Questions for the IDENTITY AND ACCESS MANAGEMENT ARCHITECT were updated on: Dec 01, 2025
Northern Trail Outfitters manages functional group permissions in a custom security application
supported by a relational database and a REST service layer. Group permissions are mapped as
permission sets in Salesforce.
Which action should an identity architect use to ensure functional group permissions are reflected as
permission set assignments?
B
Universal Containers wants to secure its Salesforce APIs by using an existing Security Assertion
Markup Language (SAML) configuration that supports the company's single sign-on process to Salesforce.
Which Salesforce OAuth authorization flow should be used?
B
An identity architect's client has a homegrown identity provider (IdP). Salesforce is used as the
service provider (SP). The head of IT is worried that during an SP-initiated single sign-on (SSO), the
Security Assertion Markup Language (SAML) request content will be altered.
What should the identity architect recommend to make sure that there is additional trust between
the SP and the IdP?
D
A public sector agency is setting up an identity solution for its citizens using a Community built on
Experience Cloud and requires the new user registration functionality to capture first name, last
name, and phone number. The phone number will be used for identity verification.
Which feature should an identity architect recommend to meet the requirements?
D
Northern Trail Outfitters would like to use a portal built on Salesforce Experience Cloud for customer
self-service. Guests of the portal should be able to self-register, but should not be automatically assigned
to a contact record until verified. External Identity licenses have been purchased for the project.
After registered guests complete an onboarding process, a flow will create the appropriate account
and contact records for the user.
Which three steps should an identity architect follow to implement the outlined requirements?
Choose 3 answers
A, B, E
Northern Trail Outfitters (NTO) believes a specific user account may have been compromised. NTO
inactivated the user account and needs to perform a forensic analysis and identify signals that could
indicate a breach has occurred.
What should NTO's first step be in gathering signals that could indicate account compromise?
D
When designing a multi-branded Customer Identity and Access Management solution on the
Salesforce Platform, how should an identity architect ensure a specific brand experience in Salesforce
is presented?
A
Northern Trail Outfitters (NTO) has an off-boarding process where a terminated employee is first
disabled in the Lightweight Directory Access Protocol (LDAP) directory, then requests are sent to the
various application support teams to finish user deactivations. A terminated employee recently was
able to log in to NTO's Salesforce instance 24 hours after termination, even though the user was
disabled in the corporate LDAP directory.
What should an identity architect recommend to prevent this from happening in the future?
B
A university is planning to set up an identity solution for its alumni. A third-party identity provider
will be used for single sign-on; Salesforce will be the system of record. Users are getting error
messages when logging in.
Which Salesforce feature should be used to debug the issue?
D
An insurance company has a connected app in its Salesforce environment that is used to integrate
with Google Workspace (formerly known as G Suite).
An identity and access management (IAM) architect has been asked to implement automation to
enable users, freeze/suspend users, disable users, and reactivate existing users in Google Workspace
upon similar actions in Salesforce.
Which solution is recommended to meet this requirement?
A
Universal Containers is creating a web application that will be secured by Salesforce Identity using
the OAuth 2.0 Web Server Flow (which uses the OAuth 2.0 authorization code grant type).
Which three OAuth concepts apply to this flow?
Choose 3 answers
B, C, D
An administrator created a connected app for a custom web application in Salesforce which needs to
be visible as a tile in App Launcher. The tile for the custom web application is missing in the App
Launcher for all users in Salesforce. The administrator requested assistance from an identity architect
to resolve the issue.
Which two reasons are the source of the issue?
Choose 2 answers
A, C
Northern Trail Outfitters (NTO) recently purchased Salesforce Identity Connect to streamline user
provisioning across Microsoft Active Directory (AD) and Salesforce Sales Cloud.
NTO has asked an identity architect to identify which Salesforce security configurations can map to
AD permissions.
Which three Salesforce permissions are available to map to AD permissions?
Choose 3 answers
A, C, E
An identity architect is setting up an integration between Salesforce and a third-party system. The
third-party system needs to authenticate to Salesforce and then make API calls against the REST API.
One of the requirements is that the solution needs to ensure the third-party service provider's
connected app in Salesforce minimizes the need for end-user interaction and maximizes security.
Which OAuth flow should be used to fulfill the requirement?
A
Northern Trail Outfitters (NTO) uses Salesforce for Sales Opportunity Management. Okta was
recently brought in to Just-in-Time (JIT) provision and authenticate NTO users to applications.
Salesforce users also use Okta to authorize a Forecasting web application to access Salesforce records
on their behalf.
Which two roles are being performed by Salesforce?
Choose 2 answers
B, D