experience-cloud-security

Use when configuring access controls, sharing, or site security for authenticated or guest Experience Cloud (community) users: external OWD, Sharing Sets, Share Groups, CSP, clickjack protection, guest user record access. NOT for internal sharing model configuration (use sharing-and-visibility).

Best use case

experience-cloud-security is best used when you need a repeatable AI agent workflow instead of a one-off prompt.


Teams using experience-cloud-security should expect more consistent output, faster repeated execution, and less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/experience-cloud-security/SKILL.md --create-dirs "https://raw.githubusercontent.com/PranavNagrecha/AwesomeSalesforceSkills/main/skills/security/experience-cloud-security/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/experience-cloud-security/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How experience-cloud-security Compares

Feature / Agent         | experience-cloud-security | Standard Approach
Platform Support        | Not specified             | Limited / Varies
Context Awareness       | High                      | Baseline
Installation Complexity | Unknown                   | N/A

Frequently Asked Questions


Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# Experience Cloud Security

This skill activates when configuring security controls for an Experience Cloud site (formerly Community Cloud), covering external org-wide defaults, Sharing Sets, Share Groups, guest user record access restrictions, and site-level security headers. It does NOT cover internal org sharing model design.

---

## Before Starting

Gather this context before working on anything in this domain:

- Identify whether the site serves authenticated external users, guest (unauthenticated) users, or both — the security model differs significantly between these cases.
- Understand which Salesforce objects external users need to read, create, or edit — this drives external OWD and Sharing Set design.
- Confirm whether guest user access is intentional — since Spring '21, guest user record access defaults to private (all objects), and the Secure Guest User Record Access setting enforces this.

---

## Core Concepts

### External Org-Wide Defaults (External OWD)

External OWD is a separate org-wide default that applies exclusively to external users (portal users, community users, guest users). It is configured per object in Setup > Sharing Settings alongside the internal OWD. External OWD can be equal to or more restrictive than internal OWD — it can never be more permissive than the internal OWD for the same object. For example, if internal OWD is Public Read/Write, external OWD can be Public Read/Write, Public Read Only, or Private — but not more permissive.

When external OWD is set to Private for an object, external users can only access records via explicit sharing mechanisms (Sharing Sets, manual sharing, Apex sharing, or profile-level permissions with "View All").

### Sharing Sets

A Sharing Set grants access to records based on a lookup field relationship between the external user's Contact/Account record and the target record. Sharing Sets are available for Customer Community and Customer Community Plus license types only. Guest users cannot be included in Sharing Sets.

Example: A Sharing Set grants read access to Case records where `Case.AccountId = User.AccountId` — the portal user sees all cases belonging to their account.

Key constraints:
- Sharing Sets do NOT use the role hierarchy — they are purely relationship-based.
- Sharing Sets do not support all objects — only standard objects that have a supported lookup relationship to Account or Contact.
- Each Sharing Set can include multiple access mapping entries for the same site.

### Secure Guest User Record Access

The "Secure Guest User Record Access" org preference (Setup > Sharing Settings) forces all-private external OWD for guest users on all objects, regardless of what the external OWD is set to. When this toggle is enabled:
- Guest users can only access records explicitly shared via Apex sharing, guest sharing rules, or public list views.
- The toggle is enabled by default for orgs created after Spring '21 and is strongly recommended for all orgs.

### Share Groups

Share Groups allow portal users (Customer Community Plus and Partner Community licenses) to share records among themselves. A Share Group is defined per portal role and grants portal users access to records owned by users in that group. This is distinct from Sharing Sets — Share Groups address peer-to-peer sharing within the portal, not data originating from the internal org.

---

## Common Patterns

### Sharing Set for Account-Based Record Access

**When to use:** An authenticated Customer Community portal where users should see records belonging to their account — e.g., all Cases, Contracts, or Orders linked to their Account.

**How it works:**
1. Set external OWD for the target object (e.g., Case) to Private.
2. Navigate to Setup > Digital Experiences > Sharing Settings > Sharing Sets.
3. Create a Sharing Set associated with the Experience Cloud site.
4. Add an access mapping: Object = Case, Access = Read Only, User = User.Contact.Account, Target = Case.Account.
5. Save. Portal users can now see all cases where Case.AccountId matches their Contact's AccountId.

**Why not internal OWD:** Setting Case internal OWD to Public Read/Write would expose all cases to all users including internal ones — overly broad. The Sharing Set provides least-privilege access scoped to the portal context.

### Guest User Hardening

**When to use:** Any site that has a guest user profile — even sites intended only for authenticated users may have guest access enabled by default.

**How it works:**
1. Confirm "Secure Guest User Record Access" is enabled in Setup > Sharing Settings.
2. Review the Guest User profile — remove all object and field permissions that are not required for unauthenticated page display.
3. Set external OWD to Private for all objects where guest users should have no access.
4. Audit Apex classes marked `global` or `without sharing` that are accessible to the guest profile — guest users calling Apex inherit the `without sharing` context by default.
5. Enable CSP (Content Security Policy) for the site and configure trusted sites explicitly.

**Why not rely on page-level security alone:** The guest profile interacts with the Salesforce data layer directly through Apex, SOSL, and SOQL. A guest user calling a `without sharing` Apex class can potentially access records the page was never designed to expose if object permissions are too broad.
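As an added example that is not part of the skill file or the AwesomeSalesforceSkills project, this is the shape step 4 of the audit looks for: a guest-reachable controller written `without sharing`, followed by its hardened form. It assumes a Case status lookup on a public page; class, method and field choices are illustrative.

```apex
// Added example, not from the skill file. Assumption: each class (its own
// .cls file in practice) is granted to the site's guest user profile and
// called from a component on a public page; names are illustrative.

// BEFORE (finding): 'without sharing' bypasses external OWD, Secure Guest
// User Record Access and guest sharing rules, so every Case in the org is
// reachable through this method, whatever the page was built to show.
public without sharing class GuestCaseStatusUnsafe {
    @AuraEnabled(cacheable=true)
    public static List<Case> findCases(String subjectFilter) {
        String pattern = '%' + subjectFilter + '%';
        return [SELECT Id, Subject, Status, Description
                FROM Case WHERE Subject LIKE :pattern];
    }
}

// AFTER (remediation): 'with sharing' applies the guest user's sharing
// (all-private once Secure Guest User Record Access is on), WITH USER_MODE
// also enforces the guest profile's object and field permissions, and the
// query selects only the fields the page renders. Anything not granted by a
// guest sharing rule or the profile is simply absent from the result.
public with sharing class GuestCaseStatus {
    @AuraEnabled(cacheable=true)
    public static List<Case> findCases(String subjectFilter) {
        if (String.isBlank(subjectFilter) || subjectFilter.length() < 3) {
            return new List<Case>(); // an empty filter must not enumerate records
        }
        // Bind variables are parameterised, so the filter cannot alter the query.
        String pattern = '%' + subjectFilter + '%';
        List<Case> rows = [SELECT Id, Subject, Status
                           FROM Case
                           WHERE Subject LIKE :pattern
                           WITH USER_MODE
                           LIMIT 50];
        // Defence in depth: drop any field the running user cannot read.
        SObjectAccessDecision decision =
            Security.stripInaccessible(AccessType.READABLE, rows);
        return (List<Case>) decision.getRecords();
    }
}
```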

---

## Decision Guidance

| Situation | Recommended Approach | Reason |
|---|---|---|
| Authenticated portal users need access to account-related records | Sharing Set with account lookup mapping | Least-privilege, relationship-based, no role hierarchy required |
| Authenticated portal users need to share records with each other | Share Group (Customer Community Plus or Partner) | Peer-to-peer sharing scoped to portal role |
| Guest users need to create a record (e.g., case submission form) | Guest user profile Apex class with sharing enforced on insert + explicit field access | Guest can create via Apex; don't grant broad object-level Create on guest profile |
| Guest users should see NO records | Enable Secure Guest User Record Access; set external OWD to Private for all objects | Enforces platform-level restriction regardless of page configuration |
| Portal site needs to embed content from external domains | Configure CSP trusted sites in Setup > CSP Trusted Sites | CSP headers block unapproved domain resource loading |

---

## Recommended Workflow

Step-by-step instructions for an AI agent or practitioner working on this task:

1. Identify the site type and user population: authenticated portal users, guest users, or both. Confirm which license types are in use (Customer Community, Customer Community Plus, Partner Community).
2. Review external OWD for all objects the portal touches — set to Private unless there is an explicit business requirement for broader access.
3. Verify "Secure Guest User Record Access" is enabled in Setup > Sharing Settings — if not, assess guest user record exposure and enable unless there is a documented exception.
4. Configure Sharing Sets for each object where authenticated portal users need relationship-based access — map lookup fields from the portal user's Contact/Account to the target record.
5. Audit the guest user profile — remove all object permissions not required for unauthenticated display. Review Apex classes accessible to the guest profile that use the `without sharing` keyword.
6. Enable site-level security headers: clickjack protection (Allow framing from same origin only), CSP with trusted sites explicitly listed, Lightning Web Security (LWS) enabled.
7. Run Security Health Check and review community-specific findings.

---

## Review Checklist

Run through these before marking work in this area complete:

- [ ] External OWD is set to Private or more restrictive for all objects not explicitly required to be broader
- [ ] "Secure Guest User Record Access" is enabled
- [ ] Sharing Sets are configured for each object that authenticated portal users need access to
- [ ] Guest user profile has minimal object and field permissions — only what is needed for unauthenticated rendering
- [ ] Apex classes accessible to guest profile reviewed for `without sharing` keyword usage
- [ ] CSP trusted sites configured and clickjack protection is set to same-origin

---

## Salesforce-Specific Gotchas

Non-obvious platform behaviors that cause real production problems:

1. **External OWD cannot be more permissive than internal OWD** — If you try to set external OWD to Public Read/Write when internal OWD is Private, Salesforce will not allow it. The UI will appear to set it but the effective value reverts. Always set internal OWD first, then configure external OWD within the allowed range.
2. **Guest users are excluded from Sharing Sets** — Sharing Sets only apply to authenticated portal users (Customer Community, Customer Community Plus, Partner Community). Attempting to grant guest users access via Sharing Sets has no effect — guest access requires explicit profile permissions, guest sharing rules, or Apex sharing.
3. **CSP and clickjack settings apply per site, not org-wide** — A change to CSP trusted sites in one Experience Cloud site does not affect other sites. Each site must be configured independently. LWS is also per-site.
4. **Changing external OWD triggers sharing recalculation** — Changing an external OWD from Public Read/Write to Private triggers a background sharing recalculation job that can take minutes to hours in large orgs. During recalculation, users may see stale sharing results.

---

## Output Artifacts

| Artifact | Description |
|---|---|
| External OWD configuration recommendation | Per-object table of recommended internal and external OWD values |
| Sharing Set configuration steps | Object, access level, and lookup mapping for each Sharing Set |
| Guest user profile audit | List of object and field permissions to remove from the guest profile |
| Site security header configuration | CSP, clickjack, and LWS settings per site |

---

## Related Skills

- guest-user-security — hardening the guest user profile itself beyond site-level controls
- sharing-and-visibility — internal org sharing model, OWD, sharing rules for internal users
- network-security-and-trusted-ips — CSP, CORS, and trusted IP configuration at the org level

Related Skills

visualforce-security-and-modernization

from PranavNagrecha/AwesomeSalesforceSkills

Use when hardening or modernizing legacy Visualforce pages — covers the platform CSRF token model and when disabling it is a security regression, view state encryption guarantees and the 170 KB ceiling, FLS/CRUD enforcement gaps on `<apex:outputField>` and on getters that return sObjects, `<apex:includeScript>` interaction with the org Content Security Policy, hosting LWC inside a VF page via `lightning:container` / `lightning-out`, and the retire-vs-harden-vs-leave-alone decision for an inventory of legacy pages. Triggers: 'should I rewrite this Visualforce page in LWC', 'CSRF protection disabled on Visualforce page is that safe', 'community user sees a field they should not on a Visualforce page', 'view state encryption is that enough for sensitive data', 'how do I host an LWC inside a Visualforce page', 'apex:dynamicComponent and apex:actionFunction safe to keep'. NOT for greenfield Visualforce architecture (use apex/visualforce-fundamentals — controller types, view state pattern selection, PDF rendering); NOT for Visualforce email template authoring (use apex/visualforce-email-templates if/when that skill is authored); NOT for general Apex security review across triggers and async (use apex/soql-security and security/secure-coding-review-checklist).

transaction-security-policies

from PranavNagrecha/AwesomeSalesforceSkills

Transaction Security policy creation and configuration: condition builder, enhanced policies, enforcement actions (block, MFA, notification, end session), real-time monitoring mode, and policy troubleshooting. NOT for Event Monitoring log analysis or Shield Event Monitoring setup (use event-monitoring). NOT for Apex testing or debug-log analysis.

security-incident-response

from PranavNagrecha/AwesomeSalesforceSkills

When to use: active or suspected Salesforce org compromise, unauthorized access investigation, attacker containment, forensic evidence collection from EventLogFile/LoginHistory, session revocation, OAuth token cleanup, eradication of attacker persistence, and post-incident recovery verification. Trigger keywords: org compromised, suspicious login, attacker access, session revocation, forensic investigation, breach response, event log forensics, login anomaly investigation, incident response runbook. Does NOT cover general security setup, permission set design, field-level security configuration, or proactive security hardening — those are separate skills.

security-health-check

from PranavNagrecha/AwesomeSalesforceSkills

Use when running, interpreting, or acting on Salesforce Security Health Check results — reading the score, understanding risk categories, evaluating specific settings, creating or importing a custom baseline, querying the Tooling API programmatically, or planning remediation from findings. Triggers: 'security health check score', 'health check failing settings', 'custom baseline', 'remediate health check findings', 'fix risk'. NOT for org hardening implementation, permission model design, or broad baseline config beyond what Health Check directly measures.

network-security-and-trusted-ips

from PranavNagrecha/AwesomeSalesforceSkills

Configure and audit Salesforce network security controls — trusted IP ranges (org-wide Network Access), login IP ranges on profiles, CSP Trusted Sites for Lightning components, CORS allowlists for external JavaScript, and TLS requirements — and troubleshoot login-blocked-by-IP or CSP violation errors. NOT for org-wide session settings, MFA configuration, or real-time Transaction Security Policies.

guest-user-security

from PranavNagrecha/AwesomeSalesforceSkills

Use when hardening the Experience Cloud guest user profile, controlling unauthenticated access to records and Apex, or investigating data exposure through guest SOQL. Covers object permissions, sharing model enforcement for unauthenticated users, and Apex execution context. NOT for Experience Cloud site creation (use Experience Cloud skills) or for authenticated external user security (use security/experience-cloud-security).

guest-user-security-audit

from PranavNagrecha/AwesomeSalesforceSkills

Auditing the security posture of an Experience Cloud (Community) site's Guest User. Covers the post-Spring '21 secure-by-default lockdown (object permissions removed, sharing rule grants required for any access), the Guest User profile permissions to remove (View All Data, Modify All Data, Manage Users, etc.), guest sharing rules, the Run-As-Guest test, OWASP A01 (Broken Access Control) mapping, and the standard set of leakage vectors (Apex with `without sharing`, Aura / LWC `@AuraEnabled` methods, public-site Visualforce, REST endpoints under `/services/apexrest`). NOT for Experience Cloud authenticated user setup (see experience/experience-cloud-user-management), NOT for general Salesforce profile design (see admin/profile-permset-design).

connected-app-security-policies

from PranavNagrecha/AwesomeSalesforceSkills

Managing OAuth policies, IP relaxation, session security, PKCE, and credential rotation for Salesforce Connected Apps. Use when hardening Connected App security, rotating client secrets, configuring IP restrictions, or requiring high-assurance sessions. NOT for basic Connected App setup or creation. NOT for OAuth flow implementation (use oauth-flows-and-connected-apps).

api-security-and-rate-limiting

from PranavNagrecha/AwesomeSalesforceSkills

Use when configuring, auditing, or troubleshooting API rate limits, Connected App OAuth scope restriction, Connected App IP restrictions, API session policies, or API usage monitoring in a Salesforce org. Trigger keywords: 'API rate limit', '429 error', 'OAuth scope restriction', 'Connected App IP restriction', 'API usage monitoring', 'concurrent API limits', 'Bulk API limits'. NOT for OAuth flow implementation, token exchange mechanics, or general Connected App setup — use security/oauth-flows-and-connected-apps for those.

omnistudio-security

from PranavNagrecha/AwesomeSalesforceSkills

Use when designing or reviewing OmniStudio security across OmniScripts, Integration Procedures, DataRaptors, custom LWCs, Apex actions, guest-user exposure, and outbound HTTP actions. Triggers: 'OmniStudio security', 'guest user omniscript', 'DataRaptor CRUD FLS', 'OmniStudio Apex security', 'HTTP action data exposure'. NOT for general portal identity architecture or generic Apex security reviews when OmniStudio is not the main surface.

lwc-security

from PranavNagrecha/AwesomeSalesforceSkills

Use when designing or reviewing Lightning Web Components for DOM safety, Lightning Web Security boundaries, third-party library handling, and secure server-side data access from LWC. Triggers: 'innerHTML in lwc', 'Lightning Web Security', 'document.querySelector', 'light DOM security', 'secure apex class for lwc'. NOT for org-wide sharing architecture or Apex-only security reviews when no LWC surface is involved.

headless-experience-cloud

from PranavNagrecha/AwesomeSalesforceSkills

Use when building custom frontends (React, Vue, mobile, static sites) that consume Salesforce CMS content via the Connect REST API headless delivery endpoint. Triggers: 'headless Salesforce CMS', 'deliver CMS content to external frontend', 'React app Salesforce content API', 'custom frontend Experience Cloud data', 'CMS delivery channel API'. NOT for standard Experience Builder site development. NOT for CMS Connect (3rd-party CMS federation into Experience Builder). NOT for Experience Cloud LWC components rendered inside a site.