Identity-and-Access-Management-Architect Free Practice Test

Universal Containers (UC) is using its production org as the identity provider for a new Experience Cloud site and the identity architect is deciding which login experience to use for the site. Which two page types are valid login page types for the site?
Choose 2 answers

1. A. Experience Builder Page
2. B. lightning Experience Page
3. C. Login Discovery Page
4. D. Embedded Login Page

Correct Answer: CD
Login Discovery Page and Embedded Login Page are two valid login page types for Experience Cloud sites. Login Discovery Page allows users to choose their preferred login method, such as username/password, SSO, or social sign-on. Embedded Login Page allows users to log in from any site page without being redirected to a separate login page. References: Login Discovery Page, Embedded Login

A global fitness equipment manufacturer uses Salesforce to manage its sales cycle. The manufacturer has a custom order fulfillment app that needs to request order data from Salesforce. The order fulfillment app needs to integrate with the Salesforce API using OAuth 2.0 protocol.
What should an identity architect use to fulfill this requirement?

1. A. Canvas App Integration
2. B. OAuth Tokens
3. C. Authentication Providers
4. D. Connected App and OAuth scopes

Correct Answer: D
To integrate the order fulfillment app with the Salesforce API using OAuth 2.0 protocol, the identity architect should use a Connected App and OAuth scopes. A Connected App is a framework that enables an external application to integrate with Salesforce using APIs and standard protocols, such as OAuth 2.0. OAuth scopes are permissions that define the specific data that an external application can access or modify in Salesforce. To use OAuth 2.0 protocol, the identity architect needs to configure a Connected App in Salesforce and assign the appropriate OAuth scopes to it, such as “api” or “full”. References: Connected Apps, OAuth Scopes

Universal Containers allows employees to use a mobile device to access Salesforce for daily operations using a hybrid mobile app. This app uses Mobile software development kits (SDK), leverages refresh token to regenerate access token when required and is distributed as a private app.
The chief security officer is rolling out an org wide compliance policy to enforce re-verification of devices if an employee has not logged in from that device in the last week.
Which connected app setting should be leveraged to comply with this policy change?

1. A. Scope - Deny refresh_token scope for this connected app.
2. B. Refresh Token Policy - Expire the refresh token if it has not been used for 7 days.
3. C. Session Policy - Set timeout value of the connected app to 7 days.
4. D. Permitted User - Ask admins to maintain a list of users who are permitted based on last login date.

Correct Answer: B
Refresh Token Policy - Expire the refresh token if it has not been used for 7 days is the connected app setting that should be leveraged to comply with the policy change. This setting ensures that users have to re-verify their devices if they have not logged in from that device in the last week. The other settings are either not relevant or not effective for this scenario. References: Connected App Basics, OAuth 2.0 Refresh Token Flow

Universal containers (UC) is building a mobile application that will make calls to the salesforce REST API. Additionally, UC would like to provide the optimal experience for its mobile users. Which two OAuth scopes should UC configure in the connected App? Choose 2 answers

1. A. Refresh token
2. B. API
3. C. full
4. D. Web

Correct Answer: AB
The two OAuth scopes that UC should configure in the connected app are:
Refresh token. This scope allows the mobile app to obtain a refresh token from Salesforce when it obtains an access token. A refresh token can be used to obtain a new access token when the previous one expires or becomes invalid. This scope enables UC to provide an optimal experience for its mobile users by reducing the number of login prompts and authentication failures.
API. This scope allows the mobile app to make REST API calls to Salesforce using the access token.
The REST API allows the mobile app to access or manipulate data and metadata in Salesforce using HTTP methods. This scope enables UC to build a custom mobile app that can connect to Salesforce and perform various operations on Salesforce resources.
References: [OAuth Scopes], [Connected Apps], [Refresh Token], [REST API]

Universal Containers (UC) is planning to add Wi-Fi enabled GPS tracking devices to its shipping containers so that the GPS coordinates data can be sent from the tracking device to its Salesforce production org via a custom API. The GPS devices have no direct user input or output capabilities.
Which OAuth flow should the identity architect recommend to meet the requirement?

1. A. OAuth 2.0 Asset Token Flow for Securing Connected Devices
2. B. OAuth 2.0 Username-Password Flow for Special Scenarios
3. C. OAuth 2.0 Web Server Flow for Web App Integration
4. D. OAuth 2.0 JWT Bearer Flow for Server-to-Server Integration

Correct Answer: A
OAuth 2.0 Asset Token Flow is the flow that allows connected devices to request an asset token from Salesforce. The device obtains an access token and an actor token, and uses them to create an asset token. This flow enables efficient token exchange and automatic linking of devices to Service Cloud Asset records. References: OAuth 2.0 Asset Token Flow for Securing Connected Devices, OAuth Authorization Flows