Salesforce Sharing-and-Visibility-Architect Salesforce Certified Sharing and Visibility Architect (SP23) Exam Practice Test

Setting the Field Level Security for the Date of Birth field to be Visible to Customer Support Rep Profile, and set the Date of Birth Field Visible and Read-only to Banking Rep profile is the best approach to meet this requirement, as it allows admins to control who can see and edit a specific field on an object. Creating a Validation rule in the Data of Birth field so the rule returns true only when user.profilename matches Customer Support Rep will work, but it will require additional logic and error handling. Adding Date of Birth field to the Search layout of the Contact Object and modifying the Page layout assigned to Customer Support Rep and adding Date of Birth field as Required will not work, as it will only affect how the field is displayed and searched, not who can edit it.

Public groups are used to grant access to a set of users who do not have a predefined relationship in the role hierarchy or territory hierarchy. Sharing sets are used for community users, not internal users. Role hierarchy is used to grant access based on the user’s position in the organization.

Public Groups and Roles and Subordinates are two options for sharing the List View with certain groups of users. Profiles and Manual Sharing are not valid options for sharing List Views

A sales rep who is added to an opportunity team with Read/Write permissions can perform actions such as updating opportunity fields, adding products, creating tasks, and logging calls4. Therefore, updating opportunity stage is an action that she is allowed to perform in the opportunity. Adding or removing members in the opportunity team is an action that only the opportunity owner or users above the owner in the role hierarchy can perform. Replacing opportunity owner is an action that only the current owner or users above the owner in the role hierarchy can perform.

The correct security settings to achieve this are to set all Organization-Wide Default security to be Private for both internal and external users and use Sharing Rules to grant the desired access. This way, internal users can access all survey responses through the account object, and external users can only access survey responses that belong to their own account through the custom object.

The three options that can change the owner of the opportunity are B, C, and E. The current opportunity owner can transfer the ownership to another user by editing the record or using the change owner button. The system administrator or a user with the “Transfer Records” permission can also change the owner of any record, regardless of the sharing settings. Someone above the opportunity owner in the role hierarchy can also change the owner, as they have full access to the records owned by users below them in the hierarchy. The other options are either incorrect or not possible.

Three advanced tools that Salesforce can enable for large-scale role hierarchy realignments in organizations with large data volumes are partitioning by divisions, deferred sharing calculation, and skinny table indexing. Partitioning by divisions allows the organization to segment data into logical sections based on business criteria, which reduces the number of records that need to be recalculated when role hierarchy changes. Deferred sharing calculation allows the organization to postpone the sharing recalculation until a scheduled time, which avoids impacting users during peak hours. Skinny table indexing allows the organization to create custom indexes on frequently used fields, which improves query performance and reduces locking contention

Storing the value in a text field on a protected custom setting in the package is the best way to support this requirement. Protected custom settings are not visible to subscribers, but they can be accessed by the package code and support representatives. The other options either expose the value to subscribers (B and C) or do not allow support representatives to access it (D).

Private Account Sharing with Sharing Rules from Commercial Sales Group(s) to Commercial Support Group(s) and Consumer Sales Group(s) to Consumer Support Group(s) is the recommended Org-Wide Sharing Default for Accounts and the way to enable proper Commercial and Consumer Sales to Support Account Sharing for this scenario. This way, the sales and support departments can share their customers with each other, but not with the other departments. The other options are incorrect because they either do not allow the sales and support departments to share their customers (A and B) or they allow too much access to the accounts ©.

The record owner and any user above the external user in the role hierarchy have access to opportunity records owned by an external user. This is because external users are always at the bottom of the role hierarchy and do not grant access to users below them. The record owner and all internal users do not have access to opportunity records owned by an external user unless they have other sharing mechanisms such as sharing rules or manual sharing

The recommended way for the architect to implement this is to create an AccountShare record associated to a public group containing the role. This way, the architect can use Apex Managed Sharing to share certain account records with all users who are assigned to a specific role in the role hierarchy. Creating an AccountShare record associated to a public group containing the users in the role is not possible because public groups can only contain users, roles, or other public groups, but not a combination of them. Creating an AccountShare record associated to each user who is assigned to the role is not efficient because it requires more sharing records and maintenance. Creating an AccountShare record associated to the required role is not valid because AccountShare records can only be associated to users or groups, not roles1

 Instituting a business process that calls for the account manager to be added to the account team once the account becomes a customer, and creating a criteria-based sharing rule that shares the account to the account management group when the type is customer are two methods that could be used to enable this sharing requirement, assuming a private sharing model for accounts. These methods would ensure that only accounts with type customer are shared with the account management users, and only when they are involved in the account team. Creating a public list view, where accounts of type customer are included and share the list view with account management public group is not a method to enable sharing, as it only filters the records that are already visible to the users, not grant access to new ones. Creating an account sharing rule that shares all accounts owned by sales to be shared with account management roles and subordinates is not a method to enable this sharing requirement, as it would share all accounts regardless of their type

Setting the Field Level Security for the VIP Flag field so that it is visible to Private Banking Rep Profile is the simplest and most effective way to meet this requirement, as Field Level Security controls whether a user can see, edit, and delete the values for a particular field on an object. Defining a page layout for Contact Object and adding the VIP Flag field will not work, as page layouts do not control field visibility, only field placement. Creating a criteria-based sharing rule for Contact Object and adding the VIP Flag field as a condition will not work, as sharing rules do not control field visibility, only record visibility.

Two platform features that can be used to support the requirements for granting access to Job records are “View All” profile settings and manual sharing. The “View All” profile setting can be enabled for the Delivery profile to grant them View access to all Job records regardless of ownership or role hierarchy. The manual sharing feature can be used by the Delivery user who owns a job to grant access to a Product Development user on a case-by-case basis

The Field Accessibility Viewer is a tool that allows you to see how a field is visible or editable for a specific profile or permission set. You can also see which page layouts and record types include the field. This is a quick way to determine the field accessibility settings for different users without logging in as each user profile or clicking on each profile.

The potential vulnerabilities in the code snippet are SOQL Injection and Data Access Control. SOQL Injection is a technique that exploits a security vulnerability in a database layer of an application. It occurs when user input is directly appended to a SOQL query string, which allows attackers to execute arbitrary SOQL commands2. Data Access Control is a mechanism that ensures that users have appropriate permissions to access data in Salesforce. It involves checking the object-level, field-level, and record-level access of the user before performing any data operation3. The code snippet does not perform any FLS check or data access control check, which could expose sensitive data to unauthorized users or allow them to modify data without proper permissions3. Arbitrary Redirects are not a vulnerability in this code snippet, as they occur when a web application accepts untrusted input that could cause the web browser to redirect the user to a malicious website

Using the {!$ObjectType.lead.accessible} expression within the Visualforce page is the best way to ensure that object-level security is enforced within a custom Visualforce application that uses a standard Apex controller on the Lead object. This expression evaluates to true if the user has read access to the Lead object, and false otherwise. The Visualforce page can use this expression to conditionally render components based on the user’s permissions. Option A is incorrect, as the runAs() method is only available in test methods and does not change the user’s permissions. Option B is incorrect, as the Schema.DescribeSObjectResultisAccessible() method returns true if the user has any access (read, create, edit, or delete) to the object, not just read access. Option D is incorrect, as using the “With Sharing” keyword when defining the Visualforce page does not affect object-level security, but record-level security.

 To prevent orders from being deleted in the future, a Salesforce Architect should recommend removing Order delete permission from profiles and permission sets, and changing the record type/page layout assignment for orders to be read only. Removing Order delete permission will prevent users from deleting any order records, regardless of their ownership or sharing. Changing the record type/page layout assignment will prevent users from editing any order fields, regardless of their field-level security. Implementing a sharing rule that changes access for order to read will not work, as it will only affect the record-level access, not the field-level access or the delete permission. Removing the Delete button from the order page layout will not work, as it will only affect the user interface, not the API or other ways of deleting records.

 The option that supports this requirement is B. To restrict users’ access to export reports, the administrator can remove the “Export Reports” user permission from their profile or permission set. The “Report Manager” user permission is not related to exporting reports, but to creating and managing report folders.

The user can filter by owner using Queue or My Case Teams options when creating a list view on the Case object, as these are related to the Case team feature

The system permission in their profile that enabled the users to see all list views is manage public list views. This permission allows users to create, edit, and delete public list views, as well as view all list views shared with them or with their groups. To restrict visibility to the respective list views, the system administrator should remove this permission from the users’ profiles and assign it only to those who need to manage public list views

 Using a visualforce override or a custom LWC override for Opportunity view action will require additional development and maintenance, and may not be compatible with all devices. The best option is to use Dynamic Form to define different field sections applicable for different form factors of devices, as Dynamic Form is a declarative feature that allows admins to customize record detail pages without writing code.

According to this source, Apex managed sharing is the best way to share records based on complex logic that can’t be handled by declarative sharing. In this case, the architect can use Apex code to create a trigger on the Job Interview object that will create a share record for the interviewer user when the lookup field is populated. The other options are not feasible or scalable.

To implement Filter-Based Opportunity Territory Assignment, you need to define a Territory assignment rule with filter criteria for Filter-Based Opportunity Territory Assignment1. This will allow you to assign opportunities to territories based on field values of the opportunity or its related account1. Defining an account assignment, a custom Apex class, or an opportunity assignment rule are not required for this feature.

Deferred Sharing Recalculation is a feature that allows admins to postpone the recalculation of sharing rules until a scheduled maintenance window, which can improve performance and avoid locking issues when making changes to roles or account owners3. This is the best feature to recommend to avoid problems with this operation. Skinny table is a feature that improves performance by storing frequently used fields in a separate table, but it does not affect sharing recalculation. Partition data using Divisions is a feature that allows admins to segment data into logical subsets for reporting and searching purposes, but it does not affect sharing recalculation.

The two different approaches that the architect should consider when designing this enhancement are A and B. Option A ensures that the custom account team object data is consistent with the standard account team member object data, which is used for implicit sharing. Option B ensures that the account share object, which stores the sharing records for accounts, is updated based on the custom account team object data. The other options are either not necessary or not possible.

To reduce redundant leads and restrict their editing and reassignment, a Salesforce Architect should recommend implementing a private OWD on Lead. A private OWD means that only the owner of the lead record and users above them in the role hierarchy can view, edit, or transfer the lead. This will prevent duplicate leads from being created by other users, and also ensure that only the lead owner can modify or reassign the lead. Implementing a public read only OWD on Lead will not work, as it will allow other users to view the lead records, which may lead to duplication. Implementing a public read only/transfer OWD on Lead will not work, as it will allow other users to transfer the lead records to themselves or others. Implementing a public read/write OWD on Lead will not work, as it will allow other users to edit or reassign the lead records.

Disabling “Grant Access Using Hierarchies” and disabling the “View All” permission on all other profiles are two options that would ensure access only to the record owner and the administrator for a custom object with private sharing settings. Disabling “Grant Access Using Hierarchies” would prevent users above the record owner in the role hierarchy from accessing the record. Disabling the “View All” permission on all other profiles would prevent users with other profiles from accessing all records of that object. Disabling the “Create” permission on all other profiles would prevent users with other profiles from creating new records of that object, but not from accessing existing ones. Disabling the “Read” permission on all other profiles would prevent users with other profiles from accessing any record of that object, but also prevent them from creating or modifying records.

According to this source, users with access to a child case have read-only access to the parent account by default, and owners of a parent account have access to child opportunities by default. The other options are not implicit record access mechanisms.

The best practice for testing sharing and visibility changes is to use the login as feature for a sample user in each role and profile. This allows the tester to see exactly what the user can see and do in the org, and verify that the sharing settings are working as expected. The other options are either not comprehensive or not relevant.

The employees who will have access to the NewWorld account are A, Bob and Phil. Bob will have access because he is above Phil in the role hierarchy, and Phil will have access because he is the new owner of the account. Richard and Kevin will not have access because they are not related to Phil by role or account team, and Karen will not have access because she has moved to a new role and lost her manual sharing access.

 Territory Model State is the feature that can help UC stay within their org limits. It allows them to create multiple territory models and activate only one at a time. The inactive models do not count towards the org limit

Two options that the user can see while adding account team members to the account are case access and opportunity access. This is because these are the two objects that have public read only sharing settings and allow users to specify different levels of access for account team members. Contact access and activity access are not options because these objects have controlled by parent sharing settings and inherit their access from the account

Using Account teams, Opportunity teams, and Case teams is the best way to achieve these requirements. Account teams allow you to share accounts and related records with a group of users. Opportunity teams allow you to share opportunities with a group of users who can have different levels of access. Case teams allow you to share cases and related records with a group of users who can have different roles and levels of access. Using Sharing rules to share cases with sales associates will not work, because sharing rules can only be based on record owner or criteria, not on account team membership. Using Account Teams to define access to accounts as well as opportunities and cases related to accounts will not work, because account team members can only have read-only access to cases by default.

 Account records can be accessed due to implicit sharing from Opportunity and Account records can be accessed due to role hierarchy are two reasons that could be causing this issue. Implicit sharing grants access to parent records when a user has access to a child record. For example, if a user has access to an opportunity, they also have access to its related account and contract records. Role hierarchy grants access to records owned by or shared with users who are below in the hierarchy. For example, if a user is above another user in the role hierarchy, they can access any records that the lower user can access. Option A is incorrect, since contact records cannot be accessed due to implicit sharing from account, as implicit sharing does not grant access to child records. Option C is incorrect, since contact records cannot be accessed due to implicit sharing from opportunity, as implicit sharing does not grant access to child records.

Only Bob can view the file that he uploads to his Files Home private library. Users above Bob in the role hierarchy, users with View All Data permission, or users with Modify All Data permission cannot access the file unless Bob explicitly shares it with them

 Creating a Permission Set that grants “View All” permission for Opportunity is the best approach to meet the requirements. This will allow the Sales Reporting team to view all Opportunity records without changing their profile or OWD settings. Creating a Permission Set that grants “View All Data” permission would give them access to all data in the org, which is not necessary. Making Opportunity OWD read-only would affect all users in the org, which may not be desirable. Giving “View All Data” permission to the Sales Reporting Profile would also give them access to all data in the org, which is not necessary

The OWD for pricebook should be set to Use, which means that users can only view and use price books that are shared with them. This way, sales agents can have access to products and create opportunities for their customers. Option A is incorrect, since Public Read Only would give access to all price books to all users. Option B is incorrect, since Public Read Write would give access and edit rights to all price books to all users. Option C is incorrect, since View is not a valid OWD setting for pricebook.

Reviewing the user provisioning process to not automatically create a user role for any new user and contacting Salesforce support and requesting to increase the number of users’ roles allowed are two recommendations that could solve this problem. Salesforce has a limit on the number of roles that can be created in an organization, which depends on the edition and the number of licenses. If this limit is reached, no more roles can be created unless the limit is increased by Salesforce support. Therefore, it is not advisable to create a new role for every new user, as this would quickly exhaust the limit and cause the “User Role Limit Exceeded” error. Option B is incorrect, since removing role hierarchy from Salesforce org and controlling the record access using Apex managed sharing would be a complex and custom solution that would not address the root cause of the problem. Option D is incorrect, since creating an Apex class to replace the User Roles by generic one as soon as they are created would be unnecessary and inefficient.

Lead and Case are two objects that support creating queues. Queues are used to route records to a group of users who share workloads. Queues are available for standard objects such as Lead and Case, and custom objects that have a queue-supported lookup field. Option A is incorrect, since Account does not support creating queues. Option B is incorrect, since Opportunity does not support creating queues.

Setting the organization-wide default on Shipment to Private, creating a trigger to update the Account record with the shipment information, and using a lookup relationship to Account are the best recommendations to accomplish this requirement. This way, the Marketing team can see the shipment information on the Account record, but not the Shipment records themselves. Option A is incorrect, since setting the organization-wide default on Shipment to Public would give access to all Shipment records to all users. Option B is incorrect, since using a master-detail relationship to Account would inherit the sharing settings from Account, which may not be Private. Option C is incorrect, since using a master-detail relationship to Account and setting the organization-wide default on Shipment to Controlled by Parent would have the same effect as option B.

Using bind variables or the escapeSingleQuotes() method are two techniques that can prevent SOQL Injection attacks by ensuring that user input is treated as literal strings rather than part of the query9. Bind variables are preferred over escapeSingleQuotes(), as they also improve performance and readability of the code10. Option A is incorrect, since escaping double quotes in the user input does not prevent SOQL Injection. Option D is incorrect, since using the with Sharing keyword on the controller does not affect SOQL Injection, but rather enforces record-level access based on the user’s profile and sharing rules.

The territory with the highest territory type priority is automatically assigned to the opportunity when an account meets criteria for multiple territories4. Option A is incorrect, since creating a process builder process to update the territory field on the opportunity would be unnecessary and complex. Option C is incorrect, since creating an Apex class that implements Filter-Based Opportunity Territory Assignment would be an advanced and custom solution that is not required in this scenario. Option D is incorrect, since creating a criteria-based sharing rule on the opportunity to assign it to a territory would not work, as sharing rules do not assign territories5.

The action that Mary can take on Joe’s Invoice records is none. This is because Mary’s profile does not have the Read permission for the Invoice object, which means she cannot view any Invoice records, regardless of the OWD or role hierarchy settings. Profile permissions override any other access settings3. Read/Write, Edit Only, and View Only are not possible actions for Mary.

A sharing set is the best way to share cases with partner users based on a common account. Sharing sets are available for Partner Community licenses and can grant access to related records using predefined criteria1. Option A is incorrect, since changing the external OWD to public read only would give access to all cases to all partner users, not just the ones related to their account. Option B is incorrect, since sharing rules are not available for partner users. Option C is incorrect, since the role hierarchy does not apply to partner users

Setting the Request object’s OWD to Public Read/Write is the simplest and most efficient way to allow all employees to collaborate on requests. Option B is incorrect, since granting Modify All Data permission on all profiles would give too much access and affect other objects as well. Option C is incorrect, since creating a criteria-based sharing rule to share all records with all users would be redundant and inefficient. Option D is incorrect, since setting the OWD to Public Read Only would not allow users to edit requests3.

Setting the External OWD to Private for the Delivery object is the best approach to limit the records a distributor can see, since it will restrict the access to only the records they own or are shared with them. Option A is incorrect, since ownership-based sharing rules are not available for partner community users. Option B is incorrect, since removing Read permission from the distributor profile would prevent them from accessing any delivery records. Option D is incorrect, since criteria-based sharing rules are not available for partner community users.

The Grant Access Using Hierarchies option on Shipment Sharing Settings allows users above the owner in the role hierarchy to have the same level of access as the owner. If this option is disabled, the role hierarchy will not grant access to the Shipment records, even if it is configured correctly. Therefore, the answer A is correct and the other options are incorrect

 The development team missed using the with Sharing keyword in Apex classes to enforce sharing rules evaluation, and the isAccessible() method in Apex classes to check field accessibility. The with Sharing keyword ensures that the Apex code respects the sharing rules defined for the current user, while the isAccessible() method checks if the user has read access to a specific field1. The run as method in test class is used to test whether a user can perform certain actions, not to enforce permissions2. The isSharable keyword in Apex classes does not exist.

 A sharing set is the best way to share cases with customer community users based on a common account. Sharing sets are available for Customer Community licenses and can grant access to related records using predefined criteria1. Option A is incorrect, since writing an Apex class to create manual shares for these users would be complex and unnecessary. Option B is incorrect, since criteria-based sharing rules are not available for customer community users. Option D is incorrect, since upgrading the licenses to Customer Community Plus would be costly and not required in this scenario

A sharing set is the best way to share cases with community users based on a common account. Sharing sets are available for Customer Community licenses and can grant access to related records using predefined criteria. Option A is incorrect, since sharing rules are not available for community users. Option B is incorrect, since there is no such thing as a share group in Salesforce. Option D is incorrect, since Apex sharing is complex and requires code maintenance

Granular locking is an advanced tool that Salesforce can enable for large-scale role hierarchy realignments. Granular locking allows finer-grained locking for certain operations that affect large data sets, such as bulk loading or updating. Granular locking can reduce the locking time and avoid performance issues when changing role hierarchy or ownership. Therefore, the answer C is correct and the other options are incorrect

 Creating an ownership-based sharing rule is the best way to achieve the requirements. Ownership-based sharing rules allow administrators to automatically grant access to records owned by certain users or roles to other users or roles2. This way, the sales manager in Australia can access the deals owned by the sales manager in Japan. Using sharing set, using opportunity teams, and assigning View All on the opportunity object are not options that can achieve the same result.

The runAs() method can be used to verify the enforcement of a user’s record sharing, which determines what records they can view and edit. Option A is incorrect, since public group assignments are not enforced by runAs(). Option B and C are incorrect, since field-level security and permissions are not affected by runAs()

Organization-wide defaults (OWD) are a way to set the baseline level of access for each object in the organization. OWD can be set to Private, Public Read Only, Public Read/Write, or Public Read/Write/Transfer for different objects. In this case, setting OWD to Public Read Only for Lead object will allow all full-time internal employees to view all leads, but not edit them. A subset of employees can be granted additional access to leads using other mechanisms such as profiles, permission sets, or sharing rules. Therefore, the answer B is correct and the other options are incorrect .

To implement Apex managed sharing, a Salesforce Developer should consider using the with Sharing keyword and the runAs system method. The with Sharing keyword ensures that the Apex class respects the record visibility rules of the current user context, which can help prevent unauthorized access to records that are not shared with the user1. The runAs system method allows testing the code as different users with different profiles and permissions, which can help verify that the sharing logic is working as expected2.

Creating a Sharing set for the Distributor profile to grant access to the Delivery object is the correct way to share records with users in a partner community. Sharing sets allow you to share records based on a common account or contact2. Criteria-based sharing rules are not available for partner communities3.

SOQL injection is a vulnerability that can exist when controllers use dynamic rather than static queries and bind variables. SOQL injection is a technique that exploits a security vulnerability by inserting malicious SOQL statements into an existing query. This can result in data loss, data exposure, or unauthorized access1. Buffer overflow attacks, cross-site scripting, and record access override are not vulnerabilities related to dynamic queries and bind variables.

 Setting the OWD for internal users to Public Read Only is the simplest and most efficient way to give access to all internal employees to the ServiceFeedback object. Option A is incorrect, since creating a trigger on ServiceFeedback to change ownership to an internal employee would be complicated and affect the data quality. Option B is incorrect, since ensuring all the internal users are above the partners in the role hierarchy would not work, as the role hierarchy does not apply to partner users. Option C is incorrect, since creating an owner-based sharing rule for all ServiceFeedback records owned by partners would be redundant and inefficient

 Profiles can control the login hours for users, which can restrict their access to Salesforce based on their time zone. Option A is incorrect, since login hours are not set on user records. Option B and C are incorrect, since permission sets and custom permissions do not control login hours

The Apex method that must be used to make sure only allowed fields are shown to the users is isAccessible(). This method returns true if the user has read access to the field, and false otherwise2. isReadable(), isShowable(), and isViewable() are not valid Apex methods for checking field-level security.

 Partner super user is the only feature that supports the requirement of granting specific community users (agents) to view cases submitted by other agents of the same distributor. Partner super users are community users who can access and edit data owned by other partner users in their account. They can also access reports and dashboards that display data from their account1. Permission set to grant community admin permission, delegate external user, and partner community admin are not features that can achieve the same result.

Roles and Public Groups are two options that can be selected to share data with when creating a sharing rule. Sharing rules can grant additional access to records based on the owner’s role or public group membership. Option C is incorrect, since Users are not an option for sharing rules. Option D is incorrect, since Profiles are not an option for sharing rules.

The two options to propose a solution to meet the requirements are Scheduled Apex job to remove access and Opportunity team to share opportunities with sales managers. Scheduled Apex job allows developers to run Apex code at a specified time, which can be used to revoke the sharing access after two weeks. Opportunity team allows users to grant access to other users who work on the same opportunity1. Apex Sharing and Sharing Rules are not suitable options because they do not support automatic expiration of sharing.

 Ownership-based sharing rules are a way to grant access to records based on the record owner’s role or public group membership. Ownership-based sharing rules can be used to share records with Partner Community users, who are not supported by sharing sets. In this case, ownership-based sharing rules can be used to share Case and Container records owned by partner managers and partner users with other partner managers at the same distributor. Therefore, the answer D is correct and the other options are incorrect .

 Using the IsUpdateable() Apex method to test each field prior to allowing updates is the best way to fix this problem. This method returns true if the user has permission to edit a specific field on a specific object, and false otherwise. Option A is incorrect, since putting the code in a class that uses the With Sharing keyword would not affect field-level security permissions, but rather record-level access based on sharing rules. Option C is incorrect, since using the with SECURITY_ENFORCED keyword in the SOQL statement would not prevent updates on fields that are read-only for certain profiles, but rather enforce field- and object-level data protection. Option D is incorrect, since adding with Sharing keyword to the class would have the same effect as option A.

To audit user setup in Salesforce, the team needs to have both View Setup and Configuration and View All Users permissions. View Setup and Configuration allows them to access the setup menu and see the user profiles, roles, and permission sets. View All Users allows them to see all the user records and their details, such as login history and assigned licenses