Permissions

To perform backup and restore operations, Veeam Backup for Salesforce requires the following permissions to be provided.

Salesforce API Integration

Account	Required Permissions
Salesforce User	Veeam Backup for Salesforce requires a Standard User with the Salesforce license type to connect to a Salesforce organization to perform backup and restore operations for Salesforce resources. Note that free Salesforce Integration Users cannot perform backup and restore operations. The user whose credentials are used to authorize the connection must be assigned full permissions required to read and modify data: System Administrator profile (grants broad permissions immediately, but not all the required ones). Permission set that has the following permissions enabled: Query All Files permission to back up all files. View and Edit Converted Leads permission to restore converted leads. Permissions for all custom record types of objects to restore records of custom types. Set Audit Fields upon Record Creation permission to restore original values in audit fields when restoring deleted records. Update Records with Inactive Owners permission to restore deleted records owned by inactive users. Update Email Messages permission to restore attachments of email messages. Permission set licenses for any managed application license that is required for accessing the data (for example, HVS, CPQ). Feature-based user permissions: Marketing User, Service Cloud User, Knowledge User, Salesforce CRM Content User. For sandboxes, any managed application needs to be enabled and license provided to the user. For example, High Velocity Sales requires application activation.
Salesforce Connected App	Veeam Backup for Salesforce establishes secure and encrypted connections to Salesforce using tokens of Connected Apps. When creating and configuring a Connected App, make sure the following OAuth scopes are added to the app: Full access (full) Perform requests at any time (refresh_token, offline_access) Access unique user identifiers (openid) To learn how to create the app, see Performing Initial Configuration. Note: The Access unique user identifiers (openid) option applies only if you use Salesforce as an identity provider. For more information on OAuth scopes in Salesforce, see Salesforce Documentation.

Account

Required Permissions

Salesforce User

Veeam Backup for Salesforce requires a Standard User with the Salesforce license type to connect to a Salesforce organization to perform backup and restore operations for Salesforce resources. Note that free Salesforce Integration Users cannot perform backup and restore operations.

The user whose credentials are used to authorize the connection must be assigned full permissions required to read and modify data:

System Administrator profile (grants broad permissions immediately, but not all the required ones).
Permission set that has the following permissions enabled:

Query All Files permission to back up all files.
View and Edit Converted Leads permission to restore converted leads.
Permissions for all custom record types of objects to restore records of custom types.
Set Audit Fields upon Record Creation permission to restore original values in audit fields when restoring deleted records.
Update Records with Inactive Owners permission to restore deleted records owned by inactive users.
Update Email Messages permission to restore attachments of email messages.

Permission set licenses for any managed application license that is required for accessing the data (for example, HVS, CPQ).
Feature-based user permissions: Marketing User, Service Cloud User, Knowledge User, Salesforce CRM Content User.

For sandboxes, any managed application needs to be enabled and license provided to the user. For example, High Velocity Sales requires application activation.

Salesforce Connected App

Veeam Backup for Salesforce establishes secure and encrypted connections to Salesforce using tokens of Connected Apps. When creating and configuring a Connected App, make sure the following OAuth scopes are added to the app:

Full access (full)
Perform requests at any time (refresh_token, offline_access)
Access unique user identifiers (openid)

To learn how to create the app, see Performing Initial Configuration.

Note: The Access unique user identifiers (openid) option applies only if you use Salesforce as an identity provider. For more information on OAuth scopes in Salesforce, see Salesforce Documentation.

Veeam Backup for Salesforce Components

Account	Required Permissions
PostgreSQL Database User	Veeam Backup for Salesforce creates databases and database schemas to store Salesforce data and metadata. Therefore, the database user must be granted permissions to create schemas and databases. Note: If you do not grant the user permissions to create databases, you will have to manually create databases on PostgreSQL servers first, and then add databases to Veeam Backup for Salesforce as described in section Adding Databases, before you create any backup policies.

Account

Required Permissions

PostgreSQL Database User

Veeam Backup for Salesforce creates databases and database schemas to store Salesforce data and metadata. Therefore, the database user must be granted permissions to create schemas and databases.

Note: If you do not grant the user permissions to create databases, you will have to manually create databases on PostgreSQL servers first, and then add databases to Veeam Backup for Salesforce as described in section Adding Databases, before you create any backup policies.