Security Audit of public access data and pages for Salesforce Commmunities / Portal users and Site Guest users.

3:26 PM

Reviewing the data and pages you expose for external access ( Community users and Site Guest User) is an essential and critical piece to maintaining a healthy Salesforce instance. Here are a few suggestions that might help you get started.

Start with the Portal Health Check


Setup -> Security -> Health Check




Review the External Object Access 

While under the health check window. Scroll down to locate the number of objects that are exposed to external users.

 
This particular screen denotes that 85 objects have a default sharing model of either Public Read/Write or Public Read Only. This means that if the Community profile has 'Read', 'Edit' Access to the object  they get to read / edit all records of that object.

Keep in mind that any newly created custom object has a OWD of 'Public Read/Write' by default. As part of the deployment always ensure the OWD is always set appropriately.

 Fixing External Object Access

Setup -> Security -> Sharing Settings

Enable 'External Sharing Model' if not enabled already
 


Modify the External Sharing and set it preferably to 'Private'. It is always best to keep the OWD as 'Private' for external access. Create object specific sharing rules, or set 'Read All' / 'Edit All' on the profile level if you need to share with External users. 

 

 What about publicly available pages? or Data available for not-logged-in users.

Community pages that are marked as 'Public' are accessible without a login. The default is login required. Find out the pages in your community that are marked as publicly available as below.

 

  What data is exposed to a not logged-in user?


Data access for publicly visible pages is controlled using the Site Guest User profile. Access this profile in the following ways

Setup -> Sites -> Site corresponding with Community -> Public Access Settings

Setup -> All Communities -> Your Community -> Workspace -> Administration -> Pages -> go to Force.com -> Public Access Settings

Control object and data level access using this profile. 

 

Note: You could click on 'Assigned Users' to set the timezone, locale and other settings for the default user.

0 comments