IMPORTANT CRITICAL UPDATES: Guest User Record Access
You might already notice that your organization switched to Summer 20 and some new security policies have been enabled and probably affected your public communities.
This Summer 20 Release Salesforce enabled some public site security policies. During Summer 20, you can still disable these settings. However, the public site security policies are enforced with the Winter ’21 release and can no longer be disabled.
The following settings have been enabled:
- Secure guest user record access (Setup – Sharing Settings)
This setting separates external org-wide defaults for registered users and guest users. The security update enforces Private org-wide defaults for all objects for new and existing guest profiles and restricts the sharing mechanisms that you can use to grant record access.
As far as the “Secure guest user record access” setting enabled, the only way you can share records to guest users is via the sharing rule.
A guest user sharing rule is a criteria-based rule type that can grant Read-Only access.
Restrictions: guest users can no longer be members of a public group or queue, and manual sharing and Apex managed sharing is no longer available for guest users.
- Assign new records created by guest users to the default owner (Setup – Community Settings)
Guest users are no longer the records owners. New records created by guest users will be automatically assigned to a default user. The default user is the one who has created the community.
You can also change the default records owner in Experience (Community) Workspaces – Administration – Preferences.
Also, from Winter ’20, Salesforce restricted the use of standard external profiles by default. You can enable the “Allow using standard external profiles for self-registration and user creation” feature in Setup – Community Settings, however.
In Spring ’20, Salesforce rolled out two critical updates that remove read access to custom settings and custom metadata types for users without the Customize Application permission.
These changes affect:
- Lightning components
- Visualforce pages
- Applications that require direct API access
Now admins who have Customize application permission can grant users access to custom settings and metadata types via profile or permission sets. You can also reverse granted permissions in Setup – Schema Settings. Read more about Custom Settings Access and Custom Metadata Types Access.