Security

This domain covers architecting secure solutions using platform security mechanisms, identity management, and data access controls. Security is the second highest failure domain on the CTA exam — candidates most commonly fail on sharing model design, identity architecture, and the trade-offs between security and usability.

Objectives

#	Objective	Key Topics
2.1	Architect solutions using appropriate platform security mechanisms	[[02-security/sharing-model
2.2	Security considerations for portal architecture (internal and external users)	[[02-security/portal-security
2.3	Declarative platform security features for record-level security	[[02-security/sharing-model
2.4	Programmatic platform security features	[[02-security/programmatic-security
2.5	Object and field access permissions	[[02-security/field-object-security
2.6	Design and justify end-to-end identity management solutions	[[02-security/identity-sso

Key Topics

• Sharing Model: OWD, Role Hierarchy & Sharing Rules — the foundation of record-level security: OWD settings, role hierarchy design, sharing rules, implicit sharing, Apex managed sharing, teams, and territory management
• Identity & SSO: SAML, OAuth, and Access Management — SAML 2.0, all OAuth 2.0 flows, OpenID Connect, Connected Apps, My Domain, JIT provisioning, MFA, Named Credentials
• Field & Object Security: Profiles, Permission Sets & FLS — profiles, permission sets, permission set groups, muting permission sets, CRUD, View All/Modify All, FLS, the minimum access profile pattern
• Portal & Community Security: Experience Cloud Access — external user licenses, guest user security, HVCP sharing, external OWD, portal role hierarchy, sharing sets
• Experience Cloud Architecture — LWR vs Aura runtime, site templates, CMS architecture, SEO, CDN, multi-site strategy, Agentforce integration
• Programmatic Security: Apex Enforcement & Secure Coding — with/without/inherited sharing, CRUD/FLS enforcement, Named Credentials, secure coding, session-based permission sets
• Shield Platform Encryption, Event Monitoring & Field Audit Trail — deterministic vs probabilistic encryption, BYOK, cache-only keys, event monitoring, transaction security, field audit trail
• Territory Management Architecture — Sales Territories object model, hierarchy design, sharing interaction with role hierarchy, scaling limits, forecasting integration
• Security Decision Guides — visual decision flowcharts for OWD selection, sharing strategy, identity architecture, OAuth flow selection, encryption, and permission model
• Security Best Practices & Anti-Patterns — organized by sharing, identity, permissions, encryption, portal, and programmatic security
• Security Trade-offs — restrictive vs open OWD, security vs usability, encryption impact, sharing complexity vs performance

Related Domains

Security permeates every layer of a solution. These domains have the strongest security interdependencies:

• System Architecture — security requirements and compliance constraints drive architecture decisions
• Data Architecture — data classification, sensitivity tiers, and residency requirements drive encryption and access control choices
• Solution Architecture — secure design patterns determine which declarative vs programmatic approaches are viable
• Integration — OAuth flows, Named Credentials, and API security are core to integration architecture