Permissions
GRAX controls access levels via permission set assignments. Any user that wants to access GRAX must first have the proper Salesforce permission set assignments.
What are the GRAX permission sets and what do they do?
The following permission sets grant the access detailed in the table below:
GRAX Console Standard Permission: Standard User access per the table belowGRAX Console Seeding Permission: Seeding User access per the table belowGRAX Console Purge Permission: Purge User access per the table belowGRAX Console Power Permission: Power User access per the table belowGRAX Console Admin Permission: Admin User access per the table belowGRAX Console View All Fields: Do not apply Field Level Security checks to this user in the GRAX Application (see below for more details)
The GRAX Console Admin Permission permission set is assigned to the GRAX Integration user account automatically otherwise these are created but not assigned. Please be sure to assign the proper level of access to all users that you want to access the GRAX Application.
Auto Backup Dashboard
None
None
View
None
View and Configure
Archive
None
None
View and Run
None
View and Run
Restore
None
None
View and Run
None
View and Run
Delete Tracking
None
None
View
None
View
Sandbox Seeding
None
View and Run
View and Run
None
View and Run
Search
View and Run
View and Run
View and Run
None
View and Run
Purge
None
None
None
View and Run
View and Run
Data Lake
None
None
View
None
View and Configure
Settings
None
None
None
None
View and Configure
To summarize the main differences between these 4 access levels:
Standard User can lookup records by the ID and see record details, but cannot see any other features
Purge User can purge records from the GRAX Data Vault
Seeding User can run Global Search and Seed records into a sandbox
Power User has nearly the same access as Admin User, but cannot see
Settingsand cannot configure objects for Search or Data LakeAdmin User can see and do everything
You can find a call-out in the GRAX navigation menu stating the current logged in user's access level. Note that the permission sets are cumulative, such that the user has the highest level of access granted.
How do I create the GRAX permission sets?
There are 2 supported ways to assign Salesforce permission sets.
Creating the GRAX Permission Sets via Auto Config
GRAX Console Standard PermissionGRAX Console Seeding PermissionGRAX Console Purge PermissionGRAX Console Power PermissionGRAX Console Admin PermissionGRAX Console View All Fields
Creating the GRAX Permission Sets Manually
The following script can be used to create GRAX permission sets using the Salesforce Developer Console:
Open the
DebugmenuSelect
Open Execute Anonymous Window(or pressCTRL + E)Copy the script below into the
Enter Apex CodedialogSelect the
Open LogcheckboxClick
Execute
Why are there additional GRAX permission sets beyond those listed above?
Permission sets that do not begin with GRAX Console are legacy permission sets that have been replaced with the GRAX Console permissions detailed above.
Some of the legacy GRAX permission sets you may see are:
GRAX - AdminGRAX - Archive MasterGRAX - Community UserGRAX - Data AdminGRAX - Datahub Search PermissionGRAX - Limited Admin
These legacy permission sets are installed when you install the GRAX Managed Package for Salesforce. They control user access within the managed package, as well as within the GRAX Application and embedded experiences. The following 3 legacy permission sets can still control user access. Please see the equivalency table below for more details:
GRAX_Configuration_Admin
GRAX_Advanced_User
GRAX_User
Field Level Permissions
In addition to the Access Levels above, GRAX applies field level permissions to all users logged in via SSO. This means you can restrict what fields they see in the GRAX Application the same way you'd do for any Salesforce user. The "View All Fields" modifier allows a user to see add fields on an object in GRAX, regardless of their Salesforce Field Level Security or the current object schema.
The following script can be used to create this GRAX permission set using the Salesforce Developer Console:
Open the
DebugmenuSelect
Open Execute Anonymous Window(or pressCTRL + E)Copy the script below into the
Enter Apex Codedialog
Next Steps
Frequently Asked Questions
Can I use the System Administrator profile for the Integration User?
Yes, but keep in mind that the standard System Administrator profile does not automatically grant full access to all records and fields. Certain permissions, like View Encrypted Data and Query All Files, are not enabled by default, and Field Level Security still applies.
Can I use a custom profile instead of the GRAX permission sets?
A custom profile can be used alongside the GRAX permission sets, but it cannot replace them. To ensure proper functionality and access control, GRAX permission sets must remain in place.
Can I rename the GRAX permission sets?
No. Renaming GRAX permission sets can disrupt essential functions like monitoring, alerting, and troubleshooting. It may also affect Missing Field Permissions detection and GRAX Lightning Web Components (LWCs). To ensure system stability, please refrain from renaming the GRAX permission sets.
What does an error running the Field Level Permission Apex script mean?
The FLS Apex script needs to list every object, field and field permission in your org and update FieldPermissions records for anything missing. This must be run by a System Administrator or else it is likely to encounter an error. For orgs with many objects or many missing field permissions the script may take a while and encounter Apex timeout errors.
Subject: FLS Permission Script Errors
Your Salesforce org ID
Your Salesforce System Administrator email address
Details of what script you ran and how
The full error message you received
What if my permissions were incomplete during Auto Backup?
To avoid having to redo work due to incomplete permissions, GRAX automatically checks and enforces permissions before you can start Auto Backup. However if a permission problem did affect backup data you can:
Fix the permission problem, for example grant missing Field Level Security
Browse to /web/tools in the GRAX Application (
Settings-->Diagnostics and Tools)Select the
Reset Auto Backup objectstoolClick on the object that needs to be reset
Review the confirmation message
Click "Proceed" to reset the object as if it has never been backed up with GRAX
Repeat step 4-6 as needed for all affected objects
This is non-destructive, and re-does the object backfill with the correct permissions, "fixing" your backup data set.
What if I can't grant 'View All Data'/'Modify All Data' or remove Field Level Restrictions?
GRAX goal is to provide the best Recovery Point Objective (RPO) possible. To support data recovery, GRAX must:
Read all records and their relationships frequently for backup
Write any record and its relationships at any time from backup data for restore
If GRAX can not read some objects or records entirely, or some records partially due to field restrictions, its backup data set is incomplete. If GRAX can not write some objects or records entirely, its ability to restore data is incomplete. Therefore, any permissions that deny access to read or write any object, record, or field can lead to a total inability to recover data.
Modify All Data - Specifies that the user can view any data stored in the database and edit any field with the editable flag. This permission is also required for any user who wants to upsert non-unique external IDs through the API. When this permission isn't enabled and if the user tries an upsert using non-unique external ID the error seen is as follows : INSUFFICIENT_ACCESS: Upsert requires view all data on a non-unique custom index
Last updated
Was this helpful?