely enabled.

Encryption Decision Matrix

Data TypeEncrypt?SchemeRationale
SSN / Tax IDYesDeterministicSearchable for matching; regulatory requirement
Credit card numbersYesProbabilistic (or don’t store)PCI-DSS; avoid storing if possible
Health recordsYesProbabilisticHIPAA; rarely need to search within
Email addressMaybeDeterministic if encryptedOften needed for search; weigh risk vs functionality
Phone numberMaybeDeterministic if encryptedSimilar to email
Financial amountsRarelyConsider impactBreaks aggregation, reporting
Free-text notesIf regulatedProbabilisticCannot search encrypted notes
AddressesIf regulatedDeterministicMay need for matching/dedup

Decision 6: Permission Model Architecture

Decision tree for choosing between Minimum Access Profile with Permission Set Groups versus a small number of custom profiles, based on access pattern count and projected org growth.
Figure 6. The Minimum Access Profile pattern is the default recommendation for any org with growth potential or more than three distinct access patterns. Even when starting with a few custom profiles, the design should plan for migration to the PSG model as the org scales.

Decision 7: Portal Security Architecture

Decision tree for external user portal security covering customer versus partner license selection, volume-based HVCP versus Community Plus decisions, and guest user lockdown configuration.
Figure 7. Portal license selection at scale hinges on whether reporting and role hierarchy are genuinely needed. Customer Community (HVCP) with Sharing Sets handles millions of users more efficiently than Community Plus, but surrenders role-based reporting. This trade-off must be explicitly justified.

Quick Reference: Security Decision Checklist

Use this checklist for every CTA scenario to ensure full security coverage:

#DecisionKey QuestionReference
1OWD per objectWho is the most restrictive user?Sharing Model
2External OWDAre there external users? Set separatelyPortal Security
3Role hierarchyData access pattern, not org chart?Sharing Model
4Sharing rulesWhat access gaps remain after hierarchy?Sharing Model
5Profile/Permission modelMinimum access + Permission Set Groups?Field & Object Security
6FLS per profile/PSWhich fields do each user type need?Field & Object Security
7Identity/SSOExisting IdP? SF as SP or IdP?Identity & SSO
8OAuth flowsWhich flows for which integrations?Identity & SSO
9MFAWhere is MFA enforced?Identity & SSO
10Portal securityLicense type, External OWD, guest user?Portal Security
11EncryptionRegulatory requirement? What fields?Shield Encryption
12Apex securitywith sharing? CRUD/FLS enforced?Programmatic Security

Sources

Personal study notes for the Salesforce CTA exam. Content compiled from VJ's study notes, official Salesforce documentation, community sources, and online publicly available content, then organized and presented with AI assistance. Not affiliated with Salesforce. © 2025–2026 VJ Srivastava.