LogoLogo
TrustAPI Docs
  • Application
  • Support
  • Platform
  • Infrastructure
  • Security
  • Notices
  • Overview
  • Protect Data
    • Auto Backup
      • Auto Backup API Usage
      • Supported Objects
      • Delete Tracking
      • Salesforce Metadata Backup
      • Missing Field Permissions
      • Viewing Records
      • Viewing Files
    • Archive
    • Restore
      • Restore Best Practices
    • Purge
  • Reuse Data
    • Data Replication
      • Data Replication API Usage
      • Supported Objects
      • Delete Tracking
      • Missing Field Permissions
      • Viewing Records
      • Viewing Files
    • Global Search
    • Data Lake (formerly History Stream)
      • AWS Data Lakehouse
      • DuckDB Data Lake
      • Heroku Data Lakehouse
      • Azure Data Lake
      • Data Lake FAQ
      • Data Lake v1 (formerly History Stream)
    • Salesforce Sandbox Seeding
      • Sandbox Seeding Walkthrough
    • Public API
    • Managed Package
      • Second Generation
        • Features
        • Install
        • Update
        • Uninstall
      • First Generation
        • Features
        • Configure
        • Uninstall
        • Migrate
      • Frequently Asked Questions
  • Other
    • Settings
      • Connecting Salesforce
      • Connecting Storage
      • Sandbox Refresh
    • Notifications
    • Permissions
      • Integration User
      • Integration User Scripts
    • Troubleshooting
      • Debugging Salesforce Triggers
    • Auto Updates

Copyright © 2025 GRAX, Inc.

On this page
  • What are the GRAX permission sets and what do they do?
  • How do I create the GRAX permission sets?
  • Why are there additional GRAX permission sets beyond those listed above?
  • Field Level Permissions
  • Next Steps
  • Frequently Asked Questions

Was this helpful?

Export as PDF
  1. Other

Permissions

GRAX controls access levels via permission set assignments. Any user that wants to access GRAX must first have the proper Salesforce permission set assignments.

What are the GRAX permission sets and what do they do?

The following permission sets grant the access detailed in the table below:

  • GRAX Console Standard Permission: Standard User access per the table below

  • GRAX Console Seeding Permission: Seeding User access per the table below

  • GRAX Console Purge Permission: Purge User access per the table below

  • GRAX Console Power Permission: Power User access per the table below

  • GRAX Console Admin Permission: Admin User access per the table below

  • GRAX Console View All Fields: Do not apply Field Level Security checks to this user in the GRAX Application (see below for more details)

The GRAX Console Admin Permission permission set is assigned to the GRAX Integration user account automatically otherwise these are created but not assigned. Please be sure to assign the proper level of access to all users that you want to access the GRAX Application.

Feature
Standard User
Seeding User
Power User
Purge User
Admin User

Auto Backup Dashboard

None

None

View

None

View and Configure

Archive

None

None

View and Run

None

View and Run

Restore

None

None

View and Run

None

View and Run

Delete Tracking

None

None

View

None

View

Sandbox Seeding

None

View and Run

View and Run

None

View and Run

Search

View and Run

View and Run

View and Run

None

View and Run

Purge

None

None

None

View and Run

View and Run

Data Lake

None

None

View

None

View and Configure

Settings

None

None

None

None

View and Configure

To summarize the main differences between these 4 access levels:

  • Standard User can lookup records by the ID and see record details, but cannot see any other features

  • Purge User can purge records from the GRAX Data Vault

  • Seeding User can run Global Search and Seed records into a sandbox

  • Power User has nearly the same access as Admin User, but cannot see Settings and cannot configure objects for Search or Data Lake

  • Admin User can see and do everything

You can find a call-out in the GRAX navigation menu stating the current logged in user's access level. Note that the permission sets are cumulative, such that the user has the highest level of access granted.

How do I create the GRAX permission sets?

There are 2 supported ways to assign Salesforce permission sets.

Creating the GRAX Permission Sets via Auto Config

  • GRAX Console Standard Permission

  • GRAX Console Seeding Permission

  • GRAX Console Purge Permission

  • GRAX Console Power Permission

  • GRAX Console Admin Permission

  • GRAX Console View All Fields

Creating the GRAX Permission Sets Manually

The following script can be used to create GRAX permission sets using the Salesforce Developer Console:

  1. Open the Debug menu

  2. Select Open Execute Anonymous Window (or press CTRL + E)

  3. Copy the script below into the Enter Apex Code dialog

  4. Select the Open Log checkbox

  5. Click Execute

PermissionSet pa = new PermissionSet(Name = 'GRAX_Console_Admin_User', Label = 'GRAX Console Admin Permission', Description='Grants users Admin User permissions to the GRAX console');
insert pa;

PermissionSet pf = new PermissionSet(Name = 'GRAX_View_All_Fields', Label = 'GRAX Console View All Fields', Description='Grants users access to view all fields in GRAX regardless of their Field Level Security permissions');
insert pf;

PermissionSet pp = new PermissionSet(Name = 'GRAX_Console_Power_User', Label = 'GRAX Console Power Permission', Description='Grants users Power User permissions to the GRAX console');
insert pp;

PermissionSet pr = new PermissionSet(Name = 'GRAX_Console_Purge_User', Label = 'GRAX Console Purge Permission', Description='Grants users Purge permissions to the GRAX console');
insert pr;

PermissionSet ps = new PermissionSet(Name = 'GRAX_Console_Seeding_User', Label = 'GRAX Console Seeding Permission', Description='Grants users Sandbox Seeding permissions to the GRAX console');
insert ps;

PermissionSet pu = new PermissionSet(Name = 'GRAX_Console_Standard_User', Label = 'GRAX Console Standard Permission', Description='Grants users Standard User permissions to the GRAX console');
insert pu;

Why are there additional GRAX permission sets beyond those listed above?

Permission sets that do not begin with GRAX Console are legacy permission sets that have been replaced with the GRAX Console permissions detailed above.

Some of the legacy GRAX permission sets you may see are:

  • GRAX - Admin

  • GRAX - Archive Master

  • GRAX - Community User

  • GRAX - Data Admin

  • GRAX - Datahub Search Permission

  • GRAX - Limited Admin

These legacy permission sets are installed when you install the GRAX Managed Package for Salesforce. They control user access within the managed package, as well as within the GRAX Application and embedded experiences. The following 3 legacy permission sets can still control user access. Please see the equivalency table below for more details:

Managed Package Salesforce Permission Set
Standard User Access
Power User Access
Admin Access

GRAX_Configuration_Admin

GRAX_Advanced_User

GRAX_User

Field Level Permissions

In addition to the Access Levels above, GRAX applies field level permissions to all users logged in via SSO. This means you can restrict what fields they see in the GRAX Application the same way you'd do for any Salesforce user. The "View All Fields" modifier allows a user to see add fields on an object in GRAX, regardless of their Salesforce Field Level Security or the current object schema.

The following script can be used to create this GRAX permission set using the Salesforce Developer Console:

  1. Open the Debug menu

  2. Select Open Execute Anonymous Window (or press CTRL + E)

  3. Copy the script below into the Enter Apex Code dialog

PermissionSet pv = new PermissionSet(Name = 'GRAX_View_All_Fields', Label = 'GRAX Console View All Fields', Description='Grants users access to view all fields in GRAX regardless of their Field Level Security permissions');
insert pv;

Next Steps

Frequently Asked Questions

Can I use the System Administrator profile for the Integration User?

Yes, but keep in mind that the standard System Administrator profile does not automatically grant full access to all records and fields. Certain permissions, like View Encrypted Data and Query All Files, are not enabled by default, and Field Level Security still applies.

Can I use a custom profile instead of the GRAX permission sets?

A custom profile can be used alongside the GRAX permission sets, but it cannot replace them. To ensure proper functionality and access control, GRAX permission sets must remain in place.

Can I rename the GRAX permission sets?

No. Renaming GRAX permission sets can disrupt essential functions like monitoring, alerting, and troubleshooting. It may also affect Missing Field Permissions detection and GRAX Lightning Web Components (LWCs). To ensure system stability, please refrain from renaming the GRAX permission sets.

What does an error running the Field Level Permission Apex script mean?

The FLS Apex script needs to list every object, field and field permission in your org and update FieldPermissions records for anything missing. This must be run by a System Administrator or else it is likely to encounter an error. For orgs with many objects or many missing field permissions the script may take a while and encounter Apex timeout errors.

  • Subject: FLS Permission Script Errors

  • Your Salesforce org ID

  • Your Salesforce System Administrator email address

  • Details of what script you ran and how

  • The full error message you received

What if my permissions were incomplete during Auto Backup?

To avoid having to redo work due to incomplete permissions, GRAX automatically checks and enforces permissions before you can start Auto Backup. However if a permission problem did affect backup data you can:

  1. Fix the permission problem, for example grant missing Field Level Security

  2. Browse to /web/tools in the GRAX Application (Settings --> Diagnostics and Tools)

  3. Select the Reset Auto Backup objects tool

  4. Click on the object that needs to be reset

  5. Review the confirmation message

  6. Click "Proceed" to reset the object as if it has never been backed up with GRAX

  7. Repeat step 4-6 as needed for all affected objects

This is non-destructive, and re-does the object backfill with the correct permissions, "fixing" your backup data set.

What if I can't grant 'View All Data'/'Modify All Data' or remove Field Level Restrictions?

GRAX goal is to provide the best Recovery Point Objective (RPO) possible. To support data recovery, GRAX must:

  • Read all records and their relationships frequently for backup

  • Write any record and its relationships at any time from backup data for restore

If GRAX can not read some objects or records entirely, or some records partially due to field restrictions, its backup data set is incomplete. If GRAX can not write some objects or records entirely, its ability to restore data is incomplete. Therefore, any permissions that deny access to read or write any object, record, or field can lead to a total inability to recover data.

Modify All Data - Specifies that the user can view any data stored in the database and edit any field with the editable flag. This permission is also required for any user who wants to upsert non-unique external IDs through the API. When this permission isn't enabled and if the user tries an upsert using non-unique external ID the error seen is as follows : INSUFFICIENT_ACCESS: Upsert requires view all data on a non-unique custom index

Last updated 1 month ago

Was this helpful?

GRAX creates the following user access permission sets in Salesforce when you connect the GRAX Application to your Salesforce org the first time.

Open the

Open the

To proceed with connecting GRAX to Salesforce and your storage platform of choice, start with our .

If you hit an error with the script, with these details:

The specifically calls out "Modify All Data," which implicitly includes "View All Data," as critical for an integration:

Salesforce Developer Console
Salesforce Developer Console
connection documentation
Create a secure Salesforce API user guide
✅
✅
✅
✅
✅
✅
Auto Config
please open a support ticket