Data and Security Sections In CTA

The data and security sections are two of the most fundamentally important sections of the CTA. They are closely interconnected and span across the entire CTA scenario. A CTA candidate must pass all the seven sections in the board exam. However, doing well in these two sections is imperative and this session will explore the reasons as to why this is the case.

Two fundamental sections in the CTA

All the seven sections in the CTA exam are equally important. But your chances of doing well can be boosted by getting these two sections right. 

  1. Data
  2. Security

Recognise that all the requirements in the scenario need to come together in your solution in a coherent fashion. Understanding the data elements in the scenario and their lifecycle is critical. Demonstrating that you can secure not just the data but the whole solution in general is important. This session serves to emphasise on the importance of these two fundamental sections.

Data – Exam Outline

Given a scenario, describe the platform architecture considerations, platform impact and optimization methods used when working with large data volumes. Given a scenario, describe data modeling concepts and implications of database design and modeling. Given a scenario, determine the data migration strategy, considerations, and appropriate tools to use.


Why is the Data Model so important?

Arguably the most important artifact in the exam. Identifies all the key data entities (objects) in the scenario. Has a direct impact on 

  1. License choices
  2. Sharing and Visibility
  3. Data Migration and archival
  4. Solution Architecture
  5. Integration
  6. Reporting
  7. Org strategy

Should convey the following to the judges

  1. Objects and relationships (LU/MD/Self/external). 
  2. Ownership
  3. Cardinality
  4. LDV
  5. Sharing (OWD for int and ext)
  6. Relevant data residing externally
Salesforce Data Model


How I studied for the data section? 

Went back to basics and learn about Relational database concepts.

  1. ER Modelling
  2. Normalised forms / Denormalisation
  3. Understand how SF differs from relational databases
  4. Looked up general industry data models and reviewed them – Hotel reservation, Event management, Vehicle dealerships etc
    • Data models for – Uber, AirBNB, SpaceX etc
  5. Behaviour of junction objects
  6. Acknowledged and fixed my blind spots!

Review and practice SF standard data models. Reviewed the SF industry cloud data models. Fiddle with Schema Builder in your developer org. Practice! Practice! Practice! to Develop muscle memory for speed. 

Data Model Patterns

Understand other clouds like CPQ and FSL etc. 

  1. No need to learn in depth
  2. Understand when they can help extend core SF to solve a requirement
  3. Maybe overkill to suggest without good justification.

Look at industry cloud data models and identify patterns to use.

  1. FSL data model:
  2. CPQ Data model: (Don’t ask why)
  3. NPSP cloud data model:
  4. Education Cloud data model:
  5. FSC data model:

Data Model : Tips

Identify the objects as you are solving the scenario. Maybe best to create a rough working copy. Goal: Optimal data model which solves the requirements with relevant justification. Key decisions

  1. Standard v/s custom 
  2. External object and their relationships
  3. Do licenses cater for it?
  4. Satisfies solution requirements?
  5. Satisfies sharing requirements

Save time by having ready made patterns for objects

  1. Lead, Opp, Order for sales. 
  2. Probably need Account, Contact (And/ Or Person Account), Case at a minimum
  3. Record types for the key objects
  4. External objects with their considerations

Additional clues in sharing and reporting sections. 

  1. Missing objects
  2. Field with FLS v/s custom object
  3. Denormalized objects for better reporting?

Try not to miss any objects. If there are very few objects in your DM, chances are that you are missing some.  

  1. Solve for the scope of the requirements. Don’t over analyse.

When presenting, you have to weave a compelling story with your data model that explains end-to-end business requirements. 

  1. CTA mocks in APEX hours.

Remember you can change the DM in Q&A. Don’t be afraid to do so. 

Data Model – Sample

Data Migration – Tips

Please check this post to learn about Data Migration Tips and trick here. Here is some data migration tips.

  1. First stage of life cycle of your data. How is it entering SF and what is it used for?
  2. Have a template and describe the overarching plan. Include:
    1. Key objects and estimated volume. 
    2. Don’t forget files and Knowledge Articles
    3. How data is prepared prior to load?
    4. Testing the data load in sandboxes
    5. Go-live plan – Big bang v/s Staggered incremental approach (Don’t forget the why?)
    6. Best practices
  3. Do not forget the archival process.
    1. Where is the data archived to? – With justifications
      1. EDW
      2. Big Objects
      3. Heroku
      4. AppExchange backup/recovery
    2. How is the archival process done and what is the frequency?
    3. How much data should reside on platform – Review reporting requirements
    4. How is external data accessed in SF when required?
  4. Do not forget individual requirements. Tie back the solution to the requirement.
  5. Options to verify that the data migration was successful?
  6. Governance, reporting and other project requirements may have an impact.

Data Migration – Sample

Large Data Volumes (LDV) in Salesforce

A “large data volume” is an imprecise, elastic term. These large data volumes (LDV) can lead to sluggish performance, including slower queries, slower search and list views, and slower sandbox refreshing. Probably the easiest section in Data.

  1. Identify the LDV objects. Pay attention to the junction objects.
  2. Estimate the volume based on future growth
    1. Do the math
    2. Leverage Google sheets to do the calculations
      1. Have templates ready  – YoY growth over X years
  3. Provide mitigations with relevant justifications. Be prescriptive.
    1. Indexes – Be specific. Standard v/s custom fields. 
    2. Make queries selective / filters
    3. Archival – Be specific. 
    4. Skinny tables etc
  4. Read up and learn the following:
    1. Query optimisation and review this
    2. Query plan tool
    3. Read the LDV whitepaper and review again. 
    4. Ownership and lookup skews
    5. Another whitepaper to review
      1. Parallel sharing rule recalculation
      2. Deferred sharing maintenance
      3. Granular locking


Security – Exam Outline 

Given a set of requirements, architect a solution that utilizes the appropriate platform security mechanisms. Given a scenario, identify the security considerations and risks, and leverage the appropriate security capabilities to design a secure portal architecture including access by both internal and external users.

Given a scenario, identify the declarative platform security features that can be used to meet record-level security requirements. Given a scenario, identify the programmatic platform security features that can be used to meet security requirements.

Given a scenario, describe how to incorporate the platform security features into a solution to give users the appropriate object and field access permissions. Given a set of requirements, design and justify an end-to-end identity management solution.


Security – Where to Start?

A formidable opponent in the CTA.

  1. Like the Data section, it also encompasses almost all areas of your solution.
  2. Secure your data in the org
    1. Object level security – CRUD / FLS
    2. Record level security using the the most optimal options.
  3. Secure data in transit
    1. Security for integrations
      • 2 way SSL for inbound v/s outbound using certificates
      • Payment gateways and PII compliance
  4. Secure data at rest
    1. Options to encrypt data and files
    2. Classic v/s Platform Encryption
    3. How does Shield PE work? What else can it protect? 
  5. IDAM
    1. Super important. No need to say anything here.
  6. Monitoring
    1. Event Monitoring
    2. Enhanced Transaction Policies

Secure data in SF

  1. Keep tracking the sharing reqs for key objects and denote the OWD in the data model.
    1. Who owns it and who will it be shared with and how?
  2. Be well versed in all the declarative SF sharing features
    1. OWD
    2. Role Hierarchy is important
    3. OBSR, CBSR, Public Groups, Territories and their limits. They should match the RH. 
    4. Everything should work together and scale!
  3. Experience Site (Community) access is critical
    1. Sharing Sets and groups
    2. Customer Community license
    3. Case ownership, access and routing
    4. Delegated ext admin and Super user
  4. Know all the features in and out.
    1. Implicit sharing, M-D relationship
    2. Manual sharing and Teams
    3. Account Data relationship rules
  5. Keep it simple but do not ignore Programmatic sharing
  6. Practice how you will solve and present precisely and succinctly
  7. Do not duplicate answers (Example: SSO slide will cover IDAM)

Security – Some things to ponder

  1. How are customer accounts created and who owns them?
  2. How do partners get access to customer data?
  3. How is an Opportunity record shared between two or more partners?
  4. How do you give and take away temporary access to a record?
  5. How is the OWD of some standard objects controlled?
    1. Example: Contact, Quote etc
  6. New features and updates (which are GA) such as:
    1. Restriction Rules 
    2. OWD for Product (Enforced Summer’ 22)
    3. Threat Detection

IDAM – Key things to know

  1. Authentication and single sign-on
    1. Propose a SSO solution with an IdP and justify – MS Azure AD v/s ADFS v/s Ping /Okta and when to use each? 
    2. SF as IdPSF as SP , SF as both? , myDomain
    3. Types: Federated with SAML and Delegated
    4. Review all the SSO flows. Make sure to explain the context of your scenario. 
    5. Hands-on practice with Azure AD / Ping, Okta etc. How to set up?
    6. Provisioning and de-prov
    7. Canvas and its authentication flows
  2. Social Sign On
    1. OpenID Connect
    2. How to set up
      1. Auth Provider
      2. Reg Handler (know key use cases)
      3. Config in the exp site
  3. Authorisation
    1. How does Salesforce support OAuth 2.0? Basics here in my DF video from 2017
    2. Connected App and all the options and scope?
    3. Review the OAuth flows and know them well. Key entities that are exchanged? 
    4. What are the different tokens and which flows support them?
    5. Connected Apps have a section to enable SAML. What use case does it solve?
  4. SSO + OAuth
    1. Understand how nested flows work
    2. Practice drawing and explaining them well. 
    3. I practiced every flow from this. Thank you Lawrence Newcombe.

Misc security topics

  1. In additional to everything covered in the Sharing and Visibility cert, you need to review and know the Salesforce Security Guide
  2. Key additional topics that I focussed on include:
    1. MFA and the different ways to achieve this. 
    2. SF session security and options
    3. Review Cryptography basics
    4. How do login flows work?
    5. How does SF health check and portal health check work?
    6. Vulnerabilities like XSS, CSRF, SOQL injection etc and how to mitigate
    7. SF Shield PE in-depth and what does it protect against? 
    8. Real time event monitoring and what options exist for transaction security? 
    9. Options to monitor SF security such as logins, set up audit trail etc
    10. Secure Apex, VF and LWC coding practices. (Ex: With Sharing v/s Without sharing, inherited sharing etc)
    11. Apex Crypto functions and when to use
    12. Protected Custom Settings and Custom Metadata types
    13. Understand how record sharing works in-depth.
  3. Create flashcards using any of your favorite methods (ANKI or anything other tool you prefer) to review important stuff.
  4. Practice and test as many security features as you can in your dev sandbox or TH playground! 

Core study material

  1.  Salesforce help articles –
  2.  Salesforce whitepapers – Sharing Architecture
  3. Salesforce Architect blog
  4. Salesforce Architect site
  5. The CTA mock scenarios
  6. CTA exam guide
  7. Youtube is a treasure chest
    1. Apex Hours


YouTube video


Data and security are two of the most important sections in the CTA. I suggest to prioritise your preparation strategies to ensure good coverage of important topics. Study extensively for the domain certs. Don’t do it only for the passing score. Solving these sections correctly and then presenting them confidently will go a long way in your CTA board. Keep it simple with good justifications. Assumptions are your friend. Thank you and all the best for your #JourneyToCTA!

Amit Chaudhary
Amit Chaudhary

Amit Chaudhary is Salesforce Application & System Architect and working on Salesforce Platform since 2010. He is Salesforce MVP since 2017 and have 17 Salesforce Certificates.

He is a active blogger and founder of Apex Hours.

Articles: 452

Leave a Reply

Your email address will not be published. Required fields are marked *