Permissions FAQ

Common questions related to Salesforce Permissions and error messages

Can I use the System Administrator Profile for the Integration User? Can I use another Profile instead of the GRAX Permission Set?

A common mistake is to assign the standard System Administrator profile to GRAX and assume that gives it access to everything. The standard System Administrator profile doesn't guarantee record/field access. Some permissions, such as View Encrypted Data and Query All Files are not a default and Field Level Security still applies to the profile.

Another common mistake is to share a custom profile between GRAX and other SFDC end users. It's common for a Salesforce administrator to periodically modify these profiles for other business and security objectives and to "break" GRAX's permissions for backup, archive, and restore. Therefore, we recommend using an isolated Permission Set for GRAX to manage the unique needs of a data-management system.

Finally, creating a Permission Set with the name GRAX_Integration_User allows the GRAX system to offer advanced monitoring, alerting and tooling to avoid common permission problems over time.

What does an error running the Field Level Permission Apex script mean?

The FLS Apex script needs to list every object, field and field permission in your org and update FieldPermissions records for anything missing. This must be run by a System Administrator or else it will encounter an error. For orgs with many objects or many missing field permissions the script may take a while and encounter Apex timeout errors.

If you hit an error with the script, please open a support ticket with these details:

  • Subject: FLS Permission Script Errors
  • Your Salesforce Org ID
  • Your Salesforce System Administrator email address
  • Details of what script you ran and how
  • The full error message you received

What if my permissions were incomplete during Auto Backup?

To avoid having to redo work due to incomplete permissions, GRAX automatically checks and enforces permissions before you can start Auto Backup. However if a permission problem did affect backup data you can:

  1. Fix the permission problem, e.g. grant missing Field Level Security
  2. Browse to /web/tools in the GRAX web app (Settings --> Diagnostics and Tools)
  3. Select the Reset Auto Backup objects tool
  4. Click on the object that needs to be reset
  5. Review the confirmation message
  6. Click "Proceed" to reset the object as if it has never been backed up with GRAX
  7. Repeat step 4-6 as needed for all affected objects

This is non-destructive, and will redo the object backfill with the correct permissions, "fixing" your backup data set.

What if I can't grant 'View All Data'/'Modify All Data' or remove Field Level Restrictions?

GRAX goal is to provide the best Recovery Point Objective (RPO) possible. To support data recovery, GRAX must:

  • Read all records and their relationships frequently for backup
  • Write any record and its relationships at any time from backup data for restore

If GRAX can not read some objects or records entirely, or some records partially due to field restrictions, its backup data set is incomplete. If GRAX can not write some objects or records entirely, its ability to restore data is incomplete. Therefore, any permissions that deny access to read or write any object, record or field can lead to a total inability to recover data.

The Create a secure Salesforce API user guide specifically calls out "Modify All Data", which implicitly includes "View All Data", as critical for an integration:

Modify All Data - Specifies that the user can view any data stored in the database and edit any field with the editable flag... This permission is also required for any user who wants to upsert non-unique external IDs through the API. When this permission is not enabled and if the user tries an upsert using non-unique external ID the error seen is as follows : INSUFFICIENT_ACCESS: Upsert requires view all data on a non-unique custom index