Guest User Security Policies and Timelines

The Salesforce security policy encompasses all public sites created in a Salesforce org, including Lightning Platform, Site.com, or Experience Cloud. When this policy is fully enforced, any public-facing site must follow these rules.

• Securing access to records by guest users
  • Guest user external org-wide defaults are always set to private.
  • Guest users can’t have more than read access to data.
  • Guest users can’t be members of public groups or queues.
    • Guest users that were added to public groups or queues before this policy was enabled aren’t removed automatically. You must remove these guest users manually.
  • Guest users can’t access records via manual sharing.
  • Guest users can only get access to records through guest user sharing rules, a special type of criteria-based sharing rule.
    • The maximum access granted to guest users via sharing rules is read.
  • Guest users can’t have the update or delete permissions on objects. Guest users can only update or delete records in System Mode.
  • Guest users can’t have View All Records or Modify All Records access on objects.
• Assigning new records created by guest users to a default owner in your org
  • Guest users can’t be the owner for newly created records.
  • Guest users can’t be given ownership of existing records.
  • Ownership of records created by guest users must be transferred to a default owner, who is an active user in your org.
• Viewing other members of a publicly available site
  • Guest users can’t be assigned the View All Users permission.
  • Your org can assess member visibility on a site by site basis.

Timelines for Enforcing Public Site Security Policies

Settings have been enabled every release since Summer ’20. Check to see what release your org is running on Salesforce Status.

Details of the Spring ’25 Updates

During the Spring ’25 release, Salesforce is removing the Assign new records created by guest users to the default owner and the Assign new records created by the Salesforce Sites guest users to a default owner in the org settings. With the removal, the settings can't be disabled, and are on by default in the org.

Details of the Summer ’23 Updates

During the Summer ’23 release, Salesforce enforces the Restrict Emails Sent from the Guest User release update. Salesforce blocks any emails sent from an unverified email address in the guest user record. Orgs with a verified organization-wide email address aren’t affected by this release update, since the “sent from” email address defaults to the org’s verified email address. To avoid disruptions to emails sent from the guest user record, create a verified email address for your org. The email address must have the Allow All Profiles to Use this From Address option enabled. If you don’t want to enable the Allow All Profiles to Use this From Address option, simply update the guest user record email field with your org’s verified organization-wide email address.

Details of the Winter ’23 Updates

During the Winter ’23 release, Salesforce enforces the Remove Guest User Assignments from Permission Sets Associated with Permission Set Licenses with Restricted Object Permissions release update. Salesforce removes guest user assignments from permission sets and permission set groups associated with permission set licenses that contain the View All Records, Modify All Records, edit, and delete standard object permissions. If you’re affected, Salesforce Customer Support will contact you directly about the process and timeframe for enforcing this update in your org.

Details of the Spring ’22 Updates

Salesforce removed the setting Enforce secure record access for guests accessing products. The setting was intended for use in testing guest user sharing rules on the Product2 object during Winter ’22. For guest users, org-wide defaults are set to Private for the Product2 object, and this access level can't be changed. To grant guest users access to product records, you must create guest user sharing rules.

Starting in Spring ’22, Salesforce began taking steps to secure permission set license assignments for guest users. You can no longer assign guest users permission sets or permission set groups associated with permission set licenses that contain the View All Records, Modify All Records, edit, and delete standard object permissions. In Winter ’23, Salesforce is removing guest user assignments from permission sets and permission set groups associated with permission set licenses that contain these restricted object permissions. The only object permissions allowed for guest users are read and create. To help you prepare, Salesforce introduced the Remove Guest User Assignments from Permission Sets Associated with Permission Set Licenses with Restricted Object Permissions release update in Spring ’22.

Note This update originally was called Remove Permission Set Licenses with View All, Modify All, Edit, and Delete Object Permissions from Guest Users. We changed the update to remove guest user assignments of permission sets and permission set groups that are associated with permission set licenses that contain the restricted permissions. This removal of permission set and permission set group assignments is instead of removing assignments of the permission set licenses themselves. Permission set license assignments aren’t removed automatically from guest users, but we encourage you to remove them yourself as a security best practice.

For more information on permission sets vs permission set licenses, see Permission Set Licenses in Salesforce Help.

Details of the Winter ’22 Updates

Salesforce added the setting Enforce secure record access for guests accessing products to use in testing guest user sharing rules for the Product2 object during Winter ’22. Turn the setting on or off in Setup | Product.

The setting will be removed with the Spring ’22 release. The Secure guest user record access setting will also be applied to products in Spring ’22. For guest users, org-wide defaults are set to Private for the Product2 object, and this access level can't be changed. To grant guest users access to product records, you must create guest user sharing rules.

Details of the Winter ’21 Updates

In the Winter ’21 release, Salesforce enabled the following three settings. These settings can't be disabled.

• Setting name: Secure guest user record access
  • To access this setting, from Setup enter Sharing Settings in the Quick Find box.
  • Select Sharing Settings.
• Setting name: Assign new records created by guest users to the default owner
  • To access this setting, from Setup enter Digital Experiences in the Quick Find box.
  • Select Digital Experiences | Settings.
• Setting name: Assign new records created by the Salesforce Sites guest users to a default owner in the org
  • To access this setting, from Setup enter Sites in the Quick Find box.
  • Select Sites and Domains | Sites.

Details of the Spring ’21 Updates

The following guest user object permissions are removed with the Spring ’21 release.

• Edit
• Delete
• Modify All Records
• View All Records

The preceding permissions are turned off for custom objects and the following standard objects: Order, Survey Response, ProfileSkillUser, and ProfileSkillEndorsement.

Important With the Spring ’21 release, Salesforce is removing the View All Records, Modify All Records, edit, and delete permissions for guest users in all orgs.

If a permission set or permission set group is assigned to the guest user and grants Modify All Records, View All Records, edit, or delete, to custom objects, or Order, Contract, Survey Response, ProfileSkillUser, and ProfileSkillEndorsement, then the guest user is removed from the permission set or permission set group. If any other permissions were granted using the same permission set or permission set group, the guest user can’t access them. If you have permission sets or permissions set groups that have Modify All Records, View All Records, edit, or delete permissions on objects, and other permissions, we recommend that you clone the permissions sets and remove Modify All Records, View All Records, edit, or delete permissions. You can then reassign the cloned permission sets and permission set groups to guest users. With the Spring '21 release, you can no longer assign Modify All Records, View All Records, edit, or delete permissions to guest users, even with a permission set or permission set group.

These obsolete permissions, with no app logic tied to them, were also removed from guest user profiles:

• Enable UI Tier Architecture
• Remove People from Direct Messages
• View Topics
• Send Non-Commercial Email
• Share internal Knowledge articles externally
• Hide the Seen By List
• Enable RecordVisibility API
• Assign Topics
• Verify Answers to Chatter Questions
• Close Conversation Threads
• Edit Topics
• Create Topics
• Delete Topics
• Merge Topics
• Allow user to access privacy data
• Modify Data Classification
• Use Any API Client
• Can Approve Feed Post and Comment

Moreover, the following changes were enforced:

• The View All Users permission was disabled for all guest users with the Summer ’20 release. Use the site-specific Let guest users see other members of this site setting instead. The permission is removed from all guest users permanently with the Winter ’21 release.

Potential Impact to Your Org with the Spring ’21 Release

The enforcements of the public site security policies affect all customer orgs with Salesforce public sites built on Lightning Platform, Site.com, Lightning Platform, or Experience Cloud.

With the enforcement of the new security policy, your guest users’ access to your public sites may change. Potential impact includes the following scenarios:

• Guest users may lose access to data.
• Guest users can no longer update or delete records.
• Guest users can no longer complete forms using Flows.
• Guest users may lose visibility to other users of the public site.
• Guest users can no longer upload files.
• The apex:inputField and other similar standard markup components, may no longer render for guest users on custom Visualforce pages or Lightning components.
• The lightning:outputField doesn’t render correctly for guest users if they no longer have edit permissions.