Opt Out of Turning Off Community-Specific Setting for Guest Users to See Other Members (Previously Released Update)

By activating this update, you opt out of turning off the community-specific Let guest users see other members of this community setting in the Winter ’21 release.

Where: The update is visible in Salesforce orgs with active public communities in Enterprise, Essentials, Unlimited, Performance, and Developer editions.

When: The Let guest users see other members of this community setting is automatically disabled in all communities in Winter ’21. This update gives you the extra time you may need to get ready.

How: Before Winter ’20, the Community User Visibility setting, when enabled, allowed guest users and authenticated community users to see each other within the community. In the Winter ’20 release, we introduced a new community-specific setting, Let guest users see other members of this community, that lets admins control guest user visibility independently from community user visibility.

Depending on your security configuration, this setting might allow a guest user, essentially anyone on the internet, to access community users’ personally identifying information. This can include first and last name, email, custom, and other fields.

To protect your customer data and privacy, Salesforce is turning off the Let guest users see other members of this community setting for all communities.

Depending on your business needs, enabling this setting and allowing guest users to see one another may be required for your site to function properly. Therefore, we are asking that you reassess and validate the need to enable Let guest users see other members of this community for each community. If you have one or more communities that must have this setting turned on, activate this update to opt out of the Winter ’21 update. However, we encourage you to work towards modifying your site’s customization to allow this setting to be disabled. Limiting guest user visibility is a Salesforce security best practice.

If you don’t activate this update, the Let guest users see other members of this community setting is turned off on all your communities (not just the ones created after Winter ’20). Make sure to assess all the communities in your org, including the ones created after Winter ’20.

https://help.salesforce.com/s/articleView?id=release-notes.rn_networks_GUV_opt_out.htm&release=226&type=5

Reduce Object Permissions for Guest Users by the Winter ’21 Release (Security Alert)

With the Winter ’21 release, Salesforce is removing the View All Data, Modify All Data, and delete permissions for guest users, and they can never be used for guest users on any objects. If a custom or standard object has View All Data, Modify All Data, or delete permissions for guest users, all the permissions are turned off with the Winter ’21 release. Reduce object permissions for guest users if they have View All Data, Modify All Data, or delete permissions on a standard or custom object.

Where: This change applies to all Salesforce orgs with one or more standard or custom objects with View All Data, Modify All Data, update, or delete permissions enabled for guest users.

How: Follow the step-by-step recommendations of the security alert if it appears in your org.

If a security alert appears in your org, your org data may be exposed to guest users because you have one or more standard or custom objects with View All Data, Modify All Data, update, or delete permissions enabled for guest users.

https://help.salesforce.com/s/articleView?id=release-notes.rn_networks_reduce_object_perms.htm&release=226&type=5

Modify All Data, View All Data, Edit, and Delete Permissions on Guest User Profiles in Orgs Created Before Summer ’20

In orgs created before the Summer ’20 release, we’re removing the View All Data, Modify All Data, and delete permissions on custom and standard objects for guest users, but only if they were never enabled on the guest profile or permission sets for guest users. In orgs created before the Summer ’20 release, guest user profiles retain guest edit permissions on all custom objects and the following standard objects: Order, Contract, and Survey Response. Guest users only had edit permissions on the three standard objects mentioned, and this behavior has not changed. If your org was created before the Summer ’20 release, and you have View All Data, Modify All Data, edit, or delete permissions on any object for a guest user, you’re notified by a Security Alert to make the necessary changes to your org.

Where: This change applies to all orgs with guest user profiles for communities, Site.com sites, and Salesforce Sites.

https://help.salesforce.com/s/articleView?id=release-notes.rn_networks_guest_only_read_create.htm&release=226&type=5

Modify All Data, View All Data, Edit, and Delete Permissions on Guest User Profiles in Orgs Created in Summer ’20

Orgs created in the Summer ’20 release don’t have Modify All Data, View All Data, or delete permissions on any standard or custom objects for guest user profiles. Guest users in orgs created in Summer ’20 still have edit permissions for custom objects and the following three standard objects: Order, Contract, and Survey Response.

Where: This change applies to all orgs with guest user profiles for communities, Site.com sites, and Salesforce Sites.

https://help.salesforce.com/s/articleView?id=release-notes.rn_networks_guest_new_orgs_CRUD.htm&release=226&type=5
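
The object permission rules in the three sections above can be checked against an export of guest-profile object permissions before the security alert does it for you. The following is an added example, not Salesforce code: the sample rows and profile names are constructed, and the query in the comment, the `__c` test for custom objects, and the API names Order, Contract, and SurveyResponse are assumptions.

```python
# Added example. Field names follow the ObjectPermissions object; rows could come
# from a query such as (assumption, covers profile-owned permissions only):
#   SELECT Parent.Profile.Name, SobjectType, PermissionsEdit, PermissionsDelete,
#          PermissionsViewAllRecords, PermissionsModifyAllRecords
#   FROM ObjectPermissions WHERE Parent.Profile.UserType = 'Guest'

# Permissions that trigger the security alert, labelled as on this page.
ALERT_PERMS = {
    "PermissionsViewAllRecords": "View All Data",
    "PermissionsModifyAllRecords": "Modify All Data",
    "PermissionsEdit": "edit",
    "PermissionsDelete": "delete",
}
# Removed from guest users on every object with Winter '21.
REMOVED = {"View All Data", "Modify All Data", "delete"}
# Standard objects on which guest edit is retained (API names are an assumption).
EDIT_RETAINED = {"Order", "Contract", "SurveyResponse"}


def audit_guest_permissions(rows):
    """Return one finding per object that would raise the guest security alert."""
    findings = []
    for row in rows:
        granted = [label for field, label in ALERT_PERMS.items() if row.get(field)]
        if not granted:
            continue  # no alert-triggering permission on this object
        obj = row["SobjectType"]
        finding = {
            "profile": row["Profile"],
            "object": obj,
            "alert_on": granted,
            "removed_in_winter_21": [p for p in granted if p in REMOVED],
        }
        if "edit" in granted:
            # Custom objects are recognised by the __c suffix (assumption).
            finding["edit_retained"] = obj.endswith("__c") or obj in EDIT_RETAINED
        findings.append(finding)
    return findings


def row(profile, obj, edit=False, delete=False, view_all=False, modify_all=False):
    """Build one constructed sample row in the flattened query-result shape."""
    return {"Profile": profile, "SobjectType": obj, "PermissionsEdit": edit,
            "PermissionsDelete": delete, "PermissionsViewAllRecords": view_all,
            "PermissionsModifyAllRecords": modify_all}


# Constructed sample data, not taken from a real org.
SAMPLE_ROWS = [
    row("Help Center Profile", "Case", delete=True, view_all=True),
    row("Help Center Profile", "Order", edit=True),
    row("Help Center Profile", "Invoice__c", edit=True, delete=True),
    row("Help Center Profile", "Account"),
]

if __name__ == "__main__":
    for finding in audit_guest_permissions(SAMPLE_ROWS):
        print(finding)
```

Permissions granted to guest users through permission sets are not covered by the query in the comment and need a separate review.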

View All Users and Other Permissions Disabled in Guest User Profiles (Previously Released Security Alert, Enforced)

Guest users typically don’t need access to view all users in a Salesforce org, so to promote data security, we disabled the View All Users permission in guest user profiles. If you have a production org that was created before Winter ’20, we recommend that you check guest user access and deselect the View All Users permission in all your guest user profiles. To enhance security, we also removed these permissions from the guest user profile: Can Approve Feed Post and Comments, Enable UI Tier Architecture, Remove People from Direct Messages, View Topics, and Send Non-Commercial Email.

Where: This change applies to orgs with active communities in Enterprise, Essentials, Unlimited, Performance, and Developer editions.

When: The timelines for the rollout and enforcement of this setting are published in Guest User Security Policies and Timelines.

How: These changes are auto-enabled in your org. However, you can opt out. In the Summer ’20 release, these changes are mandatory and you no longer have the option to opt out.

https://help.salesforce.com/s/articleView?id=release-notes.rn_networks_guest_perms_removed.htm&release=226&type=5

Secure Guest Users’ Org-Wide Defaults and Sharing Model (Previously Released Security Alert, Enforced)

Learn about the Secure guest user record access setting in this security alert, and how to safeguard your org’s data. This setting enforces private org-wide defaults for guest users and restricts the sharing mechanisms that you can use to grant record access to guest users. If you have a Salesforce org created before Winter ’20, we recommend that you review the external org-wide defaults, public groups, queues, manual sharing, and Apex managed sharing that you use to grant access to guest users. Then replace the access previously granted by these sharing mechanisms with guest user sharing rules before the security alert is enforced.

Where: This change applies to orgs with active communities and sites in Enterprise, Essentials, Unlimited, Performance, and Developer editions.

When: The timelines for the rollout and enforcement of this setting are published in Guest User Security Policies and Timelines.

How: Review the required actions before this security alert is enforced. From Setup, enter Security Alerts in the Quick Find box, then select Security Alerts. For Secure Guest Users’ Org-Wide Defaults and Sharing Model, click Get Started. Follow the instructions in the step-by-step guides for reviewing guest user sharing settings and creating guest user sharing rules.

https://help.salesforce.com/s/articleView?id=release-notes.rn_networks_guest_sharing_security_alert.htm&release=226&type=5

Guest Users Can’t Be Assigned as Owners of Already Existing Records

Before the Summer ’20 release, guest users couldn’t be assigned as owners of newly created records. Starting in Summer ’20, guest users can’t be assigned as owners of records already existing in the org.

Where: This change applies to all orgs with guest user profiles for communities, Site.com sites, and Salesforce Sites.

How: This change is enforced in new orgs created after the Summer ’20 release. Check out Opt Out of Guest User Security Policies Before Summer ’20 (Critical Update) for orgs created before the Summer ’20 release.

https://help.salesforce.com/s/articleView?id=release-notes.rn_networks_guest_as_owner.htm&release=226&type=5

Opt Out of Guest User Security Policies Before Summer ’20 (Previously Released Update)

By activating this update, you opt out of three policies aimed at increasing your data security for guest, or unauthenticated, users. Activating this update opts your org out of having the following settings automatically enabled with the Summer ’20 release: Secure guest user record access, Assign new records created by guest users to the default owner, and Assign new records created by Salesforce Sites guest users. If your org already has these settings enabled, activating this update doesn’t change your configuration.

Where: The release update is visible in orgs with active communities in Enterprise, Essentials, Unlimited, Performance, and Developer editions.

When: The Secure guest user record access, Assign new records created by guest users to the default owner, and Assign new records created by Salesforce Sites guest users settings are automatically enabled with the Summer ’20 release. This update gives you the extra time to get ready. If you opt out of these settings for the Summer ’20 release, you must comply with our new guest security policies before Winter ’21, when they are enforced on all orgs.

How: To opt out of automatically enabling these settings, activate the update. To access the settings in the UI to see if they are enabled or not:

  • From Setup, enter Sharing Settings in the Quick Find box. Select Sharing Settings. You can see the Secure guest user record access checkbox on the page.
  • From Setup, enter Communities Settings in the Quick Find box, then select Communities Settings. You can see the Assign new records created by guest users to the default owner checkbox on the page.
  • From Setup, enter Sites in the Quick Find box, then select Sites. You can see the Assign new records created by Salesforce Sites guest users checkbox on the page.

https://help.salesforce.com/s/articleView?id=release-notes.rn_networks_guest_opt_out.htm&release=226&type=5

Automatically Assign Records Created by Guest Users to a Default Owner (Previously Released Security Alert)

To increase the security of your Salesforce data, set up your org so that guest users are no longer automatically the owner of records they create. Instead, when a guest user creates a record, the record is assigned to a default active user in the org, who becomes the owner.

Where: This change applies to orgs with active communities in Enterprise, Essentials, Unlimited, Performance, and Developer editions.

Why: Having an internal org user be the owner of records created by guest users is a Salesforce security best practice. While we strongly encourage you to assign a default owner, changing record ownership can affect your guest users’ ability to access records. Test all changes in a sandbox environment to see the effects on data sharing and visibility before you change your implementation in production.

How: From Setup, enter Communities Settings in the Quick Find box, then select Communities Settings. Select Assign new records created by guest users to the default owner. Click Save.

In newly created communities, Salesforce automatically assigns the user that created the community as the default owner of all records created by guest users. Change the default owner in the Administration workspace of your community, under Preferences.

https://help.salesforce.com/s/articleView?id=release-notes.rn_networks_reassign_guest_records.htm&release=226&type=5

Block Certain Fields in the User Record for Orgs with Communities and Portals (Previously Released Security Alert and Update, Enforced)

Salesforce is giving customers the option to enable a user setting that allows the hiding of certain personal information fields on the user records in orgs with communities or portals. The fields are hidden from view when external users are accessing user records. External users can still see their own user records. This change doesn’t apply to queries running in System Mode.

Where: This change applies to all orgs with communities or portals.

When: This update was activated automatically on January 5, 2020 in production orgs.

How: Salesforce is introducing an org setting that allows for the hiding of other users’ personal information in pages showing the user record to external user profiles, and in SOSL and SOQL queries that run as external users.

The affected fields are:

  • Alias
  • EmployeeNumber
  • FederationIdentifier
  • SenderEmail
  • Signature
  • Username
  • Division
  • Title
  • Department
  • Extension

Admins can enable the setting Hide Personal Information for the org under User Management Settings. After enabling the setting, searches on user records don’t show the affected fields of other users to external users.

https://help.salesforce.com/s/articleView?id=release-notes.rn_networks_user_profile_cruc.htm&release=226&type=5