IMPORTANT CRITICAL UPDATES: Public Security Policies
You might already notice that your organization switched to Winter 21 and the public site security policies are enforced and can no longer be disabled.
The following settings have been enabled:
- Secure guest user record access (Setup – Sharing Settings)
These sharing settings separate external org-wide defaults for registered users and guest users in Salesforce communities. The security update enforces the Private owd (org-wide default) sharing model for all objects for new and existing guest profiles and restricts the sharing mechanisms that you can use to grant record access.
As far as the “Secure guest user record access” setting enabled, the only way how you can share records with guest users is to create sharing rules in Salesforce.
To provide guest users with access to records, you should use a guest user sharing rule a special type of Salesforce criteria-based sharing rule that can grant Read-Only access.
Restrictions: guest users can no longer be members of a salesforce public group or queue, and manual sharing and Apex managed sharing is no longer available for guest users.
- Assign new records created by guest users to the default owner (Setup – Community Settings)
Guest users are no longer the records owners. New records created by guest users will be automatically assigned to a default user. The default user is the one who has created the community.
You can also change the default records owner in Experience (Community) Workspaces – Administration – Preferences.
Also, from Winter ’20, Salesforce restricted the use of standard external profiles by default. You can enable the “Allow using standard external profiles for self-registration and user creation” feature in Setup – Community Settings, however.
- Let Guest Users See Other Members of This Community Setting Disabled
The setting “Let guest users see other members of this community”, is turned off by default in all Salesforce orgs With the Winter ’21 release.
However, you can turn the setting back on in Experience (Community) Workspaces – Administration – Preferences.
In addition, the following guest user object permissions are turned off with the Winter ’21 release and removed with the Spring ’21 release.
- Edit
- Delete
- Modify All
- View All
The preceding permissions are turned off for custom objects and the following standard objects: Order, Survey Response, ProfileSkillUser, and ProfileSkillEndorsement.
Potential Impact to Your Org with the Winter ’21 Release
All mentioned public security policies that have been enforced may affect your organizations and public communities in the following scenarios:
- Guest users may lose access to data.
- Guest users can no longer update or delete records.
- Guest users can no longer complete forms using Flows.
- Guest users may lose visibility to other users of the public site.
- Guest users can no longer upload files.
- The apex:inputField and other similar standard markup components, may no longer render for guest users on custom Visualforce pages or Lightning components.
- The lightning:outputField doesn’t render correctly for guest users if they no longer have edit permissions.
To avoid any potential impact on your organizations, check and prepare for upcoming release updates in Setup – Release Updates.
