Before you use a Resource Access Management (RAM) user to call a Hybrid Backup Recovery (HBR) operation, you must use an Alibaba Cloud account to create an authorization policy to grant permissions to the RAM user.

Background information

You can use a RAM user or an Alibaba Cloud account to create backup vaults, backup plans, restore jobs, and backup clients in the HBR console. The resources belong to the RAM user or the Alibaba Cloud account. By default, you have full permissions on the resources. You can use the resources by calling the related API operations.

After you create a RAM user, the RAM user does not have permissions to manage the resources of an Alibaba Cloud account. You must use the Alibaba Cloud account to grant permissions to the RAM user to manage the resources.

Note: For more information about how to authorize a RAM user to access HBR resources, see Grant permissions to a RAM user and RAM role overview.

API operations and resources that can be managed by an authorized RAM user

The following table describes the API operations and resources.

| API | ARN | Description |
| --- | --- | --- |
| CreateVault | acs:hbr:$regionId:$accountId:vault/* | Creates a backup vault. |
| DeleteVault | acs:hbr:$regionId:$accountId:vault/$vaultId | Deletes a backup vault. |
| UpdateVault | acs:hbr:$regionId:$accountId:vault/$vaultId | Updates the settings of a backup vault. |
| DescribeVaults | acs:hbr:$regionId:$accountId:vault/$vaultId | Queries the information about one or more backup vaults that meet the specified conditions. |
| InstallBackupClients | acs:hbr:*:$accountId:instance/* | Installs a backup client on one or more Elastic Compute Service (ECS) instances. |
| UninstallBackupClients | acs:hbr:*:$accountId:instance/* | Uninstalls a backup client from one or more ECS instances. |
| DeleteBackupClient | acs:hbr:*:$accountId:vault/*/client/$clientId | Deletes a backup client. |
| DeleteBackupClientResource | acs:hbr:*:$accountId:vault/*/client/$clientId | Deletes all resources that belong to a backup client. |
| UpgradeBackupClients | acs:hbr:*:$accountId:instance/* | Upgrades a backup client that is installed on one or more ECS instances. |
| UpdateClientSettings | acs:hbr:*:$accountId:vault/$vaultId/client/$clientId | Updates the settings of a backup client. |
| DescribeBackupClients | acs:hbr:*:$accountId:vault/$vaultId/client/$clientId | Queries the information of one or more backup clients that meet the specified conditions. |
| CreateBackupPlan | acs:hbr:$regionId:$accountId:vault/$vaultId | Creates a backup plan. |
| DeleteBackupPlan | acs:hbr:$regionId:$accountId:vault/$vaultId | Deletes a backup plan. |
| EnableBackupPlan | acs:hbr:$regionId:$accountId:vault/$vaultId | Enables a backup plan. |
| DisableBackupPlan | acs:hbr:$regionId:$accountId:vault/$vaultId | Disables a backup plan. |
| UpdateBackupPlan | acs:hbr:$regionId:$accountId:vault/$vaultId | Updates a backup plan. |
| DescribeBackupPlans | acs:hbr:$regionId:$accountId:vault/$vaultId | Queries one or more backup plans that meet the specified conditions. |
| ExecuteBackupPlan | acs:hbr:$regionId:$accountId:vault/$vaultId | Immediately executes a backup plan. |
| DescribeBackupJobs2 | acs:hbr:$regionId:$accountId:vault/$vaultId | Queries one or more backup jobs that meet the specified conditions. |
| DeleteSnapshot | acs:hbr:*:$accountId:vault/$vaultId/client/$clientId | Deletes a backup file. |
| SearchHistoricalSnapshots | acs:hbr:$regionId:$accountId:vault/$vaultId | Queries one or more historical backup files that meet the specified conditions. |
| CreateRestoreJob | acs:hbr:$regionId:$accountId:vault/$vaultId | Creates a restore job. |
| CancelRestoreJob | acs:hbr:$regionId:$accountId:vault/$vaultId | Cancels a restore job. |
| DescribeRestoreJobs2 | acs:hbr:$regionId:$accountId:vault/$vaultId | Queries one or more restore jobs that meet the specified conditions. |

The following table describes the parameters that are used in the policies.

| Parameter | Description |
| --- | --- |
| $regionId | The ID of a region. |
| $accountId | The ID of an Alibaba Cloud account. |
| $vaultId | The ID of a backup vault. |
| $clientId | The ID of a backup client. |

What to do next

In actual scenarios, you may want to perform O&M operations on HBR or access HBR resources as a RAM user.

To use a RAM user to manage HBR resources, you can attach the required system policies to the RAM user. The following table describes the system policies that are supported by HBR.

| Authorization policy | Type | Description |
| --- | --- | --- |
| AliyunHBRFullAccess | System policies | The full permissions on HBR resources. |
| AliyunHBRReadOnlyAccess | System policies | The read-only permissions on HBR resources. |

You can create custom policies. You can also use custom policies and system policies as templates to create finer-grained policies based on the RAM authorization rules. For more information, see Create a RAM user, Grant permissions to a RAM user, and Create a custom policy.
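
The following is an added example, not taken from the HBR documentation: one way to generate a finer-grained custom policy from the ARN templates in the table above, scoped to a single vault and refusing delete operations unless they are explicitly requested. The `hbr:` action prefix follows RAM's `service:Operation` naming; the sample IDs, the `DESTRUCTIVE` grouping, and the names `build_policy` and `RESTORE_OPERATOR` are assumptions made for illustration.

```python
import json
from collections import defaultdict
from string import Template

# ARN templates copied from the table on this page (subset of its rows).
VAULT = "acs:hbr:$regionId:$accountId:vault/$vaultId"
ARN_TEMPLATES = {
    "DescribeVaults": VAULT,
    "DescribeBackupPlans": VAULT,
    "ExecuteBackupPlan": VAULT,
    "DescribeBackupJobs2": VAULT,
    "SearchHistoricalSnapshots": VAULT,
    "CreateRestoreJob": VAULT,
    "DescribeRestoreJobs2": VAULT,
    "DeleteVault": VAULT,
    "DeleteBackupPlan": VAULT,
    "DeleteSnapshot": "acs:hbr:*:$accountId:vault/$vaultId/client/$clientId",
    "DeleteBackupClient": "acs:hbr:*:$accountId:vault/*/client/$clientId",
}
# Assumed grouping: operations that remove backup data or configuration.
DESTRUCTIVE = {"DeleteVault", "DeleteBackupPlan", "DeleteSnapshot", "DeleteBackupClient"}


def build_policy(actions, ids, allow_destructive=False):
    """Return a RAM policy dict granting `actions` on the resources named by `ids`."""
    by_resource = defaultdict(list)
    for action in actions:
        if action not in ARN_TEMPLATES:
            raise ValueError(f"no ARN template for {action}")
        if action in DESTRUCTIVE and not allow_destructive:
            raise PermissionError(f"{action} is destructive; pass allow_destructive=True")
        # substitute() raises KeyError when an ID is missing, so a forgotten
        # vault or client ID never silently widens the grant.
        arn = Template(ARN_TEMPLATES[action]).substitute(ids)
        by_resource[arn].append(f"hbr:{action}")
    statements = [
        {"Effect": "Allow", "Action": sorted(acts), "Resource": [arn]}
        for arn, acts in sorted(by_resource.items())
    ]
    return {"Version": "1", "Statement": statements}


# Constructed sample IDs, not real resources.
SAMPLE_IDS = {"regionId": "cn-hangzhou", "accountId": "1234567890123456", "vaultId": "v-example0001"}
RESTORE_OPERATOR = ["DescribeVaults", "SearchHistoricalSnapshots", "CreateRestoreJob", "DescribeRestoreJobs2"]

if __name__ == "__main__":
    print(json.dumps(build_policy(RESTORE_OPERATOR, SAMPLE_IDS), indent=2))
```

The printed JSON can be pasted into the script editor when you create a custom policy; operations whose ARN in the table is `instance/*` or uses `*` for the region cannot be narrowed to a single vault or region this way.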