Secure Object Permissions for Guest Users

Salesforce has introduced new security and sharing policies for external/guest users. Starting with the Summer ’20 release, Salesforce is actively promoting more tightly controlled access for external users in your Salesforce org. Here is everything you need to know about the change.


Updated org-wide defaults and sharing model for guest users

Starting with the Summer ’20 release, the org-wide default sharing model for external users in most Salesforce orgs will be limited to read-only or create access for all standard and custom objects. Salesforce will enable the setting automatically for all new orgs and for orgs that already comply with the expectations (i.e. customer orgs that do not have View All Data, Modify All Data, or delete permissions for guest users on any object).

If your Salesforce org has less restrictive sharing policies defined, you will receive a security alert. Open the alert to review the actions you need to take as an admin to assess the likely impact of the new sharing policy setting and enable it in your org. Below is a step-by-step approach that you can use to bring your org into compliance with the new security policy with minimum impact.

Step 1 - Org assessment: If your Salesforce Community or portal has a sizeable base of external users, there is a good chance you have some custom security settings enabled for guest users. You can refer to the security alert by going to Set Up > Security Alert and then searching for “Secure Guest Users’ Org-Wide Defaults and Sharing Model”.

Step 2 - Impact analysis: You can review the objects with less restrictive object permissions for guest users by installing the “Guest user access report” from AppExchange. The report contains details on the guest access configured for all objects in your Salesforce org. We recommend reviewing any external org-wide defaults, public groups, queues, and manual or Apex managed sharing rules that you have created for external users in your org. Salesforce has auto-enabled the security setting in Sandbox by removing some permissions for all guest users. You can test the impact of the changes in your Sandbox and make the relevant changes in production to ensure adherence to the new security policy.

Step 3 - Best practice: Once you have confirmed that your org settings comply with the new settings, follow a few best practices to keep guest user access correct in your org going forward. These include making sure that any records still created by guest users in your org are assigned a default owner, and keeping track of further sharing settings that might be removed for guest users in future.
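As an added example (not Salesforce's or the author's code), the check below applies the compliance criteria described above to a CSV export of object permissions for guest profiles and lists every object where View All, Modify All, or delete is still granted. The column names follow the ObjectPermissions fields; the "Profile" column, the profile and object names, and the sample rows are constructed assumptions.

```python
import csv
import io

# Permissions the article names as blocking automatic enablement, keyed by
# the ObjectPermissions field assumed to be a column in the export.
BLOCKING = {
    "PermissionsViewAllRecords": "View All",
    "PermissionsModifyAllRecords": "Modify All",
    "PermissionsDelete": "Delete",
}

# Constructed sample export; profile and object names are made up.
SAMPLE_CSV = """Profile,SobjectType,PermissionsRead,PermissionsCreate,PermissionsEdit,PermissionsDelete,PermissionsViewAllRecords,PermissionsModifyAllRecords
Support Site Guest,Case,true,true,false,false,false,false
Support Site Guest,Account,true,false,false,false,TRUE,false
Support Site Guest,Feedback__c,true,true,true,true,false,true
Events Site Guest,Campaign,true,false,false,false,false,false
"""

def is_true(value):
    """Exports write booleans as true/TRUE/1 depending on the tool."""
    return str(value).strip().lower() in ("true", "1", "yes")

def audit_guest_permissions(csv_text):
    """Return {profile: {object: [blocking permission labels]}}."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = {"Profile", "SobjectType", *BLOCKING} - set(reader.fieldnames or [])
    if missing:
        # Fail loudly: a missing column must not read as "no findings".
        raise ValueError(f"export is missing columns: {sorted(missing)}")
    findings = {}
    for row in reader:
        hits = [label for field, label in BLOCKING.items() if is_true(row[field])]
        if hits:
            findings.setdefault(row["Profile"], {})[row["SobjectType"]] = hits
    return findings

def is_compliant(csv_text):
    """True when no guest profile holds a blocking permission on any object."""
    return not audit_guest_permissions(csv_text)

if __name__ == "__main__":
    for profile, objects in audit_guest_permissions(SAMPLE_CSV).items():
        for sobject, hits in sorted(objects.items()):
            print(f"{profile}: {sobject} -> remove {', '.join(hits)}")
```

Run it against the Sandbox export first, then against production, so the two result sets can be compared before the setting is enabled.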

Opting out of the setting

We understand that your business might have some essential use cases that require guest users to have more liberal access levels than the new settings allow. You can temporarily opt out of these security settings, which Salesforce is enabling as a critical update for the Summer ’20 release. However, you will still have to make sure that your Salesforce org complies with the expected security policy for guest users by the Winter ’21 release, when the settings will be enforced for all orgs. Further details on opting out are available here

Author: Yaroslav