FAQ-000403 - Community and Experience Cloud Security / Guest User Security

Current Status:VALID_RESPONSEErrorUnable to AnswerSuggests Case

← Back to List View Prompt Template

Current FAQ

Question
What are the security best practices for providing guest users with controlled access to records and handling their permissions and limitations in Experience Cloud Sites?
Answer
Here are the security best practices for providing guest users with controlled access to records and handling their permissions in Experience Cloud Sites: **Access Control:** 1. **Guest User Sharing Rules**: Use these rules to grant Read-Only access to records, ensuring guest users can view but not modify them. 2. **Guest User Profile Configuration**: Limit permissions to only what's necessary, such as Read and Create, and avoid granting Edit or Delete permissions. 3. **Object Permissions**: Grant "Create" permissions to allow anonymous record creation. However, guest users cannot edit or delete records due to the removal of write sharing access. **Secure Record Operations:** 4. **Secure Record Modifications**: For scenarios requiring guest users to modify records, use Apex methods in classes running in "without sharing" mode to maintain control. 5. **Data Encryption**: Encrypt and decrypt sensitive data, like record IDs, using tools like the System.Crypto Apex library. 6. **Avoid Manual Sharing**: Do not use manual or Apex sharing directly with guest users, as these practices are not recommended. 7. **Automated Record Reassignment**: Implement automated processes to reassign records created by guest users to a default owner, as manual sharing is unsupported. **System-Level Controls:** 8. **System Mode for Flows**: Utilize the system mode introduced in Summer '20 to allow flows to bypass user permissions for actions like "Get Records" and "Update Records" for guest users. 9. **Read-Only Access**: Use Guest User Sharing Rules to provide read-only access to records. These practices help maintain security while enabling controlled functionality for guest users and ensure secure and controlled access for guest users.

Enhancing FAQ with AI recommendations...

AI Recommended Enhancement

Related Security Rules (click to view)
ApexSharingViolationsApexCRUDViolation
Question
What are the security best practices for providing guest users with controlled access to records and handling their permissions and limitations in Experience Cloud Sites?
Recommended Answer Update
Here are the security best practices for providing guest users with controlled access to records and handling their permissions in Experience Cloud Sites: **Access Control:** 1. **Guest User Sharing Rules**: Use these rules to grant Read-Only access to records, ensuring guest users can view but not modify them. 2. **Guest User Profile Configuration**: Limit permissions to only what's necessary, such as Read and Create, and avoid granting Edit or Delete permissions. 3. **Object Permissions**: Grant "Create" permissions to allow anonymous record creation. However, guest users cannot edit or delete records due to the removal of write sharing access. **Secure Record Operations:** 4. **Secure Record Modifications**: For scenarios requiring guest users to modify records, use Apex methods in classes running in "without sharing" mode to maintain control. 5. **Data Encryption**: Encrypt and decrypt sensitive data, like record IDs, using tools like the System.Crypto Apex library. 6. **Avoid Manual Sharing**: Don't use manual or Apex sharing directly with guest users, as these practices aren't recommended. 7. **Automated Record Reassignment**: Implement automated processes to reassign records created by guest users to a default owner, as manual sharing is unsupported. **System-Level Controls:** 8. **System Mode for Flows**: Utilize the system mode introduced in Summer '20 to allow flows to bypass user permissions for actions like "Get Records" and "Update Records" for guest users. 9. **Read-Only Access**: Use Guest User Sharing Rules to provide read-only access to records. These practices help maintain security while enabling controlled functionality for guest users.
Reasoning
I made minimal wording improvements for clarity and conciseness without changing the content or structure. Changed "do not use" to "don't use" and removed redundant ending phrase for better readability. The content remains accurate and complete. For security rules: - ApexSharingViolations: This rule directly relates to the FAQ's discussion of sharing rules, "without sharing" mode usage, and manual sharing practices. The FAQ specifically mentions using "without sharing" mode (point 4) and avoiding manual sharing (point 6), which are core concerns of this rule. - ApexCRUDViolation: This rule applies to the FAQ's coverage of object permissions and record access controls. The FAQ discusses granting Create permissions and controlling Edit/Delete access (points 2-3), which directly relates to CRUD security enforcement that this rule addresses.
Reasoning References
Recommended Related Articles