Salesforce is planning to start a phased deployment of Guest User Security updates on all public sites (sites accessed by guest/unauthenticated users). At this time, the changes will be auto-enabled; however, you will have the ability to "opt out" by disabling the new settings. In the Summer '20 release, these changes will be mandatory and there will no longer be an opt-out option. Visit the "Securing Community Cloud" Trailblazer group for additional roll-out plan details.
What does this mean for Salesforce customers?
All customers and ISVs who use guest user access for their public sites and communities (for example Survey, Site login, Password Change, etc.) will be impacted by these security changes.
Impact on BMC Helix Remedyforce
If this security change is deployed and, as specified in one of the security steps, the "Secure guest user record access" setting is enabled, all objects in the org will be considered Private for guest users, and a sharing rule will need to be created to open up access.
In the case of BMC Helix Remedyforce, the Self Service site login page works for guest users only if those users have access to the Themes object. However, even after enabling the "Secure guest user record access" setting and creating a sharing rule on the Themes object for the guest user, the Self Service site login page is still not accessible.
This document provides the necessary steps to prepare for this security update along with the workaround for the Self Service Site login issue.
NOTE: WE HIGHLY RECOMMEND YOU TEST AND CONFIRM IN A SANDBOX FIRST.
Prepare for the security updates
Salesforce recommends following these steps to prepare for this security update.
- Navigate to Setup and type Security Alerts.
- From the Security Alerts page, click each individual security update listed below and follow the recommendations to reach 100% completion.
1. Remove View all Users permissions from Guest user profile
- Perform all mentioned steps under this security alert.
2. Assign records created by Guest users to default Owner
- Perform all mentioned steps
- For setting the Default Owner, navigate to Setup > Sites
- Open Active Site and enable the setting Assign new records created by Salesforce Sites guest users to a default owner in the org.
3. Secure guest users org-wide defaults and sharing models
- Perform all mentioned steps
- As per this update, after enabling the "Secure guest user record access" setting, you need to create a sharing rule for each object that the guest user needs access to.
For Self Service Site login please create the sharing rule for SelfService Theme. For example -
- Note: the warning message will disappear once you complete all security updates.
- Customers can run the utility Guest User Access Report to check the impact on their org.
After preparing for the Security updates
After successfully completing the above steps for all three updates, please verify that the following functionalities are working as before and as expected:
- Site Login
- Password Change
1. If the Guest User/Client is not able to access the Self Service Site login page even after adding the sharing rule, then, as a workaround, please provide the “View All” permission to the Guest user on the SelfService Theme object. (This is a known issue and we are working with Salesforce to resolve it.)
- Navigate to Setup > Sites > select <SelfService site> from the list > click on Public Access settings
- Search for SelfService Themes > click on Edit and select View All permission and Save
2. If you face an issue with Password Change (Forgot Password), please refer to the following troubleshooting doc link
For the Salesforce Known Issue details refer to the following link
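To confirm in the sandbox that the guest profile ends up with only the intended access after these steps and the "View All" workaround, the profile can be retrieved as Metadata API XML and checked offline. The following is an added example, not BMC or Salesforce code; the object names `SelfService_Theme__c` and `Incident__c` and the sample profile are constructed placeholders, so substitute the API names from your org.

```python
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}

# Constructed sample of a guest user profile in Metadata API XML form.
# Object API names below are placeholders, not the real Remedyforce names.
SAMPLE_PROFILE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <objectPermissions>
        <allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>SelfService_Theme__c</object>
        <viewAllRecords>true</viewAllRecords>
    </objectPermissions>
    <objectPermissions>
        <allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Incident__c</object>
        <viewAllRecords>true</viewAllRecords>
    </objectPermissions>
    <userPermissions>
        <enabled>true</enabled>
        <name>ViewAllUsers</name>
    </userPermissions>
</Profile>
"""

def audit_guest_profile(profile_xml, allowed_view_all=frozenset()):
    """Return findings for a guest profile: ViewAllUsers still enabled,
    Modify All on any object, or View All outside the allowlist."""
    root = ET.fromstring(profile_xml)
    findings = []
    for up in root.findall("md:userPermissions", NS):
        if (up.findtext("md:name", "", NS) == "ViewAllUsers"
                and up.findtext("md:enabled", "", NS) == "true"):
            findings.append("ViewAllUsers is still enabled")
    for op in root.findall("md:objectPermissions", NS):
        obj = op.findtext("md:object", "", NS)
        if op.findtext("md:modifyAllRecords", "", NS) == "true":
            findings.append(f"{obj}: Modify All granted")
        elif (op.findtext("md:viewAllRecords", "", NS) == "true"
                and obj not in allowed_view_all):
            findings.append(f"{obj}: View All granted outside the allowlist")
    return findings

if __name__ == "__main__":
    for finding in audit_guest_profile(SAMPLE_PROFILE, {"SelfService_Theme__c"}):
        print(finding)
```

An empty result means the profile matches the state this document describes: View All Users removed, and View All present only on the object allowlisted for the workaround.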
For more information please refer to the following
- Read our Secure Your Community or Portal article to identify concrete action steps for enhancing the security of your site.
- Use our Guest User Access Report Package to assist in testing the impact of changes prior to enforcement.
- Read our Everything You Need to Know about Securing Public Sites blog for additional FAQs.
- Go over Guest User Record Access Development Best Practices