Guest user security changes
The Guest User Security changes will be auto-enabled in the Salesforce Summer '20 release. Salesforce is planning to start a phased deployment of Guest User Security updates on all public sites (sites accessed by guest/unauthenticated users). As a result of this change, the following settings are auto-enabled:
- Secure guest user record access
- Assign new records created by guest users to the default owner
However, you will have the ability to opt out by disabling the new settings. In the Summer '20 release, these changes will be mandatory with an opt-out option. For additional roll-out plan details, visit the Securing Community Cloud Trailblazer group.
Note that these settings will be enforced in the Winter '21 release without opt-out and disable options. For more details about this change, visit the Guest User Security Policy Resource Center.
For more details about this security change, refer to the following topics:
What does this mean for Salesforce customers?
All customers and ISVs who use guest user access for their public sites and communities, for example for Survey, Site login, and Password Change, will be impacted by these security changes.
Impact on BMC Helix Remedyforce
Once this security change is deployed and the Secure guest user record access setting is enabled (as specified in one of the security steps below), all objects in the organization are treated as private for guest users. To open up access to an object, a sharing rule that grants access to guest users is required.
In the case of BMC Helix Remedyforce, guest users require access to the Themes object for the Self Service site login page to work. However, once the Secure guest user record access setting is enabled as part of this security update, the Self Service site login page remains inaccessible even after a sharing rule on the Themes object has been created for guest users.
This document provides the required steps to prepare for this security update along with the workaround for the Self Service site login issue.
We recommend that you test and confirm in a sandbox first.
Preparation for security update
Salesforce recommends the following steps to prepare for the security update:
- Navigate to Setup and type Security Alerts.
- From the Security Alerts page, click each of the following security updates and follow its recommendations until it reports 100% completion:
  - Remove View All Users permissions from Guest user profile
    - Perform all steps listed under this security alert.
  - Assign records created by Guest users to default Owner
    - Perform all steps listed under this security alert.
    - To set the Default Owner, navigate to Setup > Sites.
    - Open the active site and enable the setting Assign new records created by Salesforce Sites guest users to a default owner in the org.
  - Secure guest users org-wide defaults and sharing models
    - Perform all steps listed under this security alert.
    - After the Secure guest user record access setting is enabled, guest users lose access to all objects; create a sharing rule for every object that guest users need to access.
    - For the Self Service site login, create a sharing rule for the SelfService Theme object as shown in the following image:
Note that the warning message disappears once you complete all security updates.
You can run the Guest User Access Report utility to check the impact on your organization.
Steps to perform post security update preparation
After successfully completing the above steps for all three updates, verify that the following functionalities still work as before:
- Site Login
- Password Change
- Survey
Workarounds
If a guest user or a client is not able to access the Self Service site login page even after the sharing rule has been added, perform one of the following workarounds to provide access.
Note that Workaround #1 is only for organizations that have upgraded from previous versions. Workaround #2, which is also recommended by BMC, is available for both fresh installation and upgraded organizations.
However, for a fresh installation, the View All option will not be available from 20.20.02 release onward.
Workaround #1
- Navigate to Setup > Sites.
- Select <SelfService site> from the list.
- Click Public Access settings.
- Search for SelfService Themes.
- Click Edit and select View All permission and Save.
If you face an issue with password change (Forgot Password), click here.
Workaround #2
If you do not want to grant guest users the View All permission on the SelfService Theme object, change the owner of the default theme record (the OOTB theme shipped with the package) from the Special User "BMC Helix Remedyforce" to any active internal user. The reason is that sharing rules for guest users are not honoured or applied to records owned by special users. Salesforce will document this behaviour; once it is available in the Salesforce documentation, we will update this KB with the reference link.
Perform the following steps:
- Navigate to the SelfService Themes tab.
- Open the default theme record (OOTB theme shipped with package). If you are using Self Service 2.0, then the default theme name is BMC SelfService Theme. If you are using Self Service 3.0, then the default theme name is BMC Theme.
- Click the Change link next to the Owner > BMC Helix Remedyforce.
- Select any active internal user and save the changes.
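The following anonymous Apex is an added example, not part of the original KB or the Remedyforce package: it checks the two preconditions behind the workarounds above (whether the guest profile already holds View All on the theme object, and which theme records are still owned by the special user) and can optionally reassign those records for Workaround #2. THEME_OBJECT, GUEST_PROFILE and NEW_OWNER are placeholders you must replace; it assumes the special user "BMC Helix Remedyforce" is a User record and should be run in a sandbox first.

```apex
// Added example (not from the KB). Placeholders to replace before running:
String THEME_OBJECT  = 'REPLACE_WITH_SELFSERVICE_THEME_OBJECT_API_NAME';
String GUEST_PROFILE = 'REPLACE_WITH_SITE_GUEST_USER_PROFILE_NAME';
String NEW_OWNER     = 'REPLACE_WITH_ACTIVE_INTERNAL_USERNAME';
String SPECIAL_USER  = 'BMC Helix Remedyforce';   // assumed to be a User record name
Boolean DRY_RUN = true;                          // set to false to apply Workaround #2

// Workaround #1 check: does the guest profile already hold View All on the theme object?
List<ObjectPermissions> perms = [
    SELECT PermissionsViewAllRecords
    FROM ObjectPermissions
    WHERE SobjectType = :THEME_OBJECT
      AND Parent.IsOwnedByProfile = true
      AND Parent.Profile.Name = :GUEST_PROFILE
];
Boolean guestHasViewAll = !perms.isEmpty() && perms[0].PermissionsViewAllRecords;
System.debug('Guest profile has View All on theme object: ' + guestHasViewAll);

// Workaround #2 check: theme records owned by the special user are not covered by the
// guest sharing rule, so list them (dynamic SOQL because the object name is a placeholder).
List<User> specialUsers = [SELECT Id FROM User WHERE Name = :SPECIAL_USER];
List<SObject> themes = new List<SObject>();
if (!specialUsers.isEmpty()) {
    themes = Database.query(
        'SELECT Id, Name, OwnerId FROM ' + THEME_OBJECT + ' WHERE OwnerId IN :specialUsers');
}
for (SObject t : themes) {
    System.debug('Theme still owned by special user: ' + t.get('Name') + ' (' + t.get('Id') + ')');
}

// Optional reassignment to an active internal user (the manual steps above, applied in bulk).
if (!DRY_RUN && !themes.isEmpty()) {
    User newOwner = [SELECT Id FROM User
                     WHERE Username = :NEW_OWNER AND IsActive = true LIMIT 1];
    for (SObject t : themes) {
        t.put('OwnerId', newOwner.Id);
    }
    update themes;
    System.debug('Reassigned ' + themes.size() + ' theme record(s) to ' + NEW_OWNER);
}
```

Re-run the script after applying either workaround: the View All flag should read true for Workaround #1, or the list of special-user-owned themes should be empty for Workaround #2.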
Salesforce known issue details
For the Salesforce known issue details, refer to Everything You Need To Know About Securing Public Sites.
Related links
- Read our Secure Your Community or Portal article to identify concrete action steps for enhancing the security of your site.
- Use our Guest User Access Report Package to assist in testing the impact of changes prior to enforcement.
- Read our Everything You Need to Know about Securing Public Sites blog for additional FAQs.
- Go over Guest User Record Access Development Best Practices.