Sharing-and-Visibility-Architect Salesforce Certified Sharing and Visibility Architect (SP23) Question and Answers

Private Account Sharing with Sharing Rules from Commercial Sales Group(s) to Commercial Support Group(s) and Consumer Sales Group(s) to Consumer Support Group(s) is the recommended Org-Wide Sharing Default for Accounts and the way to enable proper Commercial and Consumer Sales to Support Account Sharing for this scenario. This way, the sales and support departments can share their customers with each other, but not with the other departments. The other options are incorrect because they either do not allow the sales and support departments to share their customers (A and B) or they allow too much access to the accounts ©.

Using Encryption Policy and contacting Salesforce to update the existing records so that their field values are encrypted is the best way to proceed with this new policy change, as it allows admins to encrypt standard and custom fields using Platform Encryption without changing existing business processes3. Using Classic Encryption will not work, as it only supports a limited number of fields and requires changes to the data model and code. Waiting for an email from Salesforce indicating the field values are encrypted will not work, as encryption policy does not automatically encrypt existing records.

The reason why there are many duplicate Account records and numerous sharing rules created in Salesforce is that the Organization-Wide Default for the Account object is Private4. This means that users can only see their own accounts and those shared with them explicitly by sharing rules or other means. This could lead to users creating duplicate accounts without knowing that they already exist in Salesforce. If the Organization-Wide Default for the Account object is Public Read/Write or Public Read Only, users would be able to see all accounts in Salesforce and avoid creating duplicates. The Object permissions for the Account object are not relevant for this question.

 When a sharing rule grants access to a public group, the access is also extended to the subordinates of the users in that group, according to the role hierarchy1. Therefore, subordinates of managers who have sales engineers in the public group will also have access to these records. Other sales engineers who are in the same role hierarchy as the sales engineers of the public group will not have access to these records, unless they are subordinates or managers of the users in the public group. Sales engineers and their managers in the role hierarchy will not have access to these records, unless they are part of the public group or its subordinates.

The best option for the architect to make sure Universal Health stays compliant is B. Enabling Salesforce Shield Platform Data Encryption and marking the patient notes field as encrypted will ensure that the data is encrypted at rest as well as in transit, using a tenant secret that only Universal Health can access. This will also allow them to use standard Salesforce features and functionality with the encrypted data. The other options are either incorrect or not optimal.

The system permission in their profile that enabled the users to see all list views is manage public list views. This permission allows users to create, edit, and delete public list views, as well as view all list views shared with them or with their groups. To restrict visibility to the respective list views, the system administrator should remove this permission from the users’ profiles and assign it only to those who need to manage public list views

Organization-wide defaults (OWD) are a way to set the baseline level of access for each object in the organization. OWD can be set to Private, Public Read Only, Public Read/Write, or Public Read/Write/Transfer for different objects. In this case, setting OWD to Public Read Only for Lead object will allow all full-time internal employees to view all leads, but not edit them. A subset of employees can be granted additional access to leads using other mechanisms such as profiles, permission sets, or sharing rules. Therefore, the answer B is correct and the other options are incorrect .

 Adding the product specialist and solution engineer to the opportunity team is the optimal way for the junior account manager to share the opportunity, given the private sharing model. Opportunity teams are groups of users who work together on sales opportunities. Adding users to an opportunity team grants them access to the opportunity and related records. This way, the junior account manager can collaborate with the product specialist and solution engineer on the complex deal, and when the account is reassigned to a senior account manager, the opportunity team members will retain their access. Option A is incorrect, since manual sharing on the opportunity would be removed when the account owner changes. Option C is incorrect, since manual sharing on the account would not grant access to the opportunity, as it does not roll up from account to opportunity. Option D is incorrect, since creating an owner-based sharing rule would be unnecessary and inefficient.

Using opportunity team and creating an assistant field, using Apex to share opportunities with the assistant agent is the optimum solution to meet the requirements. Opportunity teams are groups of users who work together on sales opportunities. By creating an assistant field on the opportunity object, the sales reps can specify an assistant agent who can help them with their deals. By using Apex, the system can automatically share the opportunity with the assistant agent based on the value of the assistant field, and remove access from the previous assistant if the field value changes. Option A is incorrect, since using share group to share opportunities with the assistant agent would require manual configuration and maintenance. Option C is incorrect, since using sharing rule to share opportunities with the assistant agent would not allow dynamic sharing based on the assistant field value. Option D is incorrect, since using Apex sharing to share and unshare opportunities with the assistant agent would be similar to option B, but without using opportunity teams.

The license recommendation that will meet distributor needs is Partner Community. Partner Community licenses are designed for users who are not employees of UC, but are part of their partner ecosystem, such as distributors, resellers, or suppliers. Partner Community users can access standard CRM objects such as accounts, contacts, leads, opportunities, cases, and campaigns. They can also collaborate with other partners and UC employees using Chatter and Communities. Sales Cloud licenses are for internal sales users who need full access to standard CRM and custom objects. Customer Community Plus licenses are for high-volume customers who need access to standard CRM objects and custom objects, but not opportunities. Customer Community licenses are for low-volume customers who need access only to custom objects and a subset of standard CRM objects.

Setting the organization-wide default to Private and unchecking the Access Using Hierarchies option for the NPS object will prevent the managers from accessing the NPS records of their subordinates. This is because the access using hierarchies option allows users above the owner in the role hierarchy to have the same level of access as the owner

Apex sharing is a way to programmatically grant access to records for users or groups of users. Apex sharing can be used to share records with Customer Community Plus users, who are not supported by other declarative sharing options such as sharing sets or sharing rules. Apex sharing uses the Account__Share table to store the sharing information for the Account object. Therefore, the answer A is correct and the other options are incorrect

 Leveraging default Account team is the best way to help improve sales reps productivity by granting access to supporting internal users for customer records when they need help. Default Account teams are predefined groups of users who work together on an account. When a user creates or owns an account, Salesforce automatically adds the default Account team to the account team related list on the account2. Creating a permission set with “view all data” and assigning it to supporting users would give them too much access to data that they may not need. Creating a public group and replacing the account ownership with it would not be feasible or scalable. Creating a criteria-based sharing rule to grant access to other users would require manual maintenance and may not reflect the changes in the account team.

The internal Pre-Sales users will no longer have access to the opportunity after the ownership transfer, since manual sharing is removed when a record owner changes. Option A is incorrect, since inherited sharing does not apply to manual sharing. Option B is incorrect, since implicit sharing does not apply to internal users. Option D is incorrect, since team access does not apply to manual sharing.

The Apex method that must be used to make sure only allowed fields are shown to the users is isAccessible(). This method returns true if the user has read access to the field, and false otherwise2. isReadable(), isShowable(), and isViewable() are not valid Apex methods for checking field-level security.

 Profiles can control the login hours for users, which can restrict their access to Salesforce based on their time zone. Option A is incorrect, since login hours are not set on user records. Option B and C are incorrect, since permission sets and custom permissions do not control login hours

 Using a visualforce override or a custom LWC override for Opportunity view action will require additional development and maintenance, and may not be compatible with all devices. The best option is to use Dynamic Form to define different field sections applicable for different form factors of devices, as Dynamic Form is a declarative feature that allows admins to customize record detail pages without writing code.

 Configuring organization-wide defaults of the Account object and creating sharing rules are two options that should be used together to achieve the requirements, as they allow admins to set the baseline level of access for accounts and then grant additional access based on criteria such as geographic location2. Creating the Account Team and adding branch manager team members will not work, as it will require manual maintenance and will not grant access to UC branch staff. Configuring Role Hierarchy will not work, as it will grant access based on the user’s position in the organization, not their geographic location

The feature in Salesforce that is needed to restrict access to a custom object that has public read/write access is profile. Profile settings can control the create, read, edit, and delete permissions for a custom object at the user level, regardless of the organization-wide default settings. The other options are either not related to object access or not restrictive enough.

Using a lightning component as an override for the “Edit” action on mobile view would allow field consultants to capture images while editing the case record, without affecting the desktop users. Using a lightning component as an override for the “Edit” action on lightning experience would affect both mobile and desktop users, which is not desirable. Creating a separate button for “Edit in Mobile” would require additional customization and user training.

Using the {!$ObjectType.lead.accessible} expression within the Visualforce page is the best way to ensure that object-level security is enforced within a custom Visualforce application that uses a standard Apex controller on the Lead object. This expression evaluates to true if the user has read access to the Lead object, and false otherwise. The Visualforce page can use this expression to conditionally render components based on the user’s permissions. Option A is incorrect, as the runAs() method is only available in test methods and does not change the user’s permissions. Option B is incorrect, as the Schema.DescribeSObjectResultisAccessible() method returns true if the user has any access (read, create, edit, or delete) to the object, not just read access. Option D is incorrect, as using the “With Sharing” keyword when defining the Visualforce page does not affect object-level security, but record-level security.

Validation rules and page layout settings are two options that the architect can use to prevent users from editing encrypted fields, assuming no customizations are implemented. Validation rules can be used to display an error message when a user tries to edit an encrypted field, and page layout settings can be used to make an encrypted field read-only or hidden from the user interface. Apex triggers and workflow rules are not options to prevent users from editing encrypted fields, as they are executed after the user has already modified the field

The term that describes the situation when you make changes to roles and groups Salesforce locks the entire group membership table is Granular Locking. Granular Locking is a feature that improves the concurrency and performance of sharing operations by locking only the affected nodes in the role or territory hierarchy, instead of locking the entire hierarchy. This allows multiple sharing operations to run in parallel without causing lock contention or blocking each other.

The best solution for this scenario is to grant managers access to the fields using field-level security, and do not add them to a page layout. This way, the managers can see the fields in reports, but not on the account record detail page. The other options are either not feasible or not effective.

The two methods that would be used to enforce this requirement are A and D. Schema.DescribeFieldResult and Schema.DescribeSObjectResult can be used to check the user permissions for creating records and accessing certain fields, even if the Visualforce controller is written with “Without Sharing”. The other options are either not related to field or object permissions, or not sufficient to enforce them.

Public groups are used to grant access to a set of users who do not have a predefined relationship in the role hierarchy or territory hierarchy. Sharing sets are used for community users, not internal users. Role hierarchy is used to grant access based on the user’s position in the organization.

 Roles is an option that can be selected to share data when creating a sharing rule, as it allows admins to grant access to users who have a specific role or roles below that role in the hierarchy2. Users is not an option that can be selected to share data when creating a sharing rule, as sharing rules are based on groups, not individuals. Profiles is not an option that can be selected to share data when creating a sharing rule, as sharing rules are based on record ownership or criteria, not profiles.

The expected behavior if a user without FLS accesses the VF page is that the field is automatically removed from the page. This is because apex:outputField respects FLS settings and will not render any field that the user does not have read access to. The user will not encounter any error, see the output field, or enter any value into the phone field

According to this source, Apex managed sharing is the best way to share records based on complex logic that can’t be handled by declarative sharing. In this case, the architect can use Apex code to create a trigger on the Job Interview object that will create a share record for the interviewer user when the lookup field is populated. The other options are not feasible or scalable.

Inherited access grants and group membership grants are two types of access grants that are stored in the group maintenance tables. These tables store information about which users belong to which groups (group membership grants) and which groups inherit access from which groups (inherited access grants). Explicit grants and implicit grants are not stored in the group maintenance tables, but in other tables such as share tables and role hierarchy tables.

The Internal Default sharing settings for a custom object can be either Public Read/Write or Public Read Only if the External Default sharing setting is set to Public Read Only1. Controlled by Parent and Private are not valid options because they would not allow external users to access the custom object records.

The user who posted the file and users with access to the record can view the file by default, as files posted to a record’s feed inherit the record’s sharing settings3. Users with a shared chatter post link to the file will not be able to view the file by default, unless they also have access to the record. Only the user who posted the file will not be able to view the file by default, as other users who have access to the record can also view it.

 The access levels that can be set on the Account Team Member are Account Access, Opportunity Access, and Case Access2. Contact Access and Contract Access are not available options for Account Team Members.

According to this source, submitting to Force.com Security Scanner, using web application security tools, and using debug logs to check hijacked requests are some of the ways to make sure Visualforce pages are secure. The other options are not sufficient or recommended.

Two platform features that can be used to support the requirements for granting access to Job records are “View All” profile settings and manual sharing. The “View All” profile setting can be enabled for the Delivery profile to grant them View access to all Job records regardless of ownership or role hierarchy. The manual sharing feature can be used by the Delivery user who owns a job to grant access to a Product Development user on a case-by-case basis

The user will not be able to see the junction object records or the field values if their profile allows access to the Job object but not to the Production Facility object. This is because junction objects inherit the sharing and security settings from both master objects, and users need access to both master objects to access the junction object records. If a user does not have access to one of the master objects, they will not see any records or fields from the junction object

Three advanced tools that Salesforce can enable for large-scale role hierarchy realignments in organizations with large data volumes are partitioning by divisions, deferred sharing calculation, and skinny table indexing. Partitioning by divisions allows the organization to segment data into logical sections based on business criteria, which reduces the number of records that need to be recalculated when role hierarchy changes. Deferred sharing calculation allows the organization to postpone the sharing recalculation until a scheduled time, which avoids impacting users during peak hours. Skinny table indexing allows the organization to create custom indexes on frequently used fields, which improves query performance and reduces locking contention

To support the requirements with the minimum amount of effort, three platform security features that are required are criteria-based sharing rules, role hierarchy, and permission sets. Criteria-based sharing rules can be used to share all accounts with the custom field “Kay Customer” to all senior account managers based on a filter condition. Role hierarchy can be used to grant access to accounts that users or their subordinates own based on the ownership and role level. Permission sets can be used to grant view and edit access to the custom field that contains sensitive information to the three designated users, regardless of their user groups or profiles

Creating a territory is an activity that can happen in parallel to changing a community account owner without risking group membership lock errors, assuming granular locking is enabled. Granular locking is a feature that allows for concurrent sharing operations on different objects or groups, reducing lock contention and improving performance. Deletion or creation of a role is an activity that can cause group membership lock errors, as it affects the role hierarchy and all the groups that are associated with it. Deletion of a territory is also an activity that can cause group membership lock errors, as it affects the territory hierarchy and all the groups that are associated with it

To ensure the data security of the custom web service, the Architect should consider the following design elements:

Query the Orders object with Dynamic SOQL based on the fulfillment ID: This will allow the web service to filter the orders based on the input parameter and return only the relevant records to the business partner.

Set the Orders object’s sharing settings to Private in the Org-Wide Defaults: This will restrict access to the Orders object to only the owner and users above them in the role hierarchy by default, and prevent unauthorized access from other internal or external users.

Develop a custom Apex web service using the “With Sharing” keyword: This will enforce the sharing rules defined for the Orders object and respect the record-level access of the web service user.

The probable cause for this error is lock contention due to system-initiated sharing rule recalculation. When there are mass updates to fields that affect sharing rules, such as territory or role fields, Salesforce automatically recalculates the sharing rules to reflect the changes. This can cause lock contention on group membership records, which store the users and groups that have access to records through sharing rules. The other options are not likely to cause this error.

SOQL injection is a vulnerability that can exist when controllers use dynamic rather than static queries and bind variables. SOQL injection is a technique that exploits a security vulnerability by inserting malicious SOQL statements into an existing query. This can result in data loss, data exposure, or unauthorized access1. Buffer overflow attacks, cross-site scripting, and record access override are not vulnerabilities related to dynamic queries and bind variables.

The Referral object OWD is public Read/Write, which could be the technical reason for the recruiter not finding the share button. When an object’s OWD is public Read/Write, all users can view and edit all records of that object, so there is no need for manual sharing. The share button only appears when an object’s OWD is private or public Read Only. Option A is incorrect, since the Referral object OWD is not private. Option C is incorrect, since the Referral object OWD is not public Read Only. Option D is incorrect, since public Full Access is not a valid OWD setting.

To give users in the partner user role access to all Case and Container records owned by any user at the same distributor, an Architect can give super user permission to the individual partner users. Super user permission allows partner users to access data owned by other partner users belonging to the same account or below them in the role hierarchy. Creating an ownership-based sharing rule will not work, as it will share records based on the owner’s role or territory, not their account. Creating sharing sets will not work, as they are only available for Customer Community licenses, not Partner Community licenses. Creating a Permission Set granting “View All” permission to Case and Container records will not work, as it will give access to all records in those objects, regardless of their owner or account.

 Cross-Site Scripting (XSS) and SOQL Injection are two common types of security vulnerabilities that can affect Salesforce applications. XSS occurs when malicious code is injected into a web page that can execute in the browser of a user who visits that page6. SOQL Injection occurs when user input is used to construct a SOQL query without proper validation or escaping, which can allow an attacker to manipulate the query and access unauthorized data7. To prevent XSS, developers should use appropriate encoding methods when displaying user input on custom pages8. To prevent SOQL Injection, developers should use bind variables or the escapeSingleQuotes() method when building SOQL queries with user input9. Option A is incorrect, since Apex queries are not vulnerable to XSS. Option D is incorrect, since testing for invalid user access attempts is not related to security vulnerabilities within the Salesforce organization.

The Grant Access Using Hierarchies option on Shipment Sharing Settings allows users above the owner in the role hierarchy to have the same level of access as the owner. If this option is disabled, the role hierarchy will not grant access to the Shipment records, even if it is configured correctly. Therefore, the answer A is correct and the other options are incorrect

 Creating an ownership-based sharing rule is the best way to achieve the requirements. Ownership-based sharing rules allow administrators to automatically grant access to records owned by certain users or roles to other users or roles2. This way, the sales manager in Australia can access the deals owned by the sales manager in Japan. Using sharing set, using opportunity teams, and assigning View All on the opportunity object are not options that can achieve the same result.

To make the sensitive fields accessible to the Human Resource team, other than field level security, another option is to create a new custom object with private OWD and Lookup relationship to Employee to store new restricted information. This will allow creating a separate security model for the new custom object, which can be shared with the Human Resource team using sharing rules or permission sets. Creating a new custom object controlled by parent and a Master-Detail relationship to Employee will not work, as it will inherit the same OWD as Employee, which is Public Read Only. Changing OWD of Employee custom object to private and a Lookup self-relationship to store only new restricted information will not work, as it will make all employee records inaccessible to other users who need them.

Creating a criteria-based sharing rule that shares delivery records matching the Distributor to users of a Public Group created for the distributor is the correct solution for this scenario. This will allow all users at a distributor to access delivery records for all customer accounts associated with that distributor. Creating a Sharing set for the Distributor profile will not work, because sharing sets are only available for portal or community users, not internal users. Giving ownership of the delivery record to a distributor user will not work, because it will limit the access to only one user per record. Creating a criteria-based sharing rule that shares delivery records matching the Distributor to user distributor will not work, because it will not share records with other users at the same distributor.

The license type that must be used by community users who want to collaborate on opportunities is Partner Community. As mentioned above, Partner Community licenses allow users to access standard CRM objects such as opportunities and collaborate with other partners and internal users using Chatter and Communities. Sales Community licenses do not exist as a separate license type. Customer Community and Customer Community Plus licenses do not allow users to access opportunities, as they are intended for customer service scenarios rather than sales scenarios.

 Controlling the invoices object permission on the sales manager’s profile is how the architect can grant the sales managers access to the customer invoices data. Object permissions determine whether a user can create, read, edit, or delete any record of that object. Since invoice data is surfaced in Salesforce using external objects, sales managers need to have at least read permission on the invoice object to view the customer invoices data. Option A is incorrect, since sharing rules are not available for external objects. Option B is incorrect, since manual sharing is not available for external objects. Option D is incorrect, since sharing sets are not available for external objects.

There is an Account ownership data skew problem, which could be the reason for this problem. Data skew occurs when a large number of records (more than 10,000) are owned by a single user or belong to a single role. This can cause performance issues when accessing or updating those records, as well as when recalculating sharing rules or changing ownership. In this scenario, since each donation rep owns over 50,000 donor accounts, there is a significant data skew that affects the system performance. Option A is incorrect, since the donation reps access to the assigned accounts is not a problem by itself, but rather a consequence of data skew. Option B is incorrect, since Salesforce sharing recalculation kicked off is not a problem by itself, but rather a consequence of data skew. Option D is incorrect, since the Account (donor) object OWD being Private is not a problem by itself, but rather a consequence of data skew.

 Searching for external users is the community functionality that is impacted by having the customer user visibility turned off. When customer user visibility is turned off, community users cannot find or interact with other community users in global search, people search, or chatter. Option B is incorrect, since updating their user profile is not affected by customer user visibility. Option C is incorrect, since creating new customer community users is not affected by customer user visibility. Option D is incorrect, since searching for internal users is not affected by customer user visibility.

 By default, three roles are created when the first external user is created on a partner account. These roles are Executive, Manager, and User. They form a role hierarchy that determines the level of access to data for the partner users

Profiles and Permission Sets can be used to control the object-level and field-level access for different types of users. For example, sales reps can have read/write access to Account object but not to the segment field, while service reps can have read-only access to Account object and all fields. Role Hierarchy can be used to control the record-level access for users based on their position in the organization. For example, sales managers can access and modify any account of reps reporting to them, while service managers can access and modify any account regardless of ownership. Field-Level Security can be used to override the profiles and permission sets for specific fields on specific records. For example, service managers can edit the segment field on any account, even if their profile does not allow it. Therefore, the answer D is correct and the other options are incorrect3

Deleting the public link is the best way to ensure that the potential customers do not have access to the file after the meeting. Renaming the file, deleting the file, or moving the file to another folder will not affect the public link, which will still point to the file

To implement Apex managed sharing, a Salesforce Developer should consider using the with Sharing keyword and the runAs system method. The with Sharing keyword ensures that the Apex class respects the record visibility rules of the current user context, which can help prevent unauthorized access to records that are not shared with the user1. The runAs system method allows testing the code as different users with different profiles and permissions, which can help verify that the sharing logic is working as expected2.

 A sharing set is the best way to share cases with customer community users based on a common account. Sharing sets are available for Customer Community licenses and can grant access to related records using predefined criteria1. Option A is incorrect, since writing an Apex class to create manual shares for these users would be complex and unnecessary. Option B is incorrect, since criteria-based sharing rules are not available for customer community users. Option D is incorrect, since upgrading the licenses to Customer Community Plus would be costly and not required in this scenario

Roles and Public Groups are two options that can be selected to share data with when creating a sharing rule. Sharing rules can grant additional access to records based on the owner’s role or public group membership. Option C is incorrect, since Users are not an option for sharing rules. Option D is incorrect, since Profiles are not an option for sharing rules.

 Order, Asset, and Contact are the three objects that can be configured as “Controlled by Parent” in Sharing Settings when Person Account is enabled in a Salesforce organization. Controlled by Parent means that the sharing setting for the object is determined by the parent record. For example, an order’s sharing setting is determined by its associated account. Opportunity and Case are not objects that can be configured as “Controlled by Parent” in Sharing Settings.

The side effect of this approach is that sales reps on the same team will have read access to the accounts for opportunities owned by their team members. This is because owner-based sharing rules grant access to both the parent and child records of the same object. For example, if a sharing rule grants access to opportunities owned by a certain role, it also grants access to the accounts associated with those opportunities. All sales reps will not have read access to accounts for all opportunities, as the sharing rules are based on ownership. Sales reps on the same team will not have edit access to the accounts for opportunities owned by their team members, as owner-based sharing rules only grant read or read/write access to child records, not parent records. All sales reps will not have read access to all accounts, as the account organization-wide default is private.

 Creating a criteria-based sharing rule to give access to the public group for high-value opportunities and creating a public group and assigning the auditors to the group are the best options to give access to high-value opportunities to a team of auditors distributed through the organization. Option A is incorrect, since putting the auditors as the highest level of the role hierarchy would give them access to all opportunities, not just high-value ones. Option B is incorrect, since adding the auditors to the default opportunity team would require manual configuration and maintenance

Assigning users profiles and unlocking users are two capabilities that the delegated administrator permission provides. Delegated administrators are users who can perform certain administrative tasks on behalf of administrators. These tasks include assigning users to specified profiles or permission sets, creating and editing users in specified roles or groups, unlocking users who have exceeded their login attempts limit, resetting passwords for users in specified roles or groups, logging in as users who have granted login access to administrators. Option C is incorrect, since setting OWD is not a capability that delegated administrators have. Option D is incorrect, since creating profiles is not a capability that delegated administrators have.

The report owner is the only one who can view and run the report that is saved in the “Private Reports” folder. Option A is incorrect, since there is no such thing as the “My Private Reports” folder in Salesforce. Option B is incorrect, since the role hierarchy does not affect the access to private reports. Option D is incorrect, since the “View All Data” permission does not grant access to private reports.

 Setting the case organization-wide default to Private and adding the specialized marketing consultants to the account team with Read/Edit permission are the best recommendations to allow this scenario. This way, only the support rep who owns the case and the marketing consultants who are related to the account can see and edit the case records of VIP customers. Option B is incorrect, since setting the case organization-wide default to Public Read Only would give access to all cases to all users. Option C is incorrect, since using a role hierarchy and a read-only ownership-based sharing rule would not give edit access to the marketing consultants. Option D is incorrect, since adding the marketing consultants to the case team would require manual configuration and maintenance.