Guest User Best Practices<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } What is the function of the Guest user on an instance ? Can I modify / delete it ? The Guest user on your instance is needed for login, email and many other platform features: An anonymous request cannot establish a valid impersonated session against an inactive user, so public content either errors or bounces to the login page. What breaks, with no workaround for the end user because they hold no credentials at that point: Public Knowledge [kb_knowledge] viewed without login, and public catalog items.Public Service Portal pages and widgets (sp_page / sp_widget with Public = true).External user self-registration and "Request Account" on CSM / CSP portals. The pre-account stage runs as guest. (This is the same flow you have been working in.)Self-service password reset (Forgot Password) for locked-out users, since that flow's unauthenticated stage runs as guest.Public UI Pages [sys_ui_page] and public Processors [sys_processor].Public Scripted REST resources (Requires authentication = false).SP-initiated SSO landing and other pre-auth processing. With this in mind, you should never delete or deactivate the guest user.Additionally, please don't set a password on the guest user. A user without a password is automatically barred from logging in to the instance, so a guest user without a password is not posing a security issue. Security Concerns: Deactivating or deleting the guest user is not a recommended way to secure the instance. The guest user is the account that all anonymous, unauthenticated activity runs under, so disabling or removing it would take down every piece of public-facing functionality at the same time, including public knowledge articles, any public portal pages, new external-user self-registration, and self-service password reset for users who are locked out. We recommend instead locking down exactly what is exposed to the public and tightly restricting the guest user's permissions. That approach removes the security exposure you are concerned about while keeping legitimate public functionality working. For customers where public entity is not needed, the guest account is still essential and we ask that you look at other hardening features such as IP access controls and Adaptive Authentication to have more control on hardening your instance without losing basic platform functionality.