Restrict Access to @AuraEnabled Apex Methods for Guest and Portal Users Based on User Profile (Update, Postponed)

This update is postponed to Winter ’21. It was scheduled for auto-activation (enforcement) in Spring ’20. This update gives you more control over which guest, portal, or community users can access Apex classes containing @AuraEnabled methods. Add guest user profile access to any @AuraEnabled Apex class used by a community or portal. When this update is activated, a guest, portal, or community user can access an @AuraEnabled Apex method only when the user’s profile or an assigned permission set allows access to the Apex class.

Where: This change applies to Aura components, Lightning web components, and flows in Lightning communities, portals, and Salesforce Sites.

When: This update is enforced when a sandbox or production org is upgraded to Winter ’21. Enforcement starts for some sandboxes on August 9, 2020. To get the major release upgrade date for your instance, go to Trust Status, search for your instance, and click the maintenance tab.

Why: When this update is activated, a guest, portal, or community user can access an @AuraEnabled Apex method only when the user’s profile or a permission set allows access to the Apex class. This update enforces user profile and permission set restrictions for Apex classes used by Aura and Lightning web components.

Note

Note

To enable access to a public Apex controller that’s part of a managed package, a subscriber org must use a permission set. You can’t enable access to a public Apex controller from a managed package using a user profile.

How: To test this update, we recommend working in a sandbox. After August 12, you can continue to activate or deactivate the update from Release Updates in Setup until the update is automatically enforced when your org is upgraded to Winter ’21. After August 9, you can no longer activate or deactivate the update from Critical Updates in Setup.

  1. From Setup, enter Release Updates in the Quick Find box.
  2. Select Release Updates (Beta).
  3. Find “Restrict Access to @AuraEnabled Apex Methods for Guest and Portal Users Based on User Profile” and click View Details or click Get Started.
  4. Test that custom Aura components, Lightning web components, and flows that you’ve developed are working correctly for guest, portal, and community users.
    Note

    Note

    The Guest User Access Report available in this managed package can help you to identify guest user access to Apex classes.