Step 3. Define Operations
[This step applies only if you have selected the Specify granular roles check box at the Service Account step of the wizard]
At the Roles step of the wizard, define operations that Veeam Backup for Google Cloud will be able to perform for the resources managed by the project or folder: choose whether Veeam Backup for Google Cloud will be able to protect VM, Cloud SQL and Cloud Spanner instances that belong to this project or folder using cloud-native snapshots and image-level backups, to deploy backup repositories and workers in the project or folder, and to restore VM and Cloud SQL and Cloud Spanner instances to this project or folder from the created backups and snapshots.
In the Veeam management permissions section, choose a type of the account role:
- Repository access role — permissions of this account role will be used to create new repositories in target Google Cloud buckets and further to access the repositories during data protection and disaster recovery operations. If you create an account role of this type, you will be able to select it when configuring repository settings.
- Worker deployment role — permissions of this account role will be used to launch worker instances in the worker project. If you create a role of this type, you will be able to select it when adding worker configurations.
- File-level recovery to original location — permissions of this account role will be used to launch worker instances during file-level restore operations. If you create a role of this type, you will be able to select it when performing file-level restore.
In the Workload permissions section, choose workloads that will be protected using permissions of the account role, and operations that will be performed with these workloads:
- If you select the Backup and Snapshot operations, you will be able to specify the service account when performing VM backup, SQL backup and Spanner backup.
- If you select the Restore operation, you will be able to specify the service account when performing entire VM instance restore, disk-level restore, entire SQL instance restore, SQL database restore, entire Spanner instance restore and Spanner database restore.
- If you select the File-level recovery to original location operation, you will be able to specify the service account when performing file-level recovery to the original location.
Keep in mind that the specified options apply only to the role selection for restore operations — they do not grant any permissions (unless you have selected the Create new account option at step 2 of the Adding Service Account wizard). That is why it is recommended that you check whether the added service account has all the permissions required to perform operations with the selected workloads.