Cloud Backup: How do I prevent RAM users from mistakenly deleting backup data?

Last Updated: Sep 21, 2023

This topic describes how to use a Resource Access Management (RAM) policy to prevent RAM users from mistakenly deleting data stored in backup vaults. The RAM policy helps you effectively protect your data.

Prerequisites

A RAM user is created. For more information, see Create a RAM user.

Background information

RAM is a resource access control service provided by Alibaba Cloud. You can configure RAM policies based on users. RAM policies help you manage RAM users such as employees, systems, and applications. For example, you can control which resources within your Alibaba Cloud account are accessible to RAM users and prevent RAM users from mistakenly deleting backup data.
Note: If you use RAM policies, we recommend that you use RAM Policy Editor to generate the required RAM policies. For more information, see RAM Policy Editor.

Procedure

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. Create a RAM policy to prevent RAM users from mistakenly deleting backup data. For more information about how to create a custom policy, see Create a custom policy.
    The following example shows a RAM policy that can prevent RAM users from mistakenly deleting backup data.
    {
        "Version": "1",
        "Statement": [{
            "Effect": "Deny",
            "Action": [
                "hbr:DeleteBackupClient",
                "hbr:DeleteContact",
                "hbr:DeleteContactGroup",
                "hbr:DeleteVault",
                "hbr:DeleteJob",
                "hbr:DeleteClient",
                "hbr:DeleteHanaBackupPlan",
                "hbr:DeleteClients",
                "hbr:DeleteBackupSourceGroup",
                "hbr:DeleteBackupPlan",
                "hbr:DeleteHanaInstance",
                "hbr:DeleteSqlServerInstance",
                "hbr:DeleteSnapshot",
                "hbr:DeleteSqlServerSnapshot",
                "hbr:DeleteSqlServerLog",
                "hbr:DeleteVcenter",
                "hbr:DeleteUdmEcsInstance",
                "hbr:DeleteAppliance",
                "hbr:DeleteUniBackupClient",
                "hbr:DeleteUniBackupPlan",
                "hbr:DeleteUniBackupCluster",
                "hbr:DeleteUniRestorePlan"
            ],
            "Resource": [
                "acs:hbr:*:{uid}:vault/{vaultId}",
                "acs:hbr:*:{uid}:vault/{vaultId}/*"
            ]
        }]
    }
    Note
    • In the preceding RAM policy, vaultId specifies the ID of the backup vault to be protected. To protect all backup vaults, enter an asterisk (*).
    • For more information about how to use the elements in the preceding RAM policy, such as Effect, Action, and Resource, see Policy elements.
  3. Attach the policy to the RAM user.
    1. In the left-side navigation pane, choose Identities > Users.
    2. On the Users page, find the RAM user to which you want to attach the policy, and click Add Permissions in the Actions column.
    3. Click Custom Policy in the Select Policy section, and then select the policy that you created in Step 2.
    4. Click OK.

Result

  • After you configure the preceding RAM policy, an error message appears when a RAM user attempts to delete a protected backup vault.
  • After you configure the preceding RAM policy, an error message appears when a RAM user attempts to delete a backup client, for example, an Elastic Compute Service (ECS) file backup client.
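
A check you can run on the policy from Step 2 before attaching it, added here as an example and not Alibaba Cloud's own code: it flags {uid} or {vaultId} placeholders that were never replaced and evaluates whether a delete request on a given vault ARN matches the Deny statement. The account ID, vault ID, region, and the simplified wildcard matching are assumptions ({uid} is assumed to be the Alibaba Cloud account ID), and the policy is a three-action subset of the one above.

```python
import json
import re
from fnmatch import fnmatchcase

# Subset of the page's policy; {uid} and {vaultId} are its placeholders.
POLICY_TEMPLATE = """{
  "Version": "1",
  "Statement": [{
    "Effect": "Deny",
    "Action": ["hbr:DeleteVault", "hbr:DeleteSnapshot", "hbr:DeleteBackupClient"],
    "Resource": ["acs:hbr:*:{uid}:vault/{vaultId}",
                 "acs:hbr:*:{uid}:vault/{vaultId}/*"]
  }]
}"""

# Constructed sample values, not real identifiers.
UID = "1234567890123456"
VAULT_ID = "v-0000example"
VAULT_ARN = f"acs:hbr:cn-hangzhou:{UID}:vault/{VAULT_ID}"

def render(template, uid, vault_id):
    """Substitute the page's {uid} and {vaultId} placeholders."""
    return template.replace("{uid}", uid).replace("{vaultId}", vault_id)

def unfilled_placeholders(policy_text):
    """Return placeholders such as {vaultId} that were never replaced."""
    return sorted(set(re.findall(r"\{[A-Za-z]+\}", policy_text)))

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_denied(policy_text, action, resource):
    """True if some Deny statement matches both the action and the resource.
    Simplified model (assumption): '*' wildcards only; Condition is ignored."""
    for stmt in _as_list(json.loads(policy_text)["Statement"]):
        if stmt.get("Effect") != "Deny":
            continue
        if (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
                and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))):
            return True
    return False

if __name__ == "__main__":
    policy = render(POLICY_TEMPLATE, UID, VAULT_ID)
    print("unfilled:", unfilled_placeholders(policy))
    print("DeleteVault denied:", is_denied(policy, "hbr:DeleteVault", VAULT_ARN))
```

A policy pasted with its placeholders intact is still valid JSON and can be saved, but its Resource entries match no real vault, so the Deny never applies.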