yes,

but that’s automatically handled.

When turning on anonymous access, you have to specify a user role. That user role defines the access rights of the anonymous user.

When a user accesses the application w/o being logged in, then a (temp) user is created, with the anonymous role assigned and a session is started for that user