UPDATE: April 23, 2020: The Guest User Security changes will be auto-enabled in the Salesforce Summer '20 release WITH opt-out and disable options available. The settings will be enforced in the Winter '21 release WITHOUT opt-out and disable options. Details can be found here: https://cloud.mail.salesforce.com/GuestUserSecurityPolicy?utm_source=trailblazer&utm_medium=community&utm_campaign=guest…
Salesforce is planning to start a phased deployment of Guest User Security updates on all public sites (sites accessed by guest/unauthenticated users). At this time, the changes will be auto-enabled, however, you will have the ability to "opt-out” by disabling the new settings. In the Summer '20 release, these changes will be mandatory and there will no longer be an opt-out option. Visit the "Securing Community Cloud" Trailblazer group for additional roll-out plan details.
What does this mean for Salesforce customers?
All customers and ISVs who use guest user access for their public sites and communities, for example Survey, Site login, Password Change etc. will be impacted due to this security changes.
Impact on BMC Helix Remedyforce
If this Security change gets deployed, then, as specified in one of the Security steps, enable "Secure guest user record access" setting, all the objects in the org will be considered Private for Guest users and an access Sharing rule will need to be created to open up access.
In case of BMC Helix Remedyforce, in order for the Self Service site login page to work for Guest users, those users will need access to the Themes object. However even after enabling the "Secure guest user record access" setting and creating sharing rule on the Themes object for Guest user, the Self Service site login page is still not accessible.
This document provides the necessary steps to prepare for this security update along with the workaround for the Self Service Site login issue.
NOTE: WE HIGHLY RECOMMEND YOU TEST AND CONFIRM IN A SANDBOX FIRST.
Prepare for the security updates
Salesforce recommends to follow the mentioned steps to make yourself prepared for this security update.
- Navigate to Setup and type Security Alerts.
- From the Security Alerts page, click each individual security update listed below and follow the recommendations to reach 100% completion.
1. Remove View all Users permissions from Guest user profile
- Perform all mentioned steps under this security alert.
2. Assign records created by Guest users to default Owner
- Perform all mentioned steps
- For setting the Default Owner, navigate to Setup > Sites
- Open Active Site and enable the setting Assign new records created by Salesforce Sites guest users to a default owner in the org.
3. Secure guest users org-wide defaults and sharing models
- Perform all mentioned steps
- As per this update after enabling Secure guest user record access setting, we need to create the Sharing rule for the object if guest user needs access to them.
For Self Service Site login please create the sharing rule for SelfService Theme. For example -
Similarly, create a sharing rule for SelfService Image also.
- Note: the warning message will disappear once you complete all security updates.
- Customers can run the utility Guest User Access Report to check the impact on their org.
After preparing for the Security updates
After successful completion of above steps for all three updates please verify following functionalities are working as earlier/as expected:
- Site Login
- Password Change
If the Guest User/Client is not able to access the Self Service Site login page, even after adding sharing rule, then as a workaround, please provide the “View All” permission to the Guest user on SelfService Theme object.
- Navigate to Setup > Sites > select <SelfService site> from the list > click on Public Access settings
- Search for SelfService Themes > click on Edit and select View All permission and Save
- Similarly, search for SelfService Image > click on Edit, select View All permission, and Save.
2. If you face issue for Password change (Forgot Password) then please refer the following troubleshooting doc link
If you do not want to provide the “View All” permission to the Guest user on SelfService Theme object then please provide Read permission and change the owner of the default theme record (two OOTB themes shipped with the package) from Special User “BMC Helix Remedyforce” to any active internal user. (Salesforce will be documenting this behaviour i.e. Sharing Rule with respect to Guest users, will not be honoured\applied in case of the records owned by Special users. Once its available in the Salesforce documentation we will update this KB with the Doc link for reference).
Steps to be performed:
- Navigate to SelfService Themes tab
- Open the default theme record (two OOTB themes shipped with the package - if you have only one out of these two, perform steps for the available theme record) i.e. “BMC SelfService Theme” and “BMC Theme”.
- Make both themes active.
- Click on the Change link next to the Owner > BMC Helix Remedyforce
- Select any active internal user and save the changes.
For the Salesforce Known Issue details refer to the following link
For more information please refer to the following
- Read our Secure Your Community or Portal article to identify concrete action steps for enhancing the security of your site.
- Use our Guest User Access Report Package to assist in testing the impact of changes prior to enforcement.
- Go over Guest User Record Access Development Best Practices