
Restricting Access to Standard Salesforce Pages in Communities

As we continuously evaluate and update our security standards and recommendations, we have some additional recommendations that we want to share with you. In addition to the guidelines in the January '19 Release, we recommend some other changes to your Communities settings to further restrict access to standard Salesforce pages. 
 
Standard Salesforce pages can be accessed via Communities if a user alters the URL directly, circumventing the client-side page-blocker script. Salesforce provides a per-community configuration setting, accessible only via the Salesforce Metadata API, to disable access to standard pages, but it has some drawbacks. Among them, it disables some Communities admin controls and requires stripped-down layouts, notably page layouts that must be assigned to community user profiles. We recommend you disable Chatter for community profiles immediately and complete the following steps:

  1. Disable access to standard Salesforce pages for any community sites related to TargetX products.
  2. Configure stripped-down layouts for community users:
    1. Verify Page Layout assignments. Updated Page Layouts are available in the April '19 Release, or you can update your Page Layouts manually.
  3. Review List View Layouts or update these layouts so that they are not made visible to Community Users.
  4. Review Search Layouts or update these layouts so that they do not contain fields with sensitive information (i.e., any field that contains data that you would not want a user to see).

Disabling Standard Pages in Communities


This is an advanced process, but a CRM Admin should be able to complete these steps using Workbench and a text editor:

  1. Download the package.xml file provided with this article; it is used with Workbench to retrieve your Communities Site metadata.
  2. Navigate to Workbench (https://workbench.developerforce.com/login.php) and agree to the Terms of Service.

[Screenshot: Workbench login screen]

  3. Retrieve your Communities Site metadata:
    1. Click Migration, then Retrieve.
    2. Click Choose File.
    3. Select the package.xml file downloaded in step 1.
    4. Click Next.

[Screenshot: Workbench retrieve]

  4. Click Retrieve.

[Screenshot: Workbench retrieve success]

  5. Click Download ZIP File.

[Screenshot: Metadata API process]

  6. Change the Communities Site metadata files to disable standard Salesforce pages with a text editor:
    • Extract the contents of the downloaded zip file.
    • In the location where you extracted the contents of the zip file, navigate to unpackaged\sites.
    • In the text editor, open any .site files for which you want to restrict access to standard Salesforce pages.
    • In the files, change

      <allowStandardPortalPages>true</allowStandardPortalPages>

      to

      <allowStandardPortalPages>false</allowStandardPortalPages>

    • Save the files.
    • Create a new zip file ("changes.zip") with the updated contents of the downloaded and extracted zip file.
      • The top level of the new zip file should contain the "unpackaged" directory and all subfolders and files within it.
       

  7. Deploy the changes via Workbench:
    • In Workbench, navigate to Migration, then Deploy.
    • Click Choose File.
    • Set Rollback on Error to checked.
    • Set Test Level to RunLocalTests.
    • Click Next.

[Screenshot: Workbench deploy screen]

  8. Click Deploy.

[Screenshot: Workbench deploy warning]

  9. On the following page, confirm you see the message "success: true" and that there are no "componentFailures".

[Screenshot: Workbench success]

Note: disabling standard pages breaks some aspects of Communities administration.

For example, selecting the Login page in the Communities workspace (shown below) will result in a "URL No Longer Exists" error. IF YOU GET THIS ERROR, ALL OF YOUR ABOVE STEPS ARE CORRECT.

[Screenshot: Communities admin screen]

To re-enable standard pages for communities, perform the above steps but use the following setting: <allowStandardPortalPages>true</allowStandardPortalPages>

Update Community Standard Page Layouts


Configure layouts for community profiles to limit what data those users can access. This can be time-consuming based on the number of objects accessible to community profiles. When complete, if a user navigates to a standard Salesforce page URL and bypasses the page blocker, they will see the following:

[Screenshot: Community Standard Page Layouts]

  1. Review which objects your Community Users have access to:
    • Navigate to your list of user profiles: http://login.salesforce.com/00e
    • For any profile assigned to access Communities, review the list of objects under "Object Settings" for which the profile has "Read" access listed. The following steps should be done for each object for which the profile has at least "Read" access.
  2. For each object where the profile has at least Read access (example below for the TargetX packaged "Application" object):
    • Review Search Layouts:
      • Navigate to Setup > Object Manager > Application
      • Click Search Layouts

[Screenshot: Search Layouts]

      • Click Edit next to each search layout and remove sensitive fields from all search layouts.
    • Create a minimal page layout for that object:
      • Navigate to Setup > Object Manager > Application

[Screenshot: Custom objects]

      Note: These changes are global and internal users will be impacted.

      • Click Page Layouts

[Screenshot: Page layouts]

      • Click New in the Page Layouts list.
      • Provide a meaningful name (e.g., "Communities").

[Screenshot: New page layout]

      • Click Save
      • Ensure all components have been removed from the layout (e.g., fields, related lists, buttons, etc.)

      Note: At least one field must be present on each layout.

[Screenshot: Communities page layout]

    • Assign the layout to the Community Profile:
      • Under Page Layouts, click Page Layout Assignment

[Screenshot: Page Layout Assignment]

      • Click Edit Assignment

[Screenshot: Edit Page Layout Assignment]

      • Click the name of any Profiles where you want to update the layout:
        • This will select all columns if Record Types are enabled
        • Tip: you can use "Ctrl+Click" to select multiple profiles at once
      • Next to Page Layout to Use, select the Communities layout that was created.

[Screenshot: Page Layout to Use]

      • Click Save
    • Remove access to all List View layouts for that object:
      • Navigate to the list view layout for that object

[Screenshot: list view layout for object]

      • For each List View, if the List View visibility is set to Visible to all users (including partner and customer portal users), complete the following steps:
        1. Click Edit
        2. Under Restrict Visibility, ensure that Visible to all users (including partner and customer portal users) is not selected.
        3. You can select Visible only to me or Visible to specific groups of users.
        4. If you select Visible to specific groups of users, we recommend you choose either a public group you have previously created or the pre-delivered group All Internal Users if you want all internal users to continue seeing this list view.

[Screenshot: List View visibility]

[Screenshot: List View share]

That is the final step. Repeat these steps for every object to which the profile has at least Read access.
     

Changes to client orgs to address potential vulnerabilities

On April 9, 2019, we proactively pushed changes to client orgs to address potential vulnerabilities described in a recent blog post. Specifically:

 
TargetX Communities for all clients were updated to disable standard Salesforce pages. This change was made directly to the Community Site metadata. If you have already performed these changes to your Communities site metadata, your changes will not be affected, and no further action is required. TargetX Community sites were identified by their "Community Home" page (indexPage) setting.

The logic used to apply this change was:

IF indexPage = "TX_CommunitiesLanding" AND allowStandardPortalPages = "true"
SET allowStandardPortalPages = "false"
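The manual .site edit in step 6 of "Disabling Standard Pages in Communities" and the April 9 rule above are the same operation: find <allowStandardPortalPages>, flip it from true to false, and repackage the "unpackaged" directory for deployment. The following Python script is an added example that does this; it is not TargetX's or Salesforce's tooling. It assumes the retrieve zip has been extracted so that the .site files sit under unpackaged/sites, uses the real Metadata API namespace and the CustomSite type name, and embeds constructed, trimmed .site and package.xml documents for the demo (they are not client metadata). The function and parameter names (disable_standard_pages, required_index_page, rewrite_site_files, build_changes_zip, demo) are this example's own. Passing required_index_page="TX_CommunitiesLanding" reproduces the push rule; leaving it out reproduces the manual step, which changes every .site file.

```python
"""Rewrite retrieved Communities Site metadata so that <allowStandardPortalPages>
is false, then package the result as changes.zip with "unpackaged" at the top
level, ready for Workbench > Migration > Deploy.

Added example (not TargetX's or Salesforce's code). Assumes the retrieve zip was
extracted so that .site files live under <extract_dir>/unpackaged/sites.
"""
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Namespace used by every Salesforce Metadata API XML document (.site, .profile, ...).
MD_NS = "http://soap.sforce.com/2006/04/metadata"
ET.register_namespace("", MD_NS)  # serialise with the default namespace, not an ns0: prefix


def disable_standard_pages(site_xml: str,
                           required_index_page: Optional[str] = None) -> Tuple[str, bool]:
    """Return (new_xml, changed) for one .site document.

    The flag is flipped only when it is currently true and, if required_index_page
    is given, only when <indexPage> matches it (the TargetX rule uses
    TX_CommunitiesLanding). Documents needing no change are returned untouched.
    """
    root = ET.fromstring(site_xml)
    flag = root.find(f"{{{MD_NS}}}allowStandardPortalPages")
    if flag is None or (flag.text or "").strip().lower() != "true":
        return site_xml, False  # absent or already false: nothing to do
    if required_index_page is not None:
        index_page = (root.findtext(f"{{{MD_NS}}}indexPage") or "").strip()
        if index_page != required_index_page:
            return site_xml, False  # not a TargetX community: leave it alone
    flag.text = "false"
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + body + "\n", True


def rewrite_site_files(extract_dir: str,
                       required_index_page: Optional[str] = None) -> List[str]:
    """Apply disable_standard_pages to every .site file under unpackaged/sites.

    Returns the paths that were rewritten so the operator can diff them before deploying.
    """
    sites_dir = os.path.join(extract_dir, "unpackaged", "sites")
    rewritten = []
    for name in sorted(os.listdir(sites_dir)):
        if not name.endswith(".site"):
            continue
        path = os.path.join(sites_dir, name)
        with open(path, encoding="utf-8") as fh:
            new_xml, changed = disable_standard_pages(fh.read(), required_index_page)
        if changed:
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(new_xml)
            rewritten.append(path)
    return rewritten


def build_changes_zip(extract_dir: str, zip_path: str) -> List[str]:
    """Zip <extract_dir>/unpackaged so that "unpackaged/" is the top-level entry.

    Returns the archive member names in the order they were written.
    """
    top = os.path.join(extract_dir, "unpackaged")
    members = []
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for dirpath, dirnames, filenames in os.walk(top):
            dirnames.sort()  # deterministic order
            for filename in sorted(filenames):
                full = os.path.join(dirpath, filename)
                arcname = os.path.relpath(full, extract_dir).replace(os.sep, "/")
                zf.write(full, arcname)
                members.append(arcname)
    return members


# Constructed, trimmed .site documents for the demo (not real client metadata).
SAMPLE_TX_SITE = f"""<?xml version="1.0" encoding="UTF-8"?>
<CustomSite xmlns="{MD_NS}">
    <active>true</active>
    <allowStandardPortalPages>true</allowStandardPortalPages>
    <indexPage>TX_CommunitiesLanding</indexPage>
</CustomSite>
"""
SAMPLE_OTHER_SITE = SAMPLE_TX_SITE.replace("TX_CommunitiesLanding", "Home")
# Constructed package.xml naming the CustomSite type, as a retrieve of sites would carry.
SAMPLE_PACKAGE_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<Package xmlns="{MD_NS}">
    <types>
        <members>*</members>
        <name>CustomSite</name>
    </types>
    <version>45.0</version>
</Package>
"""


def demo() -> dict:
    """Stage the sample sites in a temp directory, apply the TargetX rule, build changes.zip."""
    work = tempfile.mkdtemp(prefix="tx_sites_")
    sites_dir = os.path.join(work, "unpackaged", "sites")
    os.makedirs(sites_dir)
    files = {
        os.path.join(work, "unpackaged", "package.xml"): SAMPLE_PACKAGE_XML,
        os.path.join(sites_dir, "TX_Community.site"): SAMPLE_TX_SITE,
        os.path.join(sites_dir, "Other_Community.site"): SAMPLE_OTHER_SITE,
    }
    for path, content in files.items():
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    rewritten = rewrite_site_files(work, required_index_page="TX_CommunitiesLanding")
    members = build_changes_zip(work, os.path.join(work, "changes.zip"))
    return {"rewritten": [os.path.basename(p) for p in rewritten], "zip_members": members}


if __name__ == "__main__":
    print(demo())
```

The rewrite goes through an XML parser rather than a string replace so that a file whose flag is already false, or whose indexPage does not match, is left byte for byte unchanged and shows up as untouched in a pre-deploy diff; running it twice is a no-op. Deploying with Rollback on Error checked, as the steps above say, means a single malformed .site file aborts the whole deployment rather than leaving some communities changed and others not.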

In addition, these fields on the Application object had Field-Level Security (FLS) permissions updated for all Community User profiles:

Field API Name                                        Changed to
TargetX_Reader__Disable_Cache__c                      Hidden
TargetX_SRMb__App_Submit_Letter_Sent_Date__c          Hidden
TargetX_SRMb__Application_Decision__c                 Read Only
TargetX_SRMb__Application_Fee_Amount__c               Hidden
TargetX_SRMb__Application_Key__c                      Hidden
TargetX_SRMb__Application_Submitted_Text__c           Read Only
TargetX_SRMb__ApplicationFYDate__c                    Hidden
TargetX_SRMb__Authorized_for_Third_Party_Release__c   Hidden
TargetX_SRMb__CC_Approval_Number__c                   Hidden
TargetX_SRMb__CC_Transaction_Approval__c              Hidden
TargetX_SRMb__Decision__c                             Hidden
TargetX_SRMb__Decision_Display_Value__c               Hidden
TargetX_SRMb__Decision_Letter_Details__c              Read Only
TargetX_SRMb__Decision_Publish_Date_Time__c           Read Only
TargetX_SRMb__Deposit_Amount__c                       Read Only
TargetX_SRMb__Deposit_Authorization_Number__c         Hidden
TargetX_SRMb__Deposit_Paid_Date__c                    Read Only
TargetX_SRMb__Fee_Decision_By__c                      Hidden
TargetX_SRMb__Fee_Waiver_Decision_Date__c             Hidden
TargetX_SRMb__Fee_Waiver_Decision_Reason__c           Hidden
TargetX_SRMb__FERPA_Waived__c                         Hidden
TargetX_SRMb__Hidden_from_App_Dashboard__c            Read Only
TargetX_SRMb__Last_Rolled_Up__c                       Hidden
TargetX_SRMb__Portal_Application_Label__c             Read Only
TargetX_SRMb__Show_Reply_to_Offer__c                  Read Only
TargetX_SRMb__SRM_ETL_ID__c                           Hidden
TargetX_SRMb__Start_Term_and_Year__c                  Read Only
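A pushed FLS change can drift back through later profile edits or package upgrades, so it is worth checking. The following Python script is an added example, not a TargetX tool: it reads a Community User profile retrieved through the Metadata API (a .profile document, whose <fieldPermissions> entries carry <readable> and <editable> flags) and reports every field in the table above that is more exposed than listed. "Hidden" is taken to mean readable=false, "Read Only" readable=true and editable=false, and a field with no entry is treated as having no read access; fields that are stricter than the table are not flagged. The Application object's API name is not given on this page, so APPLICATION_OBJECT is an assumed placeholder to confirm in Object Manager, and the embedded .profile document is constructed for the demo.

```python
"""Audit a Community User profile's field-level security on the Application object
against the FLS table, flagging fields granted more than the table allows.

Added example, not a TargetX tool. Assumes a .profile document retrieved through
the Metadata API, and that a field with no <fieldPermissions> entry is not readable.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

MD_NS = "http://soap.sforce.com/2006/04/metadata"

# ASSUMED API name of the TargetX packaged "Application" object (the article gives
# only its label). Replace with the value shown in Setup > Object Manager.
APPLICATION_OBJECT = "TargetX_SRMb__Application__c"

# Expected FLS per the table: 17 Hidden, 10 Read Only.
HIDDEN_FIELDS = (
    "TargetX_Reader__Disable_Cache__c", "TargetX_SRMb__App_Submit_Letter_Sent_Date__c",
    "TargetX_SRMb__Application_Fee_Amount__c", "TargetX_SRMb__Application_Key__c",
    "TargetX_SRMb__ApplicationFYDate__c", "TargetX_SRMb__Authorized_for_Third_Party_Release__c",
    "TargetX_SRMb__CC_Approval_Number__c", "TargetX_SRMb__CC_Transaction_Approval__c",
    "TargetX_SRMb__Decision__c", "TargetX_SRMb__Decision_Display_Value__c",
    "TargetX_SRMb__Deposit_Authorization_Number__c", "TargetX_SRMb__Fee_Decision_By__c",
    "TargetX_SRMb__Fee_Waiver_Decision_Date__c", "TargetX_SRMb__Fee_Waiver_Decision_Reason__c",
    "TargetX_SRMb__FERPA_Waived__c", "TargetX_SRMb__Last_Rolled_Up__c",
    "TargetX_SRMb__SRM_ETL_ID__c",
)
READ_ONLY_FIELDS = (
    "TargetX_SRMb__Application_Decision__c", "TargetX_SRMb__Application_Submitted_Text__c",
    "TargetX_SRMb__Decision_Letter_Details__c", "TargetX_SRMb__Decision_Publish_Date_Time__c",
    "TargetX_SRMb__Deposit_Amount__c", "TargetX_SRMb__Deposit_Paid_Date__c",
    "TargetX_SRMb__Hidden_from_App_Dashboard__c", "TargetX_SRMb__Portal_Application_Label__c",
    "TargetX_SRMb__Show_Reply_to_Offer__c", "TargetX_SRMb__Start_Term_and_Year__c",
)
EXPECTED_FLS: Dict[str, str] = {**{f: "Hidden" for f in HIDDEN_FIELDS},
                                **{f: "Read Only" for f in READ_ONLY_FIELDS}}
EXPOSURE_RANK = {"Hidden": 0, "Read Only": 1, "Read/Write": 2}


def parse_field_permissions(profile_xml: str) -> Dict[str, Tuple[bool, bool]]:
    """Map each 'Object.Field' in the profile to (readable, editable)."""
    root = ET.fromstring(profile_xml)
    perms = {}
    for fp in root.findall(f"{{{MD_NS}}}fieldPermissions"):
        field = (fp.findtext(f"{{{MD_NS}}}field") or "").strip()
        readable = (fp.findtext(f"{{{MD_NS}}}readable") or "false").strip().lower() == "true"
        editable = (fp.findtext(f"{{{MD_NS}}}editable") or "false").strip().lower() == "true"
        perms[field] = (readable, editable)
    return perms


def describe(flags: Tuple[bool, bool]) -> str:
    """Translate (readable, editable) into the labels the table uses."""
    readable, editable = flags
    if not readable:
        return "Hidden"
    return "Read/Write" if editable else "Read Only"


def find_overexposed_fields(profile_xml: str) -> Dict[str, Tuple[str, str]]:
    """Return {field: (expected, actual)} for fields granted more than the table allows.

    Fields stricter than the table (e.g. a Read Only field that is Hidden) are not
    flagged: that is a functionality question, not an exposure.
    """
    perms = parse_field_permissions(profile_xml)
    findings = {}
    for field, expected in EXPECTED_FLS.items():
        actual = describe(perms.get(f"{APPLICATION_OBJECT}.{field}", (False, False)))
        if EXPOSURE_RANK[actual] > EXPOSURE_RANK[expected]:
            findings[field] = (expected, actual)
    return findings


def _perm(field: str, readable: bool, editable: bool) -> str:
    """Build one <fieldPermissions> block for the constructed sample below."""
    return (f"    <fieldPermissions>\n"
            f"        <editable>{str(editable).lower()}</editable>\n"
            f"        <field>{APPLICATION_OBJECT}.{field}</field>\n"
            f"        <readable>{str(readable).lower()}</readable>\n"
            f"    </fieldPermissions>\n")


# Constructed, trimmed Community User .profile document (not real client metadata).
SAMPLE_PROFILE = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    f'<Profile xmlns="{MD_NS}">\n'
    + _perm("TargetX_SRMb__Decision__c", True, False)              # table says Hidden
    + _perm("TargetX_SRMb__Application_Decision__c", True, False)  # matches table
    + _perm("TargetX_SRMb__Deposit_Amount__c", True, True)         # table says Read Only
    + "</Profile>\n"
)

if __name__ == "__main__":
    for field, (expected, actual) in find_overexposed_fields(SAMPLE_PROFILE).items():
        print(f"{field}: expected {expected}, found {actual}")
```

Run it against each profile that can log in to a Community; the two findings on the sample (Decision__c readable, Deposit_Amount__c editable) are the kind of drift that FLS alone would otherwise leave visible through any standard page or API path that bypasses the page layout.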