Salesforce Winter 2020 introduced several security alerts, which add default security to the records that power a storefront and therefore restrict what guest users can access on the storefront.
An optional sharing setting, Secure guest user record access, is available that affects guest user access in the following ways:
Changes the organization-wide default (OWD) external access settings to apply only to community users. By default, guest users have no access to any records used for the storefront.
Adds a sharing rule type, Guest user access, based on criteria, which can grant only Read access to records, based on criteria you specify.
Restricts guest users from being included in public groups.
Restricts records from being manually shared with a guest user.
An optional Communities setting, Reassign new records created by guest users to the default owner, is available that restricts a guest user from owning any Object records, such as Apttus_Config2__ProductConfiguration__c. This means that, after enabling the setting, a guest user can only view or add to a cart created before the setting was enabled, and cannot create a cart.
An optional Communities setting, Let guest users see other members of this community, is available that is disabled by default. This setting does not affect any storefront functionality.
The View All Users permission is disabled by default for any new org.
To resolve this, security alerts are mandatory since February 2020. The security alerts are opt-in until that date.
Guest User Access
If you allow guest users to perform any of the following tasks, we recommend that you install the appropriate patch for your version of Digital Commerce and immediately complete the following required workaround steps to maintain guest user access on your storefront.
Browse your storefront
Add products to a cart
The solution for all versions of Digital Commerce involves creating a dedicated licensed user to act on behalf of the guest users for a storefront. The standard Community guest user can still be used, however, those users cannot perform the actions mentioned above.
In newly spun orgs, due to Salesforce upgrade, site guest users do not have access to some user fields like Alias. This is fixed by using userType on a user record to generate a token. For new orgs, you must add the following permissions on the storefront object to site guest user at profile level (E-Commerce Profile).
Object level access : Read
Read access on the following fields:
- Cache Size
- Enable API Filters
- Guest Username
- Guest Password2
To maintain guest user access on your storefront
Click All tabs and click Storefronts.
In the Storefront record, enter the Guest Username and Guest Password for the guest user account. These fields are used for all guest users.
- Assign the Digital Commerce permission set to the user you created in Step 2. This grants access to the various objects and fields necessary to perform the actions within the storefront.
- Add a remote site setting with your community URL as the approved domain.
- Create storefront sharing rules to allow the guest user to read the username and password from the storefront object for the guest user.
Create all the above-mentioned sharing rules for both Digital Commerce and Partner Commerce storefronts.