To improve the security of data backup management and meet security compliance requirements, you must prevent accidental operations by users within your enterprise, as well as actions by unauthorized users, from backing up or restoring data. Cloud Backup allows you to isolate backup permissions from recovery permissions. This topic describes how to grant backup permissions and recovery permissions to different RAM users.
Background information
You can grant a RAM user only the permissions to perform backup operations on a backup vault and grant another RAM user only the permissions to perform recovery operations on the backup vault. This prevents unauthorized operations.
Grant backup permissions and recovery permissions to different RAM users
Obtain the policy document that denies backup operations and the policy document that denies recovery operations.
Log on to the Cloud Backup console.
In the left-side navigation pane, choose .
Find the backup vault that you want to manage. In the Actions column, choose .
In the RAM Permission Policy section of the Modify Backup Vault panel, click "RAM Policy that deny restore" or "RAM Policy that deny backup".
Policy document that denies recovery operations
Click the Copy button in the upper-left corner of the script to quickly copy the script. Example:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "hbr:CreateRestore",
        "hbr:CreateRestoreJob",
        "hbr:CreateHanaRestore",
        "hbr:CreateUniRestorePlan",
        "hbr:CreateSqlServerRestore"
      ],
      "Resource": [
        "acs:hbr:*:1178037424989531:vault/v-0000ryfi******piu",
        "acs:hbr:*:1178037424989531:vault/v-0000ryfi******piu/client/*"
      ]
    }
  ]
}
Note: v-0000ryfi******piu is the ID of the backup vault.
Policy document that denies backup operations
Click the Copy button in the upper-left corner of the script to quickly copy the script. Example:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "hbr:CreateUniBackupPlan",
        "hbr:UpdateUniBackupPlan",
        "hbr:DeleteUniBackupPlan",
        "hbr:CreateHanaInstance",
        "hbr:UpdateHanaInstance",
        "hbr:DeleteHanaInstance",
        "hbr:CreateHanaBackupPlan",
        "hbr:UpdateHanaBackupPlan",
        "hbr:DeleteHanaBackupPlan",
        "hbr:CreateClient",
        "hbr:CreateClients",
        "hbr:UpdateClient",
        "hbr:UpdateClientSettings",
        "hbr:UpdateClientAlertConfig",
        "hbr:DeleteClient",
        "hbr:DeleteClients",
        "hbr:CreateJob",
        "hbr:UpdateJob",
        "hbr:CreateBackupPlan",
        "hbr:UpdateBackupPlan",
        "hbr:ExecuteBackupPlan",
        "hbr:DeleteBackupPlan",
        "hbr:CreateBackupJob",
        "hbr:CreatePlan",
        "hbr:UpdatePlan",
        "hbr:CreateTrialBackupPlan",
        "hbr:ConvertToPostPaidInstance",
        "hbr:KeepAfterTrialExpiration"
      ],
      "Resource": [
        "acs:hbr:*:1178037424989531:vault/v-0000ryfi******piu",
        "acs:hbr:*:1178037424989531:vault/v-0000ryfi******piu/client/*"
      ]
    }
  ]
}
Note: v-0000ryfi******piu is the ID of the backup vault.
Log on to the RAM console and create two custom policies based on the policy documents obtained in the preceding step.
For more information, see Create a custom policy.
Attach the custom policies that you created in Step 2 to two different RAM users. This way, one RAM user cannot perform backup operations and the other RAM user cannot perform recovery operations.
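The following script is an added illustration of the separation the three steps above produce; it is not code from Alibaba Cloud or the Cloud Backup service. It builds the two Deny policy documents from the action lists on this page, attaches each one next to a broad Allow policy (standing in for the operational permissions a RAM user needs in any case, since a Deny-only policy grants nothing), and evaluates sample requests under the simplified rule that an explicit Deny overrides any Allow, with "*" wildcards in Action and Resource. The account ID, vault ID, region and client ID are constructed sample values; the evaluator is a model of the policy logic, not the real RAM engine.

```python
"""Model check: do the two Deny policies really split backup and recovery rights?"""
import json
import re

ACCOUNT_ID = "1234567890123456"   # constructed sample account ID (not from the page)
VAULT_ID = "v-examplevault0001"   # constructed sample vault ID (not from the page)
# Resource patterns exactly as in the page's policy documents: the vault and its clients.
VAULT_PATTERN = f"acs:hbr:*:{ACCOUNT_ID}:vault/{VAULT_ID}"
CLIENT_PATTERN = VAULT_PATTERN + "/client/*"

# Action lists copied from the two policy documents on this page.
RESTORE_ACTIONS = [
    "hbr:CreateRestore", "hbr:CreateRestoreJob", "hbr:CreateHanaRestore",
    "hbr:CreateUniRestorePlan", "hbr:CreateSqlServerRestore",
]
BACKUP_ACTIONS = [
    "hbr:CreateUniBackupPlan", "hbr:UpdateUniBackupPlan", "hbr:DeleteUniBackupPlan",
    "hbr:CreateHanaInstance", "hbr:UpdateHanaInstance", "hbr:DeleteHanaInstance",
    "hbr:CreateHanaBackupPlan", "hbr:UpdateHanaBackupPlan", "hbr:DeleteHanaBackupPlan",
    "hbr:CreateClient", "hbr:CreateClients", "hbr:UpdateClient",
    "hbr:UpdateClientSettings", "hbr:UpdateClientAlertConfig", "hbr:DeleteClient",
    "hbr:DeleteClients", "hbr:CreateJob", "hbr:UpdateJob", "hbr:CreateBackupPlan",
    "hbr:UpdateBackupPlan", "hbr:ExecuteBackupPlan", "hbr:DeleteBackupPlan",
    "hbr:CreateBackupJob", "hbr:CreatePlan", "hbr:UpdatePlan",
    "hbr:CreateTrialBackupPlan", "hbr:ConvertToPostPaidInstance",
    "hbr:KeepAfterTrialExpiration",
]


def deny_policy(actions):
    """Build a Deny policy document in the same shape as the ones on this page."""
    return {"Version": "1", "Statement": [{
        "Effect": "Deny",
        "Action": list(actions),
        "Resource": [VAULT_PATTERN, CLIENT_PATTERN],
    }]}


DENY_RESTORE = deny_policy(RESTORE_ACTIONS)   # attach to the backup operator
DENY_BACKUP = deny_policy(BACKUP_ACTIONS)     # attach to the recovery operator
# Broad Allow standing in for the operational policy each user also needs (assumption).
ALLOW_ALL_HBR = {"Version": "1", "Statement": [{
    "Effect": "Allow", "Action": ["hbr:*"], "Resource": ["*"],
}]}


def _matches(pattern, value):
    """Policy-style wildcard match: '*' matches any run of characters."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policies, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request.

    Simplified model: any matching Deny statement wins over every Allow;
    with no matching statement at all the request is implicitly denied.
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
                continue
            if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def overlapping_actions(policy_a, policy_b):
    """Actions denied by both policies; must be empty or one user loses both rights."""
    def actions(policy):
        return {a for s in policy["Statement"] for a in _as_list(s["Action"])}
    return actions(policy_a) & actions(policy_b)


if __name__ == "__main__":
    vault = f"acs:hbr:cn-hangzhou:{ACCOUNT_ID}:vault/{VAULT_ID}"  # constructed request ARN
    print(json.dumps(DENY_RESTORE, indent=2))
    backup_user = [ALLOW_ALL_HBR, DENY_RESTORE]
    restore_user = [ALLOW_ALL_HBR, DENY_BACKUP]
    for who, pols in (("backup user", backup_user), ("restore user", restore_user)):
        for act in ("hbr:CreateBackupJob", "hbr:CreateRestoreJob"):
            print(f"{who:12} {act:22} {evaluate(pols, act, vault)}")
    print("overlap:", overlapping_actions(DENY_BACKUP, DENY_RESTORE) or "none")
```

Two properties are worth checking before rolling this out: the two action lists must not overlap (otherwise a user holding one policy is locked out of both tasks), and the Deny is scoped to one vault and its clients, so a RAM user with the broad Allow still keeps every right on other vaults unless each of those vaults gets its own pair of policies.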