Permissions

To perform backup and restore operations, Veeam Backup for Salesforce requires the following permissions to be provided.

Salesforce API Integration

Account	Required Permissions
Salesforce User	Veeam Backup for Salesforce requires a Standard User with the Salesforce license type to connect to a Salesforce organization to perform backup and restore operations for Salesforce resources. Note that free Salesforce Integration Users cannot perform backup and restore operations. The user whose credentials are used to authorize the connection must be assigned full permissions required to read and modify data: System Administrator profile (grants broad permissions immediately, but not all the required ones). Permission set that has the following permissions enabled: Query All Files permission to back up and archive all files. View Encrypted Data permission to back up object records with encrypted fields (Salesforce Classic encryption). Modify All Data permission to archive data. Bulk API Hard Delete permission to use Bulk API while archiving data. View and Edit Converted Leads permission to restore converted leads. Permissions for all custom record types of objects to restore records of custom types. Set Audit Fields upon Record Creation permission to restore original values in audit fields when restoring deleted records. Update Records with Inactive Owners permission to restore deleted records owned by inactive users. Update Email Messages permission to restore attachments of email messages. Permission set licenses for any managed application license that is required for accessing the data (for example, HVS, CPQ). Feature-based user permissions: Marketing User, Service Cloud User, Knowledge User, Salesforce CRM Content User. Record-based user permissions: for correct archival of different types of object records, the user must have permissions to modify each of those types of records. For sandboxes, any managed application needs to be enabled and license provided to the user. For example, High Velocity Sales requires application activation.
AWS Key Management Service	The IAM and key policies that Veeam Backup for Salesforce uses when encrypting data with AWS KMS keys must provide permissions to perform the following operations: ListKeys operation to get the list of available keys. Only symmetric keys can be used in Veeam Backup for Salesforce 3.0. Encrypt operation to encrypt data with AWS KMS keys. Decrypt operation to decrypt data with AWS KMS keys. DescribeKey operation to retrieve information about AWS KMS keys. For more information on the IAM and key policies, see AWS Documentation.
Salesforce Connected App	Veeam Backup for Salesforce establishes secure and encrypted connections to Salesforce using tokens of Connected Apps. When creating and configuring a Connected App, make sure the following OAuth scopes are added to the app: Full access (full) Perform requests at any time (refresh_token, offline_access) Access unique user identifiers (openid) To learn how to create the app, see Performing Initial Configuration. Note: The Access unique user identifiers (openid) option applies only if you use Salesforce as an identity provider. For more information on OAuth scopes in Salesforce, see Salesforce Documentation.

Account

Required Permissions

Salesforce User

Veeam Backup for Salesforce requires a Standard User with the Salesforce license type to connect to a Salesforce organization to perform backup and restore operations for Salesforce resources. Note that free Salesforce Integration Users cannot perform backup and restore operations.

The user whose credentials are used to authorize the connection must be assigned full permissions required to read and modify data:

System Administrator profile (grants broad permissions immediately, but not all the required ones).
Permission set that has the following permissions enabled:

Query All Files permission to back up and archive all files.
View Encrypted Data permission to back up object records with encrypted fields (Salesforce Classic encryption).
Modify All Data permission to archive data.
Bulk API Hard Delete permission to use Bulk API while archiving data.
View and Edit Converted Leads permission to restore converted leads.
Permissions for all custom record types of objects to restore records of custom types.
Set Audit Fields upon Record Creation permission to restore original values in audit fields when restoring deleted records.
Update Records with Inactive Owners permission to restore deleted records owned by inactive users.
Update Email Messages permission to restore attachments of email messages.

Permission set licenses for any managed application license that is required for accessing the data (for example, HVS, CPQ).
Feature-based user permissions: Marketing User, Service Cloud User, Knowledge User, Salesforce CRM Content User.

Record-based user permissions: for correct archival of different types of object records, the user must have permissions to modify each of those types of records.

For sandboxes, any managed application needs to be enabled and license provided to the user. For example, High Velocity Sales requires application activation.

AWS Key Management Service

The IAM and key policies that Veeam Backup for Salesforce uses when encrypting data with AWS KMS keys must provide permissions to perform the following operations:

ListKeys operation to get the list of available keys. Only symmetric keys can be used in Veeam Backup for Salesforce 3.0.
Encrypt operation to encrypt data with AWS KMS keys.
Decrypt operation to decrypt data with AWS KMS keys.
DescribeKey operation to retrieve information about AWS KMS keys.

For more information on the IAM and key policies, see AWS Documentation.

Salesforce Connected App

Veeam Backup for Salesforce establishes secure and encrypted connections to Salesforce using tokens of Connected Apps. When creating and configuring a Connected App, make sure the following OAuth scopes are added to the app:

Full access (full)
Perform requests at any time (refresh_token, offline_access)
Access unique user identifiers (openid)

To learn how to create the app, see Performing Initial Configuration.

Note: The Access unique user identifiers (openid) option applies only if you use Salesforce as an identity provider. For more information on OAuth scopes in Salesforce, see Salesforce Documentation.

Veeam Backup for Salesforce Components

Account	Required Permissions
PostgreSQL Database User	Veeam Backup for Salesforce creates databases and database schemas to store Salesforce data and metadata. Therefore, the database user must be granted permissions to create schemas and databases. Note: If you do not grant the user permissions to create databases, you will have to manually create databases on PostgreSQL servers first, and then add databases to Veeam Backup for Salesforce as described in section Adding Databases, before you create any backup policies.

Account

Required Permissions

PostgreSQL Database User

Veeam Backup for Salesforce creates databases and database schemas to store Salesforce data and metadata. Therefore, the database user must be granted permissions to create schemas and databases.

Note: If you do not grant the user permissions to create databases, you will have to manually create databases on PostgreSQL servers first, and then add databases to Veeam Backup for Salesforce as described in section Adding Databases, before you create any backup policies.