
We have a custom checkbox field ‘archived’ on the account object to identify accounts that have been archived. The sharing rule is set to Criteria - When Archived = False, Share with all Internal users. But users can still see accounts with checkbox ticked (Archived = True). OWD is set to private.

What could possibly be wrong?

#Security #OWD Access #Object Access #User's Access
1 answer
  1. Today, 9:41 PM
    I got this exact same answer from ChatGPT also.
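An added Python model (not from the post or its reply, and not Salesforce code) of how read access on Account resolves under a Private OWD. In the platform model every grant is additive: a criteria-based rule whose criterion is Archived = false only adds access to the records that match it, so an archived record a user can still see is typically being reached through some other path (record ownership, the role hierarchy, View All on the object or View All Data, another sharing rule, a manual share). The helper enumerates which paths apply to a given viewer and record so the unexpected one can be found. The role tree, user IDs and record IDs are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Account:
    record_id: str
    owner_id: str
    archived: bool            # the custom "Archived" checkbox from the post


@dataclass
class User:
    user_id: str
    role: Optional[str] = None
    is_internal: bool = True
    view_all_data: bool = False         # system permission "View All Data"
    view_all_on_account: bool = False   # object permission "View All" on Account


@dataclass
class SharingRule:
    name: str
    criteria: Callable[[Account], bool]   # criteria-based rule: which records
    audience: Callable[[User], bool]      # who receives the access


# Constructed role tree, child -> parent (None = top of the hierarchy).
ROLE_PARENT: Dict[str, Optional[str]] = {"SalesRep": "SalesManager", "SalesManager": "VP", "VP": None}


def is_above(viewer_role: Optional[str], owner_role: Optional[str]) -> bool:
    """True if viewer_role is an ancestor of owner_role in the role hierarchy."""
    if viewer_role is None or owner_role is None:
        return False
    parent = ROLE_PARENT.get(owner_role)
    while parent is not None:
        if parent == viewer_role:
            return True
        parent = ROLE_PARENT.get(parent)
    return False


def read_access_paths(user: User, record: Account, owner_role: Optional[str],
                      rules: List[SharingRule], manual_shares: Dict[str, Set[str]],
                      owd: str = "Private") -> List[str]:
    """Every path that grants read access. Paths are additive: an empty list means
    no access; any non-empty list means access, whatever a rule's criteria exclude."""
    paths: List[str] = []
    if owd != "Private":
        paths.append(f"OWD {owd}")
    if record.owner_id == user.user_id:
        paths.append("record owner")
    if user.view_all_data:
        paths.append("View All Data")
    if user.view_all_on_account:
        paths.append("View All on Account")
    if is_above(user.role, owner_role):
        paths.append(f"role hierarchy ({user.role} above {owner_role})")
    for rule in rules:
        if rule.criteria(record) and rule.audience(user):
            paths.append(f"sharing rule: {rule.name}")
    if user.user_id in manual_shares.get(record.record_id, set()):
        paths.append("manual share")
    return paths


# The rule from the post: Archived = False -> share with all internal users.
ARCHIVED_RULE = SharingRule(
    name="Archived = False -> all internal users",
    criteria=lambda acc: not acc.archived,
    audience=lambda usr: usr.is_internal,
)


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Who can read an archived vs. a non-archived Account owned by a SalesRep."""
    archived = Account("001archived", owner_id="005rep", archived=True)
    live = Account("001live", owner_id="005rep", archived=False)
    viewers = {
        "peer": User("005peer", role="SalesRep"),
        "manager": User("005mgr", role="SalesManager"),
        "auditor": User("005aud", view_all_on_account=True),
        "shared_with": User("005shared"),
    }
    manual_shares: Dict[str, Set[str]] = {"001archived": {"005shared"}}
    return {
        name: {
            "archived": read_access_paths(u, archived, "SalesRep", [ARCHIVED_RULE], manual_shares),
            "live": read_access_paths(u, live, "SalesRep", [ARCHIVED_RULE], manual_shares),
        }
        for name, u in viewers.items()
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The peer SalesRep gets the archived record through no path at all, which is the behaviour the rule is meant to produce; the manager, the auditor with View All, and the user with a manual share each still see it through a path the rule never touched.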

Hello Everyone,

I’m facing an issue while configuring Single Sign-On (SSO) from Azure Active Directory (Azure AD) as the Identity Provider (IDP) to Salesforce Community. Specifically, the problem I am encountering is that no SAML request is being sent from Azure AD to Salesforce Community during the authentication process.

Here’s a detailed breakdown of what I’ve done so far and what I’ve observed:

Configuration Steps:

  1. Set up Azure AD as the IDP:
    • I’ve registered the Salesforce Community application in Azure AD.
    • I’ve configured the necessary SAML settings, including the Identifier (Entity ID), Reply URL (Assertion Consumer Service URL), and the required certificate.
    • The settings for SSO are configured correctly based on the instructions provided by both Azure and Salesforce documentation.
  2. Set up Salesforce Community as the Service Provider (SP):
    • I’ve configured the SSO settings in Salesforce by enabling SSO and inputting the necessary details, including the SAML IdP metadata (or manually entering the certificate and metadata).
    • The SAML login URL and certificate seem to match the Azure AD configuration.
  3. Testing the SSO flow:
    • When trying to access the Salesforce Community page, it redirects me to the Azure AD login page.
    • However, after successful login on Azure AD, it seems like no SAML request is sent to Salesforce to complete the authentication process.
    • I’ve verified that the URL paths and configurations are correct, but the request is not reaching Salesforce.

Troubleshooting Steps Taken:

  • Checked the Azure AD logs: The logs don’t show any errors or issues with the SSO flow, but there’s no record of a SAML request being generated for Salesforce either.
  • Verified Salesforce SSO Settings: The SSO settings in Salesforce are correct, and the metadata from Azure is properly imported.
  • Reviewed Network Traffic: I have checked the network traffic in the browser, but there’s no sign of a SAML request being made when I attempt to log in.

What I’m Stuck On:

  • No SAML Request: The main issue is that no SAML request is being generated from Azure AD during the login attempt, even though I’ve followed all the steps and configuration guidelines.

Has anyone encountered a similar issue or has any suggestions on what could be causing the SAML request not to be sent? Are there any specific settings with regard to the community site that need to be applied or checked?

1 answer
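An added Python example (not from the post, and not Salesforce or Microsoft code) for the "Reviewed Network Traffic" step. In SP-initiated login the service provider (Salesforce) sends the SAMLRequest to the IdP inside the redirect, and the IdP (Azure AD) sends the SAMLResponse back to the Assertion Consumer Service URL, so the two captures to look at are the redirect to login.microsoftonline.com and the form POST to the ACS URL. The helpers below decode either message (the Redirect binding is base64 over raw DEFLATE, the POST binding is base64 only) and report Issuer, Destination, ACS URL and status so the two sides can be matched up. The sample AuthnRequest and Response, hostnames, tenant and org IDs are constructed placeholders; the code only reads the messages and does not verify signatures.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}


def encode_redirect(xml_text: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode("utf-8")) + comp.flush()).decode("ascii")


def decode_saml(encoded: str, deflated: bool) -> str:
    """Reverse the binding encoding: Redirect = base64 + DEFLATE, POST = base64 only."""
    raw = base64.b64decode(encoded)
    if deflated:
        raw = zlib.decompress(raw, -15)
    return raw.decode("utf-8")


def summarize(xml_text: str) -> dict:
    """Pull the routing fields out of an AuthnRequest or Response. No signature check:
    this only tells you which message is on the wire and where it is addressed."""
    root = ET.fromstring(xml_text)
    kind = root.tag.split("}")[-1]            # "AuthnRequest" or "Response"
    issuer = root.find("saml:Issuer", NS)
    info = {
        "message": kind,
        "id": root.get("ID"),
        "issuer": issuer.text if issuer is not None else None,
        "destination": root.get("Destination"),
    }
    if kind == "AuthnRequest":
        # Sent by the SP (Salesforce); the ACS URL is where the IdP must POST the Response.
        info["acs_url"] = root.get("AssertionConsumerServiceURL")
    elif kind == "Response":
        # Sent by the IdP (Azure AD) to the ACS URL; InResponseTo ties it to the request.
        status = root.find("samlp:Status/samlp:StatusCode", NS)
        info["status"] = status.get("Value") if status is not None else None
        info["in_response_to"] = root.get("InResponseTo")
    return info


def inspect_redirect_url(url: str) -> dict:
    """Inspect a redirect to the IdP captured from the browser's network tab."""
    query = parse_qs(urlparse(url).query)
    for key in ("SAMLRequest", "SAMLResponse"):
        if key in query:
            info = summarize(decode_saml(query[key][0], deflated=True))
            info["relay_state"] = query.get("RelayState", [None])[0]
            return info
    return {"message": None}           # no SAML message at all in this redirect


def inspect_post_form(fields: dict) -> dict:
    """Inspect the form body of the auto-submitted POST to the ACS URL."""
    for key in ("SAMLRequest", "SAMLResponse"):
        if key in fields:
            info = summarize(decode_saml(fields[key], deflated=False))
            info["relay_state"] = fields.get("RelayState")
            return info
    return {"message": None}


# Constructed sample messages; hosts, tenant and org IDs are placeholders.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
  ID="_req1" Version="2.0" IssueInstant="2025-02-01T10:00:00Z"
  Destination="https://login.microsoftonline.com/example-tenant/saml2"
  AssertionConsumerServiceURL="https://example.my.site.com/partners/login?so=00Dxx0000000001"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>https://example.my.site.com/partners</saml:Issuer>
</samlp:AuthnRequest>"""

SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
  ID="_resp1" Version="2.0" IssueInstant="2025-02-01T10:00:05Z" InResponseTo="_req1"
  Destination="https://example.my.site.com/partners/login?so=00Dxx0000000001">
  <saml:Issuer>https://sts.windows.net/example-tenant/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
</samlp:Response>"""


def sample_redirect_url() -> str:
    """What the browser sends to Azure AD when Salesforce starts SP-initiated login."""
    return "https://login.microsoftonline.com/example-tenant/saml2?" + urlencode(
        {"SAMLRequest": encode_redirect(SAMPLE_AUTHN_REQUEST), "RelayState": "/partners/s/"})


def sample_post_form() -> dict:
    """What the IdP's auto-submitting form posts back to the ACS URL."""
    return {"SAMLResponse": base64.b64encode(SAMPLE_RESPONSE.encode("utf-8")).decode("ascii"),
            "RelayState": "/partners/s/"}


if __name__ == "__main__":
    print(inspect_redirect_url(sample_redirect_url()))
    print(inspect_post_form(sample_post_form()))
```

If the redirect to the IdP carries no SAMLRequest parameter the SP never started the flow; if it does, the Destination and Issuer in it should match the IdP's sign-on URL and the Entity ID configured on the Azure side, and the Response's InResponseTo and Destination should match the request's ID and ACS URL.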

Hi Community,

I struggled with "Control Access to Objects." I created the Permission Set "Access and Manage Reviews," but when I try to assign access to the "Reviews" object, it doesn’t appear in the object list. I also created a Custom Object, but it’s not being accepted for the challenge.


Similarly, I couldn’t find the "Positions" object in the object list.

Can the community help me fix this?

#Trailhead Challenges  #Salesforce Developer  #Certifications  #Security  #Datasecurity

3 answers
  1. Today, 12:47 PM

    Hello @NAVEED ZIAI

    This is really confusing. The Challenge instructions talk about: 

    • Position
    • Candidate
    • Job Application
    • Review

    These objects are installed as part of the Recruiting App, but I haven't seen any installation instructions, either in this Challenge or in the previous ones, although they should have been included.


    In this case, let's install the Recruiting App ourselves, and after that, you can move forward.

    1. Open Playground Starter App

    2. Select "Install a Package" and install the Recruiting App using this ID: 04t0P000000N9rs

I have the relevant Profile assigned in Supervisor Profiles in the Omni-Channel supervisor configuration.

I also have Queues and Skills ticked in Supervisor Actions within the Omni-Channel supervisor settings.

But on the assigned Profile the only visible tabs are Change Queues and Change Groups. I'm trying to find where to adjust settings or permissions to have Change Skills appear.

For reference, it is viewable in the Sys Admin view but not on the other specified profiles.

3 answers
  1. Today, 7:22 AM

    Update on the FLS permissions required to ensure that the 'Change Skills' action button is visible in Omni Supervisor. The below permissions are required on top of having at least 1 Service Resource in Active status.

    To change skills:  

    • Create, read, update on service resources 

    • Read access and Edit access for the Active field on Service Resource field-level security 

    • Read access and Edit access for the following fields on Service Resource Skill field-level security: End Date, Start Date, and Skill Level

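An added Python check (not from the reply above, and not Salesforce code) that turns that list into an audit of a permission set or profile: it takes the rows of an ObjectPermissions query and a FieldPermissions query for one ParentId and reports every grant from the list that is absent, treating a missing FieldPermissions row as no access, which is how the platform represents an ungranted field. The field API names (ServiceResource.IsActive for Active; EffectiveStartDate, EffectiveEndDate and SkillLevel on ServiceResourceSkill) are my assumed mapping from the labels in the reply, and the sample query rows are constructed.

```python
from typing import Dict, List, Set

# Grants listed in the reply above, keyed by the assumed API names behind the labels
# (assumption: "Active" on Service Resource is ServiceResource.IsActive; Start Date,
# End Date and Skill Level on Service Resource Skill are EffectiveStartDate,
# EffectiveEndDate and SkillLevel).
REQUIRED_OBJECT_PERMS: Dict[str, Set[str]] = {
    "ServiceResource": {"PermissionsCreate", "PermissionsRead", "PermissionsEdit"},
}
REQUIRED_FIELD_PERMS: Dict[str, Set[str]] = {
    "ServiceResource.IsActive": {"PermissionsRead", "PermissionsEdit"},
    "ServiceResourceSkill.EffectiveStartDate": {"PermissionsRead", "PermissionsEdit"},
    "ServiceResourceSkill.EffectiveEndDate": {"PermissionsRead", "PermissionsEdit"},
    "ServiceResourceSkill.SkillLevel": {"PermissionsRead", "PermissionsEdit"},
}


def missing_grants(object_rows: List[dict], field_rows: List[dict]) -> List[str]:
    """object_rows: records from
         SELECT SobjectType, PermissionsCreate, PermissionsRead, PermissionsEdit
         FROM ObjectPermissions WHERE ParentId = <PermissionSet Id of the set or profile>
       field_rows: records from
         SELECT Field, PermissionsRead, PermissionsEdit
         FROM FieldPermissions WHERE ParentId = <same Id>
    Salesforce returns no row when nothing is granted, so an absent row counts as every
    grant missing. Returns "Object: Permission" and "Object.Field: Permission" strings."""
    missing: List[str] = []
    by_object = {row["SobjectType"]: row for row in object_rows}
    for sobject, needed in REQUIRED_OBJECT_PERMS.items():
        row = by_object.get(sobject, {})
        missing += [f"{sobject}: {perm}" for perm in sorted(needed) if not row.get(perm, False)]
    by_field = {row["Field"]: row for row in field_rows}
    for field_name, needed in REQUIRED_FIELD_PERMS.items():
        row = by_field.get(field_name, {})
        missing += [f"{field_name}: {perm}" for perm in sorted(needed) if not row.get(perm, False)]
    return missing


# Constructed query results for a supervisor permission set that is short a few grants.
SAMPLE_OBJECT_ROWS = [
    {"SobjectType": "ServiceResource", "PermissionsCreate": True, "PermissionsRead": True, "PermissionsEdit": False},
]
SAMPLE_FIELD_ROWS = [
    {"Field": "ServiceResource.IsActive", "PermissionsRead": True, "PermissionsEdit": False},
    {"Field": "ServiceResourceSkill.EffectiveStartDate", "PermissionsRead": True, "PermissionsEdit": True},
    {"Field": "ServiceResourceSkill.SkillLevel", "PermissionsRead": True, "PermissionsEdit": True},
    # No row for ServiceResourceSkill.EffectiveEndDate: the field is not granted at all.
]


def audit_sample() -> List[str]:
    """Run the audit over the constructed rows."""
    return missing_grants(SAMPLE_OBJECT_ROWS, SAMPLE_FIELD_ROWS)


if __name__ == "__main__":
    for item in audit_sample():
        print("missing:", item)
```

Run the two SOQL queries against the profile or permission set the supervisors actually hold (not the System Administrator profile, where everything passes) and feed the `records` arrays in; an empty result means the grant list in the reply is fully satisfied.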

Hey Everyone! Users with a specific custom profile cannot add new contacts from the contacts list view. When the button is clicked, the pop-up only shows System Information like Created By, Contact Owner, and Last Modified. Users in that profile can view and edit fields in existing contact records. Help please!

3 answers
  1. Today, 2:24 AM

    Fixed it! My Lightning Page Layout didn't have a Dynamic Record Detail section. Instead the fields were added directly from the Lightning Page Layout.


Since the implementation of Sandbox Access via a Public Group for Dev and Dev Pro sandboxes, I had created a Public Group for System Admins. I added the System Administrator Role to the group. It appears that all of these users are still getting frozen and have the ".invalid" on their email. Are Roles within a Public Group not considered during the refresh for access? I did add a single user to the Public Group as well, and that one user appears to have been given proper access according to the documentation.

3 answers
  1. Yesterday, 8:33 PM

    Hi @Ben Morch


    I am having the same issue and found that selective sandbox access considers only members of type "Users" in the Public Group. Roles and Subordinates or any other parent/child Public Group won't work. It is mentioned in the Salesforce help doc below. Not sure how they designed it, but it looks like we have to create Public Groups specifically for spinning up the sandboxes. Thank you!


    https://help.salesforce.com/s/articleView?id=platform.data_sandbox_selective_access.htm&type=5


In our org we have implemented a restriction that prevents users from deleting tasks.  

However, this restriction was causing the Salesforce Outlook plugin to fail to log tasks, sometimes with the below error. Once the delete task permission was given back to the user, they no longer encountered this error.

Is there a way in which Task Delete permissions can remain restricted and still have this plugin work? We do not want users deleting tasks; however, they do need to be able to log emails from Outlook.

[Attachment: Screenshot 2025-02-03 105622.png]

#Security

4 answers

I have a user who sends email through the case, and this worked until recently. When he selects the Template it doesn't data-fill the screen like it used to, and then he gets an insufficient permission error. Other users don't have this issue. One thing we noticed: if the user selects any template with a template type of HTML or Text it works, but there are 2 templates that have a Template type of Custom that don't work. This had been working fine and just recently started happening for the 1 user. I even changed his profile to be the same as the other users' and his still doesn't work. He can respond to emails no problem; it's just selecting that Custom template. Also tried a separate browser thinking it could be some extension, but it still didn't work. Both users are on Classic.

John

1 answer
  1. Yesterday, 3:53 PM

    This issue ONLY seems to affect 1 user, and it's only on Classic, using Safari, Chrome and Firefox on Windows or Mac. We kept trying to isolate it.

    If he goes into Lightning it works.

    The exact error when he goes to send this template:

    Insufficient Privileges

    You do not have the level of access necessary to perform the operation you requested. Please contact the owner of the record or your administrator if access is necessary. For more information, see Insufficient Privileges Errors.

    I put this user on the same profile as the user whose works, and as far as permission sets go, this user has more of them. Also, how could it be a permission to a record if it works in Lightning?


Hi. I have a strange issue. I have two objects, Object A and Object B. Object B has a lookup field on Object A. On the Lightning Record Page for Object A I have a Related List Quick Links component. I have the Sys Admin profile and am able to see the Related List for Object B on the Object A Lightning Record Page and have access to Object B records. But users with another Profile, let's say Member Profile, don't see the Related List and don't have access to Object B records.

Setup

Object A

  • one Page Layout with the Object B Related List
  • this Page Layout is assigned to both Record Types for all Profiles
  • on Member Profile I have the following permissions for Object A: Read, Create, Edit, Delete, View All Records, Modify All Records

Object B

  • the object has one Page Layout
  • the object has only the Master Record Type (I didn't create any additional Record Types)
  • no Restriction Rules
  • Sharing settings set to Default Internal Access | Public Read/Write
  • the Lookup field on Object A has Visible = true for Member Profile
  • on Member Profile I have the following permissions for Object B: Read, Create, Edit, Delete, View All Records, Modify All Records, View All Fields
  • all fields have Read Access

When a user with Member Profile tries to open an Object B record by direct reference he sees this message: "This page isn't available in Salesforce Lightning Experience or mobile app."

What is the issue? Any thoughts?


I have an Apex class which calls the Tooling API. The error code is 302. How can I authenticate it as if it's run by the system? The Apex class gets called by Agentforce.

1 answer
  1. Yesterday, 10:19 AM

    Hi @Arya Kaujalgi


    To set up a Named Credential and External Credential for authenticating Agentforce, follow these steps:

    1. Create an External Credential:

    • In Setup, search for "Named Credentials" in the Quick Find box and select Named Credentials.
    • Click on the External Credentials tab.
    • Click New and enter the required details.
    • For Label and Name, use your Salesforce Commerce Cloud instance name (e.g., SFCC).
    • Set the Authentication Protocol to No Authentication.
    • Save your changes.

    2. Create and Authenticate an OAuth External Credential:

    3. Create a Named Credential:

    For authenticating an Apex class calling the Tooling API with a 302 error:

    • You can use the Headless Passwordless Login Flow for private clients. This involves configuring the Headless Passwordless Login API via an Experience Cloud site to log the user in. Here's how:

    1. Complete Prerequisites for Headless Identity:

    2. Configure Experience Cloud Settings for Headless Passwordless Login:

    • In your Experience Cloud settings, enable Require authentication to access this API.
    • Include an access token issued to an internal integration user when making the initial request to the "services/auth/headless/init/passwordless/login" endpoint.

    3. Implement the Flow:

    • Your app sends a headless POST request to the passwordless login endpoint on your Experience Cloud site.
    • Salesforce will return a success message with a request identifier.
    • Salesforce sends an OTP to the user.
    • The user enters the OTP into your app.
    • Your app then initializes the Authorization Code and Credentials Flow, sending a request to the authorization endpoint to exchange the request ID and OTP for an authorization code.
    • Salesforce will return a 302 redirect to a preconfigured URL with the authorization code.
    • Your server-side callback handler extracts the authorization code and sends a POST request to the token endpoint.
    • Salesforce will validate the request and return an access token.

    For more detailed instructions, refer to the "Headless Passwordless Login Flow for Private Clients" guide (https://help.salesforce.com/s/articleView?id=sf.remoteaccess_headless_passwordless_login_private_clients.htm&language=en_US).

     Hope this helps. Thanks!
