There are two types of Shield Encryption: Deterministic & Probabilistic. Deterministic encryption is for the field which you need in the where clause in a query but the Probabilistic type ensures extra security than the Deterministic type.
Don’t get confused between Classic encryption and Shield platform encryption, Classic encryption is also provided on top of the platform with no cost but it doesn’t support the Standard field, File, also it provides 128 bit AES and user access to the encryption field is managed by permission set
There are three kinds of packages one can build in the Salesforce platform, Out of which Salesforce Unlock Package is very powerful for the use-case of project deployment, release management, and CICD.
Manage Package: Metadata is IP Protected, distributed via AppExchange
Unmanage Package : Metadata is not IP Protected, you can protect via password but not a good way of working
Unlock Package: Metadata elements are not locked, use it for modular development
Salesforce Unlock package provides a great way for modular development and release, Best suited for Multi org rollout of core functionalities. The diagram below illustrates the unlock packaging and release via Salesforce CLI. Core reviews can also be automated using Salesforce CLI Scanner plug-in using PMD v6.38.0, ESlint v6.8.0, and RetireJS v2.2.5. My blog on Salesforce Code Review Process has more details on that https://twirltech.in/2021/10/salesforce-code-review-process/
It’s Source driven development and deployment mechanism comes with Platform, no-cost, fully integrated with developer IDE VS Code
There are many AppExchange tools for Salesforce Static code analysis, few of the market leaders are SonarQube, CheckMarx, CodeScan. PMD (Programming Mistake Detector) is also a popular option. These tools help the Release Manager in Salesforce Code Review Process.
I will not go through each tool’s capability rather highlight my opinion and comparison between two of my personal favorite CodeScan and PMD; Paid vs Open Source. And Lastly want to cover Salesforce CLI Scanner which can be a viable alternative.
PMD
PMD has a set of built-in rules available for both Apex and Visualforce pages. Static ruleset with define priority n PMD for Apex.
2. Finds common programming flaws like unused variables, empty catch blocks, unnecessary object creation, and so forth
3. Supports Salesforce Apex & Visualforce
4. Plugin for VS Code, ANT build, Eclipse
5. It is Open-source which doesn’t have any licensing cost
Major drawback – The scan doesn’t review Lightning and LWC Components.
Code Quality check with the Salesforce CLI Scanner
The Salesforce CLI Scanner plug-in is a unified tool for static analysis of source code. Developer can install the plug-in on a local developer machine or integrate it into a CI/CD process to scan the code.
It can be seamlessly integrated with Salesforce dx release management to automate the code review process.
Salesforce CLI Scanner plug-in uses PMD v6.38.0, ESlint v6.8.0, and RetireJS v2.2.5 at this moment. Salesforce is actively implementing new features to further improve Salesforce CLI Scanner.
PMD is a source code analyzer that allows for static analysis of code written in a number of supported languages, including Java, Apex, and Visualforce. It’s built-in rules detect common flaws in code, such as empty catch blocks or unused variables.
ESLint is a popular linting tool for JavaScript. It provides numerous static analysis rules that help developers write quality code.
RetireJS is an engine that analyzes a project’s third-party JavaScript dependencies and identifies those that have known security vulnerabilities
Salesforce Einstein Analytics Deployment: Salesforce Einstein Analytics components can be deployed in orgs via three ways:
If the Einstein Analytics components will be deployed to a related org then Change set is the best option. Else Package-based metadata deployment using VS Code is the freeware to carry out the deployment.
There are deployment tools like AutoRabit, Copado Gearset etc who supports Einstein Analytics component deployment seamlessly but the assumption here is customers don’t have a license of any of those tools.
Before starting, please make sure who is carrying out the deployment has the below permission
The customer is using email2case. When customers send an email to the support email ( like product@domain.com) then a case is successfully created. Now, from Console when an Agent replies back to the customer from Feed->Send mail the email is NOT reaching the customer.
2. publish the CNAME and alternate CNAME to the DNS server. You may need to involve your infrastructure IS and email domain admin
3. Once done, wait for few hours and activate the DKIM key in Salesforce.
4. Next is to have Salesforce SPF added in your DNS’s SPF records. Below is the article for reference: Include Salesforce in Your SPF Record https://help.salesforce.com/articleView?id=sf.emailadmin_spf_include_salesforce.htm&type=5
5. Once you have activated DKIM and SPF, we recommend you to disable the below deliverability settings: – ‘Activate bounce management’ – ‘Enable compliance with standard email security mechanisms’
If you want to send email notifications (like case status change, Lead creation) to the customers from your corporate email for branding or don’t want to expose the sales or service personal email then
Create a service emailbox in the corporate email service
go to Salesforce Organization-Wide Addresses
Set User Selectable Organization-Wide Email Addresses and get it verified
This email address will then automatically be avaialble for selection in workflow email alert and flow email alert.
This’s it. Customers will get the notification from the defined corporate branded email id
Options to transfer File through Salesforce Einstein BOT
Currently, there is no file upload functionality in the einstein chatbot – between Bot and a Customer. A file transfer facility is available between Agent and Customer, by transferring chat from Einstein bot to Agent and then Agent can request the customer to transfer file by sending a link to transfer file.
A customer can’t upload a file until you initiate the file transfer by clicking the file transfer icon. This restriction helps prevent customers from uploading unsolicited or potentially dangerous files into the chat.
response_type is used against authorization endpoint. This parameter define what authorization response must contain in its response. For example, code when using authorization code grant . Salesforce OAuth 2.0 Response and Grant Type
https://login.salesforce.com/services/oauth2/authorize?response_type=code&client_id=<your_client_id> &redirect_uri=<your_redirect_uri>response_type=code: to request an authorization coderesponse_type=token:
to request an access token The /authorize endpoint is used for the Web Server OAuth Authentication Flow and User-Agent OAuth Authentication Flow. End user interaction is needed to provide username/password and to authorize the client.
Salesforce OAuth 2.0 Response and Grant Type
grant_type
grant_type on the other hand is used against token endpoint. It define the grant used to get the token from the Authorization Server. For example, authorization_code is the grant used for authorization code grant
https://login.salesforce.com/services/oauth2/token?grant_type=password&client_id=<your_client_id> &client_secret=<your_client_secret> &username=<your_username>&password=<your_password> The /token endpoint is used for the Username-Password OAuth Authentication Flow and the OAuth Refresh Token Process.
grant_type=password : used to get access token directly in exchange of username and password Request:grant_type with the value passwordclient_id with the the client’s IDclient_secret with the client’s secretscope with a space-delimited list of requested scope permissions.username with the user’s usernamepassword with the user’s password Response:token_type with the value Bearerexpires_in with an integer representing the TTL of the access tokenaccess_token a JWT signed with the authorization server’s private keyrefresh_token an encrypted payload that can be used to refresh the access token when it expires.
grant_type=authorization_code : server exchanges the auth code for an access token It has two Parts1. First go to the Authorization endpoint to get the authorization code2.
Part II is to hit the Token end point with the authorization code Request:grant_type with the value of authorization_code client_id with the client identifier client_secret with the client secret redirect_uri with the same redirect URI the user redirected back to code with the authorization code from the query string Response:token_type with the value Bearerexpires_in with an integer representing the TTL of the access token access_token a JWT signed with the authorization server’s private keyrefresh_token an encrypted payload that can be used to refresh the access token when it expires.
grant_type = refresh_token: Access tokens eventually expire; however some grants respond with a refresh token which enables the client to refresh the access token. Request:grant_type with the value refresh_tokenrefresh_token with the refresh tokenclient_id with the the client’s IDclient_secret with the client’s secretscope with a space-delimited list of requested scope permissions. This is optional; if not sent the original scopes will be used, otherwise you can request a reduced set of scopes. Response:token_type with the value Bearer expires_in with an integer representing the TTL of the access token access_token a new JWT signed with the authorization server’s private key refresh_token an encrypted payload that can be used to refresh the access token when it expires
grant_type=client_credentials : applications need a way to get an access token for their own account, outside the context of any specific user. This grant is suitable for machine-to-machine authentication, for example for use in a cron job which is performing maintenance tasks over an API. Not Applicable in Salesforce grant_type = assertion
Salesforce Force.com Site and Site.com can build a public website and application. The website is directly integrated with a Salesforce Org – without requiring users to log in with a credential- hence not requiring any Salesforce license. One can publicly expose any information stored in the company through a branded URL and make the site’s pages match the look and feel of any company’s brand. Create a branded, custom Web address, such as https://twirltech.in, by registering through a domain name registrar. Create CNAME records to redirect your branded domain and sub-domains to the Salesforce Sites domain without exposing the force.com name in the URL. the public users could access the Force.com site or Site.com site by Guest User licenses. If Community is enabled, these users also have access to public pages in the communities. Site visitors have access to any information made available on an active public site. For each Guest User license, one can develop one site for your organization. So lets discuss more on Force.com Site Vs Site.com.
Salesforce Site.com
What is Site.com Site Site.com Site is more template-driven, built using Community Builder or Site.com Studio, no CRM functionality – don’t have access to the Accounts and Contacts objects. Users have access to an unlimited number of custom tabs but are limited to the use of one custom app, which is defined as up to 20 custom objects. Each Site.com the Only user also needs either a Site.com Contributor or Site.com Publisher feature license to access Site.com.
Community Builder is an intuitive, convenient tool for customizing a community that can have public pages. Community Builder lets a developer/administrator create a community based on a pre-configured template, and then apply branding, edit pages, update your template, and publish changes all from one user-friendly interface. Using Community builder, a developer can create public pages that anyone can access or set a home page and set up multilingual support for the community in Site.com Studio, a Web content management system that provides extra configuration options. Site.com Studio is easily accessible from Community Management.
Developer, Enterprise, Unlimited, and Performance Editions each come with unlimited Guest User licenses of Site.com
Force.com Sites VS Site.com Sites
Force.com Sites:
Force.com sites supports both authenticated and public websites
Included in all Enterprise Edition (or above) and Developer orgs.
Support for custom pages using Visualforce, JavaScript, CSS.
Developers must be familiar with the above languages.
