Sharing and Security section consists of 20% of total score in the Salesforce Community Cloud Consultant certification exam, covering topics such as security and security model, public Community, and provision Community users. Without further ado, lets get started!

NOTE: This post is written in June 2020 and content might be changed/updated overtime. The content is inspired by

Guideline for Sharing and Security

  • Determine security requirements given a scenario that includes collaboration, business process, and/or document requirements.
  • Determine the appropriate security model for a given use case (for example, - --- Sharing & Users, Person Accounts, Profiles, Objects).
  • Determine the steps to build a public Community.
  • Given a scenario, determine the steps to provision Community users.

Security Requirements and Security Model

  • Community Settings:
    • Number of customer roles: 3 (default is 1)
      • NOTE: if there is customer activated before, the available roles will still the previous settings.
        • Example: if the role is set to 1, the customer role is Customer User. If the role is changed to 2, the existing customer will not see the Customer Manager in roles. Likewise for Customer Executive if the role is changed to 3.
    • Number of partner roles: 3 (default is 1)
    • NOTE: once a customer user license is set, it cannot be downgrade.
      • Example: if a customer user license is Customer Community Plus before, it cannot be set as Customer Community.
    • Partner Super User Access can be enabled to allow partner grant access to data owned by other users on the same partner account.
      • NOTE: it can only be used with Partner Community or Customer Community Plus license.
    • Report options for external users can be enabled.
  • Sharing Rules can be set to share with Portal Roles or Portal Roles and Subordinates:
  • Sharing Rules can also be set to share with Public Groups: All Customer Portal Users, All Partner users, or All Internal Users
  • Sharing Rules cannot be used with Customer Community license.
  • Customer Community User Profile:
    • Object Settings
      • View All, Modify All and Delete permission are unavailable on most of the standard objects.
    • System Permissions:
    • App Permissions
  • Customer Community Plus User Profile:
    • App Permissions
  • Partner Community User Profile:
    • App Permissions
  • Security settings in Community Site:
    • Clickjack Protection Level
      Enable Browser Cross Site Scription Protection
  • Security settings in Experience Builder:
    • Clickjack Protection
    • Content Security Policy (CSP)
  • Sharing Settings:
    • User Visibility Settings:
      • Portal User Visibility - portal users in the same customer or partner portal account can see each other, regardless of OWD. If Community User Visibility is also selected, users from same community can see each other as well.
      • Community User Visibility - community users in the same community can see each other, regardless of OWD. If Portal User Visibility is also selected, portal users can see other portal users from the same account as well.
    • Other Settings:
      • Standard Report Visibility - users can view report based on standard report types that may expose data of users to whom they don't have access, regardless of OWD
      • Manual User Record Sharing - users can share their own user record
      • Manager Groups - users can share records with their managers and manager subordinates groups
      • Use person role for first user in community account - assign person roles to new community users in accounts without existing users. This setting also applies to High Volume Customer Portal users who upgrade to Customer Community Plus or Partner Community licenses. If this setting is disabled, portal roles are created for new users.
      • Grant community users access to related cases - users with Customer Community Plus licenses can view and edit cases in which they are listed as the contact.
      • Secure guest user record access - secure the access that guest users have to your org's data. Guest users' org-wide defaults are set to Private for all objects, and this access level can't be changed. You can create guest user sharing rules, but you can't add guest users to groups or queues or manually share records with them.
        • NOTE: when this option is set, you can use Guest user access, based on criteria:
          • NOTE: all records matching these criteria will be shared with anyone since this sharing rules grant access to guest users without login credentials.
  • Separate roles are created for each account once the community user is activated for the account.
  • Account Role Optimization will be required when there is too many roles in community.
    • Use person role for first user in community account can be enabled
    • Applies on Customer Community Plus and Partner Community licenses.
  • 'Marketing User' permission will be required to read, create and edit campaigns for Partner Community users.
  • Salesforce Knowledge and Chatter are available for all external users.
  • Salesforce App can be accessed by all external users.
  • Sharing Set can be used to grant access records to Customer Community, Customer Community Plus and Partner Community license users.
    • NOTE: only one sharing set can be used for one object on one profile.
    • NOTE: sharing sets can be for some standard objects and custom objects.
  • Share Group can be used to share records owned by Customer Community license users with internal and external users in the community.
    • Share Group Members can be:
      • Customer Portal Users
      • Partner Users
      • Portal Roles
      • Portal Roles and Subordinates
      • Public Groups
      • Roles
      • Roles and Internal Subordinates
      • Roles, Internal and Portal Subordinates
      • Territories
      • Territories and Subordinates
      • Users
    • NOTE: Share Group needs to be activated to grant access.
  • Account Relationship Data Sharing Rule
    • Account Relationship Data Sharing Rule can be used to control which records an account is sharing with another account, and the level of access granted.
    • Account Relationship Data Sharing Rule is associated to an account relationship by the account relationship type field value.
    • Account Relationship Data Sharing Rules allow records to be shared to multiple accounts.
    • Account Relationship Data Sharing Rule can be set up in Setup > Account Relationship Data Sharing Rule:
    • Create new Account Relationship Data Sharing Rule:
      • Rule Details - the criteria used to determine which object records are shared and what level of access an account has
      • Account Relationship Type - describe the relationship between the accounts that are sharing information. This is the same type used to associate this sharing rule with the account relationship.
      • Access Level - the level of access that an account has to the shared object records
      • Object Type - the object that is shared when an account relationship is created
      • Account To Criteria Field - the field that determines how object records are shared. Only User and Account Lookup fields can be used.
      • Advanced Formula - add formula to the sharing rule to further refine how records are shared
    • Account Relationships need to be enabled in Setup > Communities Settings:
    • Account Relationships From and To on Account record page:
    • Account Relationship needs to be created in a Partner account record:
  • Super User Access can be used with Partner Community or Customer Community Plus users to grant access to external users' data and records.
  • Data owned by other partner users who have the same role or a role below them can be shared.
  • NOTE: Super User Access only applies to Case, Lead, Opportunity and custom objects.
  • In order to grant Super User Access to partner users, Partner Super User Access needs to be enabled in Setup > Communities Settings.
  • Portal Super User permission can be enabled for Customer Community Plus user to grant Super User Access.

Public Community

  • Public Community will allow guest users to access a community without logging in or registration.
  • Guest User Profile is automatically created when a new community is created.
  • Guest User Profile can be accessed in Experience Builder > Settings > General:
  • Preview as Authenticated User or Guest User:
  • Guest users must have access to Chatter before accessing to public community.
  • Public Access can be set in Experience Builder > Settings > General to allow guest users to access a community without logging in.
  • Page-level access can be set in Experience Builder > Page Properties:
    • Community Default Setting: Public
    • Public
    • Requires Login
  • 'Allow site guest users to upload files' can be set to allow guest users to upload files in Community in Setup > Salesforce Files Settings:
  • Guest users can view asset files and CMS content and other members of the community by setting them in Experience Workspace > Administration > Preferences:
  • Guest users are always active and you basically don't want guest users to own records in your org, hence setting a default owner for guest user-created records is necessary.
  • Some pages in community is always public:
    • Login Page
    • Register Page
    • Forgot Password Page
    • Login Error Page
    • Check Password Page
  • Some pages in community is always private:
    • Message Page (direct message)
  • Page variation can be set

Provisioning Community Users

  • Members can be provisioned in Experience Workspace > Adminstration > Members:
    • All Profile
    • Customer Profile
    • Internal Profile
    • Partner Profile
  • A contact must be associated with account in order to enable Customer User or Partner User.
  • Once the user is enabled, the user will be receiving a welcome email with their username and password.
  • Community Members Related List can be added on the Account Record Page:
  • However, the Community Members Related List can only have Add Member button on community page:
  • Add Member button can be used to create a member associated with the account:
  • The admin can Deactivate, Edit Member, Reset Password and Manage Permission Sets:
  • External users can self-register by checking Allow external users to self-register in Experience Workspace > Administration > Login & Registration:
    • NOTE: a default Profile and Account must be set to all users who self-register.
    • However, self registration process can be further customized in Apex using CommunitiesSelfRegController.
    • Salesforce will automatically create the user contact record and associate with designated account.
  • Manage External Users permission can be used to provision users on Account for Salesforce license.
  • Delegated External Users permission can be used to provision usesr on Account for Customer Communities Plus, Partner Community, Customer Portal Manager and Partner Portal licenses.
  • Data Loader can be used to provision multiple users with the following field on User:
    RoleId (optional, otherwise default to user role)
    ContactId (use the contact id of previously created contact)

That's all for this post. Thanks for reading!

Post was published on , last updated on .

Like the content? Support the author by!