Salesforce System Architect Exam Guide 2026

Prerequisites Required: One or more Salesforce certifications recommended.

About This Certification

Certified System Architects focus on off-platform systems, integration, and securing access between systems. They are also skilled at managing governance and testing capabilities for deployment and ongoing Salesforce modification requirements.

Exam Domains

Domain | Weight
Governance and Lifecycle Management | 23%
Identity and Access Management | 26%
Integration Architecture | 28%
Mobile Architecture | 12%
Development Lifecycle and Deployment Architecture | 11%

WRITTEN BY
KrishnaMohan
Salesforce-certified practitioner since 2015 · 6 active certifications: Administrator, Platform App Builder, Platform Developer I, Sales Cloud Consultant, Service Cloud Consultant, AI Associate · Based in Hyderabad, India · All guides updated each Salesforce release cycle (Spring, Summer, Winter).

Exam Quick Facts — System Architect

Questions: 60
Duration: 120 min
Passing Score: 63%
Study Time: 8–12 weeks
Salary Range: $150,000–$185,000

Prerequisites: Salesforce Administrator + Platform Developer I (both active)

Difficulty: Advanced — focuses on org strategy, integration patterns, and identity. Expect deep SSO and OAuth knowledge.

Exam Domain Breakdown

Domain | Weight
Governance and Lifecycle Management | 23%
Identity and Access Management | 27%
Integration | 27%
Mobile | 8%
Platform | 15%

Practice Exam Questions — Salesforce System Architect

Scenario-based questions reflecting the style and difficulty of the actual Salesforce System Architect exam. Updated for Winter '26.

Q1. What is the primary responsibility difference between an Application Architect and a System Architect in the Salesforce CTA track?

A) Application Architects focus on UI; System Architects focus on integrations

B) Application Architects design within Salesforce (data model, security, automation); System Architects design the end-to-end ecosystem (integrations, identity, governance, DevOps, and cross-system architecture)

C) System Architects only work on MuleSoft

D) There is no difference — they are the same role

✓ Correct: B — Application Architect = within Salesforce. System Architect = Salesforce in the broader enterprise context, including identity/SSO, integration patterns, DevOps, multi-org strategy, data governance, and environment management.

Q2. Universal Containers uses Salesforce, SAP ERP, and a legacy billing system. What is the recommended integration architecture?

A) Direct point-to-point API calls between all systems

B) API-led connectivity (MuleSoft or equivalent) with a Process API for Salesforce orchestration, System APIs for each backend, and Experience APIs for consumers

C) Batch file export/import between systems nightly

D) Use Salesforce as the single database for all systems

✓ Correct: B — API-led connectivity reduces point-to-point spaghetti by introducing reusable System APIs (one per backend), Process APIs (orchestration), and Experience APIs (consumer-specific). Changes to one system only require updating its System API.

Q3. Universal Containers employees need to log into Salesforce using their corporate Active Directory credentials. What is the correct identity architecture?

A) Create duplicate users in both AD and Salesforce with the same password

B) Configure SAML 2.0 SSO with AD FS (or Azure AD) as the Identity Provider and Salesforce as the Service Provider

C) Use the Salesforce Mobile App with biometric authentication

D) Create a custom login page in Visualforce

✓ Correct: B — SAML 2.0 SSO delegates authentication to the corporate IdP (Active Directory via AD FS or Azure AD). Users authenticate once to the IdP; Salesforce trusts the SAML assertion and logs them in without a separate Salesforce password.

Q4. What is "Connected App" OAuth used for in enterprise Salesforce architecture?

A) Connecting AppExchange apps to Salesforce

B) Enabling external applications to authenticate to Salesforce on behalf of a user (Authorization Code) or as themselves (Client Credentials) using OAuth 2.0 flows

C) Creating custom Salesforce mobile apps

D) Connecting two Salesforce orgs directly

✓ Correct: B — Connected Apps define OAuth 2.0 integration points. Authorization Code flow: end-user grants access. Client Credentials (JWT/secret): server-to-server without user interaction. They manage scopes, IP restrictions, and refresh token policies.

Q5. What does Salesforce's "Shield Platform Encryption" protect against that standard AES encryption does not?

A) Brute-force attacks on password hashes

B) Salesforce employees and insiders accessing sensitive field data — Shield encrypts at the platform level so even Salesforce storage-layer access cannot read plaintext field values

C) Man-in-the-middle attacks on API traffic

D) SQL injection attacks on SOQL queries

✓ Correct: B — Shield Platform Encryption encrypts field values at the Salesforce storage layer using tenant-specific keys (managed in the Encryption Key Management tool). Even Salesforce administrators accessing raw storage cannot read encrypted values without the key.

Q6. Universal Containers needs audit trails for all record access — not just changes. What Salesforce capability provides this?

A) Setup Audit Trail

B) Field History Tracking

C) Salesforce Shield Event Monitoring — tracks login, API, and page/record access events

D) Debug Logs

✓ Correct: C — Event Monitoring (Shield) captures granular event logs: LoginEvent, ApiEvent, LightningPageViewEvent, ReportEvent, and more. These provide audit trails of WHAT users accessed, not just what they changed.

Q7. What is the recommended pattern for deploying configuration changes across 50 Salesforce sandboxes to production?

A) Manual change sets for each sandbox

B) Salesforce DX with version-controlled metadata, scratch org development, and a CI/CD pipeline (Jenkins/GitHub Actions/Copado) that automatically validates and deploys

C) Request Salesforce to push changes across all orgs

D) Use the Setup menu "Copy Settings" feature

✓ Correct: B — At scale, manual change sets are error-prone and slow. Salesforce DX enables source-driven development: metadata in Git, automated tests in scratch orgs, and pipeline-managed deployments with consistency across all environments.

Q8. What is a "Named Credential" in Salesforce used for?

A) Naming a Salesforce Community URL

B) Securely storing external endpoint URLs and authentication credentials so Apex callouts reference the Named Credential instead of hardcoded URLs/secrets

C) Defining the credentials for a Salesforce Connected App

D) Setting up an authenticated Experience Cloud guest user

✓ Correct: B — Named Credentials store the endpoint URL and authentication settings (Basic Auth, OAuth, certificate) for external systems. Apex callouts use Named Credentials so credentials are never hardcoded in code and are managed by admins.

Q9. Universal Containers needs to ensure a Salesforce deployment doesn't break existing integrations. What is the recommended governance step?

A) Deploy to production first and monitor for errors

B) Maintain an API contract (OpenAPI spec or WSDL) for all integration endpoints, run regression tests in a full-copy sandbox before production deployment, and version APIs

C) Document all APIs in Confluence after deployment

D) Use sandbox refreshes to test deployments

✓ Correct: B — API contracts define the expected interface. Integration tests in a full-copy sandbox (with production-like data) verify that the deployment doesn't break consumers. API versioning ensures backwards compatibility.

Q10. What does "multi-tenancy" mean in the context of Salesforce's architecture?

A) Salesforce provides a separate server for each customer

B) Multiple customers share the same underlying infrastructure and platform code, with strict logical data isolation enforced by Salesforce

C) Customers can choose which data centre hosts their data

D) Salesforce allows customers to customise the core platform code

✓ Correct: B — Salesforce is a multi-tenant platform: all customers share the same application code, database infrastructure, and servers. Customer data is logically isolated by org ID but physically co-located. This enables economies of scale.

Q11. What is the Salesforce "Metadata API" used for in enterprise deployment processes?

A) Querying Salesforce record data at scale

B) Retrieving, deploying, and modifying Salesforce configuration and code metadata (objects, fields, Apex classes, Flows, page layouts) between orgs programmatically

C) Managing Salesforce user metadata (user records, roles, profiles)

D) Accessing marketing metadata in Marketing Cloud

✓ Correct: B — Metadata API is the backbone of Salesforce DevOps tooling. Salesforce DX (sf deploy), Change Sets, Gearset, Copado all use Metadata API under the hood to move configuration (not data) between orgs.

Q12. Universal Containers wants to test Salesforce changes with 100% production-equivalent data. Which sandbox type is required?

A) Developer Sandbox

B) Partial Copy Sandbox

C) Full Copy Sandbox

D) Developer Pro Sandbox

✓ Correct: C — Full Copy Sandboxes are an exact copy of the production org including all data and metadata. They support comprehensive integration testing and performance testing with production data volumes. They take longer to refresh (typically weekly max).

Q13. What is the purpose of "Identity and Access Management" (IAM) design in a System Architecture review?

A) Only to configure Salesforce Profiles and Permission Sets

B) To define the end-to-end authentication (who are you?) and authorisation (what can you do?) architecture across all systems, including SSO, MFA, OAuth scopes, and least-privilege access

C) To manage Salesforce password policies

D) To design the Salesforce role hierarchy

✓ Correct: B — IAM in enterprise architecture covers: authentication standards (SAML, OAuth, OIDC), identity propagation across systems, MFA enforcement, session management, privilege management (least-privilege principle), and audit logging.

Q14. Which Salesforce environment management strategy reduces cost while maximising development velocity?

A) One full-copy sandbox for all developers to share

B) Salesforce DX with developer-specific scratch orgs (short-lived, source-driven) for feature development, integration sandboxes for testing, and a staging sandbox for pre-production validation

C) Developers test directly in production

D) Use free Developer Edition orgs for all development

✓ Correct: B — Scratch orgs are disposable, version-controlled environments that each developer creates and destroys independently. This eliminates sandbox contention, enforces source-driven development, and dramatically reduces environment management cost.

Q15. What is "Change Data Capture" (CDC) in Salesforce and when should a System Architect use it?

A) A tool for tracking admin configuration changes

B) A Streaming API feature that publishes near-real-time change events (create, update, delete, undelete) on Salesforce records to external subscribers — ideal for keeping external systems in sync

C) A Salesforce Shield feature for encrypting changed data

D) A batch process for exporting changed records daily

✓ Correct: B — CDC publishes change events on CometD channels when Salesforce records change. External systems subscribe and process changes in near real time. This is more efficient than polling (frequent API queries) for keeping external systems synchronised.

Frequently Asked Questions — System Architect

What does the System Architect exam test?

System Architect tests integration patterns (REST/SOAP/Platform Events/CDC), identity and SSO (OAuth, SAML, Named Credentials), Salesforce DX and release management, and mobile strategy.

What prerequisites are needed for System Architect?

No formal prerequisites, but in practice you need Salesforce Administrator and Platform Developer I active. Most candidates also hold App Builder before attempting System Architect.

What is the passing score for System Architect?

The passing score is 63% — slightly lower than most Salesforce exams at 65%, reflecting the exam difficulty.

How is System Architect different from Integration Architect?

System Architect is broader — it covers integration, identity, and platform governance. Integration Architect goes deeper specifically into integration patterns, middleware, and API design. System Architect is required as part of the CTA path; Integration Architect is an optional add-on.