# Permissions and Access
For information on common topics, expand the related section below.
Integration User Permission Requirements
The GRAX "Integration User" is the Salesforce User entity that GRAX performs all operations against your org as. This means that data is created, read, updated, and deleted in the context of this user's permissions. To best protect your org and its data, a high degree of access is required, often including permissions that are not commonly granted to Salesforce integrations that operate in a more focused capacity.
For more information on how to set up an Integration User or its profile/permission sets, as well as how to use the Missing Field Permissions and Auto Config tools, see the [Integration User](/other/permissions-and-access/integration-user.md) page.
Connecting a GRAX application to a Salesforce org with an Integration User also depends on the GRAX OAuth Connected app being properly configured, which is explained on the [Connected App](/other/permissions-and-access/connected-app.md) page.
Role Based Access Control for End Users
Whether monitoring Backup progress, managing Archive jobs, running Searches, viewing the Lightning Web Components, or otherwise using the application, every end-user will need to log in. For typical use, this is accomplished by Single Sign On via the Salesforce Org that is attached to the app. To control the features that each user can access, GRAX supports Role Based Access Control via assigning special Permission Sets to each Salesforce user.
For more information on the available roles, the features each role has access to, and how to manage the required Permission Sets with Auto Config, see the [Roles for End Users](/other/permissions-and-access/roles-for-end-users.md) page.
The ability for users to SSO within the GRAX application also depends on the GRAX OAuth Connected app being properly configured, which is explained on the [Connected App](/other/permissions-and-access/connected-app.md) page.
Tokens for API Access
For integration with third-party systems or the construction of customized user experiences that include GRAX data, developers can take advantage of the APIs served on every GRAX application server. These APIs are private per application. Administrators can:
* Create named tokens with different feature access levels
* Exclude a token from Field Level Security restrictions
* Review all existing tokens, who created them, and their permissions
* Disable an existing token immediately
For more information on API Tokens including how to create them and how to use them, see the [API Tokens](/other/permissions-and-access/api-tokens.md) page.
For more information on the GRAX API including an OpenAPI specification, see . For an interactive version of this documentation, add `/scalar` to your app's domain.
Local Users
Under normal conditions, the GRAX application depends on Salesforce to serve as an identity provider for the purposes of login and authentication. For the purposes of recovery when disconnected from Salesforce, access when running in "disconnected" mode, and access by teams that may not have Salesforce users, GRAX allows the creation of "Local" users.
For more information about local users including how to create them and delete them, see the [Local Users](/other/permissions-and-access/local-users.md) page.
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://documentation.grax.com/other/permissions-and-access.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.