Salesforce Experience Cloud and Record Sharing

Salesforce Experience Cloud has three types of user licenses that are intended as long-term replacements for the legacy portal licenses:

  • Customer Community — for high-volume user. upper cap 10M
  • Customer Community Plus — role-based Customer Community license, upper cap 2M
  • Partner Community — For Sales Partner, upper cap 2M

Below decision tree will help to decide the right Community license for your organization

Choose the Right Community License

Record Sharing to Experience Cloud User

There Is only one feature in Salesforce to share a record with a Customer Community user: Sharing Set. The other sharing options are only available to the Customer Community Plus or Partner Community license via Groups, Roles

Sharing Set: Grant a user access to records based on affiliation with the user’s contact or account. A relation with Account or Contact is a must to share the object record via Sharing ser. The rule is something like for a requirement share the cases which are raised by a community user User.Contact=Case.Contact

Sharing Set

Share Group: Members of this share group can access any records owned by high-volume portal users in the associated sharing set. Note that members’ access to the records is not restricted to the objects defined in the sharing set.

Use share groups to share records owned by an external user (Customer Community or High-Volume Customer Portal ) with internal users, partner users, or other Customer Community users in the same account.

Share Group

Sharing Rule: Just like other Salesforce internal users, Owner and Criteria-based sharing rules can be used to share records within the Partner Community and Customer Community Plus.

Apex sharing is not available for Customer Community users, only available to the Customer community plus or Partner Community license
Role Hierarchy: Partner Community and Customer Community Plus can have Role Hierarchy, max 3 roles (Executive, Manager and User) and then Executive reports to Internal Channel Manager.

Delegate External User Administration

If partner organizations have many users, you can delegate user administration to external users within their own Account, access is given in their Profiles

Super User Access to a Partner User or CC+

grant access to all records for the account to certain users. Super users can get insights into the records of other partner users who are at their role level or below them in the role hierarchy. Superusers can access records according to their level of permission. For example, if a manager with full access to cases is granted Super User Access, then they can view and edit cases of other managers and their direct reports. A different manager who has read-only access to cases can only view the cases of other managers and their direct reports, even as a Super User. Available for Partner Community, Customer Community Plus

Delegated Account Management

Give external users the power to manage account members and account brand information. Available for Partner Community, Customer Community Plus

Community License and Object Access
Salesforce File

Salesforce File and Data Model

In this article, we will be going to give a few important information about Salesforce File. The lightning experience uses Salesforce Files for any Content, Attachments, Files, Content, and Documents. The internal object name is ContentDocument.

ContentDocument object represents a document that has been uploaded to a library in Salesforce CRM Content or Salesforce Files

Content Document Object Model

Now the ContentDocumentLink object represents the link between a Salesforce CRM Content document, Salesforce file, or ContentNote and where it’s shared. A file can be shared with other users, groups, records, and Salesforce CRM Content libraries

Use this object to query the locations where a file is shared or query which files are linked to a particular location. For example, the following query returns a particular document shared with a Chatter group

  • Point to note that both ContentDocument and ContentDocumentLink objects are not customizable, you cannot add custom fields.
  • Use the ContentDocumentLink  object to query the locations where a file is shared or query which files are linked to a particular location. For example, the following query returns a particular document shared with a Chatter group

SELECT ContentDocument.title FROM ContentDocumentLink WHERE ContentDocumentId = ‘069D00000000so2’ AND LinkedEntityId = ‘0D5000000089123’

  • The ContentDocumentLink object supports triggers 

These are the few important settings when you enable File in a Salesforce organization

If you are using File Connect then the external files (like from Google Drive, SharePoint, Box etc) can be connected to Salesforce.

For more articles, please visit

Salesforce Code Review Process

There are many AppExchange tools for Salesforce Static code analysis, few of the market leaders are SonarQube, CheckMarx, CodeScan. PMD (Programming Mistake Detector) is also a popular option. These tools help the Release Manager in Salesforce Code Review Process.

I will not go through each tool’s capability rather highlight my opinion and comparison between two of my personal favorite CodeScan and PMD; Paid vs Open Source. And Lastly want to cover Salesforce CLI Scanner which can be a viable alternative.

  1. PMD has a set of built-in rules available for both Apex and Visualforce pages. Static ruleset with define priority n PMD for Apex.

2. Finds common programming flaws like unused variables, empty catch blocks, unnecessary object creation, and so forth

3. Supports Salesforce Apex & Visualforce

4. Plugin for VS Code, ANT build, Eclipse 

5. It is Open-source which doesn’t have any licensing cost

Major drawback – The scan doesn’t review Lightning and LWC Components.


CodeScan Features

  1. Codescan is an end to end code analysis solution to ensure quality and security of Salesforce orgs 2.
  2. 350+ security and quality rules for Apex, Visualforce, Lightning and Metadata
  3. IDE plugins helps developers to get the review on real time to address any issues with the code quality
  4. 4.Integrates directly with Salesforce and all popular CI/CD pipelines, Integration with Jira
  5. Covers Lightning Component and Javascript related issues and standards.
  6. Easy to configure/modify a ruleset as needed
  7. It is not open source. License cost is involved. Self-host or cloud plan

CodeScan SFDX Plugin
IDE Plugins
Azure DevOps
Bitbucket Pipelines
GitHub Actions

Code Quality check with the Salesforce CLI Scanner

The Salesforce CLI Scanner plug-in is a unified tool for static analysis of source code. Developer can install the plug-in on a local developer machine or integrate it into a CI/CD process to scan the code.

It can be seamlessly integrated with Salesforce dx release management to automate the code review process.

Salesforce CLI Scanner plug-in uses PMD v6.38.0, ESlint v6.8.0, and RetireJS v2.2.5 at this moment. Salesforce is actively implementing new features to further improve Salesforce CLI Scanner.

PMD is a source code analyzer that allows for static analysis of code written in a number of supported languages, including Java, Apex, and Visualforce. It’s built-in rules detect common flaws in code, such as empty catch blocks or unused variables.

ESLint is a popular linting tool for JavaScript. It provides numerous static analysis rules that help developers write quality code.

RetireJS is an engine that analyzes a project’s third-party JavaScript dependencies and identifies those that have known security vulnerabilities

Plugin Design
Salesforce CLI Scanner

Salesforce Einstein Analytics Deployment

Salesforce Einstein Analytics components can be deployed in orgs via three ways:

If the Einstein Analytics components will be deployed to a related org then Change set is the best option.
Else Package-based metadata deployment using VS Code is the freeware to carry out the deployment.

There are deployment tools like AutoRabit, Copado Gearset etc who supports Einstein Analytics component deployment seamlessly but the assumption here is customers don’t have a license of any of those tools.

Before starting, please make sure who is carrying out the deployment has the below permission

  • Manage Analytics
  • API enabled
  • Modify Metadata
  • Modify All Data

Below is the package.xml

  • Security Predicates update is a post deployment manual task

Connect to the source org from VS code and retrieve the components using the above xml. Then connect to the destination org and deploy.

Please be cautious about any component override.

Change set based deployment link

Salesforce: Send Email delivery to Gmail, Yahoo

Let’s consider a use-case of this problem:

The customer is using email2case. When customers send an email to the support email ( like then a case is successfully created. Now, from Console when an Agent replies back to the customer from Feed->Send mail the email is NOT reaching the customer.


1. Create DKIM key in Salesforce

2. publish the CNAME and alternate CNAME to the DNS server. You may need to involve your infrastructure IS and email domain admin

3. Once done, wait for few hours and activate the DKIM key in Salesforce. 

4. Next is to have Salesforce SPF added in your DNS’s SPF records. Below is the article for reference:
Include Salesforce in Your SPF Record

5. Once you have activated DKIM and SPF, we recommend you to disable the below deliverability settings:
– ‘Activate bounce management’
– ‘Enable compliance with standard email security mechanisms’

Salesforce: email notifications from corporate email domain

If you want to send email notifications (like case status change, Lead creation) to the customers from your corporate email for branding or don’t want to expose the sales or service personal email then

  1. Create a service emailbox in the corporate email service
  2. go to Salesforce Organization-Wide Addresses
  3. Set User Selectable Organization-Wide Email Addresses and get it verified
  4. This email address will then automatically be avaialble for selection in workflow email alert and flow email alert.

This’s it. Customers will get the notification from the defined corporate branded email id

Salesforce: File transfer through Einstein BOT

Currently, there is no file upload functionality in the einstein chatbot – between Bot and a Customer. A file transfer facility is available between Agent and Customer, by transferring chat from Einstein bot to Agent and then Agent can request the customer to transfer file by sending a link to transfer file.

A customer can’t upload a file until you initiate the file transfer by clicking the file transfer icon. This restriction helps prevent customers from uploading unsolicited or potentially dangerous files into the chat.

The is an idea to allow file transfer through Einstein BOT:

Salesforce OAuth 2.0 Response and Grant Type

Salesforce OAuth 2.0 and Grant Type

response_type is used against authorization endpoint. This parameter define what authorization response must contain in its response. For example, code when using authorization code grant<your_client_id> &redirect_uri=<your_redirect_uri>response_type=code: to request an authorization coderesponse_type=token: 

to request an access token
The /authorize endpoint is used for the Web Server OAuth Authentication Flow and User-Agent OAuth Authentication Flow. End user interaction is needed to provide username/password and to authorize the client.


grant_type on the other hand is used against token endpoint. It define the grant used to get the token from the Authorization Server. For example, authorization_code is the grant used for authorization code grant<your_client_id> &client_secret=<your_client_secret>                                                                             &username=<your_username>&password=<your_password>
The /token endpoint is used for the Username-Password OAuth Authentication Flow and the OAuth Refresh Token Process.

grant_type=password : used to get access token directly in exchange of username and password Request:grant_type with the value passwordclient_id with the the client’s IDclient_secret with the client’s secretscope with a space-delimited list of requested scope permissions.username with the user’s usernamepassword with the user’s password
Response:token_type with the value Bearerexpires_in with an integer representing the TTL of the access tokenaccess_token a JWT signed with the authorization server’s private keyrefresh_token an encrypted payload that can be used to refresh the access token when it expires.

grant_type=authorization_code : server exchanges the auth code for an access token
It has two Parts1. First go to the Authorization endpoint to get the authorization code2.

Part II is to hit the Token end point with the authorization code Request:grant_type with the value of authorization_code client_id with the client identifier client_secret with the client secret redirect_uri with the same redirect URI the user redirected back to code with the authorization code from the query string Response:token_type with the value Bearerexpires_in with an integer representing the TTL of the access token access_token a JWT signed with the authorization server’s private keyrefresh_token an encrypted payload that can be used to refresh the access token when it expires.

grant_type = refresh_token: Access tokens eventually expire; however some grants respond with a refresh token which enables the client to refresh the access token. Request:grant_type with the value refresh_tokenrefresh_token with the refresh tokenclient_id with the the client’s IDclient_secret with the client’s secretscope with a space-delimited list of requested scope permissions. This is optional; if not sent the original scopes will be used, otherwise you can request a reduced set of scopes. Response:token_type with the value Bearer
expires_in with an integer representing the TTL of the access token
access_token a new JWT signed with the authorization server’s private key
refresh_token an encrypted payload that can be used to refresh the access token when it expires

grant_type=client_credentials : applications need a way to get an access token for their own account, outside the context of any specific user. This grant is suitable for machine-to-machine authentication, for example for use in a cron job which is performing maintenance tasks over an API. Not Applicable in Salesforce
grant_type = assertion


grant_type: urn:ietf:params:oauth:grant-type:saml2-bearer

grant_type=device Site Vs

Salesforce Site Vs

Salesforce Site and can build a public website and application. The website is directly integrated with a Salesforce Org – without requiring users to log in with a credential- hence not requiring any Salesforce license. One can publicly expose any information stored in the company through a branded URL and make the site’s pages match the look and feel of any company’s brand. Create a branded, custom Web address, such as, by registering through a domain name registrar. Create CNAME records to redirect your branded domain and sub-domains to the Salesforce Sites domain without exposing the name in the URL. the public users could access the site or site by Guest User licenses. If Community is enabled, these users also have access to public pages in the communities. Site visitors have access to any information made available on an active public site. For each Guest User license, one can develop one site for your organization.

What is Site Site is more template-driven, built using Community Builder or Studio, no CRM functionality – don’t have access to the Accounts and Contacts objects. Users have access to an unlimited number of custom tabs but are limited to the use of one custom app, which is defined as up to 20 custom objects. Each the Only user also needs either a Contributor or Publisher feature license to access 

Community Builder is an intuitive, convenient tool for customizing a community that can have public pages. Community Builder lets a developer/administrator create a community based on a pre-configured template, and then apply branding, edit pages, update your template, and publish changes all from one user-friendly interface.
Using Community builder, a developer can create public pages that anyone can access or set a home page and set up multilingual support for the community in Studio, a Web content management system that provides extra configuration options. Studio is easily accessible from Community Management.

Developer, Enterprise, Unlimited, and Performance Editions each come with unlimited Guest User licenses of Sites VS Sites Sites:

  • sites supports both authenticated and public websites
  • Included in all Enterprise Edition (or above) and Developer orgs.
  • Support for custom pages using Visualforce, JavaScript, CSS.
  • Developers must be familiar with the above languages.
  • Can access all objects.

  • Is a provisioned product.
  • is meant for non-technical administrators as there is no coding necessary.
  • Drag n drop support for CMS.
  • Allows custom coding using HTML, CSS, Javascript.
  • Includes a security model of who can contribute to and publish sites.
  • Chatter supported for contribution of content while chatter is not available on the front end website. SitesCommunity Builder Sites
Visualforce pagesYesNo
Can it have AuthenticationNoYes
Can be Template drivenNoYes
Can host Public pagesYesYes
Out-of-the-box login, logout, self-registration, and error pagesYesYes
Can it have Pixel-perfect designsYesYes
Can impose IP restrictionsYesYes
Can success to data from Salesforce org, Account Contact cases, leads, and opportunitiesYesYes
Can support CMSNoYes Sites vs