Skuid and the Salesforce Guest User

As of the Winter 2021 release, Salesforce changed the default security permissions for the guest user profile. The guest user profile controls how unauthenticated users interact with public-facing communities, portals, and sites. This default security configuration is as restrictive as possible within Salesforce’s security model.

For guest users, the following security defaults apply:

  • Access to all objects is set to Private.
  • Manual sharing or Apex managed sharing of records is no longer permitted.
  • Guest users cannot be granted permission sets with edit or delete permissions

However it is still possible allow guest users to view Skuid pages and Salesforce object records. To do so, complete the following steps:

  • Create guest user sharing rules for relevant Skuid pages and any Salesforce objects used on those pages
  • If needed, create any necessary permission sets to grant access to objects used in the Skuid page
  • Assign the guest user any necessary permission sets and a Skuid license

Why can’t guest users see my Skuid page?

Guest user access to all objects is set to private. This means that Skuid pages, which are saved as records in a custom object, cannot be viewed by a guest user with the default security settings. This also affects Salesforce data visibility in Skuid pages, as Skuid models connect to objects that are now set to Private for guest users.

Salesforce’s guest user sharing rules provide a solution for unauthenticated users.

For more information, see Salesforce’s Guest User Security Policy topic

For more information about guest user sharing settings and record access, see Salesforce’s documentation on the topic.

Creating guest user sharing rules for Skuid

To enable guest users to view Skuid page, sharing rules must be created for Skuid pages and any objects used in those pages.

Note

In this example we’ll use the Page Name field to create a sharing rule. But page names are only unique per module.

If you have different pages with the same name in separate modules, all them of will be shared unless you also specify the Module in the sharing rule criteria below.

To create a sharing rule for a Skuid pages in Salesforce Setup:

  1. Type Sharing Settings in the Quick Find box and select Sharing Settings.

  2. Select Page in the picklist labeled Manage sharing settings for.

    • Or, scroll down the All objects page until you locate Page.
  3. In the Sharing Rules section for the Page object, click New.

  4. Enter basic information for the rule:
    • Label and Rule Name: A descriptive name for the rule, such as Guest user Skuid page access. The rule name should autopopulate based on your label.
    • Rule type: Guest user access, based on criteria
  5. Specify the criteria:

    • Field: Page Name
    • Operator: equals
    • Value: The exact name of the Skuid page

    Note

    • Optionally, change the filter logic to allow for one sharing rule to allow access to multiple pages. To do so, click Add Filter Logic and change the relationship between the filters to OR, e.g. 1 OR 2 OR 3
    • Consider specifying the page’s module if you have multiple pages with the same name across different modules.
  6. In the Share with field, select the guest user to share the page record with.

  7. Verify that the level of access is set to Read Only.

  8. Click Save.

Repeat these steps for any objects used in your Skuid pages. While Skuid pages matching your sharing rule are now visible, the guest user must still have access to other objects used in the pages.

Sharing rules, modules, and a ton of Skuid pages

What if you have a lot of Skuid pages and you don’t want to create multiple sharing rules or use filter logic to string together a long sequence of OR statements?

Consider grouping pages using a module and applying the sharing rule to that module, instead of individual pages.

Follow the steps in the previous section and replace the Page Name field with Module. Enter or select the name of the module in Value. Now, the sharing rule will apply to all pages within the module.

image0

Creating permission sets for public access

While Skuid pages are now accessible and sharing rules are set for objects, the guest user still requires a permission set for object access. Grant object read access based on the data available in your Skuid page.

For detailed instructions on creating permission sets, refer to Salesforce’s documentation on the topic.

Updating the guest user

With sharing rules set and any necessary permission sets configured, the guest user must be assigned those permission sets and a Skuid license.

Site guest user record settings are updated differently than other Salesforce user types. They are not accessible from the Users menu in Salesforce Setup, but instead are found by navigating the public access settings of your site. Once you’ve found your site’s user record, you can grant the guest user permission sets and a Skuid license.

To navigate to the guest user record:

  1. Navigate to User Interface > Sites and Domains > Sites.
  2. Click the label of the site.
  3. Click Public Access Settings. The profile of the guest user appears.
  4. Click View users.
  5. Click the full name of the guest user, which looks similair to Site Guest User, <Name of site>. The guest user record page appears.

From here you can assign permission sets and a Skuid license. To assign permissions sets:

  1. In the Permission Set Assignments section, click Edit Assignments.
  2. Click the label of the permission set created earlier that grants object access.
  3. Click Add.
  4. Click Save.

To assign a Skuid license:

  1. In the Managed Packages section, click Assign Licenses.
  2. Click the checkbox on the Skuid package’s row.
  3. Click Add.

Allowing guest users to edit records

While the above instructions illustrate how to create a read-only guest user Skuid implementation, it is possible to allow guest users to edit Salesforce object records. Doing so requires use of Apex, flows, and Salesforce-specific implementation details that are outside the scope of Skuid documentation.

If your implementation requires the guest user make record updates, consult Salesforce’s Guest User Record Access Development Best Practices

Also consider alternative strategies, like purchasing Salesforce authenticated user licenses.

Troubleshooting

Skuid License errors

The following errors can occur when the guest user has not been assigned a Skuid license:

  • You are attempting to access a Skuid page, but you are not licensed to use Skuid. Please contact your Salesforce administrator.

  • Page Not Found: /001/

    Skuid license, and Skuid attempted to redirect the user to an object’s list page—resulting in an erroneous redirect for the public site.

To resolve this error, ensure that the site guest user has been assigned a Skuid license.

I see no records on my Skuid page

If no records appear on the Skuid page, the guest user may not have access to the object(s) used within the Skuid page. Ensure that a guest user access sharing rule has been set and that the guest user has been assigned a permission set granting object access.