Improve Security for Sites and Communities by Restricting Record Access for Guest Users

To address potential security vulnerabilities, we applied a critical update to Salesforce sites and communities on October 5, 2018. This update removed default record access for guest users so that they can no longer create, read, update, or delete Salesforce records. You can give guest users access to your Salesforce records by editing your object permissions.

Where: This change applies to Lightning communities and Salesforce Tabs + Visualforce communities accessed through Lightning Experience and Salesforce Classic. This change applies to Enterprise, Performance, Unlimited, and Developer editions.

How: From Setup, enter Critical Updates in the Quick Find box. Then select Critical Updates. For Restrict Record Access for Guest Users, click Acknowledge.

  • For Communities

    In Community Builder, click the Settings icon, and select General. Under Guest User Profile, click the profile name. Click Edit. Under Standard Object Permissions, confirm that the profile reflects the permissions you intend for guest users to have to create, read, update, and delete Salesforce records.

  • For Salesforce Sites

    From Setup, enter Sites in the Quick Find box, then select Sites. Click the name of the site that you want to control. Click Public Access Settings. Under Standard Object Permissions, confirm that the profile reflects the permissions you intend for guest users to have to create, read, update, and delete Salesforce records.