
Cloud Backup: Isolate backup permissions and recovery permissions

Last Updated: Sep 21, 2023

To strengthen the security management of data backups and meet security compliance requirements, you must prevent accidental operations by users within your enterprise and prevent unauthorized users from backing up or restoring data. Cloud Backup allows you to isolate backup permissions from recovery permissions. This topic describes how to grant backup permissions and recovery permissions to different RAM users.

Background information

You can grant a RAM user only the permissions to perform backup operations on a backup vault and grant another RAM user only the permissions to perform recovery operations on the backup vault. This prevents unauthorized operations.

Grant backup permissions and recovery permissions to different RAM users

  1. Obtain the policy document that denies backup operations and the policy document that denies recovery operations.

    1. Log on to the Cloud Backup console.

    2. In the left-side navigation pane, choose Backup Appliance > Storage Vaults.

    3. Find the backup vault that you want to manage. In the Actions column, choose More > Modify Backup Vault.

    4. In the RAM Permission Policy section of the Modify Backup Vault panel, click "RAM Policy that deny restore" or "RAM Policy that deny backup".

      • Policy document that denies recovery operations

        Click the Copy button in the upper-left corner of the script to quickly copy the script. Example:

        {
            "Version": "1",
            "Statement": [
                {
                    "Effect": "Deny",
                    "Action": [
                        "hbr:CreateRestore",
                        "hbr:CreateRestoreJob",
                        "hbr:CreateHanaRestore",
                        "hbr:CreateUniRestorePlan",
                        "hbr:CreateSqlServerRestore"
                    ],
                    "Resource": [
                        "acs:hbr:*:1178037424989531:vault/v-0000ryfi******piu",
                        "acs:hbr:*:1178037424989531:vault/v-0000ryfi******piu/client/*"
                    ]
                }
            ]
        }

        Note: v-0000ryfi******piu is the ID of the backup vault.

      • Policy document that denies backup operations

        Click the Copy button in the upper-left corner of the script to quickly copy the script. Example:

        {
            "Version": "1",
            "Statement": [
                {
                    "Effect": "Deny",
                    "Action": [
                        "hbr:CreateUniBackupPlan",
                        "hbr:UpdateUniBackupPlan",
                        "hbr:DeleteUniBackupPlan",
                        "hbr:CreateHanaInstance",
                        "hbr:UpdateHanaInstance",
                        "hbr:DeleteHanaInstance",
                        "hbr:CreateHanaBackupPlan",
                        "hbr:UpdateHanaBackupPlan",
                        "hbr:DeleteHanaBackupPlan",
                        "hbr:CreateClient",
                        "hbr:CreateClients",
                        "hbr:UpdateClient",
                        "hbr:UpdateClientSettings",
                        "hbr:UpdateClientAlertConfig",
                        "hbr:DeleteClient",
                        "hbr:DeleteClients",
                        "hbr:CreateJob",
                        "hbr:UpdateJob",
                        "hbr:CreateBackupPlan",
                        "hbr:UpdateBackupPlan",
                        "hbr:ExecuteBackupPlan",
                        "hbr:DeleteBackupPlan",
                        "hbr:CreateBackupJob",
                        "hbr:CreatePlan",
                        "hbr:UpdatePlan",
                        "hbr:CreateTrialBackupPlan",
                        "hbr:ConvertToPostPaidInstance",
                        "hbr:KeepAfterTrialExpiration"
                    ],
                    "Resource": [
                        "acs:hbr:*:1178037424989531:vault/v-0000ryfi******piu",
                        "acs:hbr:*:1178037424989531:vault/v-0000ryfi******piu/client/*"
                    ]
                }
            ]
        }

        Note: v-0000ryfi******piu is the ID of the backup vault.

  2. Log on to the RAM console and create two custom policies based on the policy documents obtained in the preceding step.

    For more information, see Create a custom policy.

  3. Attach the custom policies that you created in Step 2 to two different RAM users. This way, one RAM user cannot perform backup operations and the other RAM user cannot perform recovery operations.
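
The following Python check is an added example, not part of the Cloud Backup documentation or console output. It verifies that the policy documents attached to each RAM user deny every backup or recovery action from the two documents above, on both the vault and its clients. The vault ARN, account ID and user names are constructed placeholders; the check assumes exact-case matching with * wildcards and does not count a Deny statement that carries a Condition.

```python
from fnmatch import fnmatchcase

# Action names copied from the two policy documents on this page.
RESTORE_ACTIONS = {"hbr:" + a for a in """CreateRestore CreateRestoreJob
    CreateHanaRestore CreateUniRestorePlan CreateSqlServerRestore""".split()}
BACKUP_ACTIONS = {"hbr:" + a for a in """CreateUniBackupPlan UpdateUniBackupPlan
    DeleteUniBackupPlan CreateHanaInstance UpdateHanaInstance DeleteHanaInstance
    CreateHanaBackupPlan UpdateHanaBackupPlan DeleteHanaBackupPlan CreateClient
    CreateClients UpdateClient UpdateClientSettings UpdateClientAlertConfig
    DeleteClient DeleteClients CreateJob UpdateJob CreateBackupPlan UpdateBackupPlan
    ExecuteBackupPlan DeleteBackupPlan CreateBackupJob CreatePlan UpdatePlan
    CreateTrialBackupPlan ConvertToPostPaidInstance KeepAfterTrialExpiration""".split()}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def is_denied(policies, action, resource):
    """True if an unconditional Deny statement matches both action and resource."""
    for doc in policies:
        for st in doc.get("Statement", []):
            if (st.get("Effect") == "Deny" and "Condition" not in st
                    and any(fnmatchcase(action, p) for p in _as_list(st.get("Action", [])))
                    and any(fnmatchcase(resource, p) for p in _as_list(st.get("Resource", [])))):
                return True
    return False

def missing(policies, actions, vault_arn):
    """Actions from `actions` that are not denied on the vault or on its clients."""
    targets = [vault_arn, vault_arn + "/client/*"]
    return sorted(a for a in actions
                  if not all(is_denied(policies, a, t) for t in targets))

def classify(policies, vault_arn):
    backup_denied = not missing(policies, BACKUP_ACTIONS, vault_arn)
    restore_denied = not missing(policies, RESTORE_ACTIONS, vault_arn)
    labels = {(True, True): "both-denied", (True, False): "backup-denied",
              (False, True): "restore-denied", (False, False): "not-isolated"}
    return labels[(backup_denied, restore_denied)]

def deny_policy(actions, vault_arn):
    return {"Version": "1", "Statement": [{"Effect": "Deny", "Action": sorted(actions),
            "Resource": [vault_arn, vault_arn + "/client/*"]}]}

# Constructed sample input: placeholder account ID, vault ID and RAM user names.
VAULT = "acs:hbr:*:1234567890123456:vault/v-example"
USERS = {"backup-operator": [deny_policy(RESTORE_ACTIONS, VAULT)],
         "restore-operator": [deny_policy(BACKUP_ACTIONS, VAULT)],
         "edited-policy": [deny_policy(RESTORE_ACTIONS - {"hbr:CreateRestoreJob"}, VAULT)]}
REPORT = {user: classify(docs, VAULT) for user, docs in USERS.items()}
```

A Deny statement only removes permissions, so each RAM user still needs a separate Allow for the operations it is meant to perform.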