Running the Guest User Sharing Rule Access Report is a recurring audit task, not a one-time fix. The steps below cover the audit cadence and the remediation workflow.
- Confirm Experience Cloud is enabled
  The report is most relevant for orgs with active Experience Cloud sites. If you have no public-facing sites, the report is short, but still worth running once.
- Navigate to the report
  Setup > Sharing Settings > Guest User Sharing Rule Access Report. The report runs on demand.
- Review the rule list
  For each rule listed, examine the object, criteria, and access level. Most rules will be intentional (product catalog, public Knowledge); some may surprise you.
- Document each finding
  Record the decision per rule: confirmed-intentional, needs-restriction, or remove. Build the remediation backlog from the not-intentional rows.
- Tighten or remove unintended rules
  For rules to restrict, edit the criteria to scope to truly public records. For rules to remove, deactivate them. Test the Experience Cloud site after each change to confirm legitimate guest access still works.
- Enable Secure Guest User Record Access
  Setup > Sharing Settings > Secure Guest User Record Access. Enable. This prevents new risky rules from being added going forward.
- Schedule recurring audits
  Quarterly is the standard cadence. Re-run the report and triage any new rules that have been added since the last audit.
Single execution. Returns the current state of guest-user-relevant sharing rules.
Export the list for offline review or sharing with the security team.
Companion setting that restricts new sharing. Enable in any production Experience Cloud org.
Modern Experience Cloud audience controls. Finer-grained than sharing rules; preferred for new configurations.
Separate audit of guest user Apex code. The report does not cover this path; conduct as a parallel review.
- The report covers sharing rules only. Apex code, page layouts, and FLS can expose data through paths the report does not catch.
- Indirect exposure through nested groups is common. A public group containing a role containing the guest user creates exposure; the report follows the chain but the underlying paths can be non-obvious.
- Removing a sharing rule may break legitimate public-facing functionality. Test the Experience Cloud site after each remediation step before declaring the fix complete.
- Secure Guest User Record Access is paired with the report but is a separate setting. Enable both; one without the other leaves gaps.
- Quarterly audit cadence assumes the org is not actively adding sharing rules. For orgs with active Experience Cloud development, monthly audits or build-time checks are more appropriate.
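One way to implement the build-time check mentioned above, as an added example that is not Salesforce's or this page's own code: it parses a source-format sharing rules file, lists its guest user sharing rules, and fails when a rule has no recorded confirmed-intentional decision. The sample XML, the rule names, and the `DECISIONS` store are constructed for illustration, and the sketch assumes the org's sharing rules are kept in source control as Metadata API `SharingRules` files.

```python
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}

# Constructed sample of a Product2 sharing rules metadata file (not from a real org).
SAMPLE_XML = """<SharingRules xmlns="http://soap.sforce.com/2006/04/metadata">
    <sharingGuestRules>
        <fullName>Public_Catalog</fullName>
        <accessLevel>Read</accessLevel>
        <sharedTo><guestUser>Help_Center</guestUser></sharedTo>
    </sharingGuestRules>
    <sharingGuestRules>
        <fullName>All_Products</fullName>
        <accessLevel>Read</accessLevel>
        <sharedTo><guestUser>Help_Center</guestUser></sharedTo>
    </sharingGuestRules>
</SharingRules>"""

# Audit decisions recorded per rule, keyed by (object, rule name). Constructed.
DECISIONS = {("Product2", "Public_Catalog"): "confirmed-intentional"}

def guest_rules(object_name, xml_text):
    """Return one dict per guest user sharing rule declared in the file."""
    root = ET.fromstring(xml_text)
    rules = []
    for node in root.findall("md:sharingGuestRules", NS):
        rules.append({
            "object": object_name,
            "rule": node.findtext("md:fullName", default="", namespaces=NS),
            "access": node.findtext("md:accessLevel", default="", namespaces=NS),
            "site_guest": node.findtext("md:sharedTo/md:guestUser", default="", namespaces=NS),
        })
    return rules

def unreviewed(rules, decisions):
    """Rules without a 'confirmed-intentional' decision go to the backlog."""
    return [r for r in rules
            if decisions.get((r["object"], r["rule"])) != "confirmed-intentional"]

if __name__ == "__main__":
    backlog = unreviewed(guest_rules("Product2", SAMPLE_XML), DECISIONS)
    for r in backlog:
        print(f"UNREVIEWED {r['object']}.{r['rule']} access={r['access']} guest={r['site_guest']}")
    raise SystemExit(1 if backlog else 0)  # non-zero exit fails the build
```

This check only sees rules declared as guest user sharing rules in source; exposure through nested groups still needs the report itself.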