If the system policies of Cloud Backup do not meet your requirements, you can create custom policies to implement the principle of least privilege. Custom policies allow you to achieve fine-grained control over permissions and improve resource access security. This topic describes the scenarios where custom policies are used for Cloud Backup and provides sample custom policies.
What are custom policies
Resource Access Management (RAM) policies are classified into system policies and custom policies. You can create, update, and delete custom policies. You must manage the version updates of custom policies.
After you create a custom policy, you must attach the policy to a RAM user, RAM user group, or RAM role. This way, the permissions that are specified in the policy can be granted to the principal.
You can directly delete a RAM policy that is not attached to a principal. If a RAM policy is attached to a principal, you must detach the RAM policy from the principal before you can delete the RAM policy.
Custom policies support version control. You can manage the versions of custom policies based on the version management mechanism provided by RAM.
Procedures
Scenarios and examples of custom policies
Cloud Backup lets you isolate backup permissions and restoration permissions. You can grant a RAM user only the permissions to perform backup operations on a backup vault and grant another RAM user only the permissions to perform restoration operations on the backup vault. This prevents unauthorized operations.
Policy that prohibits restoration or retrieval
Click the Copy button in the upper-left corner of the script to quickly copy the script. Sample code:
{ "Version": "1", "Statement": [ { "Effect": "Deny", "Action": [ "hbr:CreateRestore", "hbr:CreateRestoreJob", "hbr:CreateHanaRestore", "hbr:CreateUniRestorePlan", "hbr:CreateSqlServerRestore" ], "Resource": [ "acs:hbr:*:1178037424989531:vault/v-0000ryfi******piu", "acs:hbr:*:1178037424989531:vault/v-0000ryfi******piu/client/*" ] } ] }Notev-0000ryfi******piu is the ID of the backup vault.
Policy that prohibits backup or archiving
Click the Copy button in the upper-left corner of the script to quickly copy the script. Sample code:
{ "Version": "1", "Statement": [ { "Effect": "Deny", "Action": [ "hbr:CreateUniBackupPlan", "hbr:UpdateUniBackupPlan", "hbr:DeleteUniBackupPlan", "hbr:CreateHanaInstance", "hbr:UpdateHanaInstance", "hbr:DeleteHanaInstance", "hbr:CreateHanaBackupPlan", "hbr:UpdateHanaBackupPlan", "hbr:DeleteHanaBackupPlan", "hbr:CreateClient", "hbr:CreateClients", "hbr:UpdateClient", "hbr:UpdateClientSettings", "hbr:UpdateClientAlertConfig", "hbr:DeleteClient", "hbr:DeleteClients", "hbr:CreateJob", "hbr:UpdateJob", "hbr:CreateBackupPlan", "hbr:UpdateBackupPlan", "hbr:ExecuteBackupPlan", "hbr:DeleteBackupPlan", "hbr:CreateBackupJob", "hbr:CreatePlan", "hbr:UpdatePlan", "hbr:CreateTrialBackupPlan", "hbr:ConvertToPostPaidInstance", "hbr:KeepAfterTrialExpiration" ], "Resource": [ "acs:hbr:*:1178037424989531:vault/v-0000ryfi******piu", "acs:hbr:*:1178037424989531:vault/v-0000ryfi******piu/client/*" ] } ] }Notev-0000ryfi******piu is the ID of the backup vault.
The following example shows a RAM policy that can prevent RAM users from mistakenly deleting backup data.
{ "Version": "1", "Statement": [{ "Effect": "Deny", "Action": [ "hbr:DeleteBackupClient", "hbr:DeleteContact", "hbr:DeleteContactGroup", "hbr:DeleteVault", "hbr:DeleteJob", "hbr:DeleteClient", "hbr:DeleteHanaBackupPlan", "hbr:DeleteClients", "hbr:DeleteBackupSourceGroup", "hbr:DeleteBackupPlan", "hbr:DeleteHanaInstance", "hbr:DeleteSqlServerInstance", "hbr:DeleteSnapshot", "hbr:DeleteSqlServerSnapshot", "hbr:DeleteSqlServerLog", "hbr:DeleteVcenter", "hbr:DeleteUdmEcsInstance", "hbr:DeleteAppliance", "hbr:DeleteUniBackupClient", "hbr:DeleteUniBackupPlan", "hbr:DeleteUniBackupCluster", "hbr:DeleteUniRestorePlan" ], "Resource": [ "acs:hbr:*:{uid}:vault/{vaultId}", "acs:hbr:*:{uid}:vault/{vaultId}/*" ] }] }NoteIn the preceding RAM policy, vaultId specifies the ID of the backup vault to be protected. To protect all backup vaults, enter an asterisk (*).
References
To use custom policies, you must understand the permission requirements for your business and the authorization information for Cloud Backup. For more information, see Authorization information.