Avoid a Potential Security Vulnerability
The guest and member user profiles contain the Exchange Viewer permission, which gives access to all assets in Exchange with the corresponding visibility. An impersonated user can potentially exploit this visibility to access assets that are not intended for them.
To resolve this issue, ensure that guest and community users can access only the intended and required assets.
- Create a new team in Access Management called Guest Community Users and create a new mapping for External Idp Groups called Community Guest.
- In Salesforce, change the Named Credential authentication information.
- In Exchange, share the assets with the Everyone visibility with the Guest Community Users team, and share the assets with the Members only visibility with the Community Users team.
- In Access Management, remove the Exchange Viewer permission and the inherited permissions of the guest user and the Community Users team.
To avoid a potential security vulnerability:
- Create a new team in Access Management called Guest Community Users and create a new mapping for External Idp Groups called Community Guest:
  - Go to Access Management.
  - In the Access Management navigation menu, click Teams.
  - Click Create Team and enter Guest Community Users.
  - Select External Idp Groups and enter the following fields:
    - In Group Name, enter Community Guest.
    - In Provider Name, select a provider.
  - Click Save Changes.
- In Salesforce, change the Named Credential authentication information:
  - Go to Salesforce > Setup.
  - In the Quick Find search box, enter Named Credentials and select it.
  - Click Anypoint.
  - In the Authentication section, go to the Per User Subject field.
  - In the Formula Editor field, change
    & "|[\"Community User\"]"
    to
    & "|" & IF($User.Alias = "guest", "[\"Community Guest\"]", "[\"Community User\"]")
  - Click Save.
- In Exchange, share the asset with the Guest Community Users or the Community Users team. Repeat these steps for each asset you want to share with guest community users or community users:
  - Go to Exchange and select the asset.
  - Click Share.
  - In the Collaborators tab, enter Guest Community Users or Community Users.
  - Click Save.
- In Access Management, remove the ability for users to see the inherited permissions from the Exchange Viewer permission:
  - Go to Access Management > Users.
  - Select the guest user.
  - In Permissions, move the slider to disable showing inherited permissions.
  - Click Permissions > Remove all permissions.
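The following is an added example, not MuleSoft's or Salesforce's code: a simplified model of the procedure above that lets you check, before and after the fix, which assets a guest community user can reach. The team, group and visibility names are taken from this page; the sample assets, the authorization logic and the shape of the Per User Subject string are constructed assumptions, not Anypoint's real implementation.

```python
import json

# Model of the corrected Per User Subject formula from the Salesforce step:
#   <username> & "|" & IF($User.Alias = "guest", "[\"Community Guest\"]", "[\"Community User\"]")
# The "<username> & ..." prefix is an assumption; the page shows only the tail.
def per_user_subject(username: str, alias: str) -> str:
    group = "Community Guest" if alias == "guest" else "Community User"
    return f'{username}|["{group}"]'

# External IdP group -> Access Management team. "Community Guest" is the new
# mapping created in step 1; "Community User" is the existing one.
GROUP_TO_TEAM = {
    "Community Guest": "Guest Community Users",
    "Community User": "Community Users",
}

# Constructed sample catalog: (asset, visibility, teams it is shared with),
# following step 3: Everyone assets go to Guest Community Users, Members only
# assets go to Community Users. "internal-api" is deliberately shared with nobody.
ASSETS = [
    ("public-api", "Everyone", {"Guest Community Users"}),
    ("partner-api", "Members only", {"Community Users"}),
    ("internal-api", "Members only", set()),
]

def team_for_subject(subject: str) -> str:
    """Parse the group name out of the subject and map it to its team."""
    group = json.loads(subject.split("|", 1)[1])[0]
    return GROUP_TO_TEAM[group]

def visible_assets(subject: str, exchange_viewer: bool) -> set:
    """Assets the subject can see.

    exchange_viewer=True models the vulnerable state (assumption): the broad
    Exchange Viewer permission exposes every asset regardless of sharing.
    exchange_viewer=False models the fix: only explicitly shared assets are visible.
    """
    if exchange_viewer:
        return {name for name, _, _ in ASSETS}
    team = team_for_subject(subject)
    return {name for name, _, teams in ASSETS if team in teams}

def guest_exposure(exchange_viewer: bool) -> set:
    """Assets a guest-alias user can reach that were not meant for guests."""
    seen = visible_assets(per_user_subject("guest-user", "guest"), exchange_viewer)
    return {name for name, vis, _ in ASSETS if name in seen and vis != "Everyone"}
```

Running `guest_exposure(True)` versus `guest_exposure(False)` shows the difference the fix makes: the guest reaches Members only assets only while the Exchange Viewer permission is still present.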