Answers - Salesforce Trailblazer Community
Mark Olsen
I'm working with a connected app which is using the JWT Bearer Token flow for API access. Generating access tokens and using them for API calls is working fine. When I use the Token Introspection to check the status of an access token I'm getting an "invalid client credentials" error.

According to the documentation I need to pass in a client_id and client_secret value for authorization. The documentation does not clearly state where these values are defined on the connected app.
  • For the client_id I'm using the "Consumer Key" listed on the connected App's "Manage" page. The example appears to be in the same format.
  • For the client_secret I'm using the "Consumer Secret" listed on the connected App's "Manage" page. The example does not appear to be in the same format however there is no value on the App's "Manage" page that matches the format in the example.
  • For the endpoint I'm using the "my" domain for the instance:
The connected app has the setting "Introspect All Tokens" enabled.
Anyone have any experience with this and can point me in the right direction?
Best Answer chosen by Mark Olsen
Mark Olsen
Was able to solve this with the help of Salesforce support. I was using the correct parameters however the endpoint was not recognizing the POST payload encoding type I was using.
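
An added example, not part of the original posts: one way to build the introspection request with the `application/x-www-form-urlencoded` body that RFC 7662 specifies, and to see what a generic form decoder finds when the same fields arrive as JSON. The host name, token and credential values are constructed placeholders, and the decoder stands in for a server only as an illustration.

```python
import json
import urllib.parse
import urllib.request

# Placeholder host (assumption); the path is Salesforce's introspection path.
ENDPOINT = "https://example.my.salesforce.com/services/oauth2/introspect"


def introspection_fields(token, client_id, client_secret):
    """Fields sent to the introspection endpoint (parameter names per RFC 7662)."""
    return {
        "token": token,
        "token_type_hint": "access_token",
        "client_id": client_id,          # connected app Consumer Key
        "client_secret": client_secret,  # connected app Consumer Secret
    }


def build_introspection_request(endpoint, token, client_id, client_secret):
    """Build (but do not send) a form-encoded POST request."""
    fields = introspection_fields(token, client_id, client_secret)
    # urlencode percent-escapes characters such as '+' and '/' in the secret.
    body = urllib.parse.urlencode(fields).encode("ascii")
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return urllib.request.Request(endpoint, data=body, headers=headers, method="POST")


def as_json_body(token, client_id, client_secret):
    """The same fields serialized as JSON, for comparison."""
    return json.dumps(introspection_fields(token, client_id, client_secret)).encode("ascii")


def form_fields(body):
    """What a form decoder extracts from a request body."""
    parsed = urllib.parse.parse_qs(body.decode("ascii"))
    return {name: values[0] for name, values in parsed.items()}


def missing_credentials(body):
    """Credential fields a form decoder would not find in this body."""
    seen = form_fields(body)
    return [name for name in ("client_id", "client_secret") if name not in seen]
```

A JSON body carries the same values, but a form decoder finds no `client_id` or `client_secret` in it, so to that decoder the request looks like one sent without client credentials.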
Best Answer chosen by vivek jadhav
Piyush Singhal
Hey Vivek,
Try this
Hope this helps,
Sankaran Nepolean
Sales representatives at Universal Containers need assistance from product managers when selling certain products. Product managers do not have access to opportunities, but need to gain access when they are assisting with a specific deal. How can a system administrator accomplish this?
A. Notify the product manager using opportunity update reminders.
B. Enable opportunity teams and allow users to add the product manager.
C. Use similar opportunities to show opportunities related to the product manager.
D. Enable account teams and allow users to add the product manager.

This is the question from the sample paper. I'm a newbie, I couldn't understand how the answer is B.

What does 'Enable opportunity teams' mean? And how to 'allow users to add the product manager'?
Best Answer chosen by Sankaran Nepolean
Jeff May
Congrats on starting down the certification path!

Here is a link that will introduce you to Opportunity Teams: (
Rupesh Jha
As part of the role hierarchy, I know we can open the visibility if the OWD setting is more restrictive.
What I am confused about is that, while providing access to one of the roles, I am not sure why I only happen to see it for the Opportunity, Cases and Contact objects.

What happens to other objects?

Role Hierarchy Setting
Best Answer chosen by Rupesh Jha
Dharmendra Shekhawat
Hi Rupesh,

Salesforce offers a user role hierarchy that you can use with sharing settings to determine the levels of access that users have to your Salesforce org’s data. Roles within the hierarchy affect access on key components such as records and reports.

Users at any role level can view, edit, and report on all data that’s owned by or shared with users below them in the role hierarchy, unless your Salesforce org’s sharing model for an object specifies otherwise. Specifically, in the Organization-Wide Defaults related list, you can disable the Grant Access Using Hierarchies option for a custom object. When disabled, only the record owner and users who are granted access by the organization-wide defaults receive access to the object’s records.

Roles determine user access to cases, contacts, and opportunities, regardless of who owns those records. The access level is specified on the Role Edit page. For example, you can set the contact access so that users in a role can edit all contacts associated with accounts that they own, regardless of who owns the contacts. And you can set the opportunity access so that users in a role can edit all opportunities associated with accounts that they own, regardless of who owns the opportunities.
After you share a folder with a role, it’s visible only to users in that role, not to superior roles in the hierarchy.

For more information on security model, you can refer -

Please mark this as best answer if this helps!!!


Joe Marson
Hi, one of my Users is unable to log into Salesforce. When I, an administrator, reset their password, they don't receive the verification code. Their email address is correct on their User record. This is in Production. This user has checked their Inbox AND Junk Mail for a Verification Code. No Verification Code email from Salesforce in sight.

Has anyone else experienced this issue?

A solution or some guidance would be greatly appreciated.
Best Answer chosen by Joe Marson
Daniel Probert
Hi Joe,

I had a similar issue recently and this article helped me resolve it.

Henriëtte Wijne
I want to make Salesforce files private (on record) with a mass update and then share them with a private Chatter group. When you upload a file to a record, the default sharing and privacy option is that the file is visible to all who have access to the object. In our situation not everyone who has access to the object may also see and share the uploaded file.
I found out that with dataloader I can update the records in the object contentdocument. I can make the files private by setting the sharingprivacy to P (private). But the file should not just be visible to the owner of the file, but also to a private group. The only way to do this (as far as I can discover) is to share the file with a private Chatter group. Does anyone have a solution for this?
Best Answer chosen by Henriëtte Wijne
Manoj Nambirajan
Hi Henriette,

Can you check if below help article serves your cause. This option is via dataloader against

It's a dataloader against Content Document Link Object. Hope it helps.
Roxanne Angell
The entire MFA issue seems over my head. I understand what MFA is - I just do not understand why we have to implement it or when.
Our users log in to our SF using Lightning Login. Do we still need to implement it? What will the implications be for APIs built to talk to our org, such as custom APIs and managed apps?
If/when we do implement it, does that mean our users have to authenticate every time they log into SF via a different platform, including mobile?
Best Answer chosen by Roxanne Angell
Dmitry Zhagrov
I'm sorry for the misunderstanding.
When I read that your question is "I just do not understand why we have to implement it or when,"
I tried to explain that you need to implement it ONLY if you are interested in an extra level of security to protect your SF entity from entry by unauthorized persons.
Then one more question from your side was: if our users log in to our SF using Lightning Login and we implement MFA, what will the implications be for APIs built to talk to our org, such as custom APIs and managed apps?
I tried to answer that I have never read about any negative impact of MFA on those SF features, so the risk of breaking something after MFA is implemented is possibly low.
I'm sorry again about your confusion from my initial answer.

Best Answer chosen by ASIF ALI
This is because of storage, Limit exceeded.
Nobody answered, I figured it out myself.
Eboni Blake
Hello, we're running into an issue with certificate management in Salesforce.  We would like to add a custom certificate to Salesforce (currently trying in a developer sandbox environment) that we will use in Apex code to sign a JWT for authenticating our Salesforce UI with a microservice we're developing. We are trying to import the certificate from a JKS keystore, but we're running into an error:

 Keystore file is corrupted."
Best Answer chosen by Jayson ( 
Jerry Henzel
Hi Eboni - Not sure if you are still having this issue. We do the same thing but instead of self-signed certs we use ones from Let's Encrypt. Downside is expiration every 3 months. We have a script that is almost but not quite identical to what Deepali notes, i.e. just a bash shell script. One thing we found out was that if we ran on Java 8 there was no problem. We have multiple Java SDKs installed via SDKMan and initially tried this on Java 12 - where we got a corruption error. Once we toggled back to Java 8 it went fine. Good luck.
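
An added check, not from the thread: since JDK 9, `keytool` writes PKCS12 keystores by default instead of JKS, so a file named `.jks` may not be in JKS format. The function below identifies the container format from the file's leading bytes before you upload it. Whether this is what caused the error reported above is an assumption, and the sample byte strings are constructed.

```python
import struct

JKS_MAGIC = 0xFEEDFEED    # first four bytes of a JKS keystore
JCEKS_MAGIC = 0xCECECECE  # first four bytes of a JCEKS keystore


def _skip_der_length(data, pos):
    """Return the offset just past the DER/BER length field starting at pos."""
    first = data[pos]
    if first <= 0x80:          # short form, or 0x80 = indefinite length
        return pos + 1
    return pos + 1 + (first & 0x7F)  # long form: low bits give the byte count


def keystore_format(data):
    """Classify a keystore by its leading bytes."""
    if len(data) >= 4:
        magic = struct.unpack(">I", data[:4])[0]
        if magic == JKS_MAGIC:
            return "JKS"
        if magic == JCEKS_MAGIC:
            return "JCEKS"
    # A PKCS12 file is an ASN.1 SEQUENCE whose first element is INTEGER 3.
    if len(data) >= 2 and data[0] == 0x30:
        body = _skip_der_length(data, 1)
        if data[body:body + 3] == b"\x02\x01\x03":
            return "PKCS12"
    return "unknown"


def keystore_format_of_file(path):
    """Read only the header of the file at path and classify it."""
    with open(path, "rb") as handle:
        return keystore_format(handle.read(16))


# Constructed headers for illustration (not real keystores).
SAMPLE_JKS = struct.pack(">III", JKS_MAGIC, 2, 0)    # magic, version 2, 0 entries
SAMPLE_PKCS12 = bytes.fromhex("308209a6020103")      # SEQUENCE, long length, version 3
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n"
```

If the result is `PKCS12`, `keytool`'s `-storetype JKS` option (or `-importkeystore` with `-deststoretype JKS`) produces a JKS file on newer JDKs.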

Kent Manning
I was trying to set up Lightning Login on my personal developer account.  I went in to the dev account and disconnected the Salesforce Authenticator from my account. I then deleted the account in the authenticator on my mobile device.  I then clicked the link enroll next to the lightning login on my user detail page.  I was asked to login to my dev org again, but now it keeps asking me for the verification code.  I can't get the verification code because the authenticator is disconnected. How am I going to get back into my developer account? This is bad, this is really bad because so much is in this developer account. Anybody have any ideas how I can get the verification code?
Best Answer chosen by Miglena ( 
Kent Manning
I was able to resolve my locked out problem on my developer org.  I had remembered that I had a second user account in this dev org and after resetting the password on the second account, I was able to log in.  Once I logged in, I reset the profile on my primary account to not require two-factor authentication.  That allowed me to log back in with the primary account and have my verification come via text message.  If I would not have had the second log in with Administrator level access I would have probably lost everything in this org.  

Two valuable lessons here:  
  1. Always create a second administrator account on your dev org as a backup login.
  2. Use a newly created, secondary developer org to test security features as Geoffrey Flynn recommends.