          Considerations for the Convert External User Access Wizard


          Keep these considerations and limitations in mind when using the Convert External User Access Wizard.

          Required Editions

          Available in: both Salesforce Classic (not available in all orgs) and Lightning Experience
          Available in: Enterprise, Performance, Unlimited, and Developer Editions
          Note: In Salesforce orgs created before February 8, 2024 that enabled digital experiences before the “Enable Secure Roles Behavior and Update Sharing Group References in Production” release update was enforced in Winter ’26, you must use the Convert External User Access Wizard to secure record access for external users. Records that were previously accessible to Roles and Subordinates were made available to Roles, Internal and Portal Subordinates after you enabled digital experiences.

          In all orgs created on February 8, 2024 or later and in all orgs that enabled digital experiences after Winter ’26, records shared with the Roles and Internal Subordinates group through sharing rules or other mechanisms remain accessible only to these internal users. You aren’t required to use the Convert External User Access Wizard to secure access.

          Features Covered by the Convert External User Access Wizard

          The wizard affects the following features in your Salesforce org:

          Sharing Rules
          The Convert External User Access wizard can convert any owner-based or criteria-based sharing rules that include Roles, Internal and Portal Subordinates so that they include Roles and Internal Subordinates instead.
          The Roles and Internal Subordinates data set category allows you to create sharing rules that include all users in a specified role plus all users in roles below that role, excluding any site roles.
          Note: After running the Convert External User Access wizard, you must recalculate the sharing rules to apply the changes. From Setup, in the Quick Find box, enter Sharing Settings. On each object’s sharing rule section, click Recalculate, then click OK.

          The Roles, Internal and Portal Subordinates data set category is only available in your organization after you create at least one role in the role hierarchy.

          The Roles and Internal Subordinates data set category is only available in your organization after you create at least one role in the role hierarchy and enable digital experiences.

          Folder Sharing

          The Convert External User Access wizard also enables you to automatically convert the access levels of any report, dashboard, or document folders that are accessible to Roles, Internal and Portal Subordinates to a more restrictive access level: Roles and Internal Subordinates. This helps prevent external users from accessing folders. Using the wizard is more efficient than locating various folders in Salesforce and setting their access levels individually.

          The wizard doesn’t convert folders that are accessible to all users or accessible to public groups. You must manually update the access levels on those folders.

          Features Not Covered by the Convert External User Access Wizard

          The wizard doesn’t convert access for the following features or sharing mechanisms, but you can follow these recommendations to manually secure external users’ access to your org’s data.

          Manual Sharing
          Remove Roles, Internal and Portal Subordinates from the Share With list of your manual shares, and add Roles and Internal Subordinates instead.
          To identify manual shares that are shared with Roles, Internal and Portal Subordinates, use this SOQL query:
          SELECT Id, UserOrGroupId
          FROM AccountShare
          WHERE UserOrGroupId IN (SELECT Id FROM Group WHERE Type = 'RoleAndSubordinates')
            AND RowCause = 'Manual'
          Replace AccountShare with the share object that you’re querying.
          Apex Managed Sharing
          Update your Apex code so that it creates shares to the Roles and Internal Subordinates group. Because this conversion is a large-scale operation, consider using batch Apex.
          Public Groups
          Review public groups that contain Roles, Internal and Portal Subordinates members. Remove these members and replace them with Roles and Internal Subordinates as required.
          To identify public groups that contain Roles, Internal and Portal Subordinates members, use this SOQL query:
          SELECT Id, GroupId, UserOrGroupId
          FROM GroupMember
          WHERE GroupId IN (SELECT Id FROM Group WHERE Type = 'Regular')
            AND UserOrGroupId IN (SELECT Id FROM Group WHERE Type = 'RoleAndSubordinates')
          Queues
          Review queues that contain Roles, Internal and Portal Subordinates members. Remove these members and replace them with Roles and Internal Subordinates as required.
          To identify queues that contain Roles, Internal and Portal Subordinates members, use this SOQL query:
          SELECT Id, GroupId, UserOrGroupId
          FROM GroupMember
          WHERE GroupId IN (SELECT Id FROM Group WHERE Type = 'Queue')
            AND UserOrGroupId IN (SELECT Id FROM Group WHERE Type = 'RoleAndSubordinates')
          List Views
          Update list views to be shared with Roles and Internal Subordinates instead of Roles, Internal and Portal Subordinates.
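
          For the Apex Managed Sharing recommendation above, one way to convert existing Apex managed share rows with batch Apex. This is an added example, not Salesforce's own code: the custom object Invoice__c, its Apex sharing reason Finance_Review__c, and the class name are hypothetical, and it assumes the Roles and Internal Subordinates group is the Group row with Type 'RoleAndSubordinatesInternal' whose RelatedId matches the same role.

```apex
// Added example. Invoice__c and Finance_Review__c are hypothetical; run as an administrator.
public without sharing class ConvertApexSharesBatch implements Database.Batchable<SObject> {
    public Database.QueryLocator start(Database.BatchableContext bc) {
        String cause = Schema.Invoice__Share.RowCause.Finance_Review__c;
        // Apex managed shares still granted to Roles, Internal and Portal Subordinates.
        return Database.getQueryLocator([
            SELECT Id, ParentId, UserOrGroupId, AccessLevel, RowCause
            FROM Invoice__Share
            WHERE RowCause = :cause
            AND UserOrGroupId IN (SELECT Id FROM Group WHERE Type = 'RoleAndSubordinates')
        ]);
    }

    public void execute(Database.BatchableContext bc, List<Invoice__Share> oldShares) {
        Set<Id> oldGroupIds = new Set<Id>();
        for (Invoice__Share s : oldShares) { oldGroupIds.add(s.UserOrGroupId); }
        // Group.RelatedId holds the role that each role-based group represents.
        Map<Id, Id> roleByOldGroup = new Map<Id, Id>();
        for (Group g : [SELECT Id, RelatedId FROM Group WHERE Id IN :oldGroupIds]) {
            roleByOldGroup.put(g.Id, g.RelatedId);
        }
        Map<Id, Id> internalGroupByRole = new Map<Id, Id>();
        for (Group g : [SELECT Id, RelatedId FROM Group
                        WHERE Type = 'RoleAndSubordinatesInternal'
                        AND RelatedId IN :roleByOldGroup.values()]) {
            internalGroupByRole.put(g.RelatedId, g.Id);
        }
        List<Invoice__Share> replacements = new List<Invoice__Share>();
        List<Invoice__Share> replaced = new List<Invoice__Share>();
        for (Invoice__Share s : oldShares) {
            Id target = internalGroupByRole.get(roleByOldGroup.get(s.UserOrGroupId));
            if (target == null) { continue; } // no internal group found: leave for manual review
            replacements.add(new Invoice__Share(ParentId = s.ParentId, UserOrGroupId = target,
                AccessLevel = s.AccessLevel, RowCause = s.RowCause));
            replaced.add(s);
        }
        // Insert first; remove the old grant only when its replacement was saved.
        List<Database.SaveResult> results = Database.insert(replacements, false);
        List<Invoice__Share> toDelete = new List<Invoice__Share>();
        for (Integer i = 0; i < results.size(); i++) {
            if (results[i].isSuccess()) { toDelete.add(replaced[i]); }
        }
        delete toDelete;
    }

    public void finish(Database.BatchableContext bc) {}
}
```

          Start it with Database.executeBatch(new ConvertApexSharesBatch(), 200). Afterward, rerun the start query to confirm that no Apex managed shares to Roles, Internal and Portal Subordinates remain; any rows still returned had no matching internal group and need manual review.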
           