Sharing: Sharing Set Support for More Licenses and More Objects, Clickjack Protection for
Use sharing sets with all Customer and Partner Community licenses and
with more objects. Use Google’s IP Anonymization to help with privacy concerns. Protect your
community from clickjack attacks.
Improve Security for Sites and Communities by Restricting Record Access for Guest Users
To address potential security vulnerabilities, we applied a critical update to Salesforce sites and communities on October 5, 2018. This update removed default record access for guest users so that they can no longer create, read, update, or delete Salesforce records. You can give guest users access to your Salesforce records by editing your object permissions.
Limit Guest User Access to Activities
Ensure that the work your reps and agents do remains private. With the Access Activities permission, users, such as guest users in communities, don’t have access to any tasks, events, and emails.
Use Sharing Sets with All Customer and Partner Licenses (Generally Available)
Previously, when you upgraded to Customer Community Plus, you lost sharing access via sharing sets because they were limited to Customer Community users. Now your Customer Community users retain sharing sets after upgrading and you can also use sharing rules and role-based sharing to control access to data. And you can even use sharing sets with users who have Partner Community licenses.
Use the New Content Security Policy to Better Protect Your Community
New settings give you the option to apply different levels of Content Security Policy (CSP) to your community, including strict CSP. Strict CSP standards protect you and your customers by allowing content only from explicitly whitelisted external hosts to display in your communities and by blocking all inline scripts.
Enable Users to Log In with Their Email, Phone Number, or Any Identifier You Choose
In just a few clicks, you can deploy login pages that simplify how external users log in to your community. With the Login Discovery feature, you can let your external users identify themselves using something other than a username, such as a phone number. Instead of a password, they can verify their identity with a code sent to their email or mobile device. And, if your org is enabled with multiple Identity Providers (IdPs), login is a one-step process—users bypass verification altogether.
Allow Visitors to Join Your Community by Email or Phone
Make it easy for customers to join your community. Instead of requiring a username and password to register, let them join by entering their email address or phone number. Configurable self-registration simplifies the sign-up process. It allows you to register users quickly and with minimal information. After the user is created, you can build the user’s profile progressively when logging in later. For example, you can collect more user information based on context or the type of interaction.