Public Access Settings for Salesforce Sites
Control what public users can do on each Salesforce Sites site.
Required Editions
| Available in: both Salesforce Classic and Lightning Experience |
| Available in: Developer, Enterprise, Performance, and Unlimited Editions |
| User Permissions Needed | |
|---|---|
| To create and edit Salesforce Sites: | Customize Application |
| To edit public access settings for Salesforce Sites: | Manage Users |
To set the public access settings for your site:
- From Setup, in the Quick Find box, enter Sites, and then select Sites.
- Click the name of the site.
- To open the Profile page for your site profile, click Public Access Settings.
From the profile page, you can view and edit profile permissions and settings. However, you can't clone or delete the profile.
From this page, you can:
- Set the object permissions for your site. You can grant Read and Create
permissions on all standard objects except products, price books, and ideas. You
can also grant Read, Create, Edit, and Delete on all custom objects. All
permissions that aren't set by default must be set manually.
Warning: We recommend setting the default external access to Private for the objects on which you grant Read access for your site on the Sharing Settings Setup page. This approach ensures that users accessing your site can view and edit only the data related to your site. We also recommend securing the visibility of all list views. Set the visibility of your list views to Visible to certain groups of users, and specify the groups that you want to have this level of access.
List views with visibility set to Visible to all users can be visible to public users of your site. To share a list view with public users, create a new public group for those users and give them visibility. If the object's sharing is set to private, public users can’t see those records, regardless of list view visibility.
- Control the visibility of custom apps. If you want to expose a custom app and its associated tabs to public users, make only that app visible and make it the default to avoid exposing other pages. If any of your site pages use standard Salesforce headers, public users can see other visible applications.
- Set the login hours during which users can access the site.
- Restrict the IP address ranges from which you can access the site.
Note: To set restrictions based on IP or login hours, HTTPS is required. All authenticated access requires HTTPS. Users logging into a site with a non-secure (HTTP) site URL are redirected to a secure (HTTPS) URL.
The IP addresses in a range must be either IPv4 or IPv6. In ranges, IPv4 addresses exist in the IPv4-mapped IPv6 address space `::ffff:0:0` to `::ffff:ffff:ffff`, where `::ffff:0:0` is `0.0.0.0` and `::ffff:ffff:ffff` is `255.255.255.255`. A range can’t include IP addresses both inside and outside of the IPv4-mapped IPv6 address space. Ranges like `255.255.255.255` to `::1:0:0:0` or `::` to `::1:0:0:0` aren’t allowed.
- Enable Apex controllers and methods for your site. Controllers and methods that are already associated with your site's Visualforce pages are enabled by default.
- Enable Visualforce pages for your site. Changes made here are reflected on the Site Visualforce Pages related list on the Site Details page, and vice versa.
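The IP range rule above (a range can't include addresses both inside and outside the IPv4-mapped IPv6 space) can be checked on a list of proposed ranges before they are entered on the site profile. The following Python sketch is an added example, not Salesforce code: the function names are hypothetical, rejecting a reversed range is an assumption, and the sample ranges are constructed.

```python
import ipaddress

# IPv4-mapped IPv6 block named on this page: ::ffff:0:0 to ::ffff:ffff:ffff
V4_MAPPED = ipaddress.ip_network("::ffff:0:0/96")
FIRST, LAST = V4_MAPPED.network_address, V4_MAPPED.broadcast_address


def to_v6(text):
    """Parse IPv4 or IPv6 text; IPv4 is lifted into the mapped block."""
    addr = ipaddress.ip_address(text.strip())
    if addr.version == 4:
        # 0.0.0.0 -> ::ffff:0:0, 255.255.255.255 -> ::ffff:ffff:ffff
        addr = ipaddress.IPv6Address(int(FIRST) + int(addr))
    return addr


def check_range(start, end):
    """Return (ok, reason) for one proposed start/end pair."""
    try:
        lo, hi = to_v6(start), to_v6(end)
    except ValueError as exc:
        return False, f"not an IP address: {exc}"
    if lo > hi:
        # Assumption: a reversed range is treated as an input error.
        return False, "start is after end"
    overlaps = lo <= LAST and hi >= FIRST  # touches the mapped block
    inside = lo >= FIRST and hi <= LAST    # lies wholly within it
    if overlaps and not inside:
        # Also catches ranges whose endpoints are both outside the block
        # but which span across it, such as :: to ::1:0:0:0.
        return False, "mixes addresses inside and outside the IPv4-mapped space"
    return True, ("IPv4 range" if inside else "IPv6 range")


# Constructed sample ranges; the last two are the ones the page disallows.
SAMPLES = [
    ("203.0.113.0", "203.0.113.255"),
    ("::ffff:10.0.0.1", "10.0.0.255"),
    ("2001:db8::1", "2001:db8::ffff"),
    ("255.255.255.255", "::1:0:0:0"),
    ("::", "::1:0:0:0"),
]

if __name__ == "__main__":
    for start, end in SAMPLES:
        print(start, "to", end, "->", check_range(start, end))
```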

