Secure guest user record access in Spring ’20

March 1, 2020, the official start of Spring ’20 in our world, brings needed security improvements to how data is shared with external users. However, you can uncheck the Secure guest user record access checkbox and test out these changes until Summer ’20. Phew. If you’re using any Site Guest Users and are ready to try out the new settings, you’ll need to create new sharing rules. Hint: Salesforce sites are used in Volunteers for Salesforce and frequently in Communities.


What’s a Salesforce Site? “Salesforce sites enables you to create public websites and applications that are directly integrated with your Salesforce.com organization—without requiring users to log in with a username and password. You can publicly expose any information stored in your organization through pages that match the look and feel of your company’s brand. Use sites to create public community sites to gather customer feedback, branded login and registration pages for your portals, Web forms for capturing leads, and so on.” — the Site setup page in Salesforce.

What’s an example of a Site Guest User? Non-Salesforce users click a link in their email which opens a Salesforce Site. This site is a Visualforce page that displays a Flow. You only have to create one user record to allow anyone to view data on that Site. You control what people see with “Public Access Settings,” which is pretty much a profile.

What is Secure guest user record access? This checkbox in Sharing Settings is new and automatically checked, but you can uncheck it until Summer ’20. When it is checked, all guest user access is private by default and needs to be opened up with Sharing Rules. Learn more in the release notes.

What do I set up in the profile or “public access settings”? Here you grant create, read, edit, delete (CRED) access to the user for the whole object and for specific fields. For example, I need my user to read Email and ID on contacts and leads, so I give it overall read access to those objects, and then read access to the Email field.

What do the Sharing Rules look like? Here is my lead sharing rule. I’m calling it “Unsubscribe” because that’s the name of the relevant site. I had to give it some criteria, so I am sharing all records except those whose city equals an asterisk (*): I want all leads shared with the user, and the city should never equal *. [Best practice: add in a good description so you understand what this is for in the future.] If you have multiple guest users, choose the relevant one from the picklist. In my case I’ve set up another sharing rule for contacts.


What do I need to do in Sharing Settings Org-Wide Defaults? I don’t believe it matters what settings you have here. Even if accounts, contacts, and leads are set to “Default External Access” of “private”, the sharing rules will override that. Before Spring ’20, you had to share externally by using these org-wide defaults.

Is Salesforce providing any support for this? Yes! When you log in to Spring ’20, you’ll see a bar across the top that says “Salesforce is rolling out security enhancements that can impact your org. Review Security Alert.” Then follow along with many tutorials that tell you exactly what to do! Phew! Also here is helpful documentation on Volunteers for Salesforce.

Are you sure about this? I’ve done a small amount of testing on my own site to see what works for me. Please do thorough testing of your own, follow along with the tutorials in your org, and let me know what you learn!

Resources from Salesforce:

Helpful documentation on Volunteers for Salesforce.

Everything You Need to Know about Securing Public Sites

Guest User Record Access Development Best Practices
