Maintain Your Sharing & Visibility Architect Certification for Winter ’23

Learning Objectives

After completing this unit, you’ll be able to:

  • Control access to external object records with restriction rules.
  • Control the default records your users see with scoping rules.
  • Remove guest user assignments from permission sets associated with permission set licenses with restricted object permissions.
  • Set organization-wide sharing for products.
  • Enable stronger protection for your users’ personal information.
Note

Important: In order to maintain your certification, you must complete all five units of this module.

Control Access to External Object Records with Restriction Rules

Restriction rules allow certain users to access only the records that are essential to their work. Set a restriction rule on external object records to apply this layer of security to data stored outside of your Salesforce org.

Where: Restriction rules are available in Lightning Experience in Enterprise, Performance, Unlimited, and Developer editions. External objects are available with Salesforce Connect and Files Connect.

How: To create and manage restriction rules for external object records, add a restriction rule from the External Data Sources page in Setup. Only external objects created using the Salesforce Connect: OData 2.0, OData 4.0, and Cross-Org adapters support restriction rules.

External objects don’t appear in Object Manager. To navigate to an external object, from Setup, in the Quick Find box, enter External Data Sources, and then select External Data Sources. Select an external object from the list view on this page. Or find external objects in the Most Recently Used list in Setup.

Admins are responsible for ensuring that rules they create on external objects don’t negatively impact performance in Salesforce or in the external system.

Billing Considerations

It’s important to note that editing or deleting a restriction rule on an external object causes an additional database call. This can result in additional billing when the external data source bills per call.

When search is enabled for external object records, searching requires additional database calls each time. Avoid additional charges by turning off search for external object records. As with all restriction rules, using only object fields that are indexed is recommended, especially in record criteria.

Control the Default Records Your Users See with Scoping Rules

Set the scope of records that your users see based on criteria that you select. Use a scoping rule to show your users only the records that are relevant to them. A scoping rule doesn’t restrict the record access that your users already have. They can still navigate to any record that they have access to per your org’s sharing settings.

Where: This change applies to Lightning Experience in Performance and Unlimited editions.

How: Scoping rules are available for custom objects and these standard objects.

  • Account
  • Case
  • Contact
  • Event
  • Lead
  • Opportunity
  • Task
Note

Scoping rules don’t support PersonAccount fields.

For information on enabling this feature, contact Salesforce Customer Support. To create a scoping rule, navigate to Object Manager in Setup. Select the object that you want to add a scoping rule for. Click Scoping Rules. You can also create and modify scoping rules using Tooling or Metadata API.

Remove Guest User Assignments from Permission Sets Associated with Permission Set Licenses with Restricted Object Permissions

To improve the security of your data, Salesforce is removing guest user assignments from permission sets and permission set groups associated with permission set licenses that contain View All, Modify All, edit, and delete standard object permissions. You can no longer assign guest users permission sets or permission set groups that are associated with permission set licenses containing the four restricted permissions. The only standard object permissions allowed for guest users are read and create.

While permission set license assignments aren’t automatically removed from guest users, we encourage you to remove them yourself as a security best practice.

For more information on permission sets vs permission set licenses, see What Are Permission Set Licenses? in Salesforce Help.

Where: This change applies to Aura, LWR, and Visualforce sites accessed through Lightning Experience and Salesforce Classic in Enterprise, Performance, Unlimited, and Developer editions.

When: Starting in Spring ’22, you can no longer assign guest users permission sets or permission set groups associated with permission set licenses that contain View All, Modify All, edit, and delete standard object permissions.

During the Winter ’23 release, Salesforce will enforce this update and remove the affected permission set and permission set group assignments from guest users. If you’re affected, Salesforce Customer Support will contact you directly about your process and timeframe for the update.

Why: This update protects the security of your data by preventing guest users from being granted object permissions not required for their business needs.

How: Customizations, such as workflows, that rely on guest users being granted these object permissions can be affected after this change. To prevent disruptions in functionality, we recommend that you review and remove overly permissive permission sets, permission set groups, and licenses from guest users before the Winter ’23 release. In the Summer ’22 release, some replacement permission set licenses that are intended for guest users and that contain only the allowed permissions became available.

To review this update, from Setup, in the Quick Find box, enter Release Updates, and then select Release Updates. For Remove Guest User Assignments from Permission Sets Associated with Permission Set Licenses with Restricted Object Permissions, follow the testing and activation steps.
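
The review recommended above can be scripted against an export of guest users' permission set assignments and the object permissions of those permission sets. The following is an added example, not Salesforce code; the row layout, IDs, and names are constructed assumptions, and it checks permission sets only, not permission set groups.

```python
# Added example: audit an export of guest-user permission set assignments.
# Row layout is an assumption modelled on PermissionSetAssignment and
# ObjectPermissions records; every ID and name below is constructed.

RESTRICTED = {  # the four permissions guest users may no longer hold
    "PermissionsEdit": "edit",
    "PermissionsDelete": "delete",
    "PermissionsViewAllRecords": "View All",
    "PermissionsModifyAllRecords": "Modify All",
}

ASSIGNMENTS = [  # LicenseId: permission set license ID, "" when there is none
    {"Assignee": "Site Guest A", "UserType": "Guest", "PermissionSetId": "PS1",
     "PermissionSet": "Portal_Read", "LicenseId": "PSL1"},
    {"Assignee": "Site Guest A", "UserType": "Guest", "PermissionSetId": "PS2",
     "PermissionSet": "Legacy_Support", "LicenseId": "PSL2"},
    {"Assignee": "Internal Agent", "UserType": "Standard", "PermissionSetId": "PS2",
     "PermissionSet": "Legacy_Support", "LicenseId": "PSL2"},
    {"Assignee": "Site Guest B", "UserType": "Guest", "PermissionSetId": "PS3",
     "PermissionSet": "Unlicensed_Set", "LicenseId": ""},
]
OBJECT_PERMISSIONS = [
    {"ParentId": "PS1", "SobjectType": "Account", "PermissionsRead": True},
    {"ParentId": "PS2", "SobjectType": "Case", "PermissionsRead": True,
     "PermissionsEdit": True, "PermissionsDelete": True},
    {"ParentId": "PS2", "SobjectType": "Survey__c", "PermissionsModifyAllRecords": True},
    {"ParentId": "PS3", "SobjectType": "Contact", "PermissionsViewAllRecords": True},
]

def find_restricted_guest_assignments(assignments, object_permissions):
    """Return (assignee, permission set, object, restricted perms) tuples."""
    by_parent = {}
    for row in object_permissions:
        by_parent.setdefault(row["ParentId"], []).append(row)
    findings = []
    for a in assignments:
        # In scope: guest users on permission sets tied to a permission set license.
        if a["UserType"] != "Guest" or not a["LicenseId"]:
            continue
        for perm in by_parent.get(a["PermissionSetId"], []):
            if perm["SobjectType"].endswith("__c"):
                continue  # the update covers standard object permissions only
            held = [label for field, label in RESTRICTED.items() if perm.get(field)]
            if held:
                findings.append((a["Assignee"], a["PermissionSet"], perm["SobjectType"], held))
    return findings

if __name__ == "__main__":
    for finding in find_restricted_guest_assignments(ASSIGNMENTS, OBJECT_PERMISSIONS):
        print(finding)
```

Each finding names a guest user assignment to remove or replace with a permission set that grants only read and create.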

Set Organization-Wide Sharing for Products

To better protect your Salesforce data, there are now org-wide sharing settings for product records.

Where: This change applies to Lightning Experience and Salesforce Classic in Essentials, Professional, Enterprise, Performance, Unlimited, and Developer editions.

When: This update is postponed to Winter ’23. To get the major release upgrade date for your instance, go to Trust Status, search for your instance, and click the maintenance tab. As of Winter ’23, in new orgs only, the update sets the org-wide sharing default for products to Private for external users. Sharing rules and manual sharing aren’t supported. This update was first made available in Winter ’22 and was scheduled to be enforced in Spring ’22, but we postponed the enforcement date to Winter ’23. The Spring ’22 enforcement date shown in the UI is incorrect.

Why: You can now control users’ access to product records, changing the default from Public Read/Write to a more restrictive setting if desired.

How: To review this update, from Setup, in the Quick Find box, enter Release Updates, and then select Release Updates. For Set Organization-Wide Sharing for Products, follow the testing and activation steps.

If you change the default settings, we recommend testing the changes in a sandbox before the enforcement date to ensure expected behavior.

  1. Review the sharing settings. From Setup, in the Quick Find box, enter Sharing Settings, and then select Sharing Settings. Review the org-wide defaults for Product. Decide whether to change the default sharing setting for your internal or external users.
  2. Test the settings with all customizations, such as flows, validation rules, and Apex triggers. Sharing settings other than Public Read/Write can interfere with customizations.
Note

When the org-wide sharing setting for products is Private, users can’t amend or renew certain records.

  • If the default is Private and you use the Large-Scale Amendment and Renewal service, users can’t amend or renew assets.
  • If the default is Private and you use the Legacy Amend/Renew service, users can’t amend or renew assets or subscriptions.

Enable Stronger Protection for Your Users’ Personal Information

Enable Enhanced Personal Information Management to prevent external users, such as portal or community users, from accessing other users’ personal information. This feature, which replaces the Hide Personal Information setting, secures more personally identifiable information (PII) user record fields. You can also decide which custom and standard user fields are considered PII.

Where: This change applies to Lightning Experience in Enterprise, Performance, Unlimited, and Developer editions.

When: Salesforce enforces this update in Winter ’23. To get the major release upgrade date for your instance, go to Trust Status, search for your instance, and click the maintenance tab. This update was first available in Spring ’22.

How: From Setup, in the Quick Find box, enter User Management Settings, and then select User Management Settings. If Hide Personal Information is enabled, deselect it. Enable Enhanced Personal Information Management.

To customize the user fields that are concealed, add them to a field set.

To review this update, from Setup, in the Quick Find box, enter Release Updates, and then select Release Updates. For Enable Stronger Protection for Your Users’ Personal Information, follow the testing and activation steps.

Note: When you enable Enhanced Personal Information Management, guest users lose access to their own PII fields. For example, guest users can’t see their own email information.
