如何分离备份和恢复权限

为提升数据备份的安全管理水平,防止来自企业内部的意外操作或者被未授权用户备份和恢复数据,满足安全合规要求。云备份提供备份恢复权限分离功能。本文介绍配置备份恢复权限分离的操作方法。

背景信息

给指定RAM用户添加RAM权限,使得该RAM用户对此备份库只能进行备份或者恢复操作,避免未经授权的误操作。

分离备份和恢复权限

  1. 获取禁止备份和恢复的权限策略。

    1. 登录云备份Cloud Backup控制台

    2. 在左侧导航栏,单击存储库管理

    3. 找到目标备份库。在其右侧的操作栏,选择更多 > 备份库设置

    4. 备份库设置面板的权限设置区域,选择禁止备份和恢复的权限策略。

      • 禁止恢复/取回的权限策略

        单击脚本左上角复制按钮,快速复制脚本。例如:

        {
            "Version": "1",
            "Statement": [
                {
                    "Effect": "Deny",
                    "Action": [
                        "hbr:CreateRestore",
                        "hbr:CreateRestoreJob",
                        "hbr:CreateHanaRestore",
                        "hbr:CreateUniRestorePlan",
                        "hbr:CreateSqlServerRestore"
                    ],
                    "Resource": [
                        "acs:hbr:*:1178037424989531:vault/v-0000ryfi******piu",
                        "acs:hbr:*:1178037424989531:vault/v-0000ryfi******piu/client/*"
                    ]
                }
            ]
        }
        说明

        v-0000ryfi******piu为目标备份库ID。

      • 禁止备份/归档的权限策略

        单击脚本左上角复制按钮,快速复制脚本。例如:

        {
            "Version": "1",
            "Statement": [
                {
                    "Effect": "Deny",
                    "Action": [
                        "hbr:CreateUniBackupPlan",
                        "hbr:UpdateUniBackupPlan",
                        "hbr:DeleteUniBackupPlan",
                        "hbr:CreateHanaInstance",
                        "hbr:UpdateHanaInstance",
                        "hbr:DeleteHanaInstance",
                        "hbr:CreateHanaBackupPlan",
                        "hbr:UpdateHanaBackupPlan",
                        "hbr:DeleteHanaBackupPlan",
                        "hbr:CreateClient",
                        "hbr:CreateClients",
                        "hbr:UpdateClient",
                        "hbr:UpdateClientSettings",
                        "hbr:UpdateClientAlertConfig",
                        "hbr:DeleteClient",
                        "hbr:DeleteClients",
                        "hbr:CreateJob",
                        "hbr:UpdateJob",
                        "hbr:CreateBackupPlan",
                        "hbr:UpdateBackupPlan",
                        "hbr:ExecuteBackupPlan",
                        "hbr:DeleteBackupPlan",
                        "hbr:CreateBackupJob",
                        "hbr:CreatePlan",
                        "hbr:UpdatePlan",
                        "hbr:CreateTrialBackupPlan",
                        "hbr:ConvertToPostPaidInstance",
                        "hbr:KeepAfterTrialExpiration"
                    ],
                    "Resource": [
                        "acs:hbr:*:1178037424989531:vault/v-0000ryfi******piu",
                        "acs:hbr:*:1178037424989531:vault/v-0000ryfi******piu/client/*"
                    ]
                }
            ]
        }
        说明

        v-0000ryfi******piu为目标备份库ID。

  2. 登录RAM控制台,创建自定义权限策略。

    更多信息,请参见创建自定义权限策略

  3. 选择权限分离的RAM用户,分别授予您在步骤2中创建的禁止备份或者禁止恢复权限。