The guest user profile: protector of your SF Community
Access to your Salesforce environment is most likely appropriately secured, using technologies like Single Sign-On (SSO), Two Factor Authentication (2FA) or advanced password policies. But you may be leaving a backdoor open without realising. This backdoor, which actually looks like a fancy front door, could be your Community.
Is the security on your Salesforce Communities and public pages allowing unauthenticated visitors to see more than intended?
Guest user profile to the rescue!
What is the guest user profile, and how does it keep your data safe from malicious external visitors?
Every time you create a public site, Force.com page, Community or portal in Salesforce, a guest-user profile is created automatically. Each Community has a separate guest user profile.
The profile manages access to data, content and objects, for public or unauthenticated (not logged in) access to your Community. Out of the box, the profile does not provide access to any objects.
In the Experience Builder, you can restrict access to guest users, per page. The same counts for field-level security, which you set in the profile.
In the Sharing Settings (using Sharing Rules), you can give guest users read-only access to records.
The guest user profile looks just like any other profile but does not show in the list of profiles. Where is it then? Go to Setup > All Communities > Builder > Settings > General. Of course, there is also an actual guest user that is assigned this profile. The guest user itself has fewer fields and settings compared to a regular user, but this is where you can set things like the language, locale or time zone.
Now we know the basics about the guest-user profile. Like other functionalities in Salesforce, each new release could bring some changes.
What are the recent and upcoming changes in the releases?
The Summer ’20 release introduced quite a few changes to the guest user profile. All changes are to improve the security of your Salesforce environment and data.
The release notes and also the Release Updates (See Setup) show all the recent and upcoming changes. Please review the Release Updates as soon as you can and plan for the upcoming changes and their deadlines. Once Release Updates are activated automatically, it can cause your Communities to stop working correctly. And that causes panic or frustrated partner and customers: no one has time for that :)
This table shows an overview of the most relevant changes. While you’re going through the Release Updates, make sure to check the tabs ‘Overdue’ and ‘Due Soon’ first. The two changes with due date ‘Winter ’21’ and ‘9 August 2020’ should be looked at first since they’re the most urgent ones.
Do test this in a sandbox environment first. If you haven’t tested your Community in a sandbox before, make sure to publish the Community there before testing. More Release Updates might pop up after activating the Community.
Also, check if there are active Community-users for testing. In a sandbox without data, you might have to create these from scratch.
Happy testing!
In summary: don’t leave the front door open to malicious traffic and visitors. Go and check out the Release Updates and ensure the guest-user profile only gives access to the appropriate data.
Need help with the updates and settings? Contact me directly.