# Roles for End Users GRAX controls access levels via permission set assignments. Any user that wants to access GRAX must first have the proper Salesforce permission set assignments. ## What are the GRAX permission sets and what do they do? The following permission sets grant the access detailed in the table below: * `GRAX Console Standard Permission`: Standard User access per the table below * `GRAX Console Seeding Permission`: Seeding User access per the table below * `GRAX Console Purge Permission`: Purge User access per the table below * `GRAX Console Power Permission`: Power User access per the table below * `GRAX Console Admin Permission`: Admin User access per the table below * `GRAX Console View All Fields`: Do not apply Field Level Security checks to this user in the GRAX Application (see below for more details) The `GRAX Console Admin Permission` permission set is assigned to the GRAX Integration user account automatically otherwise these are created but not assigned. Please be sure to assign the proper level of access to all users that you want to access the GRAX Application. | Feature | Standard User | Seeding User | Power User | Purge User | Admin User | | ---------------- | ---------------- | ---------------- | ---------------- | ---------------- | ---------------------- | | Backup Dashboard | `None` | `None` | `View` | `None` | `View` and `Configure` | | Archive | `None` | `None` | `View` and `Run` | `None` | `View` and `Run` | | Restore | `None` | `None` | `View` and `Run` | `None` | `View` and `Run` | | Delete Tracking | `None` | `None` | `View` | `None` | `View` | | Sandbox Seeding | `None` | `View` and `Run` | `View` and `Run` | `None` | `View` and `Run` | | Search | `View` and `Run` | `View` and `Run` | `View` and `Run` | `None` | `View` and `Run` | | Purge | `None` | `None` | `None` | `View` and `Run` | `View` and `Run` | | Data Lake | `None` | `None` | `View` | `None` | `View` and `Configure` | | Settings | `None` | `None` | `None` | `None` | `View` and `Configure` | To summarize the main differences between these 4 access levels: * Standard User can lookup records by the ID and see record details, but cannot see any other features * Purge User can purge records from the GRAX Data Vault * Seeding User can run Global Search and Seed records into a sandbox * Power User has nearly the same access as Admin User, but cannot see `Settings` and cannot configure objects for Search or Data Lake * Admin User can see and do everything You can find a call-out in the GRAX navigation menu stating the current logged in user's access level. Note that the permission sets are cumulative, such that the user has the highest level of access granted. ## How do I create the GRAX permission sets? There are 2 supported ways to assign Salesforce permission sets. #### Creating the GRAX Permission Sets via Auto Config GRAX [Auto Config](/other/settings/connecting-salesforce.md#grax-auto-config) creates the following user access permission sets in Salesforce when you connect the GRAX Application to your Salesforce org the first time. * `GRAX Console Standard Permission` * `GRAX Console Seeding Permission` * `GRAX Console Purge Permission` * `GRAX Console Power Permission` * `GRAX Console Admin Permission` * `GRAX Console View All Fields` #### Creating the GRAX Permission Sets Manually The following script can be used to create GRAX permission sets using the Salesforce Developer Console: 1. Open the [Salesforce Developer Console](https://help.salesforce.com/s/articleView?id=sf.code_dev_console_opening.htm\&type=5) 2. Open the `Debug` menu 3. Select `Open Execute Anonymous Window` (or press `CTRL + E`) 4. Copy the script below into the `Enter Apex Code` dialog 5. Select the `Open Log` checkbox 6. Click `Execute` ```apex PermissionSet pa = new PermissionSet(Name = 'GRAX_Console_Admin_User', Label = 'GRAX Console Admin Permission', Description='Grants users Admin User permissions to the GRAX console'); insert pa; PermissionSet pf = new PermissionSet(Name = 'GRAX_View_All_Fields', Label = 'GRAX Console View All Fields', Description='Grants users access to view all fields in GRAX regardless of their Field Level Security permissions'); insert pf; PermissionSet pp = new PermissionSet(Name = 'GRAX_Console_Power_User', Label = 'GRAX Console Power Permission', Description='Grants users Power User permissions to the GRAX console'); insert pp; PermissionSet pr = new PermissionSet(Name = 'GRAX_Console_Purge_User', Label = 'GRAX Console Purge Permission', Description='Grants users Purge permissions to the GRAX console'); insert pr; PermissionSet ps = new PermissionSet(Name = 'GRAX_Console_Seeding_User', Label = 'GRAX Console Seeding Permission', Description='Grants users Sandbox Seeding permissions to the GRAX console'); insert ps; PermissionSet pu = new PermissionSet(Name = 'GRAX_Console_Standard_User', Label = 'GRAX Console Standard Permission', Description='Grants users Standard User permissions to the GRAX console'); insert pu; ``` ## Why are there additional GRAX permission sets beyond those listed above? Permission sets that do not begin with `GRAX Console` are legacy permission sets that have been replaced with the `GRAX Console` permissions detailed above. Some of the legacy GRAX permission sets you may see are: * `GRAX - Admin` * `GRAX - Archive Master` * `GRAX - Community User` * `GRAX - Data Admin` * `GRAX - Datahub Search Permission` * `GRAX - Limited Admin` These legacy permission sets are installed when you install the GRAX Managed Package for Salesforce. They control user access within the managed package, as well as within the GRAX Application and embedded experiences. **The following 3 legacy permission sets can still control user access.** Please see the equivalency table below for more details: | Managed Package Salesforce Permission Set | Standard User Access | Power User Access | Admin Access | | ----------------------------------------- | -------------------- | -------------------- | -------------------- | | GRAX\_Configuration\_Admin | :white\_check\_mark: | :white\_check\_mark: | :white\_check\_mark: | | GRAX\_Advanced\_User | :white\_check\_mark: | :white\_check\_mark: | | | GRAX\_User | :white\_check\_mark: | | | ## Field Level Permissions In addition to the Access Levels above, GRAX applies field level permissions to all users logged in via SSO. This means you can restrict what fields they see in the GRAX Application the same way you'd do for any Salesforce user. The "View All Fields" modifier allows a user to see add fields on an object in GRAX, regardless of their Salesforce Field Level Security or the current object schema. The following script can be used to create this GRAX permission set using the Salesforce Developer Console: 1. Open the [Salesforce Developer Console](https://help.salesforce.com/s/articleView?id=sf.code_dev_console_opening.htm\&type=5) 2. Open the `Debug` menu 3. Select `Open Execute Anonymous Window` (or press `CTRL + E`) 4. Copy the script below into the `Enter Apex Code` dialog ```apex PermissionSet pv = new PermissionSet(Name = 'GRAX_View_All_Fields', Label = 'GRAX Console View All Fields', Description='Grants users access to view all fields in GRAX regardless of their Field Level Security permissions'); insert pv; ``` ## Next Steps To proceed with connecting GRAX to Salesforce and your storage platform of choice, start with our [connection documentation](/other/settings/connecting-salesforce.md). --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://documentation.grax.com/other/permissions-and-access/roles-for-end-users.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.