If the system policies do not meet your requirements, you can create custom policies to implement least-privilege authorization. Custom policies let you control permissions at a fine-grained level and are an effective way to improve the security of resource access. This topic describes the scenarios in which custom policies are used for <cloud service name> and provides policy examples.
What is a custom policy
In RAM-based access control, a custom policy is a policy that you create, update, and delete yourself, as opposed to a system policy. You are responsible for maintaining the versions of your custom policies.
After you create a custom policy, you must attach it to a RAM user, RAM user group, or RAM role before that RAM identity obtains the permissions specified in the policy.
You can delete a policy that you have created, but first make sure that the policy is not referenced. If the policy is still referenced, remove the authorization from the reference records of the policy.
Custom policies support version control. You can manage the versions of your custom policies according to the version management mechanism defined by RAM.
Operation guides
Common scenarios and examples of custom policies
Cloud Backup supports separation of backup and restore permissions. By granting RAM permissions to a specified RAM user, you can restrict that user to only backup operations or only restore operations on a given backup vault, which prevents unauthorized or accidental operations.
Policy that denies restore/retrieval
Example:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "hbr:CreateRestore",
        "hbr:CreateRestoreJob",
        "hbr:CreateHanaRestore",
        "hbr:CreateUniRestorePlan",
        "hbr:CreateSqlServerRestore"
      ],
      "Resource": [
        "acs:hbr:*:1178037424989531:vault/v-0000ryfi******piu",
        "acs:hbr:*:1178037424989531:vault/v-0000ryfi******piu/client/*"
      ]
    }
  ]
}
Note: v-0000ryfi******piu is the ID of the target backup vault.
Policy that denies backup/archiving
Example:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "hbr:CreateUniBackupPlan",
        "hbr:UpdateUniBackupPlan",
        "hbr:DeleteUniBackupPlan",
        "hbr:CreateHanaInstance",
        "hbr:UpdateHanaInstance",
        "hbr:DeleteHanaInstance",
        "hbr:CreateHanaBackupPlan",
        "hbr:UpdateHanaBackupPlan",
        "hbr:DeleteHanaBackupPlan",
        "hbr:CreateClient",
        "hbr:CreateClients",
        "hbr:UpdateClient",
        "hbr:UpdateClientSettings",
        "hbr:UpdateClientAlertConfig",
        "hbr:DeleteClient",
        "hbr:DeleteClients",
        "hbr:CreateJob",
        "hbr:UpdateJob",
        "hbr:CreateBackupPlan",
        "hbr:UpdateBackupPlan",
        "hbr:ExecuteBackupPlan",
        "hbr:DeleteBackupPlan",
        "hbr:CreateBackupJob",
        "hbr:CreatePlan",
        "hbr:UpdatePlan",
        "hbr:CreateTrialBackupPlan",
        "hbr:ConvertToPostPaidInstance",
        "hbr:KeepAfterTrialExpiration"
      ],
      "Resource": [
        "acs:hbr:*:1178037424989531:vault/v-0000ryfi******piu",
        "acs:hbr:*:1178037424989531:vault/v-0000ryfi******piu/client/*"
      ]
    }
  ]
}
Note: v-0000ryfi******piu is the ID of the target backup vault.
The following RAM policy example prevents RAM users from accidentally deleting backup data:
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "hbr:DeleteBackupClient",
        "hbr:DeleteContact",
        "hbr:DeleteContactGroup",
        "hbr:DeleteVault",
        "hbr:DeleteJob",
        "hbr:DeleteClient",
        "hbr:DeleteHanaBackupPlan",
        "hbr:DeleteClients",
        "hbr:DeleteBackupSourceGroup",
        "hbr:DeleteBackupPlan",
        "hbr:DeleteHanaInstance",
        "hbr:DeleteSqlServerInstance",
        "hbr:DeleteSnapshot",
        "hbr:DeleteSqlServerSnapshot",
        "hbr:DeleteSqlServerLog",
        "hbr:DeleteVcenter",
        "hbr:DeleteUdmEcsInstance",
        "hbr:DeleteAppliance",
        "hbr:DeleteUniBackupClient",
        "hbr:DeleteUniBackupPlan",
        "hbr:DeleteUniBackupCluster",
        "hbr:DeleteUniRestorePlan"
      ],
      "Resource": [
        "acs:hbr:*:{uid}:vault/{vaultId}",
        "acs:hbr:*:{uid}:vault/{vaultId}/*"
      ]
    }
  ]
}
Note: vaultId is the ID of the backup vault to protect. To protect all vaults, use an asterisk (*).
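Before attaching a Deny policy like the ones above, it is worth checking offline that it covers exactly the intended calls and nothing else. The following is an added example, not code from the Cloud Backup documentation: it evaluates the deny-restore policy against a few representative requests using simplified RAM matching semantics (only "*" as a wildcard; Allow statements and other attached policies are ignored). The account ID 123456789012345, the vault ID v-example and the function names are constructed for this example.

```python
import fnmatch
import json

# Deny-restore policy in the same shape as the page's example, with a constructed
# account ID and vault ID (placeholders, not real resources).
POLICY_JSON = """
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["hbr:CreateRestore", "hbr:CreateRestoreJob", "hbr:CreateHanaRestore",
                 "hbr:CreateUniRestorePlan", "hbr:CreateSqlServerRestore"],
      "Resource": ["acs:hbr:*:123456789012345:vault/v-example",
                   "acs:hbr:*:123456789012345:vault/v-example/client/*"]
    }
  ]
}
"""

def _matches(pattern: str, value: str) -> bool:
    """Match a RAM-style pattern in which '*' is the only wildcard."""
    # fnmatch also treats '?' and '[' specially, so neutralise them first.
    escaped = pattern.replace("[", "[[]").replace("?", "[?]")
    return fnmatch.fnmatchcase(value, escaped)

def is_denied(policy: dict, action: str, resource: str) -> bool:
    """Return True if any Deny statement of this policy covers the request.

    Simplified model: real RAM evaluation also considers Allow statements and
    every other policy attached to the identity (an explicit Deny always wins).
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        actions = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
        resources = [stmt["Resource"]] if isinstance(stmt["Resource"], str) else stmt["Resource"]
        if any(_matches(a, action) for a in actions) and any(_matches(r, resource) for r in resources):
            return True
    return False

POLICY = json.loads(POLICY_JSON)
VAULT = "acs:hbr:cn-hangzhou:123456789012345:vault/v-example"

def check_separation() -> dict:
    """Evaluate the restore-denial policy against representative requests."""
    return {
        "restore_on_protected_vault": is_denied(POLICY, "hbr:CreateRestore", VAULT),
        "restore_on_client": is_denied(POLICY, "hbr:CreateRestoreJob", VAULT + "/client/c-1"),
        "backup_on_protected_vault": is_denied(POLICY, "hbr:CreateBackupJob", VAULT),
        "restore_on_other_vault": is_denied(POLICY, "hbr:CreateRestore", VAULT.replace("v-example", "v-other")),
    }

if __name__ == "__main__":
    for name, denied in check_separation().items():
        print(f"{name}: {'DENIED' if denied else 'not denied by this policy'}")
```

The results show the intended split: restore calls on the protected vault and its clients are denied, while backup calls on the same vault and restore calls on any other vault are left to the identity's other policies.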
Authorization information
To use custom policies, you need to understand the permission control requirements of your business and the authorization information of Cloud Backup. For more information, see Authorization information.