Set Up Security for an Admissions Connect Portal
Define the data that your portal users can access.
- Understand the Basics of Portal Security
  The first step in setting up your portal is to design and implement a security model that works for your institution. There are a lot of ways to approach security. You’ll probably use a combination of org-wide default sharing settings, permission sets, sharing sets, and more.
- Set Up Portal Users
  Everyone who uses a portal must be identified as a User in your org.
- Assign Permission Sets to Portal Users
  A permission set is one way to assign object and field permissions so that reviewers and applicants can use Admissions Connect components in a portal. Permission sets can also control membership for your portal.
- Update Org-Wide Default External Sharing Settings
  Sharing settings ensure that portal Users can see Application data and documents in the portal. The external sharing settings specified in your org-wide defaults apply to Users with a Customer Community Plus license.
- Extend Record Access for Portal Users
  After you set up your org-wide default sharing settings, extend your sharing model for external Users to give them access to Applications, Application Reviews, and other EDA records as appropriate. You can use sharing sets, Apex managed sharing, or even manually share records. You want to ensure that applicants can only access their own application information and that external reviewers only see application information that they’re assigned to review.
Understand the Basics of Portal Security
The first step in setting up your portal is to design and implement a security model that works for your institution. There are a lot of ways to approach security. You’ll probably use a combination of org-wide default sharing settings, permission sets, sharing sets, and more.
Portals only support external users who don't work for your institution, like alumni reviewers and applicants. Make sure that your security model accounts for these users.
This article will help you get started, but for detailed considerations on portal security, see Secure Your Experience Cloud Sites in Salesforce Help.
Set Up Portal Users
Everyone who uses a portal must be identified as a User in your org.
For instructions on how to create external users, see Create Users for Admissions Connect.
Keep in mind that Customer Community Plus licenses require Roles to be associated with an Account. When portals support more than 50,000 Users at a time, consider optimizing Account Roles for external Users, if appropriate for your security model. The "Use person role for first site user in partner and customer accounts" setting controls this optimization, and you enable it before you create your portal Users. Once you enable role optimization, portal Users that belong to Accounts owned by the same Salesforce User share the same role. This makes role-based sharing risky, because portal Users who share a role can access each other’s records. If you plan to optimize Account Roles, we recommend that you don’t use role-based sharing.
For full details, see Optimize Account Roles to Improve Performance and Scale Your Org in Salesforce Help. Also consider the limits on the number of Roles and community-based Users that you can have in your org. For limitation details, see Communities User Licenses in Salesforce Help.
Assign Permission Sets to Portal Users
A permission set is one way to assign object and field permissions so that reviewers and applicants can use Admissions Connect components in a portal. Permission sets can also control membership for your portal.
Each portal User must be assigned the required permission sets and an appropriate role-based permission set. Admissions Connect provides an unmanaged permission set for external reviewers (Admissions Connect - Review Applications for External Users) and applicants (Admissions Connect - Submit Applications). For detailed information about the required permission sets and how to assign them, see Assign the Admissions Connect Permission Sets.
The provided permission sets include the minimum required access to use Admissions Connect in a portal. These permission sets are unmanaged, which means you must keep them up to date yourself, using the information in Admissions Connect Permission Set Details.
Don't forget that applicants and reviewers need field-level access for all the fields in Action Plan Items that are Tasks. If you plan to allow applicants to edit fields, make sure you grant Edit access, too. Add this access to the default permission sets, or create an additional permission set just for this access. Without access to these fields, portal Users see an error.
Also review the automation for Admissions Connect and your portal carefully, because it can require User permissions that our default permission sets don't provide. For example, if you allow applicants to create Application records and that triggers automation that assigns Action Plan Templates (including child Tasks and Document Checklist Items), additional Create and Edit permissions on various objects (such as Action Plan Templates, Action Plans, and Document Checklist Items) can be required.
After you've assigned portal Users a permission set, you can use the permission set to control portal membership. For instructions, see Add Members to Your Experience Cloud Site in Salesforce Help.
Update Org-Wide Default External Sharing Settings
Sharing settings ensure that portal Users can see Application data and documents in the portal. The external sharing settings specified in your org-wide defaults apply to Users with a Customer Community Plus license.
Review Configure Sharing Settings for Admissions Connect to see our recommendations for external sharing settings.
Extend Record Access for Portal Users
After you set up your org-wide default sharing settings, extend your sharing model for external Users to give them access to Applications, Application Reviews, and other EDA records as appropriate. You can use sharing sets, Apex managed sharing, or even manually share records. You want to ensure that applicants can only access their own application information and that external reviewers only see application information that they’re assigned to review.
For Applicants
Here’s a sample sharing set for applicants that provides access based on the external User’s Contact record.
| Object | Access Determined By | Access Level |
|---|---|---|
| Application | User:Contact = Application:hed__Applicant__c | Read/Write |
| Contact | User:Contact = Contact:Id | Read/Write |
| Education History | User:Contact = Education History:hed__Contact__c | Read Only |
| Relationship | User:Contact = Relationship:hed__Contact__c | Read Only |
| Test | User:Contact = Test:hed__Contact__c | Read Only |
For External Reviewers
We don’t have a sample sharing set for external reviewers. Instead, we recommend that you manually share records or use Apex managed sharing to ensure your external reviewers have access to the records they need.
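One way to implement Apex managed sharing for external reviewers, as an added example that is not Admissions Connect or Salesforce code. It assumes the Application object's API name is hed__Application__c (so its share object is hed__Application__Share) and that the external org-wide default for Application is Private; the class and method names are hypothetical.

```apex
// Added example. Assumes hed__Application__c / hed__Application__Share and a
// Private external org-wide default for Application. Names are hypothetical.
// Runs without sharing so assignment automation can write share rows; call it
// only from code that has already validated the review assignment.
public without sharing class ReviewerApplicationSharing {

    // Grants each reviewer read-only access to exactly the Applications they
    // are assigned. Key: Application Id. Value: reviewer User Ids.
    // Returns one message per share row that could not be inserted.
    public static List<String> shareWithReviewers(Map<Id, Set<Id>> reviewersByApplication) {
        List<hed__Application__Share> shares = new List<hed__Application__Share>();
        for (Id applicationId : reviewersByApplication.keySet()) {
            for (Id reviewerId : reviewersByApplication.get(applicationId)) {
                shares.add(new hed__Application__Share(
                    ParentId = applicationId,
                    UserOrGroupId = reviewerId,
                    AccessLevel = 'Read', // least privilege: reviewers do not edit
                    RowCause = Schema.hed__Application__Share.RowCause.Manual
                ));
            }
        }

        // allOrNone = false: one bad row must not block the other grants.
        List<String> errors = new List<String>();
        Database.SaveResult[] results = Database.insert(shares, false);
        for (Integer i = 0; i < results.size(); i++) {
            if (!results[i].isSuccess()) {
                errors.add(shares[i].ParentId + ' -> ' + shares[i].UserOrGroupId
                    + ': ' + results[i].getErrors()[0].getMessage());
            }
        }
        return errors;
    }

    // Removes the grant when a review assignment ends, so access does not
    // outlive the assignment.
    public static void revoke(Id applicationId, Id reviewerId) {
        delete [SELECT Id FROM hed__Application__Share
                WHERE ParentId = :applicationId
                  AND UserOrGroupId = :reviewerId
                  AND RowCause = :Schema.hed__Application__Share.RowCause.Manual];
    }
}
```

Share rows with the Manual row cause are removed when the record's owner changes, so re-run the grant after any ownership change on an Application that is still under review.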
See Also:
Set Up Sharing Sets in Salesforce Help
Manual Sharing in Salesforce Help
Understanding Sharing in the Apex Developer Guide

