View All Users and Other Permissions Disabled in Guest User Profiles (Security Alert, Enforced)

Guest users typically don’t need access to view all users in a Salesforce org, so to promote data security, we disabled the View All Users permission in guest user profiles. If you have an org created before Winter ’20, we recommend that you check guest user access and deselect the View All Users permission in all your guest user profiles. To enhance security, we also removed these permissions from the guest user profile: Can Approve Feed Post and Comments, Enable UI Tier Architecture, Remove People from Direct Messages, View Topics, and Send Non-Commercial Email.

Where: This change applies to orgs with active communities in Enterprise, Essentials, Unlimited, Performance, and Developer editions.

When: The timelines for the rollout and enforcement of this setting will be published in the Securing Community Cloud group on the Trailblazer Community (Salesforce login required).

How: These changes are auto-enabled in your org. However, you have the ability to opt-out. In the Summer ’20 release, these changes are mandatory and you no longer have the option to opt out.