Cloud Backup:Create a RAM user and authorize the RAM user to access Cloud Backup

Last Updated:Sep 21, 2023

To reduce the security risks for your Alibaba Cloud account, you can manage Cloud Backup resources as a RAM user. This topic describes how to create a RAM user and authorize the RAM user to access Cloud Backup.

Background information

In practice, you may need to perform operations and maintenance (O&M) tasks on Cloud Backup or access Cloud Backup resources as a RAM user. In these scenarios, you can create a RAM user and grant it the permissions to access or manage Cloud Backup resources. To ensure data security, we recommend that you follow the principle of least privilege (PoLP) when you grant permissions to the RAM user. For more information about RAM users, see Introduction.

Step 1: Create a RAM user

To manage user permissions by using Resource Access Management (RAM), you must first create RAM users. Then, you grant each RAM user the permissions that it requires.

To create a RAM user, perform the following steps:

Procedure

  1. Log on to the RAM console with your Alibaba Cloud account.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, click Create User.

  4. In the User Account Information section of the Create User page, configure the following parameters:

    • Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).

    • Display Name: The display name can be up to 128 characters in length.

    • (Optional) Tag: You can click the edit icon. In the dialog box that appears, specify the Tag Key and Tag Value parameters. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.

    Note

    You can click Add User to create multiple RAM users at a time.

  5. In the Access Mode section, select an access mode and configure the required parameters.

    To ensure the security of your Alibaba Cloud account, we recommend that you select only one access mode for the RAM user. This way, the RAM user for an individual is separated from the RAM user for a program.

    • Console Access

      If the RAM user represents an individual, we recommend that you select Console Access for the RAM user. This way, the RAM user can use a username and password to access Alibaba Cloud. If you select Console Access, you must configure the following parameters:

      • Console Password: You can select Automatically Regenerate Default Password or Reset Custom Password. If you select Reset Custom Password, you must specify a password. The password must meet the complexity requirements. For more information, see Configure a password policy for RAM users.

      • Password Reset: specifies whether the RAM user is required to reset the password upon the next logon.

      • Multi-factor Authentication: specifies whether to enable multi-factor authentication (MFA) for the RAM user. If you select Required to Enable MFA for the RAM user, the RAM user must bind an MFA device when the RAM user logs on to the Alibaba Cloud Management Console. For more information, see Bind an MFA device to a RAM user.

    • OpenAPI Access

      If the RAM user represents a program, we recommend that you select OpenAPI Access for the RAM user. This way, the RAM user can use an AccessKey pair to access Alibaba Cloud. If you select OpenAPI Access, the system automatically generates an AccessKey ID and AccessKey secret for the RAM user. For more information, see Create an AccessKey pair.

  6. Click OK.

Step 2: Grant permissions to the RAM user

By default, a new RAM user has no permissions. Before you can use the RAM user to perform operations in the Cloud Backup console or call API operations, you must grant the required permissions to the RAM user.

Cloud Backup provides two system policies:

  • AliyunHBRFullAccess: grants a RAM user the full access permissions on Cloud Backup.

  • AliyunHBRReadOnlyAccess: grants a RAM user the read-only permissions on Cloud Backup.

You can also attach custom policies to the RAM user in the RAM console to achieve fine-grained access control. For more information, see Create a custom policy.

In this example, the AliyunHBRReadOnlyAccess policy is attached to a RAM user.

  1. Log on to the RAM console with an Alibaba Cloud account.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the required RAM user, and click Add Permissions in the Actions column.

  4. In the Add Permissions panel, go to the Select Policy section. Select System Policy, enter AliyunHBRReadOnlyAccess in the search box, and then press Enter. Click AliyunHBRReadOnlyAccess to add the policy to the Selected section, and then click OK.

    Note

    In the Selected section on the right, you can click the cross sign (×) next to a policy to remove the policy.

  5. Confirm the authorization result and click Complete.

What to do next

You can restrict the permissions of a RAM user on a specific backup vault so that the RAM user can only back up data to the vault, or only restore data from it.

You can grant permissions by using the following sample policies. To create a custom policy, copy one of the scripts and paste the script in the RAM console. Then, attach the custom policy to the RAM user. For more information, see Grant backup permissions and recovery permissions to different RAM users.

  • To prevent a RAM user from restoring data from a backup vault, use the following sample policy:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": [
                    "hbr:CreateRestore",
                    "hbr:CreateRestoreJob",
                    "hbr:CreateHanaRestore",
                    "hbr:CreateUniRestorePlan",
                    "hbr:CreateSqlServerRestore"
                ],
                "Resource": [
                    "acs:hbr:*:1178******531:vault/v-000******blx06",
                    "acs:hbr:*:1178******531:vault/v-000******blx06/client/*"
                ]
            }
        ]
    }

  • To prevent a RAM user from backing up data to a backup vault, use the following sample policy:

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": [
                    "hbr:CreateUniBackupPlan",
                    "hbr:UpdateUniBackupPlan",
                    "hbr:DeleteUniBackupPlan",
                    "hbr:CreateHanaInstance",
                    "hbr:UpdateHanaInstance",
                    "hbr:DeleteHanaInstance",
                    "hbr:CreateHanaBackupPlan",
                    "hbr:UpdateHanaBackupPlan",
                    "hbr:DeleteHanaBackupPlan",
                    "hbr:CreateClient",
                    "hbr:CreateClients",
                    "hbr:UpdateClient",
                    "hbr:UpdateClientSettings",
                    "hbr:UpdateClientAlertConfig",
                    "hbr:DeleteClient",
                    "hbr:DeleteClients",
                    "hbr:CreateJob",
                    "hbr:UpdateJob",
                    "hbr:CreateBackupPlan",
                    "hbr:UpdateBackupPlan",
                    "hbr:ExecuteBackupPlan",
                    "hbr:DeleteBackupPlan",
                    "hbr:CreateBackupJob",
                    "hbr:CreatePlan",
                    "hbr:UpdatePlan",
                    "hbr:CreateTrialBackupPlan",
                    "hbr:ConvertToPostPaidInstance",
                    "hbr:KeepAfterTrialExpiration"
                ],
                "Resource": [
                    "acs:hbr:*:1178******9531:vault/v-000******blx06",
                    "acs:hbr:*:1178******9531:vault/v-000******blx06/client/*"
                ]
            }
        ]
    }
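The Deny policies above only make sense in combination with an Allow policy such as AliyunHBRReadOnlyAccess or AliyunHBRFullAccess, because RAM evaluates every attached policy and an explicit Deny overrides any Allow. The following added example (not Alibaba Cloud code) is a small evaluator that reproduces that combination logic for the "disallow restore" policy from this page; the account ID and vault ID are constructed placeholders, and AliyunHBRFullAccess is assumed to be equivalent to `hbr:*` on all resources, which this page does not confirm.

```python
import fnmatch

# Constructed placeholders; the page masks its real account and vault IDs.
ACCOUNT = "123456789012"
VAULT = "v-EXAMPLEVAULT"

# Assumption: the AliyunHBRFullAccess system policy is modelled as "hbr:*"
# on every resource. Its real content is not shown on this page.
FULL_ACCESS = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "hbr:*", "Resource": "*"}],
}

# The page's "disallow restore" custom policy, with the placeholder IDs above.
DENY_RESTORE = {
    "Version": "1",
    "Statement": [{
        "Effect": "Deny",
        "Action": [
            "hbr:CreateRestore", "hbr:CreateRestoreJob", "hbr:CreateHanaRestore",
            "hbr:CreateUniRestorePlan", "hbr:CreateSqlServerRestore",
        ],
        "Resource": [
            f"acs:hbr:*:{ACCOUNT}:vault/{VAULT}",
            f"acs:hbr:*:{ACCOUNT}:vault/{VAULT}/client/*",
        ],
    }],
}

def _matches(patterns, value):
    # Action and Resource may be a string or a list; "*" is the RAM wildcard.
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def evaluate(policies, action, resource):
    """Combine attached policies the way RAM does: an explicit Deny in any
    statement wins, otherwise a matching Allow grants, otherwise implicit Deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "Deny"

if __name__ == "__main__":
    vault = f"acs:hbr:cn-hangzhou:{ACCOUNT}:vault/{VAULT}"
    print(evaluate([FULL_ACCESS, DENY_RESTORE], "hbr:CreateRestoreJob", vault))  # Deny
```

Attaching only the Deny policy grants nothing: without an Allow statement the evaluator (like RAM) falls through to the implicit Deny.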

What to do next

Log on to the Alibaba Cloud Management Console as a RAM user