Permissions

To perform backup and restore operations, Veeam Backup for Salesforce requires the following permissions to be provided.

Salesforce API Integration

Account

Required Permissions

Salesforce User

Veeam Backup for Salesforce requires a Standard User with the Salesforce license type to connect to a Salesforce organization to perform backup and restore operations for Salesforce resources. Note that free Salesforce Integration Users cannot perform backup and restore operations.

The user whose credentials are used to authorize the connection must be assigned full permissions required to read and modify data:

  • System Administrator profile (grants broad permissions immediately, but not all the required ones).
  • Permission set that has the following permissions enabled:
  • Permission set licenses for any managed application license that is required for accessing the data (for example, HVS, CPQ).
  • Feature-based user permissions: Marketing User, Service Cloud User, Knowledge User, Salesforce CRM Content User.
  • Record-based user permissions: for correct archival of different types of object records, the user must have permissions to modify each of those types of records.

For sandboxes, any managed application needs to be enabled and license provided to the user. For example, High Velocity Sales requires application activation.

AWS Key Management Service

The IAM and key policies that Veeam Backup for Salesforce uses when encrypting data with AWS KMS keys must provide permissions to perform the following operations:

  • ListKeys operation to get the list of available keys.
  • Encrypt operation to encrypt data with AWS KMS keys.
  • Decrypt operation to decrypt data with AWS KMS keys.
  • DescribeKey operation to retrieve information about AWS KMS keys.

For more information on the IAM and key policies, see AWS Documentation.

Salesforce Connected App

Veeam Backup for Salesforce establishes secure and encrypted connections to Salesforce using tokens of Connected Apps. When creating and configuring a Connected App, make sure the following OAuth scopes are added to the app:

  • Full access (full)
  • Perform requests at any time (refresh_token, offline_access)
  • Access unique user identifiers (openid)

To learn how to create the app, see Performing Initial Configuration.

Note: The Access unique user identifiers (openid) option applies only if you use Salesforce as an identity provider. For more information on OAuth scopes in Salesforce, see Salesforce Documentation.

Veeam Backup for Salesforce Components

Account

Required Permissions

PostgreSQL Database User

Veeam Backup for Salesforce creates databases and database schemas to store Salesforce data and metadata. Therefore, the database user must be granted permissions to create schemas and databases.

Note: If you do not grant the user permissions to create databases, you will have to manually create databases on PostgreSQL servers first, and then add databases to Veeam Backup for Salesforce as described in section Adding Databases, before you create any backup policies.

Page updated 11/5/2024

Page content applies to build 3.1.0.2378