After you create a RAM user and authorize it to access Hybrid Backup Recovery (HBR), you can use that RAM user to manage your HBR resources. This topic describes how to create a RAM user and grant it access to HBR.

Background information

Based on your business requirements, you may need to grant O&M staff permissions to manage your Hybrid Backup Recovery (HBR) resources and grant other staff permissions to access those resources. In this case, create RAM users and grant each RAM user the permissions it requires. The staff can then access HBR resources as RAM users. For data security reasons, we recommend that you follow the principle of least privilege (PoLP) when you grant permissions to RAM users. For more information about RAM users, see Introduction.

Step 1: Create a RAM user

To manage user permissions by using RAM, you must first create RAM users and then grant each RAM user the permissions it requires.

If you have multiple RAM users within your Alibaba Cloud account, you can create RAM user groups to classify and authorize these RAM users. This simplifies the management of RAM users and permissions. For more information, see Create a user group.

To create a RAM user, perform the following steps:

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, click Create User.
  4. In the User Account Information section of the Create User page, configure the Logon Name and Display Name parameters.
    Note You can click Add User to create multiple RAM users at a time.
  5. In the Access Mode section, select an access mode.
    • Console Access: If you select this option, you must complete the logon security settings. These settings specify whether to use a system-generated or custom logon password, whether the password must be reset upon the next logon, and whether to enable multi-factor authentication (MFA).
      Note If you select Custom Logon Password in the Console Password section, you must specify a password. The password must meet the complexity requirements. For more information about the complexity requirements, see Configure a password policy for RAM users.
    • OpenAPI Access: If you select this option, an AccessKey pair is automatically created for the RAM user. The RAM user can call API operations or use other development tools to access Alibaba Cloud resources.
    Note To ensure the security of the Alibaba Cloud account, we recommend that you select only one access mode for the RAM user. This prevents the RAM user from using an AccessKey pair to access Alibaba Cloud resources after the RAM user leaves the organization.
  6. Click OK.

Step 2: Grant permissions to a RAM user

By default, a new RAM user has no permissions. You must grant permissions to the RAM user before the RAM user can be used to perform operations in the console or call API operations.

Hybrid Backup Recovery (HBR) provides two system policies:
  • AliyunHBRFullAccess: grants a RAM user the full access permissions on HBR.
  • AliyunHBRReadOnlyAccess: grants a RAM user the read-only permissions on HBR.

You can also attach custom policies to the RAM user in the RAM console to achieve fine-grained access control. For more information, see Create a custom policy.

To attach the AliyunHBRReadOnlyAccess policy to a RAM user, perform the following steps:

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user to which you want to grant permissions and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, find and select AliyunHBRReadOnlyAccess under System Policy and click OK.
    Note In the Selected section on the right, you can click the cross sign (×) next to a policy to remove the policy.
  5. Confirm the authorization result and click Complete.

What to do next

You can grant a RAM user permissions on a specific backup vault so that the RAM user can only back up data to that vault or only restore data from it.

You can grant these permissions by using the following sample policies. Copy a policy script into the RAM console to create a custom policy, and then attach the custom policy to the RAM user. For more information, see Isolate backup permissions and recovery permissions.

  • To prevent a RAM user from restoring data from a backup vault, use the following sample policy:
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": [
                    "hbr:CreateRestore",
                    "hbr:CreateRestoreJob",
                    "hbr:CreateHanaRestore",
                    "hbr:CreateUniRestorePlan",
                    "hbr:CreateSqlServerRestore"
                ],
                "Resource": [
                    "acs:hbr:*:1178******531:vault/v-000******blx06",
                    "acs:hbr:*:1178******531:vault/v-000******blx06/client/*"
                ]
            }
        ]
    }
  • To prevent a RAM user from backing up data to a backup vault, use the following sample policy:
    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": [
                    "hbr:CreateUniBackupPlan",
                    "hbr:UpdateUniBackupPlan",
                    "hbr:DeleteUniBackupPlan",
                    "hbr:CreateHanaInstance",
                    "hbr:UpdateHanaInstance",
                    "hbr:DeleteHanaInstance",
                    "hbr:CreateHanaBackupPlan",
                    "hbr:UpdateHanaBackupPlan",
                    "hbr:DeleteHanaBackupPlan",
                    "hbr:CreateClient",
                    "hbr:CreateClients",
                    "hbr:UpdateClient",
                    "hbr:UpdateClientSettings",
                    "hbr:UpdateClientAlertConfig",
                    "hbr:DeleteClient",
                    "hbr:DeleteClients",
                    "hbr:CreateJob",
                    "hbr:UpdateJob",
                    "hbr:CreateBackupPlan",
                    "hbr:UpdateBackupPlan",
                    "hbr:ExecuteBackupPlan",
                    "hbr:DeleteBackupPlan",
                    "hbr:CreateBackupJob",
                    "hbr:CreatePlan",
                    "hbr:UpdatePlan",
                    "hbr:CreateTrialBackupPlan",
                    "hbr:ConvertToPostPaidInstance",
                    "hbr:KeepAfterTrialExpiration"
                ],
                "Resource": [
                    "acs:hbr:*:1178******9531:vault/v-000******blx06",
                    "acs:hbr:*:1178******9531:vault/v-000******blx06/client/*"
                ]
            }
        ]
    }
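The following Python model, added here as an example and not part of the original topic, shows how a Deny statement such as the one above interacts with a broad Allow policy such as AliyunHBRFullAccess: access is denied by default, and an explicit Deny overrides any Allow. The account ID, vault ID and the simplified stand-in for the AliyunHBRFullAccess document are constructed placeholders.

```python
import fnmatch

# Constructed sample values (placeholders, not real identifiers).
ACCOUNT = "123456789012"
VAULT = "v-example000001"

# The page's "deny restore on one vault" custom policy, with placeholders filled in.
DENY_RESTORE_ON_VAULT = {
    "Version": "1",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["hbr:CreateRestore", "hbr:CreateRestoreJob",
                   "hbr:CreateHanaRestore", "hbr:CreateUniRestorePlan",
                   "hbr:CreateSqlServerRestore"],
        "Resource": [f"acs:hbr:*:{ACCOUNT}:vault/{VAULT}",
                     f"acs:hbr:*:{ACCOUNT}:vault/{VAULT}/client/*"],
    }],
}

# Simplified stand-in for the AliyunHBRFullAccess system policy (assumption:
# modelled as "every hbr action on every resource"; the real document may differ).
HBR_FULL_ACCESS = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "hbr:*", "Resource": "*"}],
}

def _matches(patterns, value):
    """Wildcard match of an action name or resource ARN against one or more patterns."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def is_allowed(policies, action, resource):
    """RAM-style evaluation: default deny; an explicit Deny overrides any Allow."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
                if stmt["Effect"] == "Deny":
                    return False  # explicit Deny wins immediately
                allowed = True
    return allowed

if __name__ == "__main__":
    attached = [HBR_FULL_ACCESS, DENY_RESTORE_ON_VAULT]
    vault_arn = f"acs:hbr:cn-hangzhou:{ACCOUNT}:vault/{VAULT}"
    print(is_allowed(attached, "hbr:CreateRestoreJob", vault_arn))  # False
    print(is_allowed(attached, "hbr:CreateBackupJob", vault_arn))   # True
```

Note that the Deny policy alone grants nothing: the RAM user still needs an Allow policy for the backup actions it is expected to perform.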

What to do next

Log on to the Alibaba Cloud Management Console as a RAM user