Access Management

GRAX controls access levels via Permission Set assignments. At the bottom of this document, those permission sets are explained and broken down, but let's first cover what the resultant access would look like for users. Below is a summary of each high-level GRAX feature, and how access levels interact with them.

To summarize the main differences between these 3 access levels:

• Admin User can see and do everything
• Power User has nearly the same access as Admin User, but cannot see Settings and cannot configure objects for Search or History Stream
• Standard User also cannot see Settings and cannot configure objects for Search or History Stream. Is view only for anything else.

You can find a call-out in the GRAX navigation menu stating the current logged in user's access level.

Controlling Access

Any user that wants to access GRAX must first have the proper Salesforce permission set assignments. There are 2 supported ways to assign Salesforce permission sets.

Use Permission Sets Already Installed Via GRAX for Salesforce

These permission sets are installed when you install the GRAX Managed Package for Salesforce. They control user access within the managed package, as well as within the GRAX webapp and embedded experiences.

Managed Package Salesforce Permission Set	Standard User Access	Power User Access	Admin Access
GRAX_Configuration_Admin
GRAX_Advanced_User
GRAX_User

Manually Create Permission Sets Without Managed Package

Running GRAX without the managed package is possible, but requires light manual effort to create resources that would otherwise be automatically created. You can create brand new permission sets with the exact names shown below to achieve a level of access management without the Managed Package.

Each of these maps to permissions and access granted by one of the Managed Package permission sets, as below:

Salesforce Permission Set API Name	Standard User Access	Power User Access	Admin Access
GRAX_Console_Admin_User
GRAX_Console_Power_User
GRAX_Console_Standard_User

The following script can be used to create the 3 GRAX Permission Sets using the Salesforce Developer Console:

1. Open the Salesforce Developer Console
2. Open the Debug menu
3. Select Open Execute Anonymous Window (or press CTRL + E)
4. Copy the script below into the Enter Apex Code dialog
5. Select the Open Log checkbox
6. Click Execute

PermissionSet pa = new PermissionSet(Name = 'GRAX_Console_Admin_User', Label = 'GRAX Console ADMIN Permission', Description='Grants users ADMIN permission(s) in the GRAX Console');
insert pa;

PermissionSet pp = new PermissionSet(Name = 'GRAX_Console_Power_User', Label = 'GRAX Console POWER Permission', Description='Grants users POWER USER permission(s) in the GRAX Console');
insert pp;

PermissionSet pu = new PermissionSet(Name = 'GRAX_Console_Standard_User', Label = 'GRAX Console Permission', Description='Grants users access to the GRAX Console');
insert pu;

Field Level Permissions

In addition to the Access Levels above, GRAX applies field level permissions to all users logged in via SSO. This means you can restrict what fields they see in the GRAX webapp the same way you'd do for any Salesforce user. The "View All Fields" modifier allows a user to see add fields on an object in GRAX, regardless of their Salesforce Field Level Security or the current object schema.

The following script can be used to create this GRAX Permission Set using the Salesforce Developer Console:

1. Open the Salesforce Developer Console
2. Open the Debug menu
3. Select Open Execute Anonymous Window (or press CTRL + E)
4. Copy the script below into the Enter Apex Code dialog

PermissionSet pv = new PermissionSet(Name = 'GRAX_View_All_Fields', Label = 'GRAX View All Fields', Description='Grants users access to view all fields in GRAX regardless of their Field Level Security permissions');
insert pv;

Next Steps

To proceed with connecting GRAX to Salesforce and your storage platform of choice, start with our connection documentation.