You can use resource groups with Resource Access Management (RAM) to isolate resources and manage permissions with fine-grained control within a single Alibaba Cloud account. This topic describes how Cloud Backup supports resource groups and provides the steps to grant permissions at the resource group level.
- Resource group-level authorization is effective only for resource types that support resource groups and operations that support resource group-level authorization.
- For resource types that do not support resource groups, granting permissions at the resource group level has no effect. To grant permissions for these resource types, you must select the account level as the resource scope. For more information, see Operations that do not support resource group-level authorization.
How resource group authorization works
Resource groups allow you to group and manage the resources in your Alibaba Cloud account. For example, you can create a resource group for each of your projects and move resources to the corresponding groups. This helps you manage the resources of each project in a centralized way. For more information, see What is a resource group?.
After you group resources, you can grant permissions on a specific resource group to a RAM entity, such as a RAM user, RAM user group, or RAM role. This limits the entity to managing only the resources within that group. For more information, see Resource grouping and authorization.
This authorization method has the following advantages:
- Fine-grained permissions: Ensures that each identity has the most precise access permissions to resources. This prevents the commingled management of resources from multiple projects under one account.
- Extensibility: When you add new resources, you can simply add them to the resource group. The RAM identity automatically gains the corresponding permissions for the new resources without requiring additional authorization.
Grant resource group-level permissions to a RAM user
The following procedure describes how to grant permissions to a RAM user on Cloud Backup resources in a specific resource group.
1. Prerequisites
- Create a RAM user. For more information, see Create a RAM user.
- Create a resource group and move existing resources to the target resource group. For more information, see Create a resource group, Automatically move resources to a resource group, and Manually move a resource to another resource group.
2. Grant resource group-level authorization
You can grant resource group-level authorization in one of the following ways.
Method 1: Grant authorization in the Resource Management console
You can grant permissions to a RAM user using the permission management feature of resource groups. For more information, see Grant permissions on a resource group.
- Log on to the Resource Management console.
- On the Resource Groups page, find the target resource group, and in the Actions column, click Permission Management.
- On the Permission Management tab, click Add Permission.
- In the Add Permission panel, you can set the principal and access policy.
  - Principal: Select an existing RAM user.
  - Access Policy: Select a system policy or a custom policy. For more information, see Create a custom policy.
- Click Confirm New Authorization.
Method 2: Grant authorization in the RAM console
You can grant resource group-level permissions to a RAM user in the RAM console. For more information, see Grant permissions to a RAM user.
- Log on to the RAM console using your Alibaba Cloud account or as a RAM administrator.
- In the left navigation pane, choose . On the Users page, find the RAM user and click Add Permissions in the Actions column.
- In the Add Permissions panel, grant the required permissions to the RAM user.
  - For Scope, select Resource Group.
  - Principal: Select the RAM user created in the preceding steps or another existing RAM user.
  - Access Policy: Select a system policy or a custom policy. For more information, see Create a custom policy.
- Click Confirm Add Authorization.
Resource types that support resource groups
The following table lists the Cloud Backup resource types that support resource groups.
| Alibaba Cloud service | Service code | Resource type |
| --- | --- | --- |
| Cloud Backup | hbr | hanainstance: SAP HANA instance |
| Cloud Backup | hbr | vault: repository |
If a resource type that you need is not on this list, you can submit feedback in the Resource Management console.

Operations that do not support resource group-level authorization
The following table lists the Cloud Backup actions that do not support resource group-level authorization.
| Action | Description |
| --- | --- |
| hbr:ActivateClient | - |
| hbr:ActivateEcsClient | - |
| hbr:AddContainerCluster | Registers a container cluster. |
| hbr:AddCrossAccount | - |
| hbr:AddDataSource | - |
| hbr:AddHanaMetadata | - |
| hbr:AddIndexCluster | - |
| hbr:AddParameter | - |
| hbr:AddServer | - |
| hbr:AddSqlServerLog | - |
| hbr:AddVcenter | - |
| hbr:BatchCountTables | - |
| hbr:BrowseAirFiles | - |
| hbr:BrowseFileDetectionRiskFiles | - |
| hbr:BrowseFiles | - |
| hbr:CallMaintenanceApi | - |
| hbr:CallUniGatewayApi | - |
| hbr:CancelBackupJob | Cancels a backup job. |
| hbr:CancelDiscoveringDatabase | - |
| hbr:CancelFileDetection | - |
| hbr:CancelHanaBackup | - |
| hbr:CancelHanaRestore | - |
| hbr:CancelJob | - |
| hbr:CancelRestore | - |
| hbr:CancelRestoreJob | Cancels a restore job. |
| hbr:CancelSqlServerRestore | - |
| hbr:CancelStreamFileSyncTask | - |
| hbr:CancelVmBackup | - |
| hbr:CancelVmLocalRestore | - |
| hbr:CancelVmMigration | - |
| hbr:CheckRole | Checks whether a user has permissions to access the current resource or page. |
| hbr:CheckSlrRole | - |
| hbr:ClientReceiveMessage | - |
| hbr:ClientSendMessage | - |
| hbr:CommitTestRestore | - |
| hbr:CompleteVmIncrementalMigration | - |
| hbr:ControlReplicationVault | - |
| hbr:ControlUniBackupJob | - |
| hbr:ControlUniBackupPlan | - |
| hbr:ConvertToPostPaidInstance | - |
| hbr:CreateAirEcsInstance | - |
| hbr:CreateAirRestoreJob | - |
| hbr:CreateBackupEssentialEdition | - |
| hbr:CreateBackupJob | Creates a manual backup job. |
| hbr:CreateBackupPlan | Creates a backup plan. |
| hbr:CreateBackupSourceGroup | - |
| hbr:CreateChildBackupJobs | - |
| hbr:CreateClient | - |
| hbr:CreateCluster | - |
| hbr:CreateContact | - |
| hbr:CreateContactGroup | - |
| hbr:CreateEcsAirBackup | - |
| hbr:CreateHanaRestore | Creates a restore job for an SAP HANA database. |
| hbr:CreateJob | - |
| hbr:CreateJobs | - |
| hbr:CreatePolicy | - |
| hbr:CreatePolicyBindings | Binds one or more data sources to a policy. |
| hbr:CreatePolicyV2 | Creates a policy. |
| hbr:CreateReportFileGenerateTask | - |
| hbr:CreateRestore | - |
| hbr:CreateRestoreJob | Creates a restore job. |
| hbr:CreateSlr | - |
| hbr:CreateSnapshot | - |
| hbr:CreateSnapshot2 | - |
| hbr:CreateSqlServerInstance | - |
| hbr:CreateSqlServerRestore | - |
| hbr:CreateSqlServerSnapshot | - |
| hbr:CreateSubTask | - |
| hbr:CreateTempFileUploadUrl | Generates the parameters and signature required to create a file upload URL. |
| hbr:CreateUniBackupPlan | - |
| hbr:CreateUniBackupVault | - |
| hbr:CreateUniRestorePlan | - |
| hbr:CreateUploadLogTask | - |
| hbr:CreateVaultTransition | - |
| hbr:CreateVmBackupPlan | - |
| hbr:CreateVmMigrationPlan | - |
| hbr:DeleteAirEcsInstance | Removes a recovery-only ECS instance from ECS Backup Essential Edition. |
| hbr:DeleteBackupClient | Deletes a backup client. |
| hbr:DeleteBackupClientResource | Deletes the resources that belong to a backup client. |
| hbr:DeleteBackupEssentialEdition | - |
| hbr:DeleteBackupPlan | Deletes a backup plan. |
| hbr:DeleteBackupSourceGroup | - |
| hbr:DeleteClients | - |
| hbr:DeleteCluster | - |
| hbr:DeleteContact | - |
| hbr:DeleteContactGroup | - |
| hbr:DeleteContainerCluster | - |
| hbr:DeleteCrossAccount | - |
| hbr:DeleteEcsAirBackup | - |
| hbr:DeleteHanaMetadata | - |
| hbr:DeleteJob | - |
| hbr:DeletePolicy | - |
| hbr:DeletePolicyBinding | Detaches a data source from a policy. After the detachment, the policy can no longer protect the data source. Perform this operation with caution. |
| hbr:DeletePolicyV2 | Deletes a policy. |
| hbr:DeleteServer | - |
| hbr:DeleteSnapshot | Deletes a backup snapshot. |
| hbr:DeleteSqlServerBackupJob | - |
| hbr:DeleteSqlServerInstance | - |
| hbr:DeleteSqlServerLog | - |
| hbr:DeleteSqlServerSnapshot | - |
| hbr:DeleteUdmDisk | Stops protecting a cloud disk. |
| hbr:DeleteUdmEcsInstance | Stops protecting an ECS instance backup. |
| hbr:DeleteUniBackupClient | - |
| hbr:DeleteUniBackupCluster | - |
| hbr:DeleteUniBackupPlan | - |
| hbr:DeleteUniBackupVault | - |
| hbr:DeleteUniRestorePlan | - |
| hbr:DeleteVcenter | - |
| hbr:DeleteVmBackupPlanExecution | - |
| hbr:DeleteVmMigrationPlan | - |
| hbr:DescribeAirEcsInstancesInfo | - |
| hbr:DescribeAirInstances | - |
| hbr:DescribeAirSnapshots | - |
| hbr:DescribeAlertConfig | - |
| hbr:DescribeBackupClients | Queries information about one or more backup clients that meet the specified criteria. |
| hbr:DescribeBackupJobStatistics | - |
| hbr:DescribeBackupJobs | - |
| hbr:DescribeBackupJobs2 | Queries one or more backup jobs that meet the specified criteria. |
| hbr:DescribeBackupPlans | Queries one or more backup plans that meet the specified criteria. |
| hbr:DescribeBackupSourceGroups | - |
| hbr:DescribeBackupSources | - |
| hbr:DescribeClientAlertConfig | - |
| hbr:DescribeClientVersion | - |
| hbr:DescribeClusters | - |
| hbr:DescribeContainerCluster | Queries one or more container clusters that meet the specified criteria. |
| hbr:DescribeContainerResource | - |
| hbr:DescribeCrossAccounts | In a cross-account backup scenario, queries information about the accounts managed by the current account. |
| hbr:DescribeDataSourceProtectionDetails | - |
| hbr:DescribeDataSourceProtectionStatistics | - |
| hbr:DescribeDataSources | - |
| hbr:DescribeDisks | - |
| hbr:DescribeEcsInstances | - |
| hbr:DescribeFeatureTrialInfo | - |
| hbr:DescribeFeatureUser | - |
| hbr:DescribeFileDetections | - |
| hbr:DescribeGatewayWaterLevel | - |
| hbr:DescribeHanaBackupSetting | Queries the backup parameters of an SAP HANA database. |
| hbr:DescribeHanaBackups | - |
| hbr:DescribeHanaMetadata | - |
| hbr:DescribeHanaRetentionSetting | Queries the retention period of a database. |
| hbr:DescribeIndexClusters | - |
| hbr:DescribeInstances | - |
| hbr:DescribeInstancesInVault | - |
| hbr:DescribeInstancesInfo | - |
| hbr:DescribeJobs | - |
| hbr:DescribeKmsAliases | - |
| hbr:DescribeKmsKeys | - |
| hbr:DescribeNasFileSystems | - |
| hbr:DescribeOtsInstances | - |
| hbr:DescribeOtsTableSnapshots | Queries the details of a Tablestore backup. |
| hbr:DescribeOverview | - |
| hbr:DescribeParameterSchemas | - |
| hbr:DescribeParameters | - |
| hbr:DescribePlans | - |
| hbr:DescribePolicies | - |
| hbr:DescribePoliciesV2 | Queries one or more policies. |
| hbr:DescribePolicyBindingAlertConfig | - |
| hbr:DescribePolicyBindings | Queries one or more data sources that are bound to a policy, or queries one or more policies that are bound to a data source. |
| hbr:DescribeProtectedEcsInstances | - |
| hbr:DescribeRecoverableOtsInstances | Queries the data tables of a recoverable Tablestore instance. |
| hbr:DescribeRestoreJobs | - |
| hbr:DescribeRestoreJobs2 | Queries one or more restore jobs that meet the specified criteria. |
| hbr:DescribeRestores | - |
| hbr:DescribeSecurityGroups | - |
| hbr:DescribeServers | - |
| hbr:DescribeSnapshotExistenceByTimeRange | - |
| hbr:DescribeSnapshots | - |
| hbr:DescribeSqlServerDatabases | - |
| hbr:DescribeSqlServerInstances | - |
| hbr:DescribeSqlServerLogs | - |
| hbr:DescribeSqlServerRestores | - |
| hbr:DescribeSqlServerSnapshots | - |
| hbr:DescribeStreamFileSyncTasks | - |
| hbr:DescribeSubTask | - |
| hbr:DescribeUdmDisks | - |
| hbr:DescribeUdmEcsInstances | - |
| hbr:DescribeUdmSnapshotLinks | - |
| hbr:DescribeUdmSnapshots | Queries ECS instance backup snapshots. |
| hbr:DescribeUniBackupClients | - |
| hbr:DescribeUniBackupCluster | - |
| hbr:DescribeUniBackupInstanceDetail | - |
| hbr:DescribeUniBackupInstances | - |
| hbr:DescribeUniBackupPlans | - |
| hbr:DescribeUniBackupTrialInfo | - |
| hbr:DescribeUniBackupTrialUser | - |
| hbr:DescribeUniBackupVault | - |
| hbr:DescribeUniHistories | - |
| hbr:DescribeUniRestoreInfo | - |
| hbr:DescribeUniRestorePlans | - |
| hbr:DescribeUserBusinessStatus | - |
| hbr:DescribeVSwitches | - |
| hbr:DescribeVcenters | - |
| hbr:DescribeVmBackupPlanExecution | - |
| hbr:DescribeVmBackupPlanExecutions | - |
| hbr:DescribeVmBackupPlans | - |
| hbr:DescribeVmClientFlowControlPolicy | - |
| hbr:DescribeVmIncrementalMigrationJob | - |
| hbr:DescribeVmIncrementalMigrations | - |
| hbr:DescribeVmMigrationPlans | - |
| hbr:DescribeVmMigrations | - |
| hbr:DescribeVpcs | - |
| hbr:DetachNasFileSystem | Deletes an internal mount target created by Cloud Backup. |
| hbr:DisableAirBackupPlan | - |
| hbr:DisableBackupPlan | Pauses a backup plan. |
| hbr:DisableEcsAirBackup | - |
| hbr:DisableJob | - |
| hbr:DisableVmBackupPlan | - |
| hbr:DiscoverDatabase | - |
| hbr:EnableAirBackupPlan | - |
| hbr:EnableBackupPlan | Resumes a backup plan. |
| hbr:EnableEcsAirBackup | - |
| hbr:EnableJob | - |
| hbr:EnableVmBackupPlan | - |
| hbr:ExecuteAirBackupPlan | - |
| hbr:ExecuteBackupPlan | Executes a backup plan. |
| hbr:ExecuteHanaBackup | - |
| hbr:ExecuteJob | - |
| hbr:ExecutePlan | - |
| hbr:ExecutePolicyV2 | Executes a policy for one or all bound data sources. |
| hbr:ExploreVcenter | - |
| hbr:GenerateClientToken | - |
| hbr:GenerateInstallLocalBackupClientScript | - |
| hbr:GenerateStsCredential | - |
| hbr:GenerateUninstallLocalBackupClientScript | - |
| hbr:GetAirStatistics | - |
| hbr:GetBasicStatistics | - |
| hbr:GetBucket | - |
| hbr:GetClientDownloadLink | - |
| hbr:GetClientsToRestore | - |
| hbr:GetDirectorySize | - |
| hbr:GetDiscoveredDatabase | - |
| hbr:GetFileDetectionStatistics | - |
| hbr:GetGlobalStatistics | - |
| hbr:GetMetrics | - |
| hbr:GetNasToRestore | - |
| hbr:GetOssBucketsToRestore | - |
| hbr:GetProtectedResource | - |
| hbr:GetReactivateUserToken | - |
| hbr:GetRunningAgents | - |
| hbr:GetSnapshotErrorFileDownloadLink | - |
| hbr:GetSnapshotRiskFileDownloadLink | - |
| hbr:GetSqlServerDatabasesToRestore | - |
| hbr:GetSqlServersToRestore | - |
| hbr:GetSyncActualSize | - |
| hbr:GetSystemSettings | - |
| hbr:GetTempFileDownloadLink | Obtains the download URL for files such as task reports. |
| hbr:GetTrialInfo | - |
| hbr:GetUniBackupInstallerToken | - |
| hbr:GetUserToken | - |
| hbr:GetValidParameter | - |
| hbr:GetVaultBuckets | - |
| hbr:GetVaultCredential | - |
| hbr:GetVaultList | - |
| hbr:GetVaultTransition | - |
| hbr:GetVaults | - |
| hbr:InitClusterForCpfs | - |
| hbr:InstallBackupClients | Installs the backup client on one or more ECS instances. |
| hbr:InstallLocalBackupClients | - |
| hbr:InstallUniBackupAgent | - |
| hbr:KeepAfterTrialExpiration | - |
| hbr:ListBucketInventory | - |
| hbr:ListGrayReleaseObjectTypes | - |
| hbr:ListOssBuckets | - |
| hbr:ListOtsInstances | - |
| hbr:ListOtsTables | - |
| hbr:ListPolicyTagDataSources | - |
| hbr:ListProtectedResources | - |
| hbr:ListReportFiles | - |
| hbr:ListTagKeys | - |
| hbr:ListTagResources | - |
| hbr:ListTagValues | - |
| hbr:ListVaultTransitions | - |
| hbr:LocalRestoreVms | - |
| hbr:OfflineAgent | - |
| hbr:OpenHbrService | Activates the Cloud Backup service. |
| hbr:OpsDescribeClientConnectionStatistics | - |
| hbr:OpsDescribeClientConnections | - |
| hbr:OpsDescribeMessageStatistics | - |
| hbr:OpsDescribeMessages | - |
| hbr:OpsDescribePolicies | - |
| hbr:OpsDescribePolicyBindings | - |
| hbr:OpsExecutePlans | - |
| hbr:PreCheckDatabase | - |
| hbr:PreCheckSourceGroup | - |
| hbr:PrecheckSqlServerInstance | - |
| hbr:QueryAvailableInstances | - |
| hbr:RecordSubTaskLaunch | - |
| hbr:RemoveDataSource | - |
| hbr:RemoveParameter | - |
| hbr:RemoveVmBackupPlan | - |
| hbr:RenewClientToken | - |
| hbr:ReportFileDetectionRiskFiles | - |
| hbr:ReportStatistics | - |
| hbr:ResumeVmMigration | - |
| hbr:RunVmBackupPlan | - |
| hbr:SearchBackupFiles | - |
| hbr:SearchHistoricalSnapshots | Queries one or more historical backup snapshots that meet the specified criteria. |
| hbr:SearchObject | - |
| hbr:SendEmailVerifyCode | - |
| hbr:SendMessage | - |
| hbr:SendMobileVerifyCode | - |
| hbr:SendSlaRecord | - |
| hbr:SetNasLimiterForFileSystem | - |
| hbr:SetSystemSetting | - |
| hbr:StartHanaDatabaseAsync | Starts a database. |
| hbr:StopHanaDatabaseAsync | Stops an SAP HANA database. |
| hbr:SubmitStreamFileSyncTask | - |
| hbr:TagResources | - |
| hbr:TestRestoreVmMigration | - |
| hbr:UninstallBackupClients | Uninstalls the backup client from one or more ECS instances. |
| hbr:UninstallLocalBackupClients | - |
| hbr:UninstallUniBackupAgent | - |
| hbr:UntagResources | - |
| hbr:UpdateAirAlertConfig | - |
| hbr:UpdateAirInstance | - |
| hbr:UpdateAlertConfig | - |
| hbr:UpdateBackupJob | - |
| hbr:UpdateBackupJobToConfirmed | - |
| hbr:UpdateBackupJobs | - |
| hbr:UpdateBackupPlan | Updates a backup plan. |
| hbr:UpdateBackupSourceGroup | - |
| hbr:UpdateClientAlertConfig | - |
| hbr:UpdateClientClusterForCpfs | - |
| hbr:UpdateCluster | - |
| hbr:UpdateContact | - |
| hbr:UpdateContactGroup | - |
| hbr:UpdateContainerCluster | Updates container cluster information, such as the cluster name and network type. |
| hbr:UpdateDataSource | - |
| hbr:UpdateFeatureUserTrialInfo | - |
| hbr:UpdateHanaBackupSetting | Updates the backup parameters of an SAP HANA database. |
| hbr:UpdateHanaRestore | - |
| hbr:UpdateHanaRetentionSetting | Updates the retention period of an SAP HANA database backup. |
| hbr:UpdateIndexCluster | - |
| hbr:UpdateJob | - |
| hbr:UpdateParameter | - |
| hbr:UpdatePlan | - |
| hbr:UpdatePolicy | - |
| hbr:UpdatePolicyBinding | Modifies the association between a policy and a data source. |
| hbr:UpdatePolicyBindingAlertConfig | - |
| hbr:UpdatePolicyV2 | Modifies a policy. |
| hbr:UpdateRestore | - |
| hbr:UpdateRestoreJob | - |
| hbr:UpdateServer | - |
| hbr:UpdateSnapshot | - |
| hbr:UpdateSnapshotInner | - |
| hbr:UpdateSqlServerInstance | - |
| hbr:UpdateSqlServerRestore | - |
| hbr:UpdateSubTask | - |
| hbr:UpdateUniBackupCluster | - |
| hbr:UpdateUniBackupInstance | - |
| hbr:UpdateUniBackupPlan | - |
| hbr:UpdateUniBackupTrialUser | - |
| hbr:UpdateUniBackupVault | - |
| hbr:UpdateVcenter | - |
| hbr:UpdateVmBackupPlan | - |
| hbr:UpdateVmBackupPlanExecution | - |
| hbr:UpdateVmClientFlowControlPolicy | - |
| hbr:UpdateVmIncrementalMigration | - |
| hbr:UpdateVmMigration | - |
| hbr:UpgradeBackupClients | Upgrades the backup client on one or more ECS instances. |
| hbr:UpgradeUniBackupAgent | - |
For operations that do not support resource group authorization, selecting Resource Group Level as the resource scope is not supported. To grant a RAM user permissions for these operations, you must create a custom policy and select Account Level as the resource scope.
The following are two examples of custom policies. You can modify the policies as needed.
- Allows all read-only operations that do not support resource group-level authorization. The Action element in this policy contains a list of these operations.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "hbr:BatchCountTables",
        "hbr:BrowseFiles",
        "hbr:CheckRole",
        "hbr:DescribeAirEcsInstancesInfo",
        "hbr:DescribeAirInstances",
        "hbr:DescribeAirSnapshots",
        "hbr:DescribeAlertConfig",
        "hbr:DescribeBackupClients",
        "hbr:DescribeBackupJobStatistics",
        "hbr:DescribeBackupJobs",
        "hbr:DescribeBackupJobs2",
        "hbr:DescribeBackupPlans",
        "hbr:DescribeBackupSourceGroups",
        "hbr:DescribeBackupSources",
        "hbr:DescribeClientAlertConfig",
        "hbr:DescribeClientVersion",
        "hbr:DescribeClusters",
        "hbr:DescribeContainerCluster",
        "hbr:DescribeContainerResource",
        "hbr:DescribeCrossAccounts",
        "hbr:DescribeDataSourceProtectionDetails",
        "hbr:DescribeDataSourceProtectionStatistics",
        "hbr:DescribeDataSources",
        "hbr:DescribeDisks",
        "hbr:DescribeEcsInstances",
        "hbr:DescribeFeatureTrialInfo",
        "hbr:DescribeFeatureUser",
        "hbr:DescribeFileDetections",
        "hbr:DescribeGatewayWaterLevel",
        "hbr:DescribeHanaBackupSetting",
        "hbr:DescribeHanaBackups",
        "hbr:DescribeHanaMetadata",
        "hbr:DescribeHanaRetentionSetting",
        "hbr:DescribeIndexClusters",
        "hbr:DescribeInstances",
        "hbr:DescribeInstancesInVault",
        "hbr:DescribeInstancesInfo",
        "hbr:DescribeJobs",
        "hbr:DescribeKmsAliases",
        "hbr:DescribeKmsKeys",
        "hbr:DescribeNasFileSystems",
        "hbr:DescribeOtsInstances",
        "hbr:DescribeOtsTableSnapshots",
        "hbr:DescribeOverview",
        "hbr:DescribeParameterSchemas",
        "hbr:DescribeParameters",
        "hbr:DescribePlans",
        "hbr:DescribePolicies",
        "hbr:DescribePoliciesV2",
        "hbr:DescribePolicyBindingAlertConfig",
        "hbr:DescribePolicyBindings",
        "hbr:DescribeProtectedEcsInstances",
        "hbr:DescribeRecoverableOtsInstances",
        "hbr:DescribeRestoreJobs",
        "hbr:DescribeRestoreJobs2",
        "hbr:DescribeRestores",
        "hbr:DescribeSecurityGroups",
        "hbr:DescribeServers",
        "hbr:DescribeSnapshotExistenceByTimeRange",
        "hbr:DescribeSnapshots",
        "hbr:DescribeSqlServerDatabases",
        "hbr:DescribeSqlServerInstances",
        "hbr:DescribeSqlServerLogs",
        "hbr:DescribeSqlServerRestores",
        "hbr:DescribeSqlServerSnapshots",
        "hbr:DescribeStreamFileSyncTasks",
        "hbr:DescribeSubTask",
        "hbr:DescribeUdmDisks",
        "hbr:DescribeUdmEcsInstances",
        "hbr:DescribeUdmSnapshotLinks",
        "hbr:DescribeUdmSnapshots",
        "hbr:DescribeUniBackupClients",
        "hbr:DescribeUniBackupCluster",
        "hbr:DescribeUniBackupInstanceDetail",
        "hbr:DescribeUniBackupInstances",
        "hbr:DescribeUniBackupPlans",
        "hbr:DescribeUniBackupTrialInfo",
        "hbr:DescribeUniBackupTrialUser",
        "hbr:DescribeUniBackupVault",
        "hbr:DescribeUniHistories",
        "hbr:DescribeUniRestoreInfo",
        "hbr:DescribeUniRestorePlans",
        "hbr:DescribeUserBusinessStatus",
        "hbr:DescribeVSwitches",
        "hbr:DescribeVcenters",
        "hbr:DescribeVmBackupPlanExecution",
        "hbr:DescribeVmBackupPlanExecutions",
        "hbr:DescribeVmBackupPlans",
        "hbr:DescribeVmClientFlowControlPolicy",
        "hbr:DescribeVmIncrementalMigrationJob",
        "hbr:DescribeVmIncrementalMigrations",
        "hbr:DescribeVmMigrationPlans",
        "hbr:DescribeVmMigrations",
        "hbr:DescribeVpcs",
        "hbr:GetAirStatistics",
        "hbr:GetBasicStatistics",
        "hbr:GetBucket",
        "hbr:GetClientDownloadLink",
        "hbr:GetClientsToRestore",
        "hbr:GetDirectorySize",
        "hbr:GetDiscoveredDatabase",
        "hbr:GetFileDetectionStatistics",
        "hbr:GetGlobalStatistics",
        "hbr:GetMetrics",
        "hbr:GetNasToRestore",
        "hbr:GetOssBucketsToRestore",
        "hbr:GetProtectedResource",
        "hbr:GetReactivateUserToken",
        "hbr:GetRunningAgents",
        "hbr:GetSnapshotErrorFileDownloadLink",
        "hbr:GetSnapshotRiskFileDownloadLink",
        "hbr:GetSqlServerDatabasesToRestore",
        "hbr:GetSqlServersToRestore",
        "hbr:GetSyncActualSize",
        "hbr:GetSystemSettings",
        "hbr:GetTempFileDownloadLink",
        "hbr:GetTrialInfo",
        "hbr:GetUniBackupInstallerToken",
        "hbr:GetUserToken",
        "hbr:GetValidParameter",
        "hbr:GetVaultBuckets",
        "hbr:GetVaultCredential",
        "hbr:GetVaultList",
        "hbr:GetVaultTransition",
        "hbr:GetVaults",
        "hbr:ListBucketInventory",
        "hbr:ListGrayReleaseObjectTypes",
        "hbr:ListOssBuckets",
        "hbr:ListOtsInstances",
        "hbr:ListOtsTables",
        "hbr:ListPolicyTagDataSources",
        "hbr:ListProtectedResources",
        "hbr:ListReportFiles",
        "hbr:ListTagKeys",
        "hbr:ListTagResources",
        "hbr:ListTagValues",
        "hbr:ListVaultTransitions",
        "hbr:PreCheckSourceGroup",
        "hbr:QueryAvailableInstances",
        "hbr:SearchBackupFiles",
        "hbr:SearchHistoricalSnapshots",
        "hbr:SearchObject"
      ],
      "Resource": "*"
    }
  ]
}
```

- Allows all operations that do not support resource group-level authorization. The Action element in this policy contains a list of these operations.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "hbr:ActivateClient",
        "hbr:ActivateEcsClient",
        "hbr:AddContainerCluster",
        "hbr:AddCrossAccount",
        "hbr:AddDataSource",
        "hbr:AddHanaMetadata",
        "hbr:AddIndexCluster",
        "hbr:AddParameter",
        "hbr:AddServer",
        "hbr:AddSqlServerLog",
        "hbr:AddVcenter",
        "hbr:BatchCountTables",
        "hbr:BrowseAirFiles",
        "hbr:BrowseFileDetectionRiskFiles",
        "hbr:BrowseFiles",
        "hbr:CallMaintenanceApi",
        "hbr:CallUniGatewayApi",
        "hbr:CancelBackupJob",
        "hbr:CancelDiscoveringDatabase",
        "hbr:CancelFileDetection",
        "hbr:CancelHanaBackup",
        "hbr:CancelHanaRestore",
        "hbr:CancelJob",
        "hbr:CancelRestore",
        "hbr:CancelRestoreJob",
        "hbr:CancelSqlServerRestore",
        "hbr:CancelStreamFileSyncTask",
        "hbr:CancelVmBackup",
        "hbr:CancelVmLocalRestore",
        "hbr:CancelVmMigration",
        "hbr:CheckRole",
        "hbr:CheckSlrRole",
        "hbr:ClientReceiveMessage",
        "hbr:ClientSendMessage",
        "hbr:CommitTestRestore",
        "hbr:CompleteVmIncrementalMigration",
        "hbr:ControlReplicationVault",
        "hbr:ControlUniBackupJob",
        "hbr:ControlUniBackupPlan",
        "hbr:ConvertToPostPaidInstance",
        "hbr:CreateAirEcsInstance",
        "hbr:CreateAirRestoreJob",
        "hbr:CreateBackupEssentialEdition",
        "hbr:CreateBackupJob",
        "hbr:CreateBackupPlan",
        "hbr:CreateBackupSourceGroup",
        "hbr:CreateChildBackupJobs",
        "hbr:CreateClient",
        "hbr:CreateCluster",
        "hbr:CreateContact",
        "hbr:CreateContactGroup",
        "hbr:CreateEcsAirBackup",
        "hbr:CreateHanaRestore",
        "hbr:CreateJob",
        "hbr:CreateJobs",
        "hbr:CreatePolicy",
        "hbr:CreatePolicyBindings",
        "hbr:CreatePolicyV2",
        "hbr:CreateReportFileGenerateTask",
        "hbr:CreateRestore",
        "hbr:CreateRestoreJob",
        "hbr:CreateSlr",
        "hbr:CreateSnapshot",
        "hbr:CreateSnapshot2",
        "hbr:CreateSqlServerInstance",
        "hbr:CreateSqlServerRestore",
        "hbr:CreateSqlServerSnapshot",
        "hbr:CreateSubTask",
        "hbr:CreateTempFileUploadUrl",
        "hbr:CreateUniBackupPlan",
        "hbr:CreateUniBackupVault",
        "hbr:CreateUniRestorePlan",
        "hbr:CreateUploadLogTask",
        "hbr:CreateVaultTransition",
        "hbr:CreateVmBackupPlan",
        "hbr:CreateVmMigrationPlan",
        "hbr:DeleteAirEcsInstance",
        "hbr:DeleteBackupClient",
        "hbr:DeleteBackupClientResource",
        "hbr:DeleteBackupEssentialEdition",
        "hbr:DeleteBackupPlan",
        "hbr:DeleteBackupSourceGroup",
        "hbr:DeleteClients",
        "hbr:DeleteCluster",
        "hbr:DeleteContact",
        "hbr:DeleteContactGroup",
        "hbr:DeleteContainerCluster",
        "hbr:DeleteCrossAccount",
        "hbr:DeleteEcsAirBackup",
        "hbr:DeleteHanaMetadata",
        "hbr:DeleteJob",
        "hbr:DeletePolicy",
        "hbr:DeletePolicyBinding",
        "hbr:DeletePolicyV2",
        "hbr:DeleteServer",
        "hbr:DeleteSnapshot",
        "hbr:DeleteSqlServerBackupJob",
        "hbr:DeleteSqlServerInstance",
        "hbr:DeleteSqlServerLog",
        "hbr:DeleteSqlServerSnapshot",
        "hbr:DeleteUdmDisk",
        "hbr:DeleteUdmEcsInstance",
        "hbr:DeleteUniBackupClient",
        "hbr:DeleteUniBackupCluster",
        "hbr:DeleteUniBackupPlan",
        "hbr:DeleteUniBackupVault",
        "hbr:DeleteUniRestorePlan",
        "hbr:DeleteVcenter",
        "hbr:DeleteVmBackupPlanExecution",
        "hbr:DeleteVmMigrationPlan",
        "hbr:DescribeAirEcsInstancesInfo",
        "hbr:DescribeAirInstances",
        "hbr:DescribeAirSnapshots",
        "hbr:DescribeAlertConfig",
        "hbr:DescribeBackupClients",
        "hbr:DescribeBackupJobStatistics",
        "hbr:DescribeBackupJobs",
        "hbr:DescribeBackupJobs2",
        "hbr:DescribeBackupPlans",
        "hbr:DescribeBackupSourceGroups",
        "hbr:DescribeBackupSources",
        "hbr:DescribeClientAlertConfig",
        "hbr:DescribeClientVersion",
        "hbr:DescribeClusters",
        "hbr:DescribeContainerCluster",
        "hbr:DescribeContainerResource",
        "hbr:DescribeCrossAccounts",
        "hbr:DescribeDataSourceProtectionDetails",
        "hbr:DescribeDataSourceProtectionStatistics",
        "hbr:DescribeDataSources",
        "hbr:DescribeDisks",
        "hbr:DescribeEcsInstances",
        "hbr:DescribeFeatureTrialInfo",
        "hbr:DescribeFeatureUser",
        "hbr:DescribeFileDetections",
        "hbr:DescribeGatewayWaterLevel",
        "hbr:DescribeHanaBackupSetting",
        "hbr:DescribeHanaBackups",
        "hbr:DescribeHanaMetadata",
        "hbr:DescribeHanaRetentionSetting",
        "hbr:DescribeIndexClusters",
        "hbr:DescribeInstances",
        "hbr:DescribeInstancesInVault",
        "hbr:DescribeInstancesInfo",
        "hbr:DescribeJobs",
        "hbr:DescribeKmsAliases",
        "hbr:DescribeKmsKeys",
        "hbr:DescribeNasFileSystems",
        "hbr:DescribeOtsInstances",
        "hbr:DescribeOtsTableSnapshots",
        "hbr:DescribeOverview",
        "hbr:DescribeParameterSchemas",
        "hbr:DescribeParameters",
        "hbr:DescribePlans",
        "hbr:DescribePolicies",
        "hbr:DescribePoliciesV2",
        "hbr:DescribePolicyBindingAlertConfig",
        "hbr:DescribePolicyBindings",
        "hbr:DescribeProtectedEcsInstances",
        "hbr:DescribeRecoverableOtsInstances",
        "hbr:DescribeRestoreJobs",
        "hbr:DescribeRestoreJobs2",
        "hbr:DescribeRestores",
        "hbr:DescribeSecurityGroups",
        "hbr:DescribeServers",
        "hbr:DescribeSnapshotExistenceByTimeRange",
        "hbr:DescribeSnapshots",
        "hbr:DescribeSqlServerDatabases",
        "hbr:DescribeSqlServerInstances",
        "hbr:DescribeSqlServerLogs",
        "hbr:DescribeSqlServerRestores",
        "hbr:DescribeSqlServerSnapshots",
        "hbr:DescribeStreamFileSyncTasks",
        "hbr:DescribeSubTask",
        "hbr:DescribeUdmDisks",
        "hbr:DescribeUdmEcsInstances",
        "hbr:DescribeUdmSnapshotLinks",
        "hbr:DescribeUdmSnapshots",
        "hbr:DescribeUniBackupClients",
        "hbr:DescribeUniBackupCluster",
        "hbr:DescribeUniBackupInstanceDetail",
        "hbr:DescribeUniBackupInstances",
        "hbr:DescribeUniBackupPlans",
        "hbr:DescribeUniBackupTrialInfo",
        "hbr:DescribeUniBackupTrialUser",
        "hbr:DescribeUniBackupVault",
        "hbr:DescribeUniHistories",
        "hbr:DescribeUniRestoreInfo",
        "hbr:DescribeUniRestorePlans",
        "hbr:DescribeUserBusinessStatus",
        "hbr:DescribeVSwitches",
        "hbr:DescribeVcenters",
        "hbr:DescribeVmBackupPlanExecution",
        "hbr:DescribeVmBackupPlanExecutions",
        "hbr:DescribeVmBackupPlans",
        "hbr:DescribeVmClientFlowControlPolicy",
        "hbr:DescribeVmIncrementalMigrationJob",
        "hbr:DescribeVmIncrementalMigrations",
        "hbr:DescribeVmMigrationPlans",
        "hbr:DescribeVmMigrations",
        "hbr:DescribeVpcs",
        "hbr:DetachNasFileSystem",
        "hbr:DisableAirBackupPlan",
        "hbr:DisableBackupPlan",
        "hbr:DisableEcsAirBackup",
        "hbr:DisableJob",
        "hbr:DisableVmBackupPlan",
        "hbr:DiscoverDatabase",
        "hbr:EnableAirBackupPlan",
        "hbr:EnableBackupPlan",
        "hbr:EnableEcsAirBackup",
        "hbr:EnableJob",
        "hbr:EnableVmBackupPlan",
        "hbr:ExecuteAirBackupPlan",
        "hbr:ExecuteBackupPlan",
        "hbr:ExecuteHanaBackup",
        "hbr:ExecuteJob",
        "hbr:ExecutePlan",
        "hbr:ExecutePolicyV2",
        "hbr:ExploreVcenter",
        "hbr:GenerateClientToken",
        "hbr:GenerateInstallLocalBackupClientScript",
        "hbr:GenerateStsCredential",
        "hbr:GenerateUninstallLocalBackupClientScript",
        "hbr:GetAirStatistics",
        "hbr:GetBasicStatistics",
        "hbr:GetBucket",
        "hbr:GetClientDownloadLink",
        "hbr:GetClientsToRestore",
        "hbr:GetDirectorySize",
        "hbr:GetDiscoveredDatabase",
        "hbr:GetFileDetectionStatistics",
        "hbr:GetGlobalStatistics",
        "hbr:GetMetrics",
        "hbr:GetNasToRestore",
        "hbr:GetOssBucketsToRestore",
        "hbr:GetProtectedResource",
        "hbr:GetReactivateUserToken",
        "hbr:GetRunningAgents",
        "hbr:GetSnapshotErrorFileDownloadLink",
        "hbr:GetSnapshotRiskFileDownloadLink",
        "hbr:GetSqlServerDatabasesToRestore",
        "hbr:GetSqlServersToRestore",
        "hbr:GetSyncActualSize",
        "hbr:GetSystemSettings",
        "hbr:GetTempFileDownloadLink",
        "hbr:GetTrialInfo",
        "hbr:GetUniBackupInstallerToken",
        "hbr:GetUserToken",
        "hbr:GetValidParameter",
        "hbr:GetVaultBuckets",
        "hbr:GetVaultCredential",
        "hbr:GetVaultList",
        "hbr:GetVaultTransition",
        "hbr:GetVaults",
        "hbr:InitClusterForCpfs",
        "hbr:InstallBackupClients",
        "hbr:InstallLocalBackupClients",
        "hbr:InstallUniBackupAgent",
        "hbr:KeepAfterTrialExpiration",
        "hbr:ListBucketInventory",
        "hbr:ListGrayReleaseObjectTypes",
        "hbr:ListOssBuckets",
        "hbr:ListOtsInstances",
        "hbr:ListOtsTables",
        "hbr:ListPolicyTagDataSources",
        "hbr:ListProtectedResources",
        "hbr:ListReportFiles",
        "hbr:ListTagKeys",
        "hbr:ListTagResources",
        "hbr:ListTagValues",
        "hbr:ListVaultTransitions",
        "hbr:LocalRestoreVms",
        "hbr:OfflineAgent",
        "hbr:OpenHbrService",
        "hbr:OpsDescribeClientConnectionStatistics",
        "hbr:OpsDescribeClientConnections",
        "hbr:OpsDescribeMessageStatistics",
        "hbr:OpsDescribeMessages",
        "hbr:OpsDescribePolicies",
        "hbr:OpsDescribePolicyBindings",
        "hbr:OpsExecutePlans",
        "hbr:PreCheckDatabase",
        "hbr:PreCheckSourceGroup",
        "hbr:PrecheckSqlServerInstance",
        "hbr:QueryAvailableInstances",
        "hbr:RecordSubTaskLaunch",
        "hbr:RemoveDataSource",
        "hbr:RemoveParameter",
        "hbr:RemoveVmBackupPlan",
        "hbr:RenewClientToken",
        "hbr:ReportFileDetectionRiskFiles",
        "hbr:ReportStatistics",
        "hbr:ResumeVmMigration",
        "hbr:RunVmBackupPlan",
        "hbr:SearchBackupFiles",
        "hbr:SearchHistoricalSnapshots",
        "hbr:SearchObject",
        "hbr:SendEmailVerifyCode",
        "hbr:SendMessage",
        "hbr:SendMobileVerifyCode",
        "hbr:SendSlaRecord",
        "hbr:SetNasLimiterForFileSystem",
        "hbr:SetSystemSetting",
        "hbr:StartHanaDatabaseAsync",
        "hbr:StopHanaDatabaseAsync",
        "hbr:SubmitStreamFileSyncTask",
        "hbr:TagResources",
        "hbr:TestRestoreVmMigration",
        "hbr:UninstallBackupClients",
        "hbr:UninstallLocalBackupClients",
        "hbr:UninstallUniBackupAgent",
        "hbr:UntagResources",
        "hbr:UpdateAirAlertConfig",
        "hbr:UpdateAirInstance",
        "hbr:UpdateAlertConfig",
        "hbr:UpdateBackupJob",
        "hbr:UpdateBackupJobToConfirmed",
        "hbr:UpdateBackupJobs",
        "hbr:UpdateBackupPlan",
        "hbr:UpdateBackupSourceGroup",
        "hbr:UpdateClientAlertConfig",
        "hbr:UpdateClientClusterForCpfs",
        "hbr:UpdateCluster",
        "hbr:UpdateContact",
        "hbr:UpdateContactGroup",
        "hbr:UpdateContainerCluster",
        "hbr:UpdateDataSource",
        "hbr:UpdateFeatureUserTrialInfo",
        "hbr:UpdateHanaBackupSetting",
        "hbr:UpdateHanaRestore",
        "hbr:UpdateHanaRetentionSetting",
        "hbr:UpdateIndexCluster",
        "hbr:UpdateJob",
        "hbr:UpdateParameter",
        "hbr:UpdatePlan",
        "hbr:UpdatePolicy",
        "hbr:UpdatePolicyBinding",
        "hbr:UpdatePolicyBindingAlertConfig",
        "hbr:UpdatePolicyV2",
        "hbr:UpdateRestore",
        "hbr:UpdateRestoreJob",
        "hbr:UpdateServer",
        "hbr:UpdateSnapshot",
        "hbr:UpdateSnapshotInner",
        "hbr:UpdateSqlServerInstance",
        "hbr:UpdateSqlServerRestore",
        "hbr:UpdateSubTask",
        "hbr:UpdateUniBackupCluster",
        "hbr:UpdateUniBackupInstance",
        "hbr:UpdateUniBackupPlan",
        "hbr:UpdateUniBackupTrialUser",
        "hbr:UpdateUniBackupVault",
        "hbr:UpdateVcenter",
        "hbr:UpdateVmBackupPlan",
        "hbr:UpdateVmBackupPlanExecution",
        "hbr:UpdateVmClientFlowControlPolicy",
        "hbr:UpdateVmIncrementalMigration",
        "hbr:UpdateVmMigration",
        "hbr:UpgradeBackupClients",
        "hbr:UpgradeUniBackupAgent"
      ],
      "Resource": "*"
    }
  ]
}
```
A RAM user or RAM role that is granted account-level permissions can manage all relevant resources within the account. Follow the Principle of Least Privilege (PoLP). Grant permissions with caution and make sure that the granted permissions meet your expectations.
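To keep the account-level grant as small as possible, a mixed custom policy can be split before it is attached. The following Python example is added here and is not part of the Alibaba Cloud documentation: it separates the actions that must be granted at account level from the ones that can stay at resource group scope. `ACCOUNT_LEVEL_ONLY` is an abridged subset of the table above, `hbr:DescribeVaults` is assumed as a sample action that is not in that table, and the function and variable names are hypothetical.

```python
import json
import re

# Abridged subset of the page's table of operations that do not support
# resource group-level authorization. Load the full table in real use.
ACCOUNT_LEVEL_ONLY = frozenset({
    "hbr:CreateBackupPlan",
    "hbr:DeleteBackupPlan",
    "hbr:DescribeBackupPlans",
    "hbr:DescribeBackupJobs2",
    "hbr:CreateRestoreJob",
    "hbr:DeleteSnapshot",
    "hbr:GetVaultCredential",
})

# Constructed sample policy. hbr:DescribeVaults is an assumed example of an
# action that is NOT in the table above.
SAMPLE_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["hbr:DescribeVaults", "hbr:CreateBackupPlan", "hbr:Describe*"],
            "Resource": "*",
        },
        {"Effect": "Allow", "Action": "hbr:DeleteSnapshot", "Resource": "*"},
    ],
}


def _matches(pattern, action):
    """Return True if an Action pattern ('*' wildcard only) covers an action."""
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, action) is not None


def split_policy(policy, account_only=ACCOUNT_LEVEL_ONLY):
    """Split a policy into (resource_group_policy, account_level_policy).

    - A literal action found in account_only goes to the account-level part only.
    - A literal action not in account_only stays in the resource group part.
    - A wildcard stays in the resource group part, and every account_only
      action it covers is listed explicitly in the account-level part, so the
      account-level grant never carries the wildcard itself.
    """
    group_stmts, account_stmts = [], []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        # The Action element may be a single string or a list of strings.
        patterns = [actions] if isinstance(actions, str) else list(actions)
        group_actions, account_actions = [], set()
        for pattern in patterns:
            hits = {a for a in account_only if _matches(pattern, a)}
            account_actions |= hits
            if "*" in pattern or not hits:
                group_actions.append(pattern)
        if group_actions:
            group_stmts.append({**stmt, "Action": group_actions})
        if account_actions:
            account_stmts.append({**stmt, "Action": sorted(account_actions)})
    version = policy.get("Version", "1")
    return (
        {"Version": version, "Statement": group_stmts},
        {"Version": version, "Statement": account_stmts},
    )


if __name__ == "__main__":
    group_policy, account_policy = split_policy(SAMPLE_POLICY)
    print("Attach with Resource Group as the scope:")
    print(json.dumps(group_policy, indent=2))
    print("Attach with Account Level as the scope:")
    print(json.dumps(account_policy, indent=2))
```

A wildcard left in the resource group part takes effect only for operations that support resource group-level authorization; the explicit list in the account-level part is what should be reviewed against least privilege.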
FAQ
How do I view the resource group of a resource?
- Method 1: Click the resource name to go to the details page of the resource. The resource group is displayed on the page.
- Method 2: Log on to the Resource Management console. In the navigation pane on the left, choose . Select the account where the resource is located. The current account is selected by default. Use the filters to find the resource and view its resource group.
How do I view all resources of a product in a specific resource group?
- Method 1: Log on to the Resource Management console. In the navigation pane on the left, choose . Under the account that owns the resource, click the name of the target resource group. The current account is selected by default. Then, from the Select Resource Type drop-down list on the right, select the product to view all its resources in the resource group.
- Method 2: Log on to the Resource Management console. In the navigation pane on the left, choose . Find the target resource group and click Manage Resources in the Actions column. On the Manage Resources page, select the product from the Product drop-down list to view all of its resources in the resource group.
How do I move multiple resources to a different resource group in a batch?
Log on to the Resource Management console. In the navigation pane on the left, choose . Find the target resource group and click Manage Resources in the Actions column. On the page that appears, use filters to find the target resources. Select the check boxes for the resources in the first column, click Transfer Resource Group at the bottom of the page, and then follow the on-screen instructions to change the resource group.