DEVELOPMENT CONSIDERATIONS FOR GUEST USER

DEVELOPMENT CONSIDERATIONS FOR GUEST USER

Major considerations of "Secure Guest Users’ Sharing Settings and Record Access" Setting.

• Guest users can be granted Read Only access to records, even that only through guest user sharing rules.
• Guest users can’t have the update or delete permissions on objects. Guest users can only update or delete records in System Mode.
• Guest users can’t have View All or Modify All access on objects.
• Guest users can’t be the owner for newly created records; it's assigned to a default owner in your org.

Link

• https://help.salesforce.com/s/articleView?id=sf.networks_secure_guest_user_sharing.htm&type=5

Resolution

• Update the records using System mode flows.
• If needed, extend the record read access through guest user sharing rules.
• Make sure end users have visibility of guest user created records.

To access this setting, from Setup enter All Sites in the Quick Find box. Site's Workspaces | Administration | Preferences | Record Ownership

Project Status

• We are already using System Mode flows to update the records.
• We need to investigate more on how default owner Unsubscribe__c records are shared with end users.

Prevent Guest User from Editing or Deleting Approval Requests

After Spring ’24, Guest users are no longer able to edit, reassign, or delete approval requests.

Link

• https://help.salesforce.com/s/articleView?id=release-notes.rn_automate_flow_release_update_limit_guest_access_to_approvals.htm&release=244&type=5

Resolution

• Possible Solution to use System Mode flows.

Project Status

• We are not using the Guest Approval Requests on the package so we are good here.

Run Flows permission disabled for the Guest User.

Since Spring ’23, Run Flows permission disabled for the Guest User. To allow guest users access your flows, you need to grant individual access to each flow that you want them to access.

Link

• https://help.salesforce.com/s/articleView?id=000394651&type=1

Resolution

• Individually grant access for each flow that guest users need access.
• To be able to individually grant access, Manage Packager needs to add isAdditionalPermissionRequiredToRun=true on guest user specific flows. Eg. <isAdditionalPermissionRequiredToRun>true</isAdditionalPermissionRequiredToRun>

Project Status

• We already have instructions to educate customers to provide flow access to guest user profiles.
• We have already set isAdditionalPermissionRequiredToRun=true on flows that need the guest user access so the customer can add them to the guest user profile.

Guest user Unverified email address behavior

Since Summer ’23, Salesforce blocks any emails sent from an unverified email address in the guest user record.

The email address must have the Allow All Profiles to Use this From Address option enabled. If you don’t want to enable the Allow All Profiles to Use this From Address option, simply update the guest user record email field with your org’s verified organization-wide email address.

Link

• https://help.salesforce.com/s/articleView?id=release-notes.rn_experiences_email_update.htm&release=244&type=5

Resolution

• Create verified organization-wide email address for guest users to send email.

Project Status

• We already have instructions to educate customers to create organization-wide email addresses for guest users.
• We need to investigate more if the organization-wide email address is not set-up properly.

Reference Links.

• Guest User Security Policies and Timelines
• Guest User Setup Checklist
• Best Practices and Considerations When Configuring the Guest User Profile
• Guest User Record Access Development Best Practices
• Limit User Access to Execute Flows
• Develop Secure Sites: Authenticated and Guest Users