Permissions

To perform backup and restore operations of Salesforce data, Veeam Data Cloud requires the following permissions to be provided.

Salesforce API Integration

Account	Required Permissions
Salesforce User	Veeam Data Cloud requires a Standard User with the Salesforce license type to connect to a Salesforce tenant to perform backup and restore operations for Salesforce resources. Note that free Salesforce Integration Users cannot perform backup and restore operations. The user whose credentials are used to authorize the connection must be assigned full permissions required to read and modify data: System Administrator profile (grants broad permissions immediately, but not all the required ones). Permission set that has the following permissions enabled: Query All Files permission to back up and archive all files. If you do not provide the permission, file backup will be disabled in the backup policy. View Encrypted Data permission to back up object records with encrypted fields (Salesforce Classic encryption). Modify All Data permission to archive data. Bulk API Hard Delete permission to use Bulk API while archiving data. View and Edit Converted Leads permission to restore converted leads. Permissions for all custom record types of objects to restore records of custom types. Set Audit Fields upon Record Creation permission to restore original values in audit fields when restoring deleted records. Update Records with Inactive Owners permission to restore deleted records owned by inactive users. Update Email Messages permission to restore attachments of email messages. Permission set licenses for any managed application license that is required for accessing the data (for example, HVS, CPQ). Feature-based user permissions: Marketing User, Service Cloud User, Knowledge User, Salesforce CRM Content User. Record-based user permissions: for correct archival of different types of object records, the user must have permissions to modify each of those types of records. Salesforce CRM Content feature permissions: to allow VDC to restore and archive files in libraries, the user must have the Salesforce CRM Content User option enabled and permission to manage all libraries granted. For more information, see Salesforce Documentation. For sandboxes, any managed application needs to be enabled and license provided to the user. For example, High Velocity Sales requires application activation.
AWS Key Management Service	The IAM and key policies that Veeam Data Cloud uses when encrypting data with AWS KMS keys must provide permissions to perform the following operations: ListKeys operation to get the list of available keys. Encrypt operation to encrypt data with AWS KMS keys. Decrypt operation to decrypt data with AWS KMS keys. DescribeKey operation to retrieve information about AWS KMS keys. For more information on the IAM and key policies, see AWS Documentation.

Account

Required Permissions

Salesforce User

Veeam Data Cloud requires a Standard User with the Salesforce license type to connect to a Salesforce tenant to perform backup and restore operations for Salesforce resources. Note that free Salesforce Integration Users cannot perform backup and restore operations.

The user whose credentials are used to authorize the connection must be assigned full permissions required to read and modify data:

System Administrator profile (grants broad permissions immediately, but not all the required ones).
Permission set that has the following permissions enabled:

Query All Files permission to back up and archive all files. If you do not provide the permission, file backup will be disabled in the backup policy.
View Encrypted Data permission to back up object records with encrypted fields (Salesforce Classic encryption).
Modify All Data permission to archive data.
Bulk API Hard Delete permission to use Bulk API while archiving data.
View and Edit Converted Leads permission to restore converted leads.
Permissions for all custom record types of objects to restore records of custom types.
Set Audit Fields upon Record Creation permission to restore original values in audit fields when restoring deleted records.
Update Records with Inactive Owners permission to restore deleted records owned by inactive users.
Update Email Messages permission to restore attachments of email messages.

Permission set licenses for any managed application license that is required for accessing the data (for example, HVS, CPQ).
Feature-based user permissions: Marketing User, Service Cloud User, Knowledge User, Salesforce CRM Content User.

Record-based user permissions: for correct archival of different types of object records, the user must have permissions to modify each of those types of records.
Salesforce CRM Content feature permissions: to allow VDC to restore and archive files in libraries, the user must have the Salesforce CRM Content User option enabled and permission to manage all libraries granted. For more information, see Salesforce Documentation.

For sandboxes, any managed application needs to be enabled and license provided to the user. For example, High Velocity Sales requires application activation.

AWS Key Management Service

The IAM and key policies that Veeam Data Cloud uses when encrypting data with AWS KMS keys must provide permissions to perform the following operations:

ListKeys operation to get the list of available keys.
Encrypt operation to encrypt data with AWS KMS keys.
Decrypt operation to decrypt data with AWS KMS keys.
DescribeKey operation to retrieve information about AWS KMS keys.

For more information on the IAM and key policies, see AWS Documentation.