diff --git a/pom.xml b/pom.xml
index fb149cdbf87..7db515fcba7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -54,6 +54,7 @@
         <sonar.organization>apache</sonar.organization>
         <sonar.host.url>https://sonarcloud.io</sonar.host.url>
         <sonar.exclusions>engine/schema/src/main/java/org/apache/cloudstack/backup/BackupOfferingDetailsVO.java</sonar.exclusions>
+        <sonar.exclusions>api/src/main/java/org/apache/cloudstack/api/response/BackupOfferingResponse.java</sonar.exclusions>
 
         <!-- Build properties -->
         <cs.jdk.version>11</cs.jdk.version>
diff --git a/server/src/test/java/com/cloud/acl/DomainCheckerTest.java b/server/src/test/java/com/cloud/acl/DomainCheckerTest.java
index a5ec41306d8..c88b2e02d5a 100644
--- a/server/src/test/java/com/cloud/acl/DomainCheckerTest.java
+++ b/server/src/test/java/com/cloud/acl/DomainCheckerTest.java
@@ -18,6 +18,9 @@ package com.cloud.acl;
 
 import org.apache.cloudstack.acl.ControlledEntity;
 import org.apache.cloudstack.acl.SecurityChecker;
+import org.apache.cloudstack.backup.BackupOfferingVO;
+import org.apache.cloudstack.backup.dao.BackupOfferingDetailsDao;
+import org.junit.Assert;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.mockito.InjectMocks;
@@ -35,6 +38,8 @@ import com.cloud.user.AccountVO;
 import com.cloud.user.dao.AccountDao;
 import com.cloud.utils.Ternary;
 
+import java.util.Collections;
+
 @RunWith(MockitoJUnitRunner.class)
 public class DomainCheckerTest {
 
@@ -46,6 +51,8 @@ public class DomainCheckerTest {
     DomainDao _domainDao;
     @Mock
     ProjectManager _projectMgr;
+    @Mock
+    BackupOfferingDetailsDao backupOfferingDetailsDao;
 
     @Spy
     @InjectMocks
@@ -163,4 +170,44 @@ public class DomainCheckerTest {
         domainChecker.validateCallerHasAccessToEntityOwner(caller, entity, SecurityChecker.AccessType.ListEntry);
     }
 
+    @Test
+    public void testBackupOfferingAccessRootAdmin() {
+        Account rootAdmin = Mockito.mock(Account.class);
+        Mockito.when(rootAdmin.getId()).thenReturn(1L);
+        BackupOfferingVO backupOfferingVO = Mockito.mock(BackupOfferingVO.class);
+        Mockito.when(_accountService.isRootAdmin(rootAdmin.getId())).thenReturn(true);
+
+        boolean hasAccess = domainChecker.checkAccess(rootAdmin, backupOfferingVO);
+        Assert.assertTrue(hasAccess);
+    }
+
+    @Test
+    public void testBackupOfferingAccessDomainAdmin() {
+        Account domainAdmin = Mockito.mock(Account.class);
+        Mockito.when(domainAdmin.getId()).thenReturn(2L);
+        BackupOfferingVO backupOfferingVO = Mockito.mock(BackupOfferingVO.class);
+        AccountVO owner = Mockito.mock(AccountVO.class);
+        Mockito.when(_accountService.isDomainAdmin(domainAdmin.getId())).thenReturn(true);
+        Mockito.when(domainAdmin.getDomainId()).thenReturn(10L);
+        Mockito.when(owner.getDomainId()).thenReturn(101L);
+        Mockito.when(_domainDao.isChildDomain(100L, 10L)).thenReturn(true);
+        Mockito.when(backupOfferingDetailsDao.findDomainIds(backupOfferingVO.getId())).thenReturn(Collections.singletonList(100L));
+
+        boolean hasAccess = domainChecker.checkAccess(domainAdmin, backupOfferingVO);
+        Assert.assertTrue(hasAccess);
+    }
+
+    @Test
+    public void testBackupOfferingAccessNoAccess() {
+        Account normalUser = Mockito.mock(Account.class);
+        Mockito.when(normalUser.getId()).thenReturn(3L);
+        BackupOfferingVO backupOfferingVO = Mockito.mock(BackupOfferingVO.class);
+        Mockito.when(_accountService.isRootAdmin(normalUser.getId())).thenReturn(false);
+        Mockito.when(_accountService.isDomainAdmin(normalUser.getId())).thenReturn(false);
+        Mockito.when(backupOfferingDetailsDao.findDomainIds(backupOfferingVO.getId())).thenReturn(Collections.singletonList(100L));
+
+        boolean hasAccess = domainChecker.checkAccess(normalUser, backupOfferingVO);
+        Assert.assertFalse(hasAccess);
+    }
+
 }