The integration user is defined within the
Configuration > Setup tab. The GRAX application will use this user to log in and query metadata and data for backup and archives. It is also the user that restores data. For more general Salesforce best practices on creating integration users, see here.
We recommend the following perissions for the integration user:
|View All Data (or equivalent)||Ensures all objects and records in the org hierarchy can be backed up|
|Modify All Data (or equivalent)||Ensures all objects and records in the org hierarchy can be restored or archived|
|View Encrypted Data||Ensures even encrypted values can be backed up|
|Query All Files||Ensures that no files get missed and cascade deleted during backups or archives|
|API Enabled||Mandatory for login|
|Proper Licensing for Managed Packages||Some packages requires licenses for object access|
|Necessary for GRAX interactions, or GRAX Support LMA|
|View Setup and Configuration||For troubleshooting by GRAX Support|
Always ensure the integration user has access to all data, objects, and fields that you intended to need backed up with GRAX. The integration user does the actual API queries and extraction of all information, whether it is a backup or archive.
We recommend using a dedicated Salesforce user specifically for GRAX rather than sharing a user for GRAX and other integrations. This will optimize security, allow you to better audit issues, and also maximize concurrent API request limits that Salesforce imposes.
The table above may not be exhaustive if there are other permissions that are needed to view all data/fields. Thus, we recommend the user has profile/permissions that have been assessed to provide access to all records and fields. Note that some permissions, such as
View Encrypted Dataand
Query All Filesmay not be a default even for the standard System Admin profile. You will want to understand feature-specific permissions Salesforce may require as well, such as Knowledge objects.
Any user that wants to access GRAX must first have the proper Salesforce permission set assignment(s). There are 2 supported ways to assign Salesforce permission sets.
The easiest way to grant a user access is to make sure they have one of the existing GRAX permission sets that comes installed as part of the Salesforce managed package, and which some users likely already have assigned to do things within the GRAX Salesforce interface.
|Managed Package Salesforce Permission Set||Standard User Access||Power User Access||Admin Access|
Alternatively, if you'd like to provide users access to GRAX without that meaning they’ll inherently get access to certain things in the GRAX Salesforce interface as well, you can create brand new permission sets with the exact names shown here to manage things in a more flexible manner.
These permission sets below are NOT be part of the Salesforce managed package. Instead they should be created as new permission sets in your Salesforce org, as GRAX will assume they exist with the permission set API Name specified EXACTLY per below table.
|Salesforce Permission Set API Name||Standard User Access||Power User Access||Admin Access|
The following script can be used to create the 3 GRAX New Permission Sets using the Salesforce Developer
Open the Salesforce Developer Console
Open Execute Anonymous Windowmenu option (or press
CTRL + E)
Paste the following script into the
Enter Apex Codewindow:
PermissionSet pa = new PermissionSet(Name = 'GRAX_Console_Admin_User', Label = 'GRAX Console ADMIN Permission', Description='Grants users ADMIN permission(s) in the GRAX Console'); insert pa; PermissionSet pp = new PermissionSet(Name = 'GRAX_Console_Power_User', Label = 'GRAX Console POWER Permission', Description='Grants users POWER USER permission(s) in the GRAX Console'); insert pp; PermissionSet pu = new PermissionSet(Name = 'GRAX_Console_Standard_User', Label = 'GRAX Console Permission', Description='Grants users access to the GRAX Console'); insert pu;
So we've seen that you can use Salesforce permission sets to designate anyone as a GRAX Standard User, Power User, or Admin. But what specific actions can each of these user types actually perform? Let's take a closer look at the access levels:
|Access Level||Dashboard||Search||Executions||Restore||History Stream||Settings|
To summarize the main differences between these 3 access levels:
- Admin User can see and do everything
- Power User has the same access as Admin User except Power User cannot see
Settingsand cannot configure objects for Search or History Stream
- Standard User also cannot see
Settingsand cannot configure objects for Search or History Stream. Is view only for anything else.
Access Level Indicators
You will see a callout in the GRAX navigation menu stating the current logged in user's access level.
You will need a dedicated user that GRAX leverages to perform all functionality. We'll refer to this as the 'integration' user. This is the first thing an Admin will need to set up:
- Open the
https://<Domain>/web/loginpage. You will see a prompt that asks if you want to set up a Production or Sandbox environment for OAuth. This is taking you through the OAuth flow to capture the Salesforce Integration User session and store that in the application database.
- Use the
Establish OAuth Connection to Salesforcebutton and log in using the Salesforce credentials of the integration user that GRAX will leverage.
- After this OAuth flow is successful the app will automatically reboot.
- After the reboot, you will see a prompt to sign in (refresh the page if you don't see this after reboot).
The dedicated integration user, in addition to all our other best practices for integration users, must have access to query the
You'll see a screen like this when setting up the integration user for the first time, or when you're locked out of GRAX and need to re-establish the integration user.
If you have Salesforce IP Allowlisting (whitelisting) in place, it's very likely that GRAX will not be able to connect even after you've set up your integration user. You will need to make sure you allowlist the following 2-3 IPs:
18.104.22.168 Elastic/Static IPs of your Runtime (if you don't know this GRAX Support can help you locate)
Now that you've configured the integration user, GRAX is able to interact with the Salesforce org, and any users with the proper permission sets (per above details) can sign into GRAX.
Simply click the
Sign-in with Salesforce button. You will be directed to the Salesforce sign-in page where you can enter your Salesforce credentials. GRAX will validate that this user has the proper permission set assignments and allow or deny entry to GRAX.
All other users that have the proper permission set can log in to GRAX in the same manner: open the
https://<Domain>/web/login page and click
Sign-in with Salesforce.
Be Careful with SSO
Be careful when you have an existing Salesforce session logged in to the browser, or especially multiple sessions. When clicking
Sign-in with Salesforce, you will get logged in based on an existing session. The best practice is to ensure you are first logged out of all other browser Salesforce sessions.
Updated 23 days ago