+2,500 points

Salesforce Security Advocate Superbadge Unit

Encourage and facilitate the adoption of security best practices in your Salesforce org.

~1 hr


What You'll Be Doing to Earn This Superbadge

  1. Automate permission set expiration dates based on related training.
  2. Use In-App Guidance to increase user awareness for common cybersecurity risks.
  3. Import a custom baseline in Health Check to gauge an org’s security health.
  4. Explain Salesforce security best practices and critical concepts.

Concepts Tested in This Superbadge

  • Cybersecurity

Prework and Notes

Sign Up for a Developer Edition Org with Special Configuration

To complete this superbadge unit, you need a special Developer Edition org that contains special configuration and sample data. Note that this Developer Edition org is designed to work with the challenges in this superbadge unit.

  1. Sign up for a free Developer Edition org with special configuration.

  2. Fill out the form. For Email address, enter an active email address.

  3. After you fill out the form, click Sign me up.

  4. When you receive the activation email (this might take a few minutes), open it and click Verify Account.

  5. Complete your registration by setting your password and challenge question. Tip: Save your username, password, and login URL in a secure place—such as a password manager—for easy access later.

  6. You are logged in to your superbadge Developer Edition org.

Now, connect your new Developer Edition org to Trailhead.

  1. Make sure you’re logged in to your Trailhead account.

  2. In the Challenge section at the bottom of this page, select Connect Org from the picklist.

  3. On the login screen, enter the username and password for the Developer Edition org you just set up.

  4. On the Allow Access? page, click Allow.

  5. On the Want to connect this org for hands-on challenges? page, click Yes! Save it. You are redirected back to the Challenge page and ready to use your new Developer Edition org to earn this superbadge unit.

  6. Now that you have a Salesforce org with special configuration for this superbadge unit, you’re good to go.


  • Complete all steps in this superbadge in Salesforce Lightning Experience.

  • Some of the terminology used in this superbadge is descriptive and may not match the name as it appears in the user interface (UI). This is to test your knowledge of Salesforce features and ability to select the correct feature to satisfy a business need.

  • Where possible, formulas will be evaluated based on the expected outcome instead of specific formula syntax. We recommend using sample data to test and validate your formulas.

  • Descriptions must be set for all new fields, permission sets, and so on in order to pass the challenges.



Before you begin the challenges, review Security Advocacy Specialist Superbadge: Trailhead Challenge Help.

Make sure you’re using a new Developer Edition org from this sign up link to complete the challenges in this superbadge unit. If you use an org that’s been used for other work, you won’t pass the challenges in this superbadge unit.

This superbadge unit is part of the Security Advocacy Specialist Superbadge. Complete the capstone assessment and related superbadge units to receive the Security Advocacy Specialist Superbadge.

Review Superbadge Challenge Help for information about the Salesforce Certification Program and Superbadge Code of Conduct.

Use Case

The leadership at Cloud & Proud Industries (CPI) takes security very seriously. CPI knows it’s critical that all members of the organization are active participants in the CPI cybersecurity program. This is why CPI has implemented targeted security awareness initiatives to promote a culture of cybersecurity across the organization.

As a Salesforce Security Advocate at CPI, your job is to understand the threats and security risks that your Salesforce org faces and advocate for the best ways to protect against them. You collaborate with the rest of the Salesforce team to enforce security best practices, like the principle of least privilege. You help maintain the security of your Salesforce data by minimizing user access when possible and utilizing the most up-to-date tools and resources available. Most importantly, you advocate for the health of your org by keeping cybersecurity top of mind for all users.

Business Requirements

The CPI cybersecurity program is well-established, but every Salesforce Security Advocate knows that the threat landscape is constantly evolving. It’s critical to continue monitoring the threats, vulnerabilities, and risks that are most relevant to CPI. This section represents the requirements for your security advocate tasks this week.

Automate Permission Expiration

CPI requires employees to complete trainings focused on topics that range from specific Salesforce features and products to web accessibility to, you guessed it, security. CPI tracks training assignments and progress for each user in Salesforce with the help of two custom objects.

  1. Training: This object contains a record for each training CPI leadership assigns to its users. It records the training name, description, type, etc. It also lists any related permissions where assignment is dependent on training completion.
  2. User Training: A junction object between the custom Training object and the User object, each User Training record tracks an individual’s information related to an assigned training.

Custom object relationship diagram showing that the custom User Training object is a junction object between the standard User object and the custom Training object.

The custom training architecture in the CPI Salesforce org has been great for assigning trainings and reporting on user progress. The Salesforce team also built the User Training Permission Set Assignment flow to automatically assign the related permission set once a user completes the required training associated with the permission.

But the current configuration doesn’t account for training that needs to be completed annually or at other regular cadences. For example, the Reports & Dashboards Security Training, which grants users the permission to export reports, is part of CPI’s annual security training program.

Your task is to build in the functionality required to determine when a user’s training and any related permissions expire. To start, create two new fields.

| Object | Data Type | Field Label | Field Name | Description |
|---|---|---|---|---|
| Training | Number | Valid For (Months) | Valid_For_Months | This field lists the number of months the training is valid for. CPI doesn’t have any training valid for more than 24 months (Field Length = 2, Decimal Places = 0). |
| User Training | Formula* | Expiration Date | Expiration_Date | This field returns the date and time the user’s training will expire based on the training’s Valid For (Months) field and the user training’s Completion Date field. |

*Use the ADDMONTHS() function for this field.

Next, update the User Training Permission Set Assignment flow to make sure any assigned permission sets expire when the training expires. Use the existing Permission Set Assignment Creation element to build your solution. Be sure to save and activate the new version of the flow.
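The requirement above, that a permission granted by a training must not outlive that training, can also be checked from outside the org. The following Python model is an added example, not part of the superbadge or of Salesforce's own tooling; the record layout, the permission set name `Export_Reports`, and the month-end clamping in `add_months` are assumptions of this example (check the ADDMONTHS() documentation for the formula's exact month-end behaviour).

```python
import calendar
from datetime import date

def add_months(d, months):
    """Shift d by whole months; clamp to month end when the target month is shorter."""
    year, month0 = divmod(d.year * 12 + d.month - 1 + months, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(d.day, last_day))

def expiration_date(completed, valid_for_months):
    """Training expiry, or None if the training is incomplete or has no validity period."""
    if completed is None or valid_for_months is None:
        return None
    if not 0 < valid_for_months <= 24:  # page: no CPI training is valid for more than 24 months
        raise ValueError(f"Valid For (Months) out of range: {valid_for_months}")
    return add_months(completed, valid_for_months)

def audit(user_trainings, assignments):
    """Return (user, finding) pairs for assignments that can outlive the training."""
    due = {(user, pset): expiration_date(done, months)
           for user, pset, done, months in user_trainings}
    findings = []
    for user, pset, expires in assignments:
        limit = due.get((user, pset))
        if limit is None:
            findings.append((user, "no_completed_training"))
        elif expires is None:
            findings.append((user, "never_expires"))
        elif expires > limit:
            findings.append((user, "outlives_training"))
    return findings

# Constructed sample data: (user, permission set, completion date, valid-for months)
USER_TRAININGS = [
    ("alice", "Export_Reports", date(2024, 3, 15), 12),
    ("bob", "Export_Reports", date(2024, 1, 31), 1),
    ("carol", "Export_Reports", None, 12),
    ("dave", "Export_Reports", date(2023, 6, 1), 24),
]
# Constructed sample data: (user, permission set, assignment expiration or None)
ASSIGNMENTS = [
    ("alice", "Export_Reports", date(2025, 3, 15)),
    ("bob", "Export_Reports", None),
    ("carol", "Export_Reports", date(2025, 1, 1)),
    ("dave", "Export_Reports", date(2025, 12, 31)),
]

if __name__ == "__main__":
    print(audit(USER_TRAININGS, ASSIGNMENTS))
```

An assignment with no expiration at all is the case the original flow leaves open: the permission stays in place after the annual training lapses.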

Mitigate Data Export and Manual Sharing Risk

Between required security trainings, you strive to keep security hygiene at the forefront of your users’ day-to-day activities. After interviewing users and consulting with the rest of the Salesforce team, you’ve decided to try In-App Guidance to provide just-in-time security reminders where needed most.

You’ve identified the first two use cases for In-App Guidance. Use the information below to build the prompts according to the requirements.



Trailblazers who use screen readers should refer to the Accessibility considerations for this superbadge section of this superbadge's Help article for tips on working with the In-App Guidance product.

Report Export Warning

As mentioned earlier, CPI only grants the permission required to export report data after the required security training is completed. As a security advocate, you understand the risks and vulnerabilities associated with exporting data but you trust your trained users to export responsibly. A friendly in-app reminder will help maintain awareness.

Create an In-App Guidance prompt with the following requirements. Make sure the prompt is active and has a description. Note: Settings that are not outlined below will not be checked but may be required to save the prompts.

  • Name: Report Export Warning
  • Location: Report record page in any app
  • Type: Floating Prompt
  • Prompt Body: For the security of our clients and staff, do not export reports that contain personally identifiable information.
  • Media (Optional): To grab users’ attention, include this image of Security Astro. Be sure to add alt text for the image.
  • Action: Include a button that links to with the label, Trailhead: Cybersecurity
  • Frequency: Starting today, show this prompt 10 total times with 1 day between.
  • Restrictions: Only show this prompt to users who have the ability to export reports.

Case Manual Sharing Reminder

Because the case object contains personally identifiable information (PII), it's critical that records are only shared with users who need access. While case record access is already locked down for the org, you would like to remind users who may need to manually share a case record with another user.

Create an In-App Guidance prompt with the following requirements. Make sure the prompt is active and has a description. Note: Settings that are not outlined below will not be checked but may be required to save the prompts.

  • Name: Case Manual Sharing Reminder
  • Location: Case record page in any app
  • Type: Targeted Prompt, targeted to the Sharing button on the case record
  • Prompt Body: For data security purposes, only share records with users as necessary based on work requirements.
  • Media (Optional): To grab users’ attention, include this image of Security Astro. Be sure to add alt text for the image.
  • Action: Include a button that links to with the label, Trailhead: Cybersecurity
  • Frequency: Starting today, show this prompt 5 total times with 1 day between.
  • Restrictions: None

Customize Your Org’s Security Standards

As the official Salesforce Security Advocate for a large and established org, you work with the security team to establish and adhere to standards that are customized to CPI. The standards recommended by Salesforce in the Health Check tool are mostly aligned with CPI’s standards, but with a couple of key differences.

Import a custom baseline for Health Check with the updated values listed below. No other settings require custom standards. Give your custom baseline the API name Cloud_and_Proud_Custom_Baseline and set it as the org’s default baseline.

Minimum Password Length

  • Compliant Value(s): 16.0
  • Warning Value(s): 12.0
  • Critical Value(s): Not Applicable

Session Timeout

  • Compliant Value(s): FifteenMinutes,ThirtyMinutes,SixtyMinutes,NinetyMinutes
  • Warning Value(s): TwoHours,FourHours,EightHours,TwelveHours
  • Critical Value(s): TwentyFourHours
