Cloud Backup: How do I prevent RAM users from mistakenly deleting backup data?

Last Updated: Jan 07, 2025

This topic describes how to use a Resource Access Management (RAM) policy to prevent RAM users from mistakenly deleting data stored in backup vaults. The RAM policy helps you effectively protect your data.

Prerequisites

A RAM user is created. For more information, see Create a RAM user.

Background information

RAM is a resource access control service provided by Alibaba Cloud. You can configure RAM policies based on users. RAM policies help you manage RAM users such as employees, systems, and applications. For example, you can control which resources within your Alibaba Cloud account are accessible to RAM users and prevent RAM users from mistakenly deleting backup data.

Note

If you use RAM policies, we recommend that you use RAM Policy Editor to generate required RAM policies. For more information, see RAM Policy Editor.

Procedure

  1. Log on to the RAM console with your Alibaba Cloud account.

  2. Create a RAM policy to prevent RAM users from mistakenly deleting backup data. For more information about how to create policies, see Create custom policies.

    The following example shows a RAM policy that can prevent RAM users from mistakenly deleting backup data.

    {
        "Version": "1",
        "Statement": [{
            "Effect": "Deny",
            "Action": [
                "hbr:DeleteBackupClient",
                "hbr:DeleteContact",
                "hbr:DeleteContactGroup",
                "hbr:DeleteVault",
                "hbr:DeleteJob",
                "hbr:DeleteClient",
                "hbr:DeleteHanaBackupPlan",
                "hbr:DeleteClients",
                "hbr:DeleteBackupSourceGroup",
                "hbr:DeleteBackupPlan",
                "hbr:DeleteHanaInstance",
                "hbr:DeleteSqlServerInstance",
                "hbr:DeleteSnapshot",
                "hbr:DeleteSqlServerSnapshot",
                "hbr:DeleteSqlServerLog",
                "hbr:DeleteVcenter",
                "hbr:DeleteUdmEcsInstance",
                "hbr:DeleteAppliance",
                "hbr:DeleteUniBackupClient",
                "hbr:DeleteUniBackupPlan",
                "hbr:DeleteUniBackupCluster",
                "hbr:DeleteUniRestorePlan"
            ],
            "Resource": [
                "acs:hbr:*:{uid}:vault/{vaultId}",
                "acs:hbr:*:{uid}:vault/{vaultId}/*"
            ]
        }]
    }
    Note
    • In the preceding RAM policy, vaultId specifies the ID of the backup vault to be protected. To protect all backup vaults, enter an asterisk (*).

    • For more information about how to use the elements in the preceding RAM policy, such as Effect, Action, and Resource, see Policy elements.

  3. Attach the policy to the RAM user.

    1. In the left-side navigation pane, choose Identities > Users.

    2. On the Users page, find the RAM user and click Add Permissions in the Actions column.

    3. In the Policy section of the Grant Permission panel, select Custom Policy from the drop-down list, select the policy that you created in Step 2, and then click Grant permissions.

    4. Confirm the authorization result and click Close.

Result

  • After you configure the preceding RAM policy, the following error message appears when a RAM user attempts to delete a protected backup vault: You do not have the required permissions. Contact the owner of the Alibaba Cloud account to grant you the required permissions.

  • After you configure the preceding RAM policy, the following error message appears when a RAM user attempts to delete a backup client, for example, an Elastic Compute Service (ECS) file backup client: You do not have the required permissions. Contact the owner of the Alibaba Cloud account to grant you the required permissions.
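
The following added example (not part of the original topic and not Alibaba Cloud's policy evaluator) fills in the {uid} and {vaultId} placeholders of the policy from Step 2 and checks locally which requests its Deny statement covers, so that a policy that still contains literal placeholders or protects the wrong vault is caught before it is attached. It assumes a shortened action list, models only the * wildcard, and uses constructed sample IDs, resource paths and requests.

```python
import re

# Shortened action list from the policy in Step 2; use the full list in practice.
ACTIONS = ["hbr:DeleteVault", "hbr:DeleteSnapshot", "hbr:DeleteBackupPlan"]
TEMPLATE = ["acs:hbr:*:{uid}:vault/{vaultId}", "acs:hbr:*:{uid}:vault/{vaultId}/*"]


def build_policy(uid, vault_id):
    """Fill the {uid} and {vaultId} placeholders of the page's Resource patterns."""
    resources = [r.replace("{uid}", uid).replace("{vaultId}", vault_id) for r in TEMPLATE]
    return {"Version": "1",
            "Statement": [{"Effect": "Deny", "Action": ACTIONS, "Resource": resources}]}


def unresolved_placeholders(policy):
    """Return Resource entries that still contain a literal {placeholder}."""
    return [r for s in policy["Statement"] for r in s["Resource"] if re.search(r"\{\w+\}", r)]


def _match(pattern, value):
    # Assumption: only the '*' wildcard is modelled (it matches any run of characters).
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def is_denied(policy, action, resource):
    """True if any Deny statement matches both the action and the resource."""
    for s in policy["Statement"]:
        if s["Effect"] != "Deny":
            continue
        if any(_match(a, action) for a in s["Action"]) and \
           any(_match(r, resource) for r in s["Resource"]):
            return True
    return False


# Constructed sample values, not real identifiers.
UID, VAULT = "1234567890123456", "v-sample0001"
policy = build_policy(UID, VAULT)

if __name__ == "__main__":
    base = f"acs:hbr:cn-hangzhou:{UID}:vault/"
    for action, res in [("hbr:DeleteVault", base + VAULT),
                        ("hbr:DeleteSnapshot", base + VAULT + "/snapshot/s-1"),
                        ("hbr:DeleteVault", base + "v-other0002"),
                        ("hbr:CreateBackupPlan", base + VAULT)]:
        print(action, res, "->", "Deny" if is_denied(policy, action, res) else "not denied")
```

A result of "not denied" only means that this Deny statement does not match; whether the request succeeds still depends on the other policies attached to the RAM user.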