Salesforce’s Spring ‘20 Release: Changes regarding guest users starting March 1, 2020

Karen WaldschmittKaren Waldschmitt Skuid Mod, Admin 🛠️ 
edited June 26 in Announcements

Issue

In the Spring ‘20 Salesforce release, Salesforce is modifying what guest users are able to do using out of the box Salesforce in order to secure communities and force.com sites. As noted in this documentation and further explained in this documentation, although the changes are part of the Spring ‘20 release, they will not be automatically enabled in orgs until March 1st. 

Who Will be Affected by This:

Any clients who utilize guest users in your Salesforce org may be affected by this depending on what your guest users do.

How Does this Affect My Use of Skuid and What is Skuid Doing About It? 

Salesforce’s change also impacts Skuid’s File Upload component for site guest users. The Skuid Product Engineering team is working on a product change to restore the ability for Guest Users to use Skuid’s File Upload component to upload attachments to records. This change will be available in 11.2.30 and 12.2.14. 

What Do I Need to Do? 

As soon as possible, any clients who utilize guest users in your Salesforce org need to thoroughly test all functionality that your guest users can currently do in your prod org against what they can do in a sandbox with the ”Secure guest user record access” enabled

1. If you are using Skuid’s File Upload component for site guest users: 

  1. Upgrade a sandbox to either 11.2.29 or 12.2.13 per these instructions. This way, you will be prepared to move quickly when the upcoming Skuid release that contains the fix is available (11.2.30 or 12.2.14) 

  2. Thoroughly test that version to ensure there are no adverse changes to any of your mission critical functionality

  3. Upgrade that sandbox to 11.2.30 or 12.2.14 when it is available and test again

  4. Upgrade your production org to 11.2.30 or 12.2.14 when everything checks out in your sandbox. 

Please note that even on Skuid version 11.2.30 or 12.2.14, you will still need to use Salesforce’s new Guest User Sharing Rules to grant record level access to the records your Guest Users should be able to access. 

For example, if your Guest Users currently use Skuid to create a record and then upload a file as an attachment to that record, you will need to create one or more Guest User Sharing Rules to share these newly-created records to your site’s Guest User. If you do not create the requisite sharing rules, you will still be unable to use Skuid’s File Upload component to upload attachments to those records, even with 11.2.30 or 12.2.14 installed.

2. If your guest users need to access records they have created, such as allowing Guest Users to create a record and then additional “detail” records related to that first record, you have several options: 

  1. Try to achieve the record access for your site guest user using Site Guest User Sharing Rules

  2. Modify your Skuid Page to either 

    1. Invoke Apex that runs an update in a “without sharing” context to perform the record linkages. 

    2. Run a Flow that runs in system context. 

    3. For more details on a or b, please see this article on how Salesforce recommends that customers write Apex to work outside of the security model you have configured for your Org.

  3. If you continue to have problems either:

    1. Open a case with Salesforce detailing your use case and how it works currently in winter ’20 and what you need it to continue to do. Our understanding is that Salesforce has a task force to help clients work through any issues related to this release.

    2. Sign up for Salesforce’s office hours to ask questions of the experts live. 

Other Salesforce Resources That May be Helpful

Here are also some resources Salesforce provided: 

Salesforce Winter ‘20 release notes also include changes regarding guest users: 

Tagged:
«1

Comments

  • Karen WaldschmittKaren Waldschmitt Skuid Mod, Admin 🛠️ 
    edited February 13
    Quick update: 11.2.30 and 12.2.14 are both now live from the Skuid releases page
  • Karen WaldschmittKaren Waldschmitt Skuid Mod, Admin 🛠️ 
    edited February 13

    One addition to the previously stated "What Do I Need To Do:" 

    If none of the above resolved the issue for you, the final option is for you to request that Salesforce delay auto activating the guest user change in your org until summer ‘20 to give yourself more time to get situated as explained in this documentation

  • DaveDave Member ✭✭
    edited April 9
    Hey out of curiosity,
     Has anyone figured out how to still give permission to Edit Access to guest users?

    I have Skuid pages exposed to our partners/clients through Site's guest users which allow them to edit some records, and this is going to have a huge impact on us, and looking for solutions.

    Anything would be appreciated greatly!

    Tahnk you


  • Anna WiersemaAnna Wiersema Skuid Mod, Admin 🛠️ 
    edited February 18
    Hi Dave, with the guest user secure record access settings in place, you do have to write some Apex to allow guest users to edit records (see #2 above for more details and Salesforce best practices to enable guest users to update records.)

    Be very precise with this because you are intentionally allowing guest users to circumvent the Salesforce security model that you configured. Make triple sure that you are tightly controlling what that Apex is doing and make it really super specific to exactly what you need guest users to be able to do, no more.

    As per #3, if you run into trouble on the Apex side of things and/or would like to more time before these changes are applied to your orgs, reach out to Salesforce with details of your use case and their task force should be able to assist you and give you recommendations.

    If you run into issues with the Apex/Skuid integration, check out the docs on Skuid and Apex and as always you can post any questions here on the community.
  • Tami LustTami Lust Member
    edited February 18
    Hey Dave,

    We had this same issue. I had a call with SalesForce on Friday and I was told that if you give the Site Guest User profile "modify all" access to the objects that you need access to, the site guest user can edit.

    I tried it and it worked in our sandbox org. 
  • DaveDave Member ✭✭
    edited February 18
    Hi, and Thank you for the info,
    But that's not in line with I was reading online, apparently the Modify ALL will be disabled as well

    “Guest cannot be granted ‘View All Data’ or ‘Modify All Data’ access on objects” security policy will be enforced in Summer’20 release across Salesforce sites

    Tami, Did SF tell you this is good temporarily only?

    Thank you!
  • DaveDave Member ✭✭
    edited February 18
    @anna will the apex code work even if the guest user uses a skuid page to 'Edit record"?


  • Tami LustTami Lust Member
    edited February 18
    @Dave on my call with SalesForce they said it will work permanently. With that said when it comes to this issue I am having a really hard time getting consistant information from SalesForce when I reach out to them for info and help.
  • DaveDave Member ✭✭
    edited February 19
    @karen

    Somehow in my production org the Secure guest user record access got turned on, and now the Guest User profile can no longer see any skuid pages...

    I checked all possible settings but i get the same message

    I believe the Guest user no longer have access to skuid pages, even though a License is assigned to this Guest Profile

    We cannot share the pages manually , as Secure guest user record access = true and SF does not allow to add to public groups, queues or share manually

    Any help please???

    This is affecting us a lot, as we were not ready for that feature to be turned on , and SF is not responding to us so far


    You've been INKED! (Something went wrong)
    We were unable to find a Skuid Page named Site_offers. The Page is either inaccessible or does not exist. If you believe you should be able to view this Skuid Page, ask your System Administrator to check the Sharing Model for the Page object to ensure that you have access to this Skuid Page.
  • Anna WiersemaAnna Wiersema Skuid Mod, Admin 🛠️ 
    edited February 20
    Hey Dave, sorry to hear that.
    • What version of Skuid are you using?  (See this announcement - Spring 20 also made changes that affect Skuid permission sets in versions before 12.2.9 and 11.2.28)
    • You said that the site Guest User has a license, will you double check that they are assigned the Skuid Page Viewer Permission set?

  • Tami LustTami Lust Member
    edited February 20
    @Dave you have two options 

    1. You can disable "Secure guest user record access" by
    • Navigate to--> Settings-->Sharing Setting
    • Ensure you don't have any Sharing Rules set up. 
    • Click [Edit] scroll all the way to the down. On the bottom left you should be able to uncheck "Secure guest user record access"
    2. Set up Sharing Rules for your Skuid pages that the guest user accesses.
    • Navigate to--> Settings-->Sharing Setting
    • Look for "Page Sharing Rules"
    • Click [New]
    • Fill in the Label & Rule Name
    • Select the radio button "Guest user access, based on"
    • In the Criteria section: Field: Page Name; Operator: equals; Value: "Enter the name of the Skuid Page you are sharing".
    • Click [Save]
    • You should be able to see/read the page.
    •  If you need to edit the page, you need to give "modify all" access to the guest user profile for the requested objects in the skuid page.
    Hope that helps!

  • DaveDave Member ✭✭
    edited February 20
    @tami

    Hey thank you very much, Salesforce finally reached out last night and told me exactly those steps for disabling the modify all, it was sharing rules the issue that was not letting me uncheck that setting!

    And thank you for Sharing rule of pages.

    You are very knowledgable and thank you for sharing that knowledge!

    I appreciate the help :)


  • Anna WiersemaAnna Wiersema Skuid Mod, Admin 🛠️ 
    edited June 26
    Checklist for using Skuid's file upload component in communities or sites where guest user secure record access is activated:
    1. Does your version of Skuid include updated version of the file upload component? To use the file upload component with guest user secure record access activated, you need to be on 11.2.30 or later or 12.2.14 or later.  Remember to always test new versions in a Sandbox environment before installing them in production; links available at skuid.com/releases.
    2. Does the guest user have access to the record they need? Use sharing rules to grant read-only access to the Salesforce object & record, e.g. share all records where Created By Id is the site guest user's Id.
    3. Does the guest user have access to Skuid? Make sure the the guest user profile has been assigned a Skuid license and the Skuid Page Viewer permission set.
    4. Make sure the site has access to the UploadImage Visualforce page. If you are using the skuid:page component in your Visualforce or Lightning page, you must include the UploadImage Visualforce page in the list of pages your site has access to.

  • Tami LustTami Lust Member
    edited February 25
    @dave happy to help! 
  • Tami LustTami Lust Member
    edited March 5
    @Dave not sure if you have this all figured out in your org but I am still a bit confused and SalesForce keeps giving me different answers every day whether this disable sharing rules and site guest users can still edit. With that said, I wanted to share  couple of links with you that SF shared with me and ask if you get any new info if you wouldn't mind sharing it.

    Secure Guest User Sharing Settings: https://help.salesforce.com/articleView?id=networks_secure_guest_user_sharing.htm&type=5

    Community Discussion: https://success.salesforce.com/_ui/core/chatter/groups/GroupProfilePage?g=0F93A0000004mDI

    Thanks!
  • DaveDave Member ✭✭
    edited March 5
    @tami I tried in sandbox with your suggestion of using modify all and it works fine.

    But I had a case open with salesforce and cannot get a clear answer whether we will be able to give modify all in summer 20... So far you are the only one I've heard this from and so far it works. 

    I've been watching the community thread you mentionned above and from I see there: Guest cannot be granted ‘View All Data’ or ‘Modify All Data’ access on objects” security policy will be enforced in Summer’20 release across Salesforce sites

    Salesforce has given our org until June 1st (or summer 20 release) to find a solution

    The other solution would be to do it with Apex Code, but my Dev is not sure on how to write this apex code, as it's skuid making the 'changes' to SF and skuid being a managed package cannot edit/view the classes he needs

    Overall we are all just as confused if not more lol

    This is possibly useful if we decide to go Apex Way: https://www.learncommunitycloud.com/s/news/guest-user-record-access-development-best-practices-20Y1U000000UkITUA0

    I will keep updating here as I get more info!



  • Tami LustTami Lust Member
    edited March 5
    @Dave thanks for making me feel like I am not going nuts with this. 

    Thanks for sharing that article, I have seen it before but we are not lightening enabled so it won't work for us.

    To add more complexity to this issue I talked to a SF Dev today that said that what we currently have in place for edit access won't work after summer release (as you know) but an Apex class/trigger won't give edit access to guest users after the summer release either.

    So my question was how do I give them edit access, she said you won't be able to after the summer release.

    I asked if we will be able to disable "Secure Guest Access" flag after Summer release so that our guest users can have edit access. Her reply was they don't know yet. 

    The plot thickens!
  • DaveDave Member ✭✭
    edited March 5
    @ tami

    We have not moved to lightning yet either, but from what I Understood from my Dev is that:

    Guest User will do the changes as usual on the public-facing skuid page, and then the apex will basically do the following: 

    1- 'Capture all the changes of that session'
    2- Open a session under a SF user for authentication
    3- this user will be the one 'Updating record' with all the changes guest user made

    Dev told me it should be straightforward if i was using a VF page let's say instead of Skuid

    The issue with Skuid, is that he does not know how Skuid captures and sends the changes to SF, and not sure how he would be able to do step 1. As skuid is a managed package he cannot dig deeper or change any skuid classes.

    @anna is there some documentation/ideas on how we would be able to do step 1? (capture all changes made on skuid page, and use apex to update record)

    Hopefully that helps, especially if Skuid can help us with that step 1






  • DaveDave Member ✭✭
    edited March 5
    @ tami

    We have not moved to lightning yet either, but from what I Understood from my Dev is that:

    Guest User will do the changes as usual on the public-facing skuid page, and then the apex will basically do the following: 

    1- 'Capture all the changes of that session'
    2- Open a session under a SF user for authentication
    3- this user will be the one 'Updating record' with all the changes guest user made

    Dev told me it should be straightforward if i was using a VF page let's say instead of Skuid

    The issue with Skuid, is that he does not know how Skuid captures and sends the changes to SF, and not sure how he would be able to do step 1. As skuid is a managed package he cannot dig deeper or change any skuid classes.

    @anna is there some documentation/ideas on how we would be able to do step 1? (capture all changes made on skuid page, and use apex to update record)

    Hopefully that helps, especially if Skuid can help us with that step 1






  • Anna WiersemaAnna Wiersema Skuid Mod, Admin 🛠️ 
    edited March 6
    Hi Dave, let me check with the team and get back to you.

  • Tami LustTami Lust Member
    edited March 23
    @Anna any update on Dave's request?
  • Brian LeeBrian Lee Skuid Mod ✭✭
    edited March 23
    Hello Tami and Dave! The team and I are currently looking into the matter and will update you with what we are able to find.
  • Tami LustTami Lust Member
    edited March 23
    Thank you!
  • BillBill Member ✭✭
    edited May 12
    HELP. HELP. HELP. Did not pay attention to this issue until today when my site  http://my.dorothy.com is receiving

    "You've been INKED! (Something went wrong)
    We were unable to find a Skuid Page named M1_Person. The Page is either inaccessible or does not exist. If you believe you should be able to view this Skuid Page, ask your System Administrator to check the Sharing Model for the Page object to ensure that you have access to this Skuid Page."

    Tried following the directions at https://help.salesforce.com/articleView?id=security_sharing_rules_create.htm&type=5

    When I try to follow their directions:

    1. From Setup, enter Sharing Settings in the Quick Find box.
    2. Select Sharing Settings

    “Sharing settings” does not exist.

    I went to renew my license this morning and happen to have a member call and say there was an issue.

    Ben Marshall sent the following

    Hi Bill,

    Happy to help, but I am just outside of my depth on the technical aspects. 

     You might be able to see if Tami or Dave can answer your questions if you reply to that community thread. It seems like Tami worked on this with SF directly. 

     Best of luck. 

    Ben

    I know it is Saturday, but can anyone help?

    Cheers,
    Bill
    727-400-3201

  • Tami LustTami Lust Member
    edited May 11
    Hey Bill,

    You have two options to get your external page working for your guest users. You either create a sharing rule for the Skuid page or disable "Secure guest user record access"


    To add Skuid page to sharing rules
    1. From Setup, enter "Sharing Settings" in the Quick Find box.
    2. Select Sharing Settings. (Navigate to Administer-->Security Controls--> Sharing Settings)
    3. Find the "Page Sharing Rules" section
    4. Click [New]
    5. Create a Label and Rule Name
    6. Rule Type: "Guest user access, based on criteria"
    7. Set up the criteria: Field: Page Name ; Operator: equals; Value "The name of the skuid page"
    8. Share with: "Guest User"




    To turn off "Secure guest user record access"


    1. From Setup, enter "Sharing Settings" in the Quick Find box.
    2. Select Sharing Settings. (Navigate to Administer-->Security Controls--> Sharing Settings)
    3. Remove all sharing rules that are set up for each object.
    4. Then Click "Edit" next to Organization-Wide Defaults
    5. Scroll all the way down to the bottom
    6. Uncheck "Secure guest user record access"



  • BillBill Member ✭✭
    edited March 29
    what are the "Pros" and "Cons" of either method 
  • Anna WiersemaAnna Wiersema Skuid Mod, Admin 🛠️ 
    edited April 9
    Hi all, just wanted to close the loop here — the Support team followed up with Dave via email.
  • edited May 8
    I had a similar issue as Bill Fox above. But not sure how or why a guest user is trying to access a skuid page. We do not allow any functionality to guest user. All they see is a login page. Any insights on why a skuid page would be exposed before logging in?
  • edited May 11
    I figured out the issue. Salesforce apparently is checking if the Community Home page is accessible by the guest user even before logging in. In our case the Home Page is a visualforce page calling a skuid page hence the access was needed.
  • Anna WiersemaAnna Wiersema Skuid Mod, Admin 🛠️ 
    edited May 11
    Glad you were able to figure it out, Jayesh! Thanks for sharing what you discovered here.
Sign In or Register to comment.