TrustAPI Docs

Frequently Asked Questions

Why do users need to consent to and authorize "GRAX OAuth" the first time they log in?

By default, connected apps are configured to allow all users to self-authorize that connected app when they start the OAuth process. When a user logs in to GRAX for the first time, they must tell Salesforce that they approve of the connected app and the access it is asking for to their user.

If you would like to avoid this prompt, use the "Permitted Users" setting within the connected app policies. Administrators can pre-authorize users based on assigned profile, which skips this per-user popup.

For more information, see the Connected App page.

Why does GRAX need Manage User Permissions for "Intelligent archive recommendations"?

Salesforce requires the "Manage Users" Permissions to track Object Data and File Storage Usage. GRAX uses these metrics to ensure your organization's storage is within limits, salesforce performance is optimized and to track overall performance of the GRAX Archives.

To resolve:

  • Enable GRAX Auto Fix to allow GRAX to repair any issues with the GRAX Integration User:

    • In the GRAX Application, open the Settings page

    • Expand the "General Settings" Section

    • Edit the "Auto Fix Integration User Permission issues"

    • Select "Fix All Issues" and click "Save"

  • To manually grant GRAX access:

    • In the Salesforce Application, Open "Setup"

    • Use Quick Find to search for "Permission Sets"

    • Find and open the "GRAX Integration User Permission" permission set

    • Use "Find Setting..." to search for "Manage Users"

    • Click the Edit button at the top of the Permissions page

    • Check the box next to "Manage Users"

    • Click "Save"

Can I use the System Administrator profile for the Integration User?

Yes, but keep in mind that the standard System Administrator profile does not automatically grant full access to all records and fields. Certain permissions, like View Encrypted Data and Query All Files, are not enabled by default, and Field Level Security still applies.

Can I use a custom profile instead of the GRAX permission sets?

A custom profile can be used alongside the GRAX permission sets, but it cannot replace them. To ensure proper functionality and access control, GRAX permission sets must remain in place.

Can I rename the GRAX permission sets?

No. Renaming GRAX permission sets can disrupt essential functions like monitoring, alerting, and troubleshooting. It may also affect Missing Field Permissions detection and GRAX Lightning Web Components (LWCs). To ensure system stability, please refrain from renaming the GRAX permission sets.

What does an error running the Field Level Permission Apex script mean?

The FLS Apex script needs to list every object, field and field permission in your org and update FieldPermissions records for anything missing. This must be run by a System Administrator or else it is likely to encounter an error. For orgs with many objects or many missing field permissions the script may take a while and encounter Apex timeout errors.

If you hit an error with the script, please open a support ticket with these details:

  • Subject: FLS Permission Script Errors

  • Your Salesforce org ID

  • Your Salesforce System Administrator email address

  • Details of what script you ran and how

  • The full error message you received

What if my permissions were incomplete during Backup?

To avoid having to redo work due to incomplete permissions, GRAX automatically checks and enforces permissions before you can start Backup. However if a permission problem did affect backup data you can:

  1. Fix the permission problem, for example grant missing Field Level Security

  2. Browse to /web/tools in the GRAX Application (Settings --> Diagnostics and Tools)

  3. Select the Reset Backup objects tool

  4. Click on the object that needs to be reset

  5. Review the confirmation message

  6. Click "Proceed" to reset the object as if it has never been backed up with GRAX

  7. Repeat step 4-6 as needed for all affected objects

This is non-destructive, and re-does the object backfill with the correct permissions, "fixing" your backup data set.

What if I can't grant 'View All Data'/'Modify All Data' or remove Field Level Restrictions?

GRAX goal is to provide the best Recovery Point Objective (RPO) possible. To support data recovery, GRAX must:

  • Read all records and their relationships frequently for backup

  • Write any record and its relationships at any time from backup data for restore

If GRAX can not read some objects or records entirely, or some records partially due to field restrictions, its backup data set is incomplete. If GRAX can not write some objects or records entirely, its ability to restore data is incomplete. Therefore, any permissions that deny access to read or write any object, record, or field can lead to a total inability to recover data.

The Create a secure Salesforce API user guide specifically calls out "Modify All Data," which implicitly includes "View All Data," as critical for an integration:

Modify All Data - Specifies that the user can view any data stored in the database and edit any field with the editable flag. This permission is also required for any user who wants to upsert non-unique external IDs through the API. When this permission isn't enabled and if the user tries an upsert using non-unique external ID the error seen is as follows : INSUFFICIENT_ACCESS: Upsert requires view all data on a non-unique custom index

Last updated

Was this helpful?