Access Management

GRAX controls access levels via Permission Set assignments. At the bottom of this document, those permission sets are explained and broken down, but let's first cover what the resultant access would look like for users. Below is a summary of each high-level GRAX feature, and how access levels interact with them.

Access LevelDashboardSearchArchiveRestoreHistory StreamSettings
Admin UserViewView and ConfigureView and RunView and RunView and ConfigureView and Configure
Power UserViewViewView and RunView and RunViewNone
Standard UserViewViewViewViewViewNone

To summarize the main differences between these 3 access levels:

  • Admin User can see and do everything
  • Power User has nearly the same access as Admin User, but cannot see Settings and cannot configure objects for Search or History Stream
  • Standard User also cannot see Settings and cannot configure objects for Search or History Stream. Is view only for anything else.

You will see a callout in the GRAX navigation menu stating the current logged in user's access level.

Controlling Access

Any user that wants to access GRAX must first have the proper Salesforce permission set assignment(s). There are 2 supported ways to assign Salesforce permission sets.

Use Permission Sets Already Installed Via GRAX for Salesforce

These permission sets are installed when you install the GRAX Managed Package for Salesforce. They control user access within the managed package, as well as within the GRAX webapp and embedded experiences.

Managed Package Salesforce Permission SetStandard User AccessPower User AccessAdmin Access
GRAX_Configuration_Admin:white-check-mark::white-check-mark::white-check-mark:
GRAX_Advanced_User:white-check-mark::white-check-mark:
GRAX_User:white-check-mark:

Manually Create Permission Sets Without Managed Package

Running GRAX without the managed package is possible, but requires light manual effort to create resources that would otherwise be automatically created. You can create brand new permission sets with the exact names shown below to achieve a level of access management without the Managed Package.

Each of these maps to permissions and access granted by one of the Managed Package permission sets, as below:

Salesforce Permission Set API NameStandard User AccessPower User AccessAdmin Access
GRAX_Console_Admin_User:white-check-mark::white-check-mark::white-check-mark:
GRAX_Console_Power_User:white-check-mark::white-check-mark:
GRAX_Console_Standard_User:white-check-mark:

The following script can be used to create the 3 GRAX Permission Sets using the Salesforce Developer Console:

  1. Open the Salesforce Developer Console

  2. Click the Debug menu

  3. Click the Open Execute Anonymous Window menu option (or press CTRL + E)

  4. Paste the following script into the Enter Apex Code window:

    PermissionSet pa = new PermissionSet(Name = 'GRAX_Console_Admin_User', Label = 'GRAX Console ADMIN Permission', Description='Grants users ADMIN permission(s) in the GRAX Console');
    insert pa;
    
    PermissionSet pp = new PermissionSet(Name = 'GRAX_Console_Power_User', Label = 'GRAX Console POWER Permission', Description='Grants users POWER USER permission(s) in the GRAX Console');
    insert pp;
    
    PermissionSet pu = new PermissionSet(Name = 'GRAX_Console_Standard_User', Label = 'GRAX Console Permission', Description='Grants users access to the GRAX Console');
    insert pu;
    
  5. Click Execute

Field Level Permissions

In addition to the Access Levels above, GRAX applies field level permissions to all users logged in via SSO. This means you can restrict what fields they see in the GRAX console the same way you'd do for any Salesforce user. The "View All Fields" modifier will allow a user to see add fields on an object in GRAX, regardless of their Salesforce Field Level Security or the current object schema.

The following script can be used to create this GRAX Permission Set using the Salesforce Developer Console:

  1. Open the Salesforce Developer Console

  2. Click the Debug menu

  3. Click the Open Execute Anonymous Window menu option (or press CTRL + E)

  4. Paste the following script into the Enter Apex Code window:

    PermissionSet pv = new PermissionSet(Name = 'GRAX_View_All_Fields', Label = 'GRAX View All Fields', Description='Grants users access to view all fields in GRAX regardless of their Field Level Security permissions');
    insert pv;
    

Next Steps

To proceed with connecting GRAX to Salesforce and your storage platform of choice, start with our connection documentation.