View All Users and Other Permissions Disabled in Guest User Profiles (Previously Released Security Alert, Enforced)

Guest users typically don’t need access to view all users in a Salesforce org, so to promote data security, we disabled the View All Users permission in guest user profiles. If you have a production org that was created before Winter ’20, we recommend that you check guest user access and deselect the View All Users permission in all your guest user profiles. To enhance security, we also removed these permissions from the guest user profile: Can Approve Feed Post and Comments, Enable UI Tier Architecture, Remove People from Direct Messages, View Topics, and Send Non-Commercial Email.

Where: This change applies to orgs with active communities in Enterprise, Essentials, Unlimited, Performance, and Developer editions.

When: The timelines for the rollout and enforcement of this setting are published in Guest User Security Policies and Timelines.

How: These changes are auto-enabled in your org. However, you can opt out. In the Summer ’20 release, these changes are mandatory and you no longer have the option to opt out.


These permissions are completely removed in sandboxes refreshed before the Spring ’20 release. Sandboxes refreshed after the Spring ’20 release mirror permissions seen in your production org.
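One way to run the recommended check of guest user profiles offline, as an added example that is not Salesforce's own code: it scans retrieved profile metadata XML for guest profiles that still have View All Users enabled. It assumes Metadata API-style profile XML, that guest profiles carry the `Guest User License` user license, and that the permission's API name is `ViewAllUsers`; the sample profiles and their names are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}  # Metadata API namespace
GUEST_LICENSE = "Guest User License"  # assumption: license label on guest profiles
FLAGGED = {"ViewAllUsers"}            # assumption: API name of View All Users

def _profile(license_name, view_all_users):
    """Build a constructed, minimal Profile metadata document for the demo."""
    return (
        '<Profile xmlns="http://soap.sforce.com/2006/04/metadata">'
        f"<userLicense>{license_name}</userLicense>"
        "<userPermissions>"
        f"<enabled>{view_all_users}</enabled><name>ViewAllUsers</name>"
        "</userPermissions>"
        "</Profile>"
    )

# Constructed sample input: profile names and contents are illustrative only.
SAMPLE_PROFILES = {
    "Support Site Profile": _profile(GUEST_LICENSE, "true"),
    "Partner Site Profile": _profile(GUEST_LICENSE, "false"),
    "Internal Admin": _profile("Salesforce", "true"),
}

def flagged_permissions(profile_xml):
    """Return enabled flagged permissions, or None if not a guest profile."""
    root = ET.fromstring(profile_xml)
    if root.findtext("md:userLicense", default="", namespaces=NS).strip() != GUEST_LICENSE:
        return None
    hits = set()
    for perm in root.findall("md:userPermissions", NS):
        name = perm.findtext("md:name", default="", namespaces=NS).strip()
        enabled = perm.findtext("md:enabled", default="false", namespaces=NS)
        if name in FLAGGED and enabled.strip().lower() == "true":
            hits.add(name)
    return sorted(hits)

def audit(profiles):
    """Map each guest profile that still has a flagged permission to its hits."""
    findings = {}
    for profile_name, xml_text in profiles.items():
        hits = flagged_permissions(xml_text)
        if hits:  # None (not a guest profile) and [] (clean) are both skipped
            findings[profile_name] = hits
    return findings

if __name__ == "__main__":
    for profile_name, hits in audit(SAMPLE_PROFILES).items():
        print(f"{profile_name}: still enabled -> {', '.join(hits)}")
```

The other permissions named in this note can be added to `FLAGGED` once their API names are confirmed in your org's metadata.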