Salesforce Summer ’20: New Security and Sharing Policies for Guest Users

Salesforce has implemented significant changes to security and sharing policies for guest users with the Summer '20 release. These updates aim to enhance data protection by enforcing more controlled access for external users in your Salesforce organization. At Addax, our Salesforce security specialists have prepared this comprehensive guide to understanding and implementing these critical security changes.
New Org-Wide Defaults and Sharing Model for Guest Users
Starting with the Salesforce Summer '20 release, the org-wide default sharing model for external users will be restricted to read-only or create access for all standard and custom objects. This setting will be automatically implemented for:
- All new Salesforce organizations
- Existing organizations that already comply with the security requirements
- Organizations where guest users don't have View All Data, Modify All Data, or delete permissions on any object
If your organization currently has less restrictive sharing policies, you'll receive a security alert prompting you to review potential impacts and take necessary actions.
Three-Step Approach to Ensure Compliance
Step 1: Organization Assessment
If your Salesforce org has a significant external user base in Communities or portals, you likely have custom security settings for guest users. To review your current status:
- Navigate to Setup > Security Alert
- Search for "Secure Guest Users' Org-Wide Defaults and Sharing Model"
- Review the alert details and recommended actions
Step 2: Impact Analysis
To thoroughly understand how these changes will affect your organization:
- Install the 'Guest user access report' from AppExchange
- Use this report to review objects with less restricted permissions for guest users
- Examine external org-wide default public groups, queues, manual sharing, and Apex managed sharing rules created for external users
- Test the impact in your Sandbox environment, as Salesforce has already auto-enabled some of these security settings by removing certain permissions for guest users
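The object-permission part of this review can also be scripted against an export of the standard ObjectPermissions object. The following is an added example, not code from Addax or Salesforce; it covers object-level permissions only, and it assumes a CSV export whose column headers match the queried field names. The sample rows, profile names and object names are constructed.

```python
import csv
import io

# SOQL that could produce the export (standard ObjectPermissions fields):
#   SELECT Parent.Profile.Name, SobjectType, PermissionsRead, PermissionsCreate,
#          PermissionsEdit, PermissionsDelete, PermissionsViewAllRecords,
#          PermissionsModifyAllRecords
#   FROM ObjectPermissions
#   WHERE Parent.Profile.UserLicense.Name = 'Guest User License'

# Anything beyond read/create exceeds the baseline the article describes.
EXCESS_FIELDS = (
    "PermissionsEdit",
    "PermissionsDelete",
    "PermissionsViewAllRecords",
    "PermissionsModifyAllRecords",
)

# Constructed sample export; the profile and object names are made up.
SAMPLE_CSV = """\
Parent.Profile.Name,SobjectType,PermissionsRead,PermissionsCreate,PermissionsEdit,PermissionsDelete,PermissionsViewAllRecords,PermissionsModifyAllRecords
Support Site Profile,Case,true,true,false,false,false,false
Support Site Profile,Knowledge__kav,true,false,false,false,false,false
Support Site Profile,Feedback__c,true,true,true,true,false,false
Events Site Profile,Event_Registration__c,TRUE,TRUE,TRUE,FALSE,TRUE,FALSE
"""


def _is_true(value):
    """Exports vary in casing ('true', 'TRUE'); treat a missing cell as false."""
    return (value or "").strip().lower() == "true"


def audit_guest_object_permissions(csv_text):
    """Return one finding per (profile, object) holding more than read/create."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        excess = [f for f in EXCESS_FIELDS if _is_true(row.get(f))]
        if excess:
            findings.append({
                "profile": row["Parent.Profile.Name"],
                "object": row["SobjectType"],
                "excess": excess,
            })
    return sorted(findings, key=lambda f: (f["profile"], f["object"]))


if __name__ == "__main__":
    for f in audit_guest_object_permissions(SAMPLE_CSV):
        print(f"{f['profile']}: {f['object']} -> {', '.join(f['excess'])}")
```

Running the same audit against a Sandbox export before and after the settings are enabled shows which guest permissions were removed.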
Step 3: Best Practices Implementation
After ensuring compliance with the new security requirements:
- Establish processes to assign default owners for any records created by guest users
- Create a monitoring system to track further sharing settings that might be removed for guest users in future updates
- Document all guest user permission configurations for easier maintenance
Temporary Opt-Out Option
If your business has essential use cases requiring more liberal access levels for guest users, you can temporarily opt out of these security settings. However, compliance will be mandatory by the Winter '21 release, when Salesforce will enforce these settings across all organizations.
Recommended Actions
We recommend proactively addressing these security changes to avoid disruption to your business processes:
- Conduct a thorough review of all guest user permissions in your organization
- Test the impact of these changes in your Sandbox environment
- Implement necessary adjustments to maintain functionality while adhering to the new security policies
- Document and track all changes to ensure ongoing compliance
For detailed guidance on implementing these changes or to discuss specific concerns related to your Salesforce organization, contact the Addax team for personalized support.