Enhancing Security of Guest, Community and Portal Users

Publication date: Oct 13, 2022
Description
As part of our focus on continuous improvement, we released changes to enhance the security of your org. These changes could potentially impact your Salesforce guest, community and portal users.
Solution

Lightning Controller Object Access Allowed List Change For Guest, Community and Portal Users

Prior to the change, customers with Lightning communities could use Lightning components (including record home, list view, global search, lookup, etc.) or Lightning Data Service to allow their guest, community and portal users to access a range of Salesforce standard objects and custom objects.


Standard Objects:
After this update, guest, portal and community users who previously could access Salesforce objects using Lightning components or Lightning Data Service can now access only a limited list.
Custom Objects:
Depending upon a customer’s settings, access to all custom object types may have been allowed for guest, portal and community user profiles. After the update, these users will not have access to the following custom object types:
  • Custom Settings
  • Custom Metadata
  • Salesforce to Salesforce
  • Proxy Historical Data
  • Big Object
  • Platform Event

The above changes affect Lightning communities only, and do not affect communities built using Salesforce Tabs + Visualforce.


If you face issues after this change, update your implementation using custom Lightning components and Apex controllers.
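As an added illustration of the recommendation above (this is example code, not from the Salesforce article), a custom Apex controller that a guest-facing Lightning component can call instead of relying on standard components or Lightning Data Service for objects outside the allowed list. The custom object Public_Article__c and its fields Title__c, Body__c and Published__c are hypothetical, as is the assumption that the guest user profile has been granted Read on them.

```apex
// Added example (not from the Salesforce article). Assumes a hypothetical custom object
// Public_Article__c with fields Title__c, Body__c and Published__c, with Read granted to the
// guest/community user profile. The controller returns only what the running user may see.
public with sharing class PublicArticleController {

    // Cacheable so a component can read it via @wire; no DML happens in this method.
    @AuraEnabled(cacheable=true)
    public static List<Public_Article__c> getPublishedArticles(Integer maxRows) {
        // Clamp caller-supplied input so a guest cannot request an unbounded result set.
        Integer limitRows = (maxRows == null || maxRows < 1 || maxRows > 50) ? 50 : maxRows;

        // 'with sharing' applies record-level sharing for the running (guest) user, and
        // WITH SECURITY_ENFORCED throws if the user lacks read access to the object or to
        // any selected field, so nothing the profile did not grant is ever returned.
        return [
            SELECT Id, Title__c, Body__c
            FROM Public_Article__c
            WHERE Published__c = true
            WITH SECURITY_ENFORCED
            ORDER BY CreatedDate DESC
            LIMIT :limitRows
        ];
    }

    // Variant that strips fields the user cannot read instead of failing the whole call.
    @AuraEnabled
    public static Public_Article__c getArticleById(Id articleId) {
        List<Public_Article__c> rows = [
            SELECT Id, Title__c, Body__c
            FROM Public_Article__c
            WHERE Id = :articleId AND Published__c = true
            LIMIT 1
        ];
        // Security.stripInaccessible removes fields the running user has no read access to,
        // so the component only ever receives permitted fields.
        SObjectAccessDecision decision = Security.stripInaccessible(AccessType.READABLE, rows);
        List<Public_Article__c> safe = (List<Public_Article__c>) decision.getRecords();
        return safe.isEmpty() ? null : safe[0];
    }
}
```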


---------------------------------------------------------------------------------------------------------------------------------------------------

Guest and Portal User Entity Allowed List Change [Implemented, April 2019]

Prior to the change, unless prevented by a customer’s settings, guest and portal users could access Salesforce objects that didn’t have object permissions, org preferences, user permissions or preferences that control visibility. These were primarily standard objects in the enterprise or partner API.

After this update, guest and portal users who could previously access the standard objects in the enterprise or partner API without org controls will only be able to access a subset. This change affects standard objects only, and doesn’t affect custom, external, or big objects.
API-Enabled Permission Change [Implemented, April 2019]

Salesforce has disabled the API-enabled permission on all standard external profiles and cloned external profiles of the following license types (API names in parentheses):

  • Customer Community Plus (CustomerCommunityPlus)
  • Customer Community Plus Login (CustomerCommunityPlusLogin)
  • Customer Portal Manager (CustomerPortalManager)
  • Customer Portal Manager Custom (CustomerPortalManagerCustom)
  • Customer Portal Manager Standard (CustomerPortalManagerStandard)
  • Customer Portal User (CustomerPortalUser)
  • Ideas Only Portal (IdeasOnlyPortal)
  • Limited Customer Portal Manager Custom (LimitedCustomerPortalMgrCustom)
  • Limited Customer Portal Manager Standard (LimitedCustomerPortalMgrStandard)
  • Overage Customer Portal Manager Custom (OverageCustomerPortalMgrCustom)
  • Overage Customer Portal Manager Standard (OverageCustomerPortalMgrStandard)

This update removed the ability for external profile users to use the API; however, this does not prevent your org from using API clients.

Below please find additional details and recommendations based on your implementation:

Standard external profiles:

We strongly recommend that all customers review the external profiles in their org to determine if any require the API-enabled permission for their use cases. If your users still need the permission, clone the standard profile and select the API-enabled permission. Then reassign the users to the new cloned profile and add the profile to the correct community memberships. You can use Data Loader or Workbench to mass reassign users, or create a permission set with the API-enabled permission and assign it to the users who need it.

Cloned external profiles:

We strongly recommend that all customers review the external profiles in their org to determine if any require the API-enabled permission for their use cases. If not, we recommend turning off the API-enabled permission. Should you decide that only a subset of your users need the API-enabled permission, you can create two profiles, one with the permission enabled, and one without. Alternatively, use a permission set to assign the permission to the users that need it.

Validate API-Enabled User Permissions

For customers having cloned external profiles with the API-enabled permission turned on, please note that the API-enabled permission allows external applications or connectors to use the API to authenticate or access Salesforce data.

Please review the cloned external profiles in your org and ensure this is necessary for your business needs. If not, we recommend turning off the API-enabled permission.
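To support the review recommended above, here is an added audit script (example code, not from the Salesforce article) in anonymous Apex that lists every external profile and permission set still granting "API Enabled" and every active external user who effectively holds it. It relies only on the standard Profile, PermissionSet, PermissionSetAssignment and User objects; profile permissions are exposed as PermissionSet rows with IsOwnedByProfile = true, so one assignment query covers both profile-granted and permission-set-granted access.

```apex
// Added example (not from the Salesforce article): audit who still holds "API Enabled"
// among external (non-Standard UserType) users. Run it from Developer Console or
// `sf apex run`; it only reads data and writes results to the debug log.

// 1. Every permission container (profile-owned or stand-alone) that grants API Enabled.
Map<Id, PermissionSet> apiSets = new Map<Id, PermissionSet>([
    SELECT Id, Label, IsOwnedByProfile, Profile.Name, Profile.UserType
    FROM PermissionSet
    WHERE PermissionsApiEnabled = true
]);
for (PermissionSet ps : apiSets.values()) {
    // Profile-owned sets have a Profile; stand-alone permission sets do not.
    if (ps.IsOwnedByProfile && ps.Profile.UserType != 'Standard') {
        System.debug('External profile with API Enabled: ' + ps.Profile.Name);
    } else if (!ps.IsOwnedByProfile) {
        System.debug('Permission set granting API Enabled: ' + ps.Label);
    }
}

// 2. Active external users who effectively hold the permission, and where it comes from.
List<PermissionSetAssignment> grants = [
    SELECT Assignee.Username, Assignee.UserType, Assignee.Profile.Name,
           PermissionSet.Label, PermissionSet.IsOwnedByProfile
    FROM PermissionSetAssignment
    WHERE PermissionSetId IN :apiSets.keySet()
      AND Assignee.IsActive = true
      AND Assignee.UserType != 'Standard'
    ORDER BY Assignee.Username
];
Map<String, List<String>> sourcesByUser = new Map<String, List<String>>();
for (PermissionSetAssignment psa : grants) {
    String source = psa.PermissionSet.IsOwnedByProfile
        ? 'profile ' + psa.Assignee.Profile.Name
        : 'permission set ' + psa.PermissionSet.Label;
    if (!sourcesByUser.containsKey(psa.Assignee.Username)) {
        sourcesByUser.put(psa.Assignee.Username, new List<String>());
    }
    sourcesByUser.get(psa.Assignee.Username).add(source);
}
System.debug(sourcesByUser.size() + ' active external user(s) hold API Enabled');
for (String username : sourcesByUser.keySet()) {
    System.debug('  ' + username + ' <- ' + String.join(sourcesByUser.get(username), ', '));
}
```

Any external user listed in step 2 who does not need API access for a documented use case is a candidate for removal from the granting profile or permission set, per the recommendation above.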

Recommendations and Support

We suggest you conduct a comprehensive review of your internal and external org-wide sharing defaults for community, portal, and guest users, and set the most restrictive authorization rules appropriate for your business needs. In addition, we recommend restricting access to your connected apps and API data management tools.

More information on recommended sharing settings in Communities can be found in this Help topic: Sharing CRM Data in a Portal or Community.

If you have questions regarding your community or portal users, please contact Support by logging a case via Salesforce Help.

Knowledge Article Number

000384887

Salesforce Help | Article