Security for your Salesforce guest user and public site is your responsibility as a system administrator. At AdmiralBridge, we’re driven by a mission to help organizations prevent losses, manage incidents, and elevate security. One key way we achieve this is by equipping you with the knowledge and understanding of the Salesforce platform to manage and secure guest users effectively.

For more details on securing the guest user directly from Salesforce, download the Share Securely with Guest Users report for Winter ’25.

What is a Guest User?

In many digital ecosystems, especially within tools like Salesforce’s Experience Cloud, guest users are unauthenticated visitors. Specifically, these users can browse publicly available content, submit forms, or access specific resources without logging in. To illustrate, think of them as individuals casually walking into a store to gather information without needing to show ID.

For instance, a guest user might visit a customer support portal to view FAQs, log an issue, or track an order. However, while this open access can provide value, it also introduces inherent risks if not managed properly.

Moreover, if you’re working with a third party to manage your Salesforce instance, it’s essential to understand whether guest users are being utilized and, if so, how they’re being monitored and secured. If you’re unsure whether your instance has guest users, reach out to us today for a free security checkup.

The Importance of Securing Guest Users

Because guest users don’t authenticate, they share a single, generic profile for access. While convenient and possibly a cheaper approach, this can create vulnerabilities. Misconfigured permissions might inadvertently expose sensitive data or allow unwanted interactions. If data is exposed to the guest user, it is accessible to the public, even if you can’t see it through the designed user interface.

Here’s why securing guest users is vital:

  1. Protect Sensitive Data: Public data sharing should be intentional. Ensuring guest users only access what they need prevents data breaches.
  2. Prevent Misuse: Without proper configurations, a guest user might accidentally (or maliciously) manipulate records or view information they shouldn’t.
  3. Compliance and Trust: Regulatory standards require organizations to safeguard user and organizational data. Proper security instills confidence in your stakeholders.

Best Practices for Managing Guest Users

Follow these steps to securely manage guest users while maintaining the flexibility they bring:

  • Limit Permissions: Keep guest user access at a strict “read-only” level whenever possible. If forms or records need to be submitted, ensure these are routed securely to authenticated owners.
  • Monitor and Review Access: Regularly audit guest user activities and permissions. Salesforce provides tools to check what data is accessible to these users.
  • Avoid Ownership by Guest Users: Assign a default owner for records created by guest users, ensuring better control and accountability.
  • Use Sharing Rules Wisely: Be intentional with guest user sharing rules. Avoid exposing more data than necessary, and regularly review these configurations.

Enable and Configure Guest User Access


In Salesforce Lightning

  1. Access Experience Builder
    • Go to Setup, enter “Digital Experiences” in the Quick Find box, and then select All Sites.
    • Click Builder next to the site you want to configure.
    • In Experience Builder, click the gear icon (Settings) and then select Guest users can see and interact with the site without logging in.
  2. Adjust Guest User Profile Permissions
    • Access Guest User Profile:
      • In Setup, go to Digital Experiences > All Sites.
      • Select the site, click Workspaces, and then go to Administration > Pages > Go to Force.com.
      • Select Public Access Settings and then edit the guest user profile.
    • Update Object Permissions:
      • Grant only the necessary Read or Create permissions, and avoid View All, Modify All, Edit, or Delete permissions.
  3. Secure Record Ownership
    • Assign records created by guest users to a default user:
      • In Setup, go to Digital Experiences > All Sites.
      • Then click Workspaces and select Administration > Preferences.
      • Finally, assign a Default Record Owner.
  4. Set Sharing Rules for Guest Users
    • Create guest user sharing rules in Sharing Settings, ensuring they only access necessary records.
  5. Audit and Test Access
    • Use the Guest User Sharing Rule Access Report in Setup to review access levels.
    • Test configurations in a sandbox environment before deployment.
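
The object-permission rule from step 2 can also be checked outside the Setup UI. The script below is an added example, not AdmiralBridge's or Salesforce's own code: it flags any guest-profile row that grants Edit, Delete, View All or Modify All, or Create on an object you have not approved. The profile name placeholder, the create_allowed parameter and the sample rows are assumptions constructed for illustration; the queried fields are the standard ObjectPermissions fields.

```python
# Added example: flag guest-profile object permissions beyond Read/Create.

# Assumption: placeholder name; substitute your site's guest user profile.
GUEST_PROFILE = "<Your Site> Profile"

# SOQL to export the rows (standard ObjectPermissions fields).
SOQL = (
    "SELECT SobjectType, PermissionsRead, PermissionsCreate, PermissionsEdit, "
    "PermissionsDelete, PermissionsViewAllRecords, PermissionsModifyAllRecords "
    f"FROM ObjectPermissions WHERE Parent.Profile.Name = '{GUEST_PROFILE}'"
)

# Permissions the steps above say to avoid on the guest profile.
AVOID = {
    "PermissionsEdit": "Edit",
    "PermissionsDelete": "Delete",
    "PermissionsViewAllRecords": "View All",
    "PermissionsModifyAllRecords": "Modify All",
}


def audit_guest_permissions(rows, create_allowed=frozenset()):
    """Return sorted (object, finding) pairs for rows that break the rule.

    create_allowed (hypothetical parameter): objects where guest Create is
    intentional, such as a form that submits Cases.
    """
    findings = []
    for row in rows:
        obj = row["SobjectType"]
        for field, label in AVOID.items():
            if row.get(field):
                findings.append((obj, f"{label} granted"))
        if row.get("PermissionsCreate") and obj not in create_allowed:
            findings.append((obj, "Create granted but not approved"))
    return sorted(findings)


# Constructed sample rows in the shape the query returns (not real org data).
SAMPLE_ROWS = [
    {"SobjectType": "Case", "PermissionsRead": True, "PermissionsCreate": True},
    {"SobjectType": "Contact", "PermissionsRead": True, "PermissionsEdit": True},
    {"SobjectType": "Account", "PermissionsRead": True,
     "PermissionsCreate": True, "PermissionsViewAllRecords": True},
]

if __name__ == "__main__":
    for obj, finding in audit_guest_permissions(SAMPLE_ROWS, {"Case"}):
        print(f"{obj}: {finding}")
```

Run the query in a sandbox first and feed the exported rows to audit_guest_permissions; an empty result means the profile holds nothing beyond Read and approved Create.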

In Salesforce Classic Sites

  1. Enable Public Access for a Site
    • Go to Setup, enter Sites in the Quick Find box, and click the Site Label.
    • Under Public Access Settings, click View Public Access Settings.
  2. Edit Guest User Profile Permissions
    • Grant minimum permissions (e.g., Read access).
    • Configure field-level security to hide sensitive fields.
  3. Secure Record Ownership
    • Prevent guest users from owning records by enabling the default owner setting.
  4. Define and Apply Sharing Rules
    • Create guest user-specific rules to restrict access to sensitive data.
  5. Review and Test Access
    • Use the Preview feature in Sites to verify configurations.

Moving Forward with Confidence

At AdmiralBridge, we understand that balancing accessibility and security isn’t just a technical challenge; it’s a strategic one. By prioritizing the secure management of guest users, you can offer a seamless experience without compromising data integrity or organizational standards.

Have questions about optimizing your platform’s security? Reach out to us. Together, let’s build solutions that empower and protect.