# Permission Sets

The package includes permission sets to control access to Onboarded™ functionality and data.

## Onboarded™ Admin

**Intended For:** Salesforce administrators, integration specialists, and users who configure and manage the Onboarded™ integration.

### Object Permissions

Full CRUD (Create, Read, Update, Delete) access to:

- `Onboarded_Employee__c`
- `Onboarded_Employer__c`
- `Onboarded_Client__c`
- `Onboarded_Job__c`
- `Onboarded_Placement__c`
- `Onboarded_Task__c`
- `Onboarded_Form__c`
- `Onboarded_Placement_Form__c`
- `Onboarded_Error_Log__c`
- `Onboarded_Sync_Queue__c`


### Apex Class Access

- All sync batch classes (`EmployeeSyncBatch`, `EmployerSyncBatch`, etc.)
- `OnboardedSyncScheduler` for job scheduling
- `OnboardedAuthController` for authentication configuration
- All service, domain, and selector classes
- Invocable actions for Flow integration


### Additional Access

- Onboarded™ Setup tab and Lightning pages
- All custom fields on Onboarded™ objects


## Onboarded™ HR Representative

**Intended For:** HR representatives and staff who work with Onboarded™ data on a daily basis, viewing employee onboarding status and managing records.

### Object Permissions

Create, Read, and Edit access to:

- `Onboarded_Employee__c`
- `Onboarded_Employer__c`
- `Onboarded_Client__c`
- `Onboarded_Placement__c`
- `Onboarded_Task__c`
- `Onboarded_Form__c`
- `Onboarded_Sync_Queue__c`


Full CRUD (Create, Read, Edit, Delete) access to:

- `Onboarded_Job__c`
- `Onboarded_Placement_Form__c`


Read-only access to:

- `Onboarded_Error_Log__c`


### Apex Class Access

- `MassActionController` and `MassActionService`
- `OnboardedEmployeeController`
- `OnboardedErrorService`
- `OnboardedPermissionCheck`
- `OnboardedQueryService`
- `PlacementComponentController`
- `TaskFileDownloadController`


### Excluded Access

- Cannot delete most records (except Jobs and Placement Forms)
- Cannot run sync operations or schedule batch jobs
- Cannot access the Onboarded™ Setup configuration interface


## Onboarded™ Encryption Access

**Intended For:** Administrators and support personnel who need to troubleshoot failed sync operations by viewing the encrypted payload data in the Sync Queue.

> **Security Warning:** This permission set grants access to view decrypted Sync Queue payloads, which may contain sensitive PII (Personally Identifiable Information). Assign only to users with legitimate troubleshooting or audit needs.


### Object Permissions

Read-only access to:

- `Onboarded_Sync_Queue__c` (View All Records)


### Field Permissions

Read-only access to all Sync Queue fields:

- `Error_Message__c`
- `Onboarded_Object_Type__c`
- `Payload__c` (encrypted payload data)
- `Record_Ids__c`
- `Retry_Count__c`
- `Sync_Type__c`


### Custom Permission

- **Onboarded_Encryption_View:** Enables the View Decrypted Payload button on Sync Queue records


### Assignment Criteria

Assign this permission set when users need to:

- Troubleshoot failed outbound sync operations
- Audit data being sent to the Onboarded™ API
- Investigate data transformation issues
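
To review who currently holds this access, the following added example (not part of the package or its documentation) can be run in Execute Anonymous. It lists every user whose permission sets or profile grant `Onboarded_Encryption_View`, using standard Salesforce setup objects. It assumes the custom permission's developer name matches the name shown above and that the running user is allowed to query setup objects.

```apex
// Added example: audit who can use the View Decrypted Payload button.
// Assumption: 'Onboarded_Encryption_View' is the DeveloperName of the custom
// permission. If the package is namespaced, NamespacePrefix is printed so the
// match can be confirmed.
List<CustomPermission> perms = [
    SELECT Id, NamespacePrefix
    FROM CustomPermission
    WHERE DeveloperName = 'Onboarded_Encryption_View'
];

if (perms.size() != 1) {
    // Zero matches: package not installed or name differs. Several: ambiguous.
    System.debug(LoggingLevel.ERROR,
        'Expected exactly one custom permission, found ' + perms.size());
} else {
    Id permId = perms[0].Id;
    System.debug('Namespace: ' + perms[0].NamespacePrefix);

    // SetupEntityAccess links a permission set (or a profile's underlying
    // permission set) to the custom permission it enables.
    List<PermissionSetAssignment> grants = [
        SELECT Assignee.Username, Assignee.IsActive, Assignee.LastLoginDate,
               PermissionSet.Label, PermissionSet.IsOwnedByProfile,
               PermissionSet.Profile.Name
        FROM PermissionSetAssignment
        WHERE PermissionSetId IN (
            SELECT ParentId FROM SetupEntityAccess
            WHERE SetupEntityType = 'CustomPermission'
            AND SetupEntityId = :permId
        )
        ORDER BY Assignee.Username
    ];

    for (PermissionSetAssignment g : grants) {
        // A grant through a profile reaches every user on that profile,
        // so it is called out separately from a permission set assignment.
        String source = g.PermissionSet.IsOwnedByProfile
            ? 'profile: ' + g.PermissionSet.Profile.Name
            : 'permission set: ' + g.PermissionSet.Label;
        String flag = g.Assignee.IsActive ? '' : ' [INACTIVE USER]';
        System.debug(g.Assignee.Username + ' | ' + source
            + ' | last login: ' + g.Assignee.LastLoginDate + flag);
    }
    System.debug('Total grants of decrypted payload access: ' + grants.size());
}
```

Compare the output against the users who currently have a troubleshooting or audit need, and remove assignments that no longer meet the criteria above.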


## Permission Set Assignment

1. **Navigate to Permission Sets.** **Setup** → **Users** → **Permission Sets**.
2. **Select the Permission Set.** Click on **Onboarded™ Admin**, **Onboarded™ HR Representative**, or **Onboarded™ Encryption Access**.
3. **Manage Assignments.** Click **Manage Assignments** → **Add Assignment**.
4. **Select Users.** Select the users who need access and click **Assign**.


> **Important:** If you map Onboarded™ data to your own custom objects instead of the package objects, you must ensure users have appropriate permissions on those objects through their profile or additional permission sets.