Before you call an API operation of Cloud Backup as a RAM user, you must grant permissions to the RAM user by using your Alibaba Cloud account. This topic describes the API operations and resources on which you can grant permissions.
Background information
You can create and manage Cloud Backup resources such as backup vaults, backup plans, restore jobs, and clients. By default, you have full permissions on these resources. You can manage the resources by calling the related API operations.
After you create a RAM user, the RAM user does not have permissions on the resources of your Alibaba Cloud account. You must grant permissions to the RAM user by using your Alibaba Cloud account.
For more information about how to authorize a RAM user to access Cloud Backup resources, see Grant permissions to RAM users and Overview of RAM users.
API operations and resources that can be managed by an authorized RAM user
The following table describes the API operations and resources that can be managed by an authorized RAM user.
API operation | ARN | Description |
CreateVault | acs:hbr:$regionId:$accountId:vault/* | Creates a backup vault. |
DeleteVault | acs:hbr:$regionId:$accountId:vault/$vaultId | Deletes a backup vault. |
UpdateVault | acs:hbr:$regionId:$accountId:vault/$vaultId | Updates the configurations of a backup vault. |
DescribeVaults | acs:hbr:$regionId:$accountId:vault/$vaultId | Queries the information about one or more backup vaults that meet the specified conditions. |
InstallBackupClients | acs:hbr:*:$accountId:instance/* | Installs a backup client on one or more Elastic Compute Service (ECS) instances. |
UninstallBackupClients | acs:hbr:*:$accountId:instance/* | Uninstalls a backup client from one or more ECS instances. |
DeleteBackupClient | acs:hbr:*:$accountId:vault/*/client/$clientId | Deletes a backup client. |
DeleteBackupClientResource | acs:hbr:*:$accountId:vault/*/client/$clientId | Deletes all resources that belong to a backup client. |
UpgradeBackupClients | acs:hbr:*:$accountId:instance/* | Upgrades backup clients for one or more ECS instances. |
UpdateClientSettings | acs:hbr:*:$accountId:vault/$vaultId/client/$clientId | Updates the configurations of a backup client. |
DescribeBackupClients | acs:hbr:*:$accountId:vault/$vaultId/client/$clientId | Queries the information about one or more backup clients that meet the specified conditions. |
CreateBackupPlan | acs:hbr:$regionId:$accountId:vault/$vaultId | Creates a backup plan. |
DeleteBackupPlan | acs:hbr:$regionId:$accountId:vault/$vaultId | Deletes a backup plan. |
EnableBackupPlan | acs:hbr:$regionId:$accountId:vault/$vaultId | Enables a backup plan. |
DisableBackupPlan | acs:hbr:$regionId:$accountId:vault/$vaultId | Disables a backup plan. |
UpdateBackupPlan | acs:hbr:$regionId:$accountId:vault/$vaultId | Updates a backup plan. |
DescribeBackupPlans | acs:hbr:$regionId:$accountId:vault/$vaultId | Queries the information about one or more backup plans that meet the specified conditions. |
ExecuteBackupPlan | acs:hbr:$regionId:$accountId:vault/$vaultId | Immediately executes a backup plan. |
DescribeBackupJobs2 | acs:hbr:$regionId:$accountId:vault/$vaultId | Queries the information about one or more backup jobs that meet the specified conditions. |
DeleteSnapshot | acs:hbr:*:$accountId:vault/$vaultId/client/$clientId | Deletes a backup snapshot. |
SearchHistoricalSnapshots | acs:hbr:$regionId:$accountId:vault/$vaultId | Queries the information about one or more backup snapshots that meet the specified conditions. |
CreateRestoreJob | acs:hbr:$regionId:$accountId:vault/$vaultId | Creates a restore job. |
CancelRestoreJob | acs:hbr:$regionId:$accountId:vault/$vaultId | Cancels a restore job. |
DescribeRestoreJobs2 | acs:hbr:$regionId:$accountId:vault/$vaultId | Queries the information about one or more restore jobs that meet the specified conditions. |
The following table describes the parameters that are used in the authorization policies.
Parameter | Description |
$regionId | The ID of a region. |
$accountId | The ID of your Alibaba Cloud account. |
$vaultId | The ID of a backup vault. |
$clientId | The ID of a backup client. |
What to do next
In actual scenarios, you may need to perform O&M operations on Cloud Backup or access Cloud Backup resources as a RAM user.
To allow a RAM user to manage Cloud Backup resources, you can attach the required system policies to the RAM user. The following table describes the system policies that are supported by Cloud Backup.
Authorization policy | Type | Description |
AliyunHBRFullAccess | System policy | The full permissions on Cloud Backup resources. |
AliyunHBRReadOnlyAccess | System policy | The read-only permissions on Cloud Backup resources. |
You can create custom policies. You can also use custom policies and system policies as templates to create finer-grained policies. For more information, see Create a RAM user, Grant permissions to RAM users, and Create a custom policy.
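As an added illustration (not part of the original documentation), the following Python sketch builds a finer-grained custom policy from the ARN templates in the table above, scoped to a single vault and refusing destructive operations. It assumes the `hbr:` action prefix (matching the service code in the ARNs) and policy version `"1"`; the function name, the blocked-prefix rule, and the sample IDs are hypothetical and constructed for the example.

```python
import json
from collections import defaultdict
from string import Template

# ARN templates copied from the table on this page (subset for a restore operator).
VAULT = "acs:hbr:$regionId:$accountId:vault/$vaultId"
CLIENT = "acs:hbr:*:$accountId:vault/$vaultId/client/$clientId"
ARN_TEMPLATES = {
    "DescribeVaults": VAULT,
    "SearchHistoricalSnapshots": VAULT,
    "CreateRestoreJob": VAULT,
    "CancelRestoreJob": VAULT,
    "DescribeRestoreJobs2": VAULT,
    "DescribeBackupClients": CLIENT,
    "DeleteSnapshot": CLIENT,
    "DeleteVault": VAULT,
}
# Assumption of this example: operator roles never get these operation families.
BLOCKED_PREFIXES = ("Delete", "Uninstall")


def build_policy(actions, region_id, account_id, vault_id, client_id="*"):
    """Return a RAM policy dict granting `actions` on exactly one vault."""
    if "*" in vault_id or "*" in region_id:
        raise ValueError("vault and region must be concrete, not wildcards")
    ids = {"regionId": region_id, "accountId": account_id,
           "vaultId": vault_id, "clientId": client_id}
    by_resource = defaultdict(list)
    for action in actions:
        if action.startswith(BLOCKED_PREFIXES):
            raise ValueError(f"{action} is destructive; grant it separately")
        if action not in ARN_TEMPLATES:
            raise ValueError(f"{action} has no ARN template in this example")
        arn = Template(ARN_TEMPLATES[action]).substitute(ids)
        by_resource[arn].append("hbr:" + action)  # assumed action prefix
    return {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow", "Action": sorted(acts), "Resource": arn}
            for arn, acts in sorted(by_resource.items())
        ],
    }


if __name__ == "__main__":
    # Constructed sample IDs, not real resources.
    ops = ["DescribeVaults", "SearchHistoricalSnapshots", "CreateRestoreJob",
           "DescribeRestoreJobs2", "DescribeBackupClients"]
    print(json.dumps(build_policy(ops, "cn-hangzhou", "1234567890123456",
                                  "v-0000example"), indent=2))
```

Keeping snapshot and vault deletion out of the operator policy means a compromised operator credential can restore data but cannot remove the backups themselves.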