Skip to main content

Set Your Org's External Org-Wide Defaults

Follow Along with Trail Together

Want to follow along with an expert as you work through this step? Take a look at this video, part of the Trail Together series.

(This clip starts at the 22:17 minute mark, in case you want to rewind and watch the beginning of the step again.)

External Org-Wide Defaults

External org-wide defaults give you full control over the baseline record access for site and portal users. This layer of protection ensures that you can define separate record access policies for internal users and external users.

Check out this video for a quick overview of external org-wide defaults and how they work with external users.

For example, you may have public read-only access on opportunities for all your internal users and set the external org-wide defaults to private so that partners do not see each others’ opportunities.

External Org-Wide Defaults Considerations

Here are some things you need to consider when using external org-wide defaults. External org-wide defaults affect all Experience Cloud and legacy portal licenses. Not all objects can have an external sharing model. Here are the ones that can.

  • Accounts and their associated contracts and assets
  • Assets
  • Cases
  • Contacts
  • Individuals
  • Opportunities
  • Orders
  • Custom Objects
  • Users

We highly recommend setting the default external access to private for all objects, and then opening up access using other means. Also, if you want to expose reports and dashboards on any objects to external users (such as a partner), you must set the external org-wide default to private.

Another thing to keep in mind is that the external org-wide default can’t be more permissive than the internal one. What does that mean? That if your internal Salesforce users have Public Read/Write access on cases, your external users can’t have Public Read/Write/Transfer access.


If the Secure guest user record access setting is enabled, guest users aren't considered external users. Guest users’ org-wide defaults are set to Private for all objects, and this access level can’t be changed. You can open up access to guest users with other sharing mechanisms, such as sharing rules.

Setting and Testing External Org-Wide Defaults

Since Ursa Major has decided to expand sales via partners, setting external org-wide defaults is a must.

Maria wants to restrict external access to opportunities, while allowing internal Ursa Major Salesforce users the flexibility to see any opportunity.

In order to meet that requirement, Maria changes the default internal and external access settings.

  1. From Setup, enter Sharing Settings in the Quick Find box, then select Sharing Settings.
  2. Click Edit in the Organization-Wide Defaults area.
  3. For the Opportunity and Account and Contract objects, set the Default Internal Access to Public Read Only and the Default External Access to Private. Click OK if you get any popups or warnings.
  4. Click Save.

Now, let’s see how this external org-wide default change affects what folks actually see in the Salesforce org and in the Ursa Major Partner portal.

Add Opportunities to the Navigation Menu

In order to see opportunities in the Ursa Major Partner portal, we first have to add the opportunity object to the portal’s navigation menu.

  1. From Setup, enter Digital Experiences in the Quick Find box, then select All Sites.
  2. Click Builder next to the Ursa Major portal.
  3. Click anywhere on the Navigation Menu bar (1) and then click the Edit Default Navigation button (2). Detail of the navigation menu
  4. Click Add Menu Item. Drag the new menu item so that it’s nested under Sales.
  5. Change the following properties:
    • Name: Opportunities
    • Type: Salesforce Object
    • Object Type: Opportunity
    • Default List View: All Opportunities

  1. Click Save Menu.
  2. Click Publish and then Got it.

Test Opportunity Visibility in the Ursa Major Partner Portal

Log in to the Ursa Major Partner Portal as your system administrator. The easiest way to do this is from Salesforce Setup > Digital Experiences > All Sites>[site URL] . Navigate to the Opportunities menu item we just added.

Look at all the opportunities you can see!

Log in to the portal as Josh Davis. You can either use the credentials sent to you when you set up Josh as a site user, or use the Log in to Experience as User option on his contact record.

Navigate to the same Opportunities menu item, and select the All Opportunities list view. You shouldn’t be able to see any opportunities.

Good job! Give yourself a pat on the back, because you’ve passed your first test as a portal security guru.

Keep learning for
Sign up for an account to continue.
What’s in it for you?
  • Get personalized recommendations for your career goals
  • Practice your skills with hands-on challenges and quizzes
  • Track and share your progress with employers
  • Connect to mentorship and career opportunities