Instructions for Salesforce Spring '21 Security Enforcement

This post contains all of the important information and instructions you need to know for the Salesforce Spring ‘21 release.

What's Changing?

Salesforce has been rolling out restrictions on Site Guest Users since its Winter '20 and Winter '21 releases. Both Salesforce and Enrollment Rx have repeatedly communicated about these. The information in this article affects FormBuilder Rx and Events Rx Sites and their pages.

Starting in Salesforce’s Spring ‘21 release, these restrictions will be strictly enforced and you will no longer be able to give any Site Guest User Edit/Delete/View All and Modify All permissions on any object; only Read and Create permissions will be available through Salesforce.

In preparation for this eventuality, ERx introduced (in our Winter ‘19 releases) functionality called “Allow Object Access” that restores these Edit/Delete/View All and Modify All permissions, provided these actions are performed through our products. Thus, any site built with Enrollment Rx’s products can be configured to continue to Edit/Delete records in unauthenticated Sites.

Although you have already taken steps to conform to the restrictions in earlier releases, the restrictions were not strictly enforced, so you may have missed or overlooked some configurations that will be required to keep your sites working in Spring ‘21. In addition, there are two new configuration steps for “Allow Object Access” that you must take (see “What You Must Do”, below).

What Sites Are Affected?

FormBuilder Rx and Events Rx unauthenticated Sites pages are affected. Examples of such sites are FormBuilder portal registration and login pages, FormBuilder Rx Request for Information pages and Recommendation submission pages, and other FormBuilder forms that don’t require login. Events Rx events registration pages are also affected.

Each site has its own site guest user; whenever anyone accesses an unauthenticated site page, they are doing so as the site guest user. This document is about configuring Site Guest Users.

What You Must Do

Enrollment Rx complies with Salesforce’s security requirements. As a result, after the Salesforce Spring ‘21 release is installed, site pages will not work unless you have given site guest users Object Permissions (Read, Create) and Field Permissions (Read, Edit) via their Profile (or a Permission Set), and record-level access via Guest User Sharing Rules, to any objects/fields referenced by a FormBuilder Rx or Events Rx Site page.

Only once these are in place can you use Enrollment Rx “Allow Object Access” functionality to give Edit/Delete/View All/Modify All capabilities to your unauthenticated sites.

A new requirement for Spring ‘21 is that you must use “Allow Object Access” to give “Read” permission (which actually means “View All” in Allow Object Access) on several objects that are both Created and Updated (edited) in a single transaction by ERX Core, since Sharing Rules do not operate quickly enough after the Create operation to share the new records in time for the Update operation. These objects are Contact and Application (EnrollmentrxRx__Enrollment_Opportunity__c).

Another new requirement for Spring ‘21 is that, if your applicant portal has custom fields on its registration page, these fields must be entered into Allow Object Access.

This document explains how to do all of the above.

Permissions Removed from Site Guest Users in the Salesforce Spring '21 Release

Here is an image of the profile of a site guest user before and after Spring '21. Note that after Spring '21 the only options for custom objects are Read and Create.

Before Spring '21

After Spring '21 is enabled

Permissions Restored by ERX "Allow Object Access" custom setting:

Salesforce Site Guest User Profile permissions removed by Salesforce in Spring ‘21 | ERX “Allow Object Access” custom setting values that can restore access (for ERX products) removed by Salesforce
Edit | Update*
Delete | Delete
View All | Read
Modify All | Update
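
The following is an added example, not Enrollment Rx or Salesforce code. It applies the mapping in the table above to a constructed export of a Site Guest User profile's object permissions (field names follow the Salesforce ObjectPermissions object) and reports which permissions must leave the profile and which Allow Object Access lists need the object instead.

```python
# Added example. SAMPLE_ROWS is constructed data shaped like rows from the
# Salesforce ObjectPermissions object for one Site Guest User profile, e.g.
#   SELECT SobjectType, PermissionsRead, PermissionsCreate, PermissionsEdit,
#          PermissionsDelete, PermissionsViewAllRecords,
#          PermissionsModifyAllRecords
#   FROM ObjectPermissions WHERE Parent.ProfileId = '<guest profile Id>'

# Profile permission removed in Spring '21 -> Allow Object Access list that
# restores it for ERX products (the mapping given in the table above).
RESTORED_BY = {
    "PermissionsEdit": "Update",
    "PermissionsDelete": "Delete",
    "PermissionsViewAllRecords": "Read",
    "PermissionsModifyAllRecords": "Update",
}


def row(sobject, **granted):
    """Build one constructed permissions row; Read and Create stay allowed."""
    base = {"SobjectType": sobject,
            "PermissionsRead": True, "PermissionsCreate": True}
    base.update({"Permissions" + name: flag for name, flag in granted.items()})
    return base


SAMPLE_ROWS = [  # constructed sample, not from a real org
    row("Contact", Edit=True),
    row("EnrollmentrxRx__Enrollment_Opportunity__c",
        Edit=True, ViewAllRecords=True),
    row("EnrollmentrxRx__Recommendation__c", Edit=True, Delete=True),
    row("Campaign"),
]


def plan_migration(rows):
    """Return (revoke, restore).

    revoke  : (object, permission) pairs that can no longer sit on the profile
    restore : Allow Object Access list name -> comma-separated object names
    """
    revoke = []
    restore = {"Read": [], "Update": [], "Delete": []}
    for r in rows:
        obj = r["SobjectType"]
        for perm, setting in RESTORED_BY.items():
            if r.get(perm):
                revoke.append((obj, perm))
                if obj not in restore[setting]:
                    restore[setting].append(obj)
    return revoke, {name: ",".join(objs) for name, objs in restore.items()}


if __name__ == "__main__":
    revoke, restore = plan_migration(SAMPLE_ROWS)
    for obj, perm in revoke:
        print("remove from guest profile:", obj, perm)
    for name, value in restore.items():
        print("Allow Object Access", name, "=", value)
```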

Salesforce Spring '21 Release Dates

The release date for Spring ’21 will depend on your instance of Salesforce, but the main dates are January 16 and February 6, 12, and 13. If you already know the instance your production org is located on, you can head over to Salesforce Trust, click on your instance name and click “Maintenances.” This will show you the date of the Salesforce Spring ’21 release hitting your org.

ERX Features Affected

Features that run as the site guest user will be affected, and admins need to take the steps described in this document to avoid any disruption. The features are:

  1. Applicant Portal Registration
  2. RFI site form
  3. Recommendation site form
  4. Events Site Calendar and Registration Form
  5. Any other site form that might be used with FormBuilder

Solution

  1. The customer needs to be on the Summer '19, Summer '20, or Winter '21 release of ERX Core, FormBuilder Rx and Events Rx. Clients can be on 2.4.9, our old version of Core.
  2. An admin needs to take the steps below to review all sites and configurations. We have also included an appendix of some common example sites for your reference.

Action Steps You Need to Take

Attention

Please be sure to review all Action Steps below. We provide some example site configurations and the needed settings for Spring '21 in the Appendix.

Steps

  1. Identify a sandbox to test these changes. Your current sandbox may have been upgraded to Spring ’21; otherwise you can manually remove Edit, Delete, View All and Modify All from all Site Guest User profiles, including your applicant portal Site Guest User profile (for portal registration). To find out if your sandbox was upgraded, you can read here.

    Tip

    If you log in to your sandbox and see a bear in the Lightning interface with a heart and Spring ’21 between page loads, that confirms you are on Spring ’21. (Note: if you refresh your sandbox while it is on Spring ’21, the refreshed copy will be on Winter ’21 and cannot be on Spring ’21 until after production is upgraded by Salesforce.)

  2. In your sandbox, update/create the custom setting for Allow Object Access for ERX Core. Note you will need to be on a 2019 version or later. If you are on Core version 2.4.9, this step is not needed. Visit the ERX Core guide for more details. (Make sure to follow the instructions to add any object that will have an attachment to the Bypass Update. For example, if you had an attachment on the Recommendation Form, you would need to add that object to the Bypass Update.)

  3. Evaluate (and possibly update) your custom setting “Allow Object Access” (namespace “Erx_Forms”), to take the place of the “view all” permission that site guest users are losing from their profiles. Here are the specific updates you need to make (a video tutorial is also available below):

    • Go to Setup > Custom Settings and click “Manage” beside “Allow Object Access” (there are two of these; choose the one with Namespace Prefix “Erx_Forms”). Click the “Edit” link beside the name of your Community Guest User profile, as shown here. If there is no entry for your Community Guest User profile, then click the “New” button to create one.

    Allow Object Access - Manage

    • Once there, update the Bypass Read field to include Contact,EnrollmentrxRx__Enrollment_Opportunity__c. Please see the example below:

    Bypass Read field

  4. In your sandbox, review the Site Guest User Profile setting for each site following these steps:

    • Each Site Guest User Profile needs to be updated after the upgrade to include only “Read” and “Create” object-level permissions on every object its pages reference (and ONLY those permissions, because Edit, Delete, View All and Modify All are scheduled to be removed completely from guest user profiles in the Spring ’21 release), as well as Field Level Security (FLS) Read/Edit for all the fields used on those objects. For example, for a recommendation form, the profile would need Allow Object Access Read and Create access on the Application and Recommendation objects, as well as both Read and Edit Field Level Security access for all fields being used. To ensure you have properly configured your sites, please follow the instructions here.

    • Check the Site Guest User Profile for any communities, such as the applicant portal, to ensure it also has the correct permissions at the profile level. The applicant portal is an example of a community. Note, on Salesforce Spring ’21 Communities will be titled Experience Cloud: http://help.enrollmentrx.com/formbuilderrx/Communities/community_site_guest_user_permissions.html.

    • Finally, follow the instructions in the link below to make sure that, for any FormBuilder form button that updates a field (on a Site; not a Community), that field is included in the custom setting. A common example is a Recommendation form whose submit button has a field update action that sets the document status to received. As noted in the link, that field would need to be added to the custom setting. http://help.enrollmentrx.com/formbuilderrx/Sites/configure_custom_setting_allow_object_access.html

  5. Check your portal registration forms to identify if you are using custom fields in the portal registration such as program or term. If this is the case, please follow these steps (you can also click here to jump to a video tutorial in the Appendix):

    • Navigate to Formbuilder Rx, click on the version of the applicant portal, and click Login Configuration to identify if you are using any custom fields, as shown here:

    Login configuration - custom fields

    • If you are including any custom fields (active or inactive), navigate to Setup > Search Custom Settings > Allow Object Access Erx Forms > View and find the Portal Site User profile or create a new one.

    If you are using custom fields

    Then populate the custom settings to allow access to those fields and objects as shown below:

    Populate custom settings

    If you have more than one custom field on the portal registration, please make sure to add each one to the field list, separating the values with commas as in the picture.

    As an example, if Term (Academic_Term__c) was added it could look like:

    [EnrollmentrxRx__Enrollment_Opportunity__c-Academic_Program_of_Interest__c,Portal_Registration_Program_of_Interest__c,Academic_Term__c]

    If you have two objects on the registration page, such as the contact and the application, you can update the custom setting as shown below (note that the text in field list 1 has both objects and their fields in brackets):

    Two objects on registration page

  6. Review the sharing rules for each Site Guest User Profile as outlined below.

    • Applicant Portal and Site Forms: Go to Setup→Sharing Settings and scroll down to the Sharing Rules for each of these objects and create a new rule of type “Guest user access based on criteria” as shown here:

      • Application Criteria: Application ID not equal to null, like this:

      Two objects on registration page

      • Lead Criteria: Lead Owner ID not equal to null

      • Contact (if Contact is not set to “Controlled by Parent”, i.e. controlled by Account) Criteria: Contact Owner ID not equal to null

      • Account (if Contact is set to “Controlled by Parent”) Criteria: Account Owner ID not equal to null

      • Env Criteria: Env Name not equal to null

      • Portal Package Logger Criteria: Portal Package Logger Name not equal to null

      • SiteLoginTemplate Criteria: SiteLoginTemplate Name not equal to null

      • Package Configuration Criteria: Package Configuration Name not equal to null

    If your site page is triggering a Touch Point you additionally need:

    • Touch Point Configuration, Criteria: Owner ID not equal to null
    • Touch Point, Criteria: Owner ID not equal to null
    • Touch Point Configuration Set, Criteria: Owner Id not equal to null

    If your site page is leveraging Assignment Manager for assignment rules:

    • Assignment Queue, Criteria: Owner id not equal to null
    • Assignment Rule, Criteria: Owner id not equal to null

    For Events Rx: Create Sharing Rules for the objects that the Event Listing Site Guest User must be able to read. Go to Setup→Sharing Settings and create rules (see screenshot, above) for the EventListing Site Guest User for these objects:

    • Campaign Criteria: Campaign Record Type equal to Campus Campaign

    • Activity Series Criteria: Activity Series name not equal to null

    • Activity Slot Criteria: Activity Slot No. not equal to null

    • Exception Criteria: Exception Name not equal to null

    • Visit Criteria: Visit No. not equal to null

    • Visit Series Criteria: Visit Series No. not equal to null

    • Contact Criteria: LastName not equal to null

    • Lead Criteria: LastName not equal to null

    • ERx Event Parent Section Criteria: ERx Event Parent Section Name not equal to null

    • ERx Event Registration Custom Field Criteria: Owner ID not equal to null

    • Event Registration Section Criteria: Event Registration Section Name not equal to null

    • Table Configuration Criteria: Owner ID not equal to null

    • Package Configuration Criteria: Package Configuration Name not equal to null

    If your site page is triggering a Touch Point you additionally need:

    • Touch Point Configuration, Criteria: Owner ID not equal to null
    • Touch Point, Criteria: Owner ID not equal to null
    • Touch Point Configuration Set, Criteria: Owner Id not equal to null

    If your site page is leveraging Assignment Manager for assignment rules:

    • Assignment Queue, Criteria: Owner id not equal to null
    • Assignment Rule, Criteria: Owner id not equal to null
  7. After reviewing each of the steps outlined above, test all site forms and applicant portal registration in your sandbox. If your testing is unsuccessful and you followed the documentation, please open a support ticket with Enrollment Rx with the specifics.

  8. Once all testing is successful in your sandbox, make those same updates in your production environment: sharing rules, the Allow Object Access custom setting, and site guest user profiles, including Object Permissions and Field Level Security.
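
The following is an added example, not Enrollment Rx code, for checking the two new Spring ’21 requirements from steps 3 and 5 before testing: that Bypass Read lists Contact and EnrollmentrxRx__Enrollment_Opportunity__c, and that the field list covers every custom field on the portal registration page. It assumes the values are pasted in as strings, that names compare case-insensitively, and that a two-object field list is written as consecutive bracket groups (the page shows that form only in a screenshot).

```python
import re

# Objects that step 3 says must appear in Bypass Read for Spring '21.
REQUIRED_BYPASS_READ = ["Contact", "EnrollmentrxRx__Enrollment_Opportunity__c"]

# One "[Object-Field1,Field2]" group, the format shown in step 5.
GROUP = re.compile(r"\[([^\[\]-]+)-([^\[\]]*)\]")


def parse_field_list(value):
    """Parse bracket groups into {object (lowercase): set of fields (lowercase)}."""
    value = value.strip()
    parsed, pos = {}, 0
    for m in GROUP.finditer(value):
        if value[pos:m.start()].strip():
            raise ValueError("text outside brackets: %r" % value[pos:m.start()])
        fields = {f.strip().lower() for f in m.group(2).split(",") if f.strip()}
        parsed.setdefault(m.group(1).strip().lower(), set()).update(fields)
        pos = m.end()
    if value[pos:].strip():
        raise ValueError("text outside brackets: %r" % value[pos:])
    return parsed


def audit_setting(bypass_read, field_list, registration_fields):
    """Return a list of findings; an empty list means both requirements are met.

    registration_fields: {object API name: [custom field API names]} as read
    from Login Configuration (active and inactive fields).
    """
    findings = []
    listed = {o.strip().lower() for o in bypass_read.split(",") if o.strip()}
    for obj in REQUIRED_BYPASS_READ:
        if obj.lower() not in listed:
            findings.append("Bypass Read is missing " + obj)
    covered = parse_field_list(field_list)
    for obj, fields in registration_fields.items():
        for field in fields:
            if field.lower() not in covered.get(obj.lower(), set()):
                findings.append("Field list is missing %s-%s" % (obj, field))
    return findings


# Constructed sample: Term was added to the registration page but not to the
# field list, and Bypass Read lists only Contact.
APP = "EnrollmentrxRx__Enrollment_Opportunity__c"
SAMPLE_REGISTRATION = {APP: ["Academic_Program_of_Interest__c",
                             "Portal_Registration_Program_of_Interest__c",
                             "Academic_Term__c"]}
SAMPLE_FIELD_LIST = ("[" + APP + "-Academic_Program_of_Interest__c,"
                     "Portal_Registration_Program_of_Interest__c]")

if __name__ == "__main__":
    for finding in audit_setting("Contact", SAMPLE_FIELD_LIST, SAMPLE_REGISTRATION):
        print(finding)
```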

Appendix: Example Configurations for Most Common Sites Pages

Applicant Portal Registration

 

1. Allow Object Access: EnrollmentrxRx custom setting

Read EnrollmentrxRx__Enrollment_Opportunity__c,Lead,Contact
Create EnrollmentrxRx__Enrollment_Opportunity__c
Update EnrollmentrxRx__Enrollment_Opportunity__c,Lead,Contact
Delete

Two objects on registration page

2. Allow Object Access: Erx_Forms

Read enrollmentrxrx__enrollment_opportunity__c,Contact,Account
Create
Update enrollmentrxrx__enrollment_opportunity__c,Contact,Account
Delete
Fields [enrollmentrxrx__enrollment_opportunity__c-enrollmentrxrx__program_of_interest__c]

Allow Object Access: ERx_Forms

Attention

When any field in the recommendation form is updated through the “button” click, that field needs to be added in the Allow Object Access FormBuilder custom settings. This is required for Summer ’20 and earlier releases only. It’s not required for the Winter ’21 Release.

3. Guest Profile Read, Create and FLS permissions for sObjects

Assigned Permission Sets to the Site Guest User: ERxFB_Sites

Read Touch Points, Touch Point Configuration, Touch Point Configuration Sets, Application, Contact,Account, Package Configuration, Program Offered
Create Application, Contact, Lead, Account, Package Configuration, Portal Login Custom Field, Portal Registration Message, Program Offered

Assigned Permission Sets

Attention

Program offered needs Profile Create, Read, Update, Delete and Field Level Security permissions because it was used in the registration form. Provide Field Level Security Edit permission to fields used on the registration page. If Term or Account were used on the registration page, the same would apply.

4. Guest Sharing Rule

  • Application
  • Account
  • Env
  • Package Configuration
  • Site Login template
  • Program Offered (when used on Registration Page)

RFI Site Form

1. Allow Object Access: EnrollmentrxRx custom setting

Read Lead,Contact
Create EnrollmentrxRx__Touch_Point__c
Update Lead,Contact
Delete
Fields

Allow Object Access: EnrollmentrxRx custom setting

2. Guest Profile Read, Create and Field Level Security permissions for objects

Assigned Permission Sets to the Site Guest User: ERxFB_Sites

Read Touch Points, Touch Point Configuration, Touch Point Configuration Sets, Application, Contact, Account, Package Configuration
Create Application, Contact, Lead, Account, Package Configuration, Portal Login Custom Field, Portal Registration Message, TouchPoint

 

3. Guest Sharing Rule

a) Env

b) Package Configuration

c) SiteLogin Template

d) Lead

e) Touch Point Configuration

f) Touch Point Configuration Set

Guest sharing rule

Recommendation Form

1. Allow Object Access: EnrollmentrxRx custom setting

Read
Create
Update EnrollmentrxRx__Recommendation__c,EnrollmentrxRx__Enrollment_Opportunity__c
Delete
Fields

 

2. Allow Object Access: Erx_Forms

Read
Create
Update enrollmentrxrx__enrollment_opportunity__c,enrollmentrxrx__recommendation__c
Delete
Fields [EnrollmentrxRx__Recommendation__c-EnrollmentrxRx__Document_Status__c,Allow_Upload__c]

Attention

When any field in the recommendation form is updated through the “button” click, that field needs to be added in the Allow Object Access FormBuilder custom settings. This is required for Summer ’20 and earlier releases only. It’s not required for the Winter ’21 Release.

Allow Object Access: Erx_Forms

3. Guest Profile Read, Create and FLS permissions for sObjects

Assigned Permission Sets to the Site Guest User: ERxFB_Sites

Read Touch Points, Touch Point Configuration, Touch Point Configuration Sets, Application, Contact, Account, Package Configuration, Recommendations
Create Application, Contact, Lead, Account, Package Configuration, Portal Login Custom Field, Recommendations, Portal Registration Message

Permissions for sObjects

4. Sharing rule for recommendation form

  • Env
  • Package Configuration
  • SiteLoginTemplate

Events Site Calendar and Registration Form

1. Allow Object Access: EnrollmentrxRx custom setting

Read Lead,Contact,EnrollmentrxRx__Enrollment_Opportunity__c
Create EnrollmentrxRx__Enrollment_Opportunity__c,EnrollmentrxRx__Status_Tracking__c, EnrollmentrxRx__Touch_Point__c
Update Lead,Contact,EnrollmentrxRx__Enrollment_Opportunity__c
Delete
Fields

Events Calendar and Registration Form

2. Guest Profile Read, Create and Field Level Security permissions for objects

Assigned Permission Sets to the Site Guest User: ERxFB_Sites

Read Campaign, Visit_Activity_Series__c, Visit_Series__c, Activity_Series__c, Appointment__c, Activity_Slot__c, Visit__c, Exception__c, Contact,Leads
Create Contact,Leads

Assigned Permission Sets - Site Guest User

3. Guest Sharing Rule for event site

  • Visit series
  • Activity Series
  • Activity Slot
  • Visit
  • Exception
  • Event Registration Section
  • Account (if Contact is set to “Controlled by Parent”)

Guest sharing rules
