Out with Communities, In with Experience Cloud: How To Prepare for the New Security Updates

The Spring ‘21 release is coming soon, and it brings a fresh start for Community Cloud with a brand-new name — Experience Cloud. The purpose of the new design is to better reflect the many types of connected digital experiences you can create, including portals, websites, help centers, forums, and mobile apps. However, as part of this rename, there were also critical security updates made to the Guest User Profiles for public sites that may affect your business’s customer experience if you are not on top of them. 

First, once the new release goes into effect, public sites will need to abide by the following policies:

• The security model for guest users will be Private;
• Guest users can only have Read and Create permission on any object;
• Guest users sharing rules will be the only mechanism to give access to records and the permission will be Read-Only;
• Guest users cannot be the owner of any record; and, 
• The View All, Modify All, Edit, and Delete object permissions on all objects must be removed for guest users in new and existing orgs. 

How to prepare:

1. Complete the relevant release updates (previously known as security alerts) (Setup 🡪 Release Updates). The Release Updates page in Setup gives a list of security alerts that affect your org. Each alert comes with step-by-step recommendations for actions to take in your org.
   
2. Install the Guest User Access Report app from the AppExchange. The report will provide an assessment of the potential impact of security updates on your Salesforce environment.

For more information on how to install and set up this app, click here. 

How to test the impact of changes from Guest User security changes:

To test and determine the impact of guest user security changes, follow the step-by-step instructions on the Guest User Security Test Plan. 

What are Guest User Sharing Rules?

Guest User Sharing Rules are a type of criteria-based sharing rule that can grant Read-Only access to guest users. In the Spring ‘20 release, Salesforce enforced private org-wide defaults for guest users to increase the security of your Salesforce data. This means that the only way to share records with unauthenticated users is by using Guest User Sharing Rules.

How to reassign owner to records when created by Guest User:

When a guest user creates a record, the record is assigned to a default active user in the org, who becomes the owner. Here’s how to select a default owner in your org.

1. 1. From Setup, enter Digital Experiences in the Quick Find box, then select All Sites
   2. Click Workspaces for the community you would like to access
   3. Click Administration | Preferences
   4. Select a default user in the record ownership lookup
   5. Click Save

How to allow Guest Users to update records:

1. For guest users to continue editing records from your community or site, Salesforce recommends executing these updates using Apex methods in classes running in “without sharing” mode. While this approach has been deemed secure by Salesforce, it must be done with extreme caution. At Plative, we have experts who can help you navigate this situation. Get in touch with us!
2.  Alternatively, guest users can set their flows to run in system context without sharing. Flows running with this setting ignore object-level security, field-level security, org-wide default settings, role hierarchies, sharing rules, manual sharing, teams, and territories.

The functionality outlined above has allowed our clients to continue using Plative’s Volunteer Check-In/Check-Out app.

Summary

• Set “Read” and “Create” permissions on the Guest User profile
• To address record visibility leverage the Guest User Sharing Rules
• To allow update operations use Apex methods residing in classes running in without sharing mode or running flows in system mode without sharing. 

As a reminder

Users with Standard External Profiles can no longer log in to Experience Cloud sites such as communities and portals. To give access to your Experience Cloud users, clone the standard external profile that they are assigned to and change object permissions to meet your business needs. Then, assign the cloned profile to the users who access the site.

If you run into trouble…

Get in touch with us! We have experts standing by to help you optimize your Salesforce environment and reap all the benefits of Experience Cloud.