This topic describes how to use a Resource Access Management (RAM) policy to prevent RAM users from accidentally deleting data stored in backup vaults, so that your backup data is better protected.

RAM is the resource access control service of Alibaba Cloud. You configure RAM policies according to the responsibilities of each user, and through those policies you manage users such as employees, systems, or applications. For example, you can control which resources under your Alibaba Cloud account are accessible to RAM users and prevent RAM users from accidentally deleting backup data.

Note: If you use RAM policies, we recommend that you use RAM Policy Editor to generate the required RAM policies. For more information, see RAM Policy Editor.

The following example shows a RAM policy that prevents RAM users from accidentally deleting backup data:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "hbr:DeleteVault",
                "hbr:DeleteClient",
                "hbr:DeleteClients",
                "hbr:DeleteHanaInstance",
                "hbr:DeleteSqlServerInstance",
                "hbr:DeleteServer",
                "hbr:DeleteSnapshot"
            ],
            "Resource": [
                "acs:hbr:*:{uid}:vault/{vaultId}",
                "acs:hbr:*:{uid}:vault/{vaultId}/*"
            ]
        }
    ]
}

Note:
  • In the preceding RAM policy, vaultId specifies the ID of the backup vault to be protected. To protect all backup vaults, enter an asterisk (*) in its place.
  • For more information about how to use the elements in the preceding RAM policy, such as Effect, Action, and Resource, see Policy elements.
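The following Python script is an added example; it is not part of this page or of the HBR product. It renders the policy above with constructed values for {uid} and {vaultId} (the account ID and vault ID are made up) and runs a simplified RAM-style matcher over it, so you can see which requests the Deny statement catches before you attach the policy: deleting the protected vault, deleting a client or snapshot under it (via the vault/{vaultId}/* resource), deleting a different vault (not covered unless vaultId is *), and an action outside the list (the hbr:CreateVault name and the client sub-resource path are assumptions for illustration). Only the "*" wildcard is modelled; this is not the RAM engine.

```python
import json
import re

# Constructed sample values (not from the page): the Alibaba Cloud account ID
# that fills the {uid} placeholder and a backup vault ID for {vaultId}.
UID = "123456789012345"
VAULT_ID = "v-000000000000001"

# The seven hbr:Delete* actions listed in the page's policy.
PROTECTED_ACTIONS = [
    "hbr:DeleteVault",
    "hbr:DeleteClient",
    "hbr:DeleteClients",
    "hbr:DeleteHanaInstance",
    "hbr:DeleteSqlServerInstance",
    "hbr:DeleteServer",
    "hbr:DeleteSnapshot",
]


def render_policy(uid: str, vault_id: str) -> dict:
    """Fill the {uid} and {vaultId} placeholders of the page's Deny policy.

    Passing vault_id="*" yields the "protect all backup vaults" variant that
    the page's note describes.
    """
    return {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": list(PROTECTED_ACTIONS),
                "Resource": [
                    f"acs:hbr:*:{uid}:vault/{vault_id}",
                    f"acs:hbr:*:{uid}:vault/{vault_id}/*",
                ],
            }
        ],
    }


def _glob_match(pattern: str, value: str) -> bool:
    """Match a RAM-style pattern where '*' stands for any run of characters.

    Simplification: only '*' is handled; other RAM wildcard forms are not modelled.
    """
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Simplified RAM decision for one request.

    Returns "Deny" when any Deny statement matches (an explicit deny always wins),
    "Allow" when only Allow statements match, and "NoMatch" when no statement
    applies, in which case RAM falls back to its default of denying the request.
    """
    decision = "NoMatch"
    for stmt in policy["Statement"]:
        action_hit = any(_glob_match(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(_glob_match(r, resource) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def check_protection(uid: str = UID, vault_id: str = VAULT_ID) -> dict:
    """Run a few requests against the rendered policy and collect the outcomes."""
    # JSON round-trip: the rendered policy must be valid JSON before it is attached.
    policy = json.loads(json.dumps(render_policy(uid, vault_id)))
    region = "cn-hangzhou"  # constructed; the policy's "*" region segment matches any region
    vault = f"acs:hbr:{region}:{uid}:vault/{vault_id}"
    # Assumed sub-resource path for a client inside the vault; it only needs to
    # fall under "vault/{vaultId}/*" for the example.
    client = f"{vault}/client/c-0001"
    other_vault = f"acs:hbr:{region}:{uid}:vault/v-other-vault"
    return {
        "delete_vault": evaluate(policy, "hbr:DeleteVault", vault),
        "delete_client": evaluate(policy, "hbr:DeleteClient", client),
        "delete_snapshot": evaluate(policy, "hbr:DeleteSnapshot", client),
        "delete_other_vault": evaluate(policy, "hbr:DeleteVault", other_vault),
        # Assumed action name outside the Deny list: the policy says nothing about
        # it, so the user's other Allow policies decide (or the implicit deny).
        "create_vault": evaluate(policy, "hbr:CreateVault", vault),
    }


if __name__ == "__main__":
    print(json.dumps(check_protection(), indent=2))
    print(json.dumps(check_protection(vault_id="*"), indent=2))
```

With the specific vault ID, deleting a different vault returns "NoMatch": the Deny policy does not touch it, and whether the user may delete it depends on their other policies. Only the asterisk variant turns that request into "Deny", which is the behaviour the note above describes.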

After you configure the preceding RAM policy, an error message appears when a RAM user attempts to delete a protected backup vault, as shown in the following figure.

[Figure: error1]

Similarly, an error message appears when a RAM user attempts to delete a backup client, for example, an Elastic Compute Service (ECS) file backup client, as shown in the following figure.

[Figure: delete]

After the user clicks Delete in the Actions column of the target ECS instance, the following message appears: "Deleting a client deletes the existing backup data and causes the backup and recovery tasks that are being executed to fail. Before deleting a client, please ensure that the backup data of this client is no longer needed, and that there are no backup and recovery tasks being performed on the client." After the user reads the message and clicks OK, an error message appears, as shown in the following figure.

[Figure: error2]