Control Authorization with Custom Profiles and Roles Control

This control requires Salesforce admins to clone the standard "External Identity User" profile to create a custom version.

Control Name

Control Authorization with Custom Profiles and Roles

Recommended Configuration

Clone and customize "External Identity User".

Control Overview

This control requires admins to clone the standard "External Identity User" profile to create a custom version, so that only the absolute minimum permissions needed for a specific community are enabled.

Security Risk If Not Configured

Overly permissive access controls grant unnecessary data access to unauthorized users.

Threat Scenarios

Experience Cloud (Community) users assigned the standard or default External Identity User profile scrape sensitive PII or perform internal member reconnaissance for spear-phishing.

Estimated CVSS Score Range

High (7.0–8.9).

Risk Impact Considerations

Relying on uncustomized profiles leads to over-permissioning, where sensitive data is inadvertently exposed to thousands of external users, resulting in a significant breach of privacy and non-compliance with data residency laws.

Higher Risk When

The standard profile is used for high-traffic public portals, or the company has not yet enforced a "Private" external sharing model across all objects.

Low Risk When

The custom profile is paired with Permission Set Groups that add back specific access, allowing the base profile to remain "locked down" to almost zero permissions.

Business and Integration Considerations

Customizing profiles requires a thorough mapping of the community user's "Journey" to make sure that removing standard permissions doesn't break essential features such as password resets or self-registration.

Recommended Remediation

Go to Profiles, clone the "External Identity User" profile, name it according to its specific function, and then systematically disable all non-essential object, field, and system permissions.
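
One way to verify the result of this remediation (and that the Permission Set Group pairing described above leaves the base profile locked down) is to audit the cloned profile's object permissions against a per-object allowlist. The script below is an added example, not Salesforce's own tooling: it runs over constructed sample rows shaped like the ObjectPermissions records returned by the SOQL query shown, and the profile name "Customer Portal Minimal" and the allowlist are assumptions.

```python
"""Audit a cloned Experience Cloud profile for object permissions it should not grant.

Assumed input: rows shaped like Salesforce ObjectPermissions records, as returned
by the SOQL query below through the REST API, Workbench or the Salesforce CLI.
"""
from typing import Dict, Iterable, List, Set

# The six object-level permission flags on the ObjectPermissions object.
PERM_FIELDS = ("PermissionsRead", "PermissionsCreate", "PermissionsEdit",
               "PermissionsDelete", "PermissionsViewAllRecords",
               "PermissionsModifyAllRecords")

# Query an admin would run against the cloned profile (profile name is assumed).
SOQL = ("SELECT SobjectType, " + ", ".join(PERM_FIELDS) + " "
        "FROM ObjectPermissions "
        "WHERE Parent.IsOwnedByProfile = true "
        "AND Parent.Profile.Name = 'Customer Portal Minimal'")

# Allowlist: the only object permissions the base profile itself may keep.
# Anything beyond this belongs in a Permission Set Group, not the profile.
ALLOW: Dict[str, Set[str]] = {
    "Case": {"PermissionsRead", "PermissionsCreate"},
    "Contact": {"PermissionsRead"},
}

def excess_permissions(rows: Iterable[dict], allow: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Return {object: [flag, ...]} for every granted flag the allowlist does not
    cover. An object absent from the allowlist is permitted nothing, so any
    true flag on it is reported (this is how inherited standard access shows up)."""
    excess: Dict[str, List[str]] = {}
    for row in rows:
        obj = row["SobjectType"]
        permitted = allow.get(obj, set())
        extra = [f for f in PERM_FIELDS if row.get(f) and f not in permitted]
        if extra:
            excess[obj] = extra
    return excess

# Constructed sample rows standing in for the query result (not real org data).
SAMPLE_ROWS = [
    {"SobjectType": "Case", "PermissionsRead": True, "PermissionsCreate": True,
     "PermissionsEdit": True},                       # Edit was never removed
    {"SobjectType": "Contact", "PermissionsRead": True,
     "PermissionsViewAllRecords": True},             # lets a user enumerate all contacts
    {"SobjectType": "Account", "PermissionsRead": True},  # not on the allowlist at all
]

if __name__ == "__main__":
    for obj, flags in excess_permissions(SAMPLE_ROWS, ALLOW).items():
        print(f"{obj}: remove {', '.join(flags)} from the profile")
```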

Security Health Review Guidance

Security Health Review identifies the use of custom, "cloned" profiles as a foundational step in creating a secure external perimeter, making sure that no guest or customer user ever inherits default Salesforce "Standard" permissions.

          Salesforce Help | Article