Guest Site User Policies

Publiceringsdatum: Oct 13, 2022

Beskrivning

To ensure that you are not inadvertently permitting guest users access to your data, you should review the following best practices and configure your implementation of the Guest User Security Policy according to your business requirements and as part of a zero-trust approach to security. Doing so is critical to protecting your business and customer data from human error and misconfiguration.

Lösning

Org Settings

Ensure List Views are shared only with certain groups or set to private.
Set internal and external organization-wide sharing defaults to ‘private’ on all objects with non-public data. Alternate sharing models may be permitted with proper justification (e.g., adequate restrictions at the create, read, update and delete [CRUD] level).
Set all Sharing rules to not share any data with the Site Guest User.
Apply the Restrict Access to @AuraEnabled Apex Methods for Guest and Portal Users Based on User Profile Critical Update .

Site Guest User Profile(s)

Set the Organization Wide Defaults (OWD) to ‘private’.
Review field-level security for each object - Site Guest Users should have access to only the Custom/Standard objects that are required for their business function, that contain only public data.
Configure Sharing Rules/Permission sets to not open access for Custom/Standard object.
Ensure all active profiles have no access to standard or custom objects that could contain personal information, per the Best Practices and Considerations When Configuring the Guest User Profile documentation
Confirm the View All Users, Object access, and API Enabled checkboxes are not enabled.
Transfer ownership of sensitive records created by the Site Guest User profile to an internal user by following the steps outlined in the Assign Records Created by Guest Users to a Default User in the Org documentation , and ensure ownership of all existing records are also transferred to an internal user.

Additional Steps

Review any custom Apex code
- Check for public API methods returning data, and confirm methods cannot be used to exfiltrate object records
- Enforce field-level security for all Apex classes/methods
- Ensure all controllers are respecting permissions of the current user, per the following Help documentation:
  - Using the with sharing, without sharing, and inherited sharing Keywords
  - Enforcing Object and Field Permissions
Maintain a process to keep JavaScript libraries in static resources continually updated to the latest security patch
Reset the exposed API key credentials

Additional Resources

Knowledge-artikelnummer

000390407

Löste denna artikel ditt problem?

Berätta för oss vad vi kan förbättra!

Guest Site User Policies

General Information

Required Cookies

Functional Cookies

Advertising Cookies

General Information

Required Cookies

Functional Cookies

Advertising Cookies

Cookie List