Guest User Sharing Rule Access Report
Definition
The Guest User Sharing Rule Access Report is a Salesforce Setup tool that audits which records are accessible to the guest user (the unauthenticated user serving Experience Cloud sites, Sites, and public Communities) through sharing rules. The report surfaces every active sharing rule that grants access to the guest user role or to any group containing the guest user, helping administrators identify unintended public exposure of sensitive data. The tool was introduced as part of Salesforce's 2020 guest user security tightening initiative, after several high-profile breaches involving guest user records.
The report is critical because guest user access has historically been one of the most common sources of accidental data exposure. A sharing rule that looks reasonable for internal users may inadvertently grant unauthenticated visitors access to customer data when the sharing target includes the guest user role. The report makes the audit tractable: rather than reviewing every sharing rule across every object manually, an administrator runs the report and sees a focused list of guest-user-relevant rules.
How the guest user audit report works
Why guest user security matters
Guest users represent unauthenticated visitors to your Experience Cloud sites, Force.com Sites, and public Communities. The guest user has its own User record (one per site) and is assigned to a guest user profile. Records the guest user can access through sharing rules become publicly visible to anyone visiting the site. Misconfigured sharing rules have caused multiple high-profile breaches where customer data was exposed to the internet through legitimate Experience Cloud paths.
What the report shows
The report lists active sharing rules across all objects where the access target includes the guest user. Each row shows the object, the rule name, the criteria, and the access level (Read or Read/Write). The output is the inventory you need to triage: review each rule, confirm the exposure is intentional, and tighten or remove rules that should not apply to unauthenticated visitors.
How guest users appear in sharing rule targets
The guest user appears as a sharing rule target in several forms. The most direct is a sharing rule that shares with the "Guest User License" public group or with the guest user profile. The indirect form is a rule that shares with a public group containing a role or another group that includes the guest user. The report follows the chain and surfaces both direct and indirect grants.
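The chain-following described above can be sketched as a graph search. This is an added example, not Salesforce's implementation or code from the original page; the group, role, user and rule names and the membership data are all constructed for illustration.

```python
from collections import deque

GUEST = "user:site_guest"  # hypothetical identifier for one site's guest user

# Constructed membership data: container -> direct members (users, roles, groups).
MEMBERS = {
    "group:PublicCatalogViewers": ["user:site_guest"],
    "group:PartnerSupport": ["role:SupportTier1", "group:AllSiteVisitors"],
    "group:AllSiteVisitors": ["group:PublicCatalogViewers", "group:PartnerSupport"],  # cycle
    "role:SupportTier1": ["user:alice"],
    "group:FinanceOnly": ["user:bob"],
}

# Constructed sharing rules: the columns the report shows, plus the rule's target.
RULES = [
    {"object": "Product2", "rule": "Public_Catalog", "access": "Read", "shared_to": "group:PublicCatalogViewers"},
    {"object": "Case", "rule": "Partner_Cases", "access": "Read/Write", "shared_to": "group:PartnerSupport"},
    {"object": "Invoice__c", "rule": "Finance_Invoices", "access": "Read", "shared_to": "group:FinanceOnly"},
    {"object": "Lead", "rule": "Guest_Leads", "access": "Read", "shared_to": "user:site_guest"},
]

def path_to_guest(target, members=MEMBERS, guest=GUEST):
    """Breadth-first search from a rule's target down to the guest user.
    Returns the shortest membership chain, or None if the guest is unreachable."""
    queue = deque([[target]])
    seen = {target}  # guards against groups that contain each other
    while queue:
        path = queue.popleft()
        if path[-1] == guest:
            return path
        for child in members.get(path[-1], []):
            if child not in seen:
                seen.add(child)
                queue.append(path + [child])
    return None

def guest_exposures(rules=RULES):
    """Return every rule whose target reaches the guest user, with the chain."""
    findings = []
    for r in rules:
        path = path_to_guest(r["shared_to"])
        if path:
            # Assumption: "direct" means no intermediate group or role in the chain.
            kind = "direct" if len(path) <= 2 else "indirect"
            findings.append({**r, "grant": kind, "chain": " > ".join(path)})
    return findings
```

The Partner_Cases rule is the case worth noticing: its target never names the guest user, yet it grants Read/Write through two nested groups.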
Running the report
Navigate to Setup > Security > Sharing Settings > Guest User Sharing Rule Access Report. The report runs on demand and returns immediately. The output is a list view of matching rules with download options. Schedule a recurring run if your security policy requires regular review; quarterly is a common cadence for Experience Cloud orgs.
Remediation patterns
For each rule the report flags, decide: (a) confirm the exposure is intended (a public-facing product catalog deliberately accessible to guests), (b) restrict the rule (limit the records it shares through tighter criteria), or (c) remove the rule entirely if guest access is not actually needed. Replace broad sharing rules with explicit Experience Cloud audience-targeting where possible; the modern tooling provides finer control than legacy sharing rules.
Secure Guest User Record Access
Salesforce introduced the Secure Guest User Record Access setting alongside this report. With it on, guest user record access is restricted regardless of what sharing rules say; some advanced configurations are blocked. The report and the setting work together: the report identifies the rules, and the setting prevents new sharing that would open risky access patterns to guest users. Both should be enabled in any Experience Cloud org handling sensitive data.
Limitations of the report
The report covers sharing rules but not all paths through which guest users can access data. Apex code running in guest user context can access records the sharing rules would not grant. Custom permissions, page layouts, and field-level security can also create exposure that the sharing rule report does not catch. Treat the report as a critical but not sole audit tool; complement it with code reviews and broader Experience Cloud security audits.
Run the Guest User Sharing Rule Access Report
Running the Guest User Sharing Rule Access Report is a recurring audit task, not a one-time fix. The steps below cover the audit cadence and the remediation workflow.
- Confirm Experience Cloud is enabled
The report is most relevant for orgs with active Experience Cloud sites. If you have no public-facing sites, the report is short, but still worth running once.
- Navigate to the report
Setup > Sharing Settings > Guest User Sharing Rule Access Report. The report runs on demand.
- Review the rule list
For each rule listed, examine the object, criteria, and access level. Most rules will be intentional (product catalog, public Knowledge); some may surprise you.
- Document each finding
Record the decision per rule: confirmed-intentional, needs-restriction, or remove. Build the remediation backlog from the not-intentional rows.
- Tighten or remove unintended rules
For rules to restrict, edit the criteria to scope to truly public records. For rules to remove, deactivate them. Test the Experience Cloud site after each change to confirm legitimate guest access still works.
- Enable Secure Guest User Record Access
Go to Setup > Sharing Settings > Secure Guest User Record Access and enable the setting. This prevents new risky rules from being added going forward.
- Schedule recurring audits
Quarterly is the standard cadence. Re-run the report and triage any new rules that have been added since the last audit.
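One way to keep the recurring audit focused is to carry the documented decisions forward and re-triage only what is new or has changed. This is an added example, not part of the original page or of Salesforce tooling; the field names, rule names and criteria strings are constructed and would need mapping to the columns of a real export.

```python
# Constructed decision log from the previous audit, keyed by (object, rule name).
PREVIOUS = {
    ("Product2", "Public_Catalog"): {"criteria": "IsActive = true", "access": "Read",
                                     "decision": "confirmed-intentional"},
    ("Case", "Partner_Cases"): {"criteria": "Type = 'Partner'", "access": "Read",
                                "decision": "confirmed-intentional"},
    ("Account", "Guest_Accounts"): {"criteria": "Public__c = true", "access": "Read",
                                    "decision": "needs-restriction"},
    ("Lead", "Guest_Leads"): {"criteria": "Source = 'Web'", "access": "Read",
                              "decision": "remove"},
}

# Constructed rows from the current report run.
CURRENT = [
    {"object": "Product2", "rule": "Public_Catalog", "criteria": "IsActive = true", "access": "Read"},
    {"object": "Case", "rule": "Partner_Cases", "criteria": "Type = 'Partner'", "access": "Read/Write"},
    {"object": "Account", "rule": "Guest_Accounts", "criteria": "Public__c = true", "access": "Read"},
    {"object": "FAQ__c", "rule": "Public_Articles", "criteria": "Published__c = true", "access": "Read"},
]

def triage(current=CURRENT, previous=PREVIOUS):
    """Sort current report rows into review buckets of (object, rule) keys."""
    queue = {"new": [], "changed": [], "open": [], "accepted": [], "gone": []}
    seen = set()
    for row in current:
        key = (row["object"], row["rule"])
        seen.add(key)
        old = previous.get(key)
        if old is None:
            queue["new"].append(key)        # added since the last audit
        elif (old["criteria"], old["access"]) != (row["criteria"], row["access"]):
            queue["changed"].append(key)    # earlier decision no longer applies
        elif old["decision"] == "confirmed-intentional":
            queue["accepted"].append(key)   # unchanged and already approved
        else:
            queue["open"].append(key)       # remediation still outstanding
    # Rules in the old log that the report no longer lists (removed or deactivated).
    queue["gone"] = sorted(set(previous) - seen)
    return queue
```

Partner_Cases lands in "changed" even though it was previously approved, because its access level widened from Read to Read/Write after the decision was recorded.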
Single execution. Returns the current state of guest-user-relevant sharing rules.
Export the list for offline review or sharing with the security team.
Companion setting that restricts new sharing. Enable in any production Experience Cloud org.
Modern Experience Cloud audience controls. Finer-grained than sharing rules; preferred for new configurations.
Separate audit of guest user Apex code. The report does not cover this path; conduct as a parallel review.
- The report covers sharing rules only. Apex code, page layouts, and FLS can expose data through paths the report does not catch.
- Indirect exposure through nested groups is common. A public group containing a role containing the guest user creates exposure; the report follows the chain but the underlying paths can be non-obvious.
- Removing a sharing rule may break legitimate public-facing functionality. Test the Experience Cloud site after each remediation step before declaring the fix complete.
- Secure Guest User Record Access is paired with the report but is a separate setting. Enable both; one without the other leaves gaps.
- Quarterly audit cadence assumes the org is not actively adding sharing rules. For orgs with active Experience Cloud development, monthly audits or build-time checks are more appropriate.
About the Author
Dipojjal Chakrabarti is a B2C Solution Architect with 29 Salesforce certifications and over 13 years in the Salesforce ecosystem. He runs salesforcedictionary.com to help admins, developers, architects, and cert/interview candidates sharpen their fundamentals.