We're on the Business plan trying to lock down our External Users group so they only access the specific apps we've shared. Ideally they only reach sub.domain.com/apps/appname though currently can hit /querylibrary and /settings/... (sees other users' emails).
This & this thread exactly answer those questions, however our UI looks different and does not have those exact settings (possibly version updates).
We’ve tried to solve by creating a custom role with everything disabled except the minimum "View account details" and applied it to all relevant groups, however it doesn't take effect and external users still hit /querylibrary and /settings/. Same result with no role.
Possibly relevant: org was created before 3.259.0.
We’re likely missing something, any insight into what that is? Any guidance appreciated, thanks!
Hi @S00! Welcome to the community and thanks for reaching out!
There have been a few changes in the UI since the team posted on those two threads. Thanks for linking those here for me to look through! The user management options are no longer under “Additional” but are within roles (which you’ve attached in your screenshot).
I tried to reproduce what you’re describing, but things worked as expected on my end so I just want to confirm that our setup is aligned.
You can keep your “None” role as is, and it looks like your external-users group is configured to access 1 specific app and 2 resources. If that looks good, you can try clicking into the general tab.
Under general, in settings/groups/{{id}}/external-users, the members within that external-users group should be listed. You’ll also see “Manage Roles” and select the role you’ve created. In your case, you can select “None” because that’s the name of the group in the screenshot you attached.
Similarly, under Assignment for /settings/roles, you should see External Users. Is that also showing up?
Re UI changes: Understood, expected as such!
Re Apps & Resources: Confirmed, access is correct (and subject to change).
Re Roles & Assignment: Confirmed, in the External Users group, user is a listed member and the "None" role is selected, and it's reflecting correctly as well in the role's Assignment tab (additionally tested (1) with no role selected (2) with role “None” selected for only the external users group, and (3) with role “None” added to every group).
Despite this, the external user can still hit /querylibrary and /settings/.
Happy to share anything additional to help narrow it down. Thanks again!