Loading

Ensure Digital Experience Guest Users Don’t Have Access to Event Data

Fecha de publicación: Oct 13, 2022
Descripción
Some Salesforce orgs experienced guest users potentially gaining ownership of synced events, and, if the org’s access control permissions were misconfigured being able to view this specific event data. Salesforce has taken measures to remediate this, but if your org was created prior to the Summer ’21 release, follow the steps to remove guest users' access to events.
Solución
Before making changes below please identify the Id of the Guest User/s you may need to run queries against, as below. You will only need to clean data if the included queries return records for the guest user
  • In setup, search for “ All Sites” and go to “Builder” for each Site that’s configured
  • Click Settings and find the “Guest User Profile” section and click the profile.
  • Click "View Users"
  • Select the user or users configured. If there’s more than one, make sure to do this for all.
  • Note the user or users ids from the url, as described here for use in the queries that follow

Before deleting any data Organizations should do a Weekly or Monthly export or ensure they have current backup data available, if they use some other method to backup Salesforce data.
 
1. To prevent unauthenticated guest users from accessing events, disable the Access Activities permission for the guest user profile. Review the documentation for more details on securing the guest user access.
 
2. If a guest user owns a standalone calendar event, delete or reassign the event.
 
a. Use Data Loader or Workbench to find event records that are owned by the  guest user. Query the Event records and filter by the OwnerId field. The OwnerId field should be the same as the Guest User record Id. To find the guest user id, navigate to the guest user profile as described here and for each user, follow the steps described here.
 
b. If you have more than one guest user, run the query for each guest user.

SOQL Query:

SELECT Id FROM Event WHERE OwnerId = '[GuestUserRecordId]' AND IsChild = false
 
c. Delete the records found or update the OwnerId to a non-guest user.
 
3. If a guest user is an invitee on a non-recurring calendar event or past recurring calendar event, remove them from the event:
 
a. Use Data Loader or Workbench to find event records that reference guest users as invitees. Query the EventRelation records and filter by the RelationId field. The RelationId field should be the same as the Guest User record Id.

SOQL Query:

SELECT Id FROM EventRelation WHERE RelationId = '[GuestUserRecordId]' AND (Event.IsRecurrence2 = false OR Event.StartDateTime < TOMORROW) AND Event.IsRecurrence2Exception = false

 
b. To remove single event invitations for guest users, remove them from the organizer’s event record or, delete the EventRelation records returned from the query.
 
4. For recurring series and recurring exceptions in Lightning Experience, use the UI to remove the guest user from each series or use the API to delete the guest user from the
 
- UndecidedEventInviteeIds,
- AcceptedEventInviteeIds, or
- DeclinedEventInviteeIds

fields on the Event object.
 
a. Use Data Loader or Workbench to find event records that reference guest users as invitees. Query the EventRelation (https://developer.salesforce.com/docs/atlas.en-us.232.0.api.meta/api/sforce_api_objects_eventattendee.htm ) records and filter by the RelationId field. The RelationId field should be the same as the Guest User record Id.

SOQL Query:

SELECT Event.Id, Event.Subject, Event.AcceptedEventInviteeIds, Event.DeclinedEventInviteeIds, Event.UndecidedEventInviteeIds FROM EventRelation WHERE RelationId = '[GuestUserRecordId]' AND Event.IsRecurrence2 = true AND (Event.StartDateTime >= TODAY OR Event.IsRecurrence2Exception = true)


Based on this query, use the Event.id and manually locate in the address bar of the browser to edit the records. Edit and remove the Guest User from the Invitees.

b. Alternatively remove event invitations for guest users via the API, remove them from the organizer’s event record through the JunctionIdList fields

- AcceptedEventInviteeIds,
- DeclinedEventInviteeIds, or
- UndecidedEventInviteeIds

For example, if Event.AcceptedEventInviteeIds originally equals [‘StandardUserRecordId’, ‘GuestUserRecordId’], the new Event.AcceptedEventInviteeIds would be [‘StandardUserRecordId’].
 
5. Review the best practices and considerations for configuring the Guest User profile.
 
If you encounter problems with the Resolution steps, log a Support Case with #GuestRem21 as the subject line.
Número del artículo de conocimiento

000389512

 
Cargando
Salesforce Help | Article