experience-cloud-guest-access

Use when designing or configuring public pages on an Experience Cloud site — guest user profile setup, page-level access settings in Experience Builder, object/field visibility for unauthenticated visitors, and explicit sharing rules that expose data on public pages. Triggers: 'configure public pages Experience Cloud', 'guest user profile setup', 'unauthenticated site access', 'public community page visibility', 'make page visible without login'. NOT for authenticated user features (use admin/experience-cloud-member-management). NOT for security hardening or remediation of guest user exposure (use security/guest-user-security).

Best use case

experience-cloud-guest-access is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Use when designing or configuring public pages on an Experience Cloud site — guest user profile setup, page-level access settings in Experience Builder, object/field visibility for unauthenticated visitors, and explicit sharing rules that expose data on public pages. Triggers: 'configure public pages Experience Cloud', 'guest user profile setup', 'unauthenticated site access', 'public community page visibility', 'make page visible without login'. NOT for authenticated user features (use admin/experience-cloud-member-management). NOT for security hardening or remediation of guest user exposure (use security/guest-user-security).

Teams using experience-cloud-guest-access should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/experience-cloud-guest-access/SKILL.md --create-dirs "https://raw.githubusercontent.com/PranavNagrecha/AwesomeSalesforceSkills/main/skills/admin/experience-cloud-guest-access/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/experience-cloud-guest-access/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How experience-cloud-guest-access Compares

Feature / Agentexperience-cloud-guest-accessStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

Use when designing or configuring public pages on an Experience Cloud site — guest user profile setup, page-level access settings in Experience Builder, object/field visibility for unauthenticated visitors, and explicit sharing rules that expose data on public pages. Triggers: 'configure public pages Experience Cloud', 'guest user profile setup', 'unauthenticated site access', 'public community page visibility', 'make page visible without login'. NOT for authenticated user features (use admin/experience-cloud-member-management). NOT for security hardening or remediation of guest user exposure (use security/guest-user-security).

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Experience Cloud Guest Access

This skill activates when a practitioner needs to design, configure, or troubleshoot public-facing pages in an Experience Cloud site — pages reachable by unauthenticated visitors. It covers the one-guest-user-profile-per-site model, how to configure page access in Experience Builder, what object and field permissions the guest profile needs, and how explicit sharing rules govern which records appear on public pages.

---

## Before Starting

Gather this context before working on anything in this domain:

- Identify the site template: LWR (Lightning Web Runtime), Aura (Community), or Microsite. Page access configuration steps differ slightly across templates.
- Confirm the org is on Spring '21 or later. The Secure Guest User Record Access toggle became mandatory in Spring '21 and changes how guest record visibility works — any site designed before this release may need sharing rule restructuring.
- Know which pages must be public and which should require login. Page-level access is set in Experience Builder per page; this is the primary mechanism for controlling unauthenticated access.
- Confirm whether any public pages require guests to submit records (e.g., contact forms, case deflection). Guest Create permissions on a profile are different from Read-only object access.

---

## Core Concepts

### One Guest User Profile Per Site

Each Experience Cloud site has exactly one guest user profile, generated automatically when the site is created. This profile controls all unauthenticated access for every public page on that site. It cannot be deleted or shared with another site — if you have three sites, you have three independent guest profiles.

The guest profile lives at Setup > Digital Experiences > All Sites > [Site] > Workspaces > Administration > Guest User Profile. Changes to the profile take effect for all public pages on that site immediately.

### Page-Level Access in Experience Builder

Experience Builder controls whether an individual page is accessible to guests or requires login. The setting lives on each page under Page Properties > Page Access:

- **Public** — the page is accessible without login; the guest user profile governs what data loads.
- **Requires Login** — unauthenticated visitors are redirected to the login page.

This is the first gate. Even if the guest profile has object Read access, a page set to "Requires Login" will not render for unauthenticated visitors. The most common configuration mistake is setting the page to Public but neglecting to configure the guest profile, resulting in empty components on the page.

### Object and Field Permissions for Public Data

The guest user profile must explicitly grant Read access to any object whose records a public page displays. The principle is least-privilege:

- Grant Read on the specific objects the page needs (e.g., Knowledge__kav for a help center, Product2 for a catalog).
- Never grant Create, Edit, Delete, View All, or Modify All unless the page has a form submission use case that strictly requires Create.
- Grant field-level Read access for only the fields the page components actually display. Unused fields on the guest profile are a latent data exposure risk.

### External OWD and Explicit Sharing Rules for Public Records

For objects where external OWD is Private, guest users see zero records regardless of page or profile configuration. To expose specific records publicly:

1. Set external OWD to **Private** (recommended default — least privilege).
2. Create **Guest User Sharing Rules** (Setup > Sharing Settings > Guest User Sharing Rules for [Site]) that grant Read access to the specific records the page should display.
3. These rules evaluate against criteria or owner-based conditions, letting you expose only the records that belong on a public page (e.g., Published Knowledge articles, Featured Products).

If you set external OWD to Public Read Only, all records of that object become readable by every guest user on every site — which is almost never the right choice for custom objects.

### API Settings on the Guest Profile

Two settings on the guest profile must stay disabled for any public site:

- **API Enabled** — allows the guest user to make direct API calls. Disable unless specifically required.
- **Allow guest users to access public APIs** — a site-level setting in Administration > Preferences. Disable unless the site hosts a Force.com Site that needs REST endpoint access.

Leaving these enabled expands the attack surface of the public site beyond the pages you designed.

---

## Common Patterns

### Public Knowledge Base Page

**When to use:** A help center or support site where Knowledge articles should be readable without login.

**How it works:**
1. Set each Knowledge article page to Public in Experience Builder Page Properties.
2. On the guest user profile, grant Read on Knowledge object and Read on the fields displayed (Title, Summary, Body, Article Number).
3. Set external OWD for Knowledge to Public Read Only OR keep it Private and create a Guest User Sharing Rule based on the Publication Status = Online criteria.
4. Confirm that "Allow guest users to access public APIs" is OFF in Site Preferences.

**Why not the alternative:** Granting View All on Knowledge to bypass OWD exposes draft and archived articles to guests. The sharing rule approach lets you surface only Published/Online records.

### Public Product Catalog Without Login

**When to use:** An e-commerce or partner site where Product records should be visible to unauthenticated visitors browsing before they register.

**How it works:**
1. Set product catalog and product detail pages to Public in Experience Builder.
2. On the guest profile, grant Read on Product2, Pricebook2, and PricebookEntry for the fields shown on the page.
3. Keep external OWD on Product2 at Public Read Only (Product2 is a Salesforce object with no sensitive owner data — broadly readable is acceptable).
4. Do not grant Read on custom objects related to pricing or account-specific discounts — those should be members-only pages.
5. Test in an incognito browser before publishing; confirm only intended Product fields render.

**Why not the alternative:** Adding the product object to a page that requires login defeats the purpose of unauthenticated browsing. The combination of page-level Public access plus guest profile Read gives clean separation from authenticated catalog features.

---

## Decision Guidance

| Situation | Recommended Approach | Reason |
|---|---|---|
| Page must be visible to visitors without an account | Set Page Access = Public in Experience Builder, configure guest profile | Page-level access is the primary control gate |
| Object records must appear on a public page but external OWD is Private | Create Guest User Sharing Rules (criteria-based) | Sharing rules selectively expose only matching records |
| Object records must appear on a public page, external OWD is Public Read Only | Grant Read on guest profile; no sharing rules needed | Public OWD makes all records readable to guests |
| Guest needs to submit a form (case deflection, contact us) | Grant Create-only on the target object in guest profile | Never grant Edit or Delete for form submissions |
| Mix of public and members-only pages on the same site | Set each page individually in Experience Builder | Page access is per-page, not per-site |
| Unsure which records a public page currently exposes | Run as guest user in incognito, review guest profile permissions and sharing rules | Test first — do not guess |

---

## Recommended Workflow

Step-by-step instructions for an AI agent or practitioner activating this skill:

1. **Identify scope** — list all pages on the site and classify each as Public or Requires Login. Confirm site template (LWR vs Aura) so the correct Experience Builder navigation applies.
2. **Configure page access** — for each public page, open Page Properties in Experience Builder and set Page Access to Public. Save and publish after all pages are configured.
3. **Set guest profile permissions** — open the guest user profile for this site. Grant Read on objects and fields required by public pages. Add Create on specific objects only where a public form submission is required. Remove any permissions not directly needed.
4. **Configure sharing for public records** — review external OWD for each object the public pages display. For Private OWD objects, create Guest User Sharing Rules that expose only the intended records (e.g., criteria-based on Status = Published). For objects that should not be publicly readable, confirm external OWD is Private and no sharing rule exists.
5. **Disable API settings** — confirm API Enabled is OFF on the guest user profile. Confirm "Allow guest users to access public APIs" is OFF in Site Administration > Preferences.
6. **Test as a guest** — open the site in an incognito browser. Navigate all public pages. Confirm intended records load and no unexpected records or fields appear. Confirm members-only pages redirect to login.
7. **Handoff to security review** — if the site has custom Apex controllers called from public pages, hand off to security/guest-user-security for FLS and WITH USER_MODE review.

---

## Review Checklist

Run through these before marking work in this area complete:

- [ ] All pages intended for unauthenticated access are set to Public in Experience Builder Page Properties.
- [ ] All pages that should require login are set to Requires Login.
- [ ] Guest user profile grants Read only on the objects public pages need — no Create/Edit/Delete unless a form submission use case requires Create.
- [ ] Field-level permissions on the guest profile are limited to the fields actually displayed on public pages.
- [ ] External OWD and Guest User Sharing Rules are aligned — Private OWD objects have explicit sharing rules; no object inadvertently set to Public OWD.
- [ ] API Enabled is OFF on the guest user profile.
- [ ] "Allow guest users to access public APIs" is OFF in Site Administration > Preferences.
- [ ] Site tested in incognito browser — all public pages load expected content and no unexpected records are visible.

---

## Salesforce-Specific Gotchas

1. **Each site has exactly one guest profile — and it is shared across all public pages** — changing the guest profile to support a new public page also affects every other public page on the same site. Adding Read access to a new object on the guest profile means that object is now readable on any public page that happens to query it, not only the new one.
2. **FLS on the guest profile applies to all guest Apex calls, not just page components** — if an Apex class runs in guest context and you remove a field from the guest profile, the field will appear blank or throw an error in any public page that calls that class, not only the page you intended to change.
3. **External OWD controls record visibility for guest users — not internal OWD** — internal OWD governs authenticated user sharing. Guest users respect external OWD only. Setting internal OWD to Public Read Only does not automatically make records readable by guests if external OWD is Private.
4. **Guest User Sharing Rules for a site are site-specific** — a sharing rule created for Site A's guest user does not apply to Site B's guest user. Each site's guest user is a distinct system user and requires its own sharing rules.
5. **Page Access = Public does not override empty guest profile permissions** — a page set to Public will render for a guest, but if the guest profile has no Read access to the objects the page components query, the components will return empty results or errors. Both the page setting AND the profile permissions are required.

---

## Output Artifacts

| Artifact | Description |
|---|---|
| Public page access checklist | Completed template documenting page access settings, guest profile permissions, and sharing rule configuration for the site (see templates/) |
| Guest profile permission summary | Object-by-object and field-by-field list of what Read/Create access was granted on the guest profile and why |
| Sharing rule inventory | List of Guest User Sharing Rules configured for the site, with criteria and objects covered |

---

## Related Skills

- `security/guest-user-security` — use when the question is hardening, auditing, or remediating security exposure on the guest user profile rather than configuring public page access.
- `admin/experience-cloud-site-setup` — use when the task is creating or initially configuring an Experience Cloud site rather than configuring guest access on an existing site.
- `admin/experience-cloud-member-management` — use when the question involves authenticated external user access, sharing sets, or member profiles rather than guest access.
- `admin/sharing-and-visibility` — use when the broader sharing model design (OWD strategy, role hierarchy, internal sharing rules) is the primary question.

Related Skills

record-access-troubleshooting

8
from PranavNagrecha/AwesomeSalesforceSkills

Diagnose why a user can or cannot see/edit a record: UserRecordAccess SOQL, Why Can a User Access This Record debug log, OWD, role hierarchy, sharing rules, manual/team/apex shares, implicit parent share. NOT for field-level security (use field-level-security-audit). NOT for designing sharing (use sharing-selection decision tree).

guest-user-security

8
from PranavNagrecha/AwesomeSalesforceSkills

Use when hardening the Experience Cloud guest user profile, controlling unauthenticated access to records and Apex, or investigating data exposure through guest SOQL. Covers object permissions, sharing model enforcement for unauthenticated users, and Apex execution context. NOT for Experience Cloud site creation (use Experience Cloud skills) or for authenticated external user security (use security/experience-cloud-security).

guest-user-security-audit

8
from PranavNagrecha/AwesomeSalesforceSkills

Auditing the security posture of an Experience Cloud (Community) site's Guest User. Covers the post-Spring '21 secure-by-default lockdown (object permissions removed, sharing rule grants required for any access), the Guest User profile permissions to remove (View All Data, Modify All Data, Manage Users, etc.), guest sharing rules, the Run-As-Guest test, OWASP A01 (Broken Access Control) mapping, and the standard set of leakage vectors (Apex with `without sharing`, Aura / LWC `@AuraEnabled` methods, public-site Visualforce, REST endpoints under `/services/apexrest`). NOT for Experience Cloud authenticated user setup (see experience/experience-cloud-user-management), NOT for general Salesforce profile design (see admin/profile-permset-design).

experience-cloud-security

8
from PranavNagrecha/AwesomeSalesforceSkills

Use when configuring access controls, sharing, or site security for authenticated or guest Experience Cloud (community) users: external OWD, Sharing Sets, Share Groups, CSP, clickjack protection, guest user record access. NOT for internal sharing model configuration (use sharing-and-visibility).

lwc-jest-testing-with-accessibility

8
from PranavNagrecha/AwesomeSalesforceSkills

Use when authoring or reviewing Jest unit tests for Lightning Web Components and the test plan must include explicit accessibility assertions — covers `@salesforce/sfdx-lwc-jest` setup, `createElement` / `document.body.appendChild` render harness, wire-service mocks via `@salesforce/wire-service-jest-util`, imperative Apex mocks via `jest.fn()`, simulated user interactions (`click`, `keydown`, `focus`), ARIA attribute and accessible-name assertions, focus-management tests, keyboard-navigation tests, and optional `axe-core` integration via `jest-axe`. Triggers: 'add a11y assertions to my LWC jest tests', 'how do I test focus management in LWC', 'jest test for keyboard navigation', 'integrate axe-core into sfdx-lwc-jest', 'assert ARIA attributes after interaction', 'how do I prove the LWC is accessible in CI'. NOT for general LWC jest setup without an a11y angle (use lwc/lwc-testing — this skill is the accessibility-deep-dive sibling), NOT for accessibility-pattern authoring inside the component itself (use lwc/lwc-accessibility-patterns), NOT for end-to-end UI automation via UTAM, NOT for manual screen-reader QA workflows.

lwc-accessibility

8
from PranavNagrecha/AwesomeSalesforceSkills

Use when designing or reviewing Lightning Web Components for keyboard access, semantic labeling, focus management, screen-reader behavior, and WCAG-aligned UX in Salesforce. Triggers: 'lwc accessibility', 'keyboard navigation in lwc', 'screen reader labels', 'focus trap in modal'. NOT for Apex or sharing security reviews, or for purely visual SLDS styling that does not affect accessibility behavior.

lwc-accessibility-patterns

8
from PranavNagrecha/AwesomeSalesforceSkills

Use when implementing specific ARIA attributes, keyboard navigation patterns, screen reader live regions, WCAG 2.1 compliance, focus management, or accessible data tables in Lightning Web Components. Trigger keywords: ARIA, aria-live, aria-label, aria-labelledby, role=grid, tabindex, keydown handler, WCAG AA, focus trap, accessible datatable, shadow DOM ARIA boundary. NOT for general LWC styling, visual design, SLDS theming, or CSS that does not affect assistive-technology behavior.

headless-experience-cloud

8
from PranavNagrecha/AwesomeSalesforceSkills

Use when building custom frontends (React, Vue, mobile, static sites) that consume Salesforce CMS content via the Connect REST API headless delivery endpoint. Triggers: 'headless Salesforce CMS', 'deliver CMS content to external frontend', 'React app Salesforce content API', 'custom frontend Experience Cloud data', 'CMS delivery channel API'. NOT for standard Experience Builder site development. NOT for CMS Connect (3rd-party CMS federation into Experience Builder). NOT for Experience Cloud LWC components rendered inside a site.

experience-cloud-search-customization

8
from PranavNagrecha/AwesomeSalesforceSkills

Use this skill when configuring or extending search on an Experience Cloud site — covering Search Manager scope configuration, LWR vs Aura search component selection, federated search setup, guest user search access, and custom search result components. NOT for SOSL/SOQL query development. NOT for internal Salesforce global search or Einstein Search for agents.

experience-cloud-multi-idp-sso

8
from PranavNagrecha/AwesomeSalesforceSkills

Use this skill when configuring multiple identity providers (OIDC and/or SAML) on a single Experience Cloud site or across tenant-specific portals in the same org — covering auth provider registration, Start SSO URL routing, Federation ID mapping, RegistrationHandler implementation, and simultaneous SP+IdP topology. Trigger keywords: multiple identity providers Experience Cloud, multi-tenant SSO community portal, vendor and citizen portal same site, OIDC SAML both on login page, tenant-specific login routing community. NOT for internal Salesforce employee SSO configuration. NOT for single auth provider setups — see experience-cloud-authentication for basic SSO.

experience-cloud-lwc-components

8
from PranavNagrecha/AwesomeSalesforceSkills

Use when building custom LWC components for Experience Cloud (Experience Builder sites, LWR portals, Aura-based communities). Covers community context imports, guest user Apex access patterns, navigation API differences between LWR and Aura, and JS-meta.xml target configuration for Experience Builder exposure. NOT for internal LWC components deployed to Lightning App Builder or standard record pages (see lwc/lwc-development). NOT for Aura community components. Trigger keywords: build LWC for Experience Cloud, custom component community portal LWC, guest user LWC component, community context import salesforce, lightningCommunity target, @salesforce/community, guest Apex.

experience-cloud-authentication

8
from PranavNagrecha/AwesomeSalesforceSkills

Use when building custom login pages, social SSO flows, self-registration flows, or passwordless OTP login for Experience Cloud (community) sites. Trigger keywords: custom login page Experience Cloud, social SSO community portal, passwordless login Experience Cloud, self-registration custom flow, headless authentication community, auth provider OIDC SAML site. NOT for internal SSO configuration (use identity/sso skills). NOT for standard username/password authentication with no customization.