Can I use the System Administrator Profile for the Integration User? Can I use another Profile instead of the GRAX Permission Set?
A common mistake is to assign the standard
System Administrator profile to GRAX and assume that gives it access to everything. The standard
System Administrator profile doesn't guarantee record/field access. Some permissions, such as
View Encrypted Data and
Query All Files are not a default and Field Level Security still applies to the profile.
Another common mistake is to share a custom profile between GRAX and other SFDC end users. It's common for a Salesforce administrator to periodically modify these profiles for other business and security objectives and to "break" GRAX's permissions for backup, archive, and restore. Therefore, we recommend using an isolated Permission Set for GRAX to manage the unique needs of a data-management system.
Finally, creating a Permission Set with the name
GRAX_Integration_User allows the GRAX system to offer advanced monitoring, alerting and tooling to avoid common permission problems over time.
The FLS Apex script needs to list every object, field and field permission in your org and update
FieldPermissions records for anything missing. This must be run by a System Administrator or else it will encounter an error. For orgs with many objects or many missing field permissions the script may take a while and encounter Apex timeout errors.
If you hit an error with the script, please open a support ticket with these details:
- Subject: FLS Permission Script Errors
- Your Salesforce Org ID
- Your Salesforce System Administrator email address
- Details of what script you ran and how
- The full error message you received
To avoid having to redo work due to incomplete permissions, GRAX automatically checks and enforces permissions before you can start Auto Backup. However if a permission problem did affect backup data you can:
- Fix the permission problem, e.g. grant missing Field Level Security
- Browse to /web/tools in the GRAX web app (
Diagnostics and Tools)
- Select the
Reset Auto Backup objectstool
- Click on the object that needs to be reset
- Review the confirmation message
- Click "Proceed" to reset the object as if it has never been backed up with GRAX
- Repeat step 4-6 as needed for all affected objects
This is non-destructive, and will redo the object backfill with the correct permissions, "fixing" your backup data set.
GRAX goal is to provide the best Recovery Point Objective (RPO) possible. To support data recovery, GRAX must:
- Read all records and their relationships frequently for backup
- Write any record and its relationships at any time from backup data for restore
If GRAX can not read some objects or records entirely, or some records partially due to field restrictions, its backup data set is incomplete. If GRAX can not write some objects or records entirely, its ability to restore data is incomplete. Therefore, any permissions that deny access to read or write any object, record or field can lead to a total inability to recover data.
The Create a secure Salesforce API user guide specifically calls out "Modify All Data", which implicitly includes "View All Data", as critical for an integration:
Modify All Data - Specifies that the user can view any data stored in the database and edit any field with the editable flag... This permission is also required for any user who wants to upsert non-unique external IDs through the API. When this permission is not enabled and if the user tries an upsert using non-unique external ID the error seen is as follows : INSUFFICIENT_ACCESS: Upsert requires view all data on a non-unique custom index
Updated 8 days ago