为提升数据备份的安全管理水平,防止来自企业内部的意外操作或者被未授权用户备份和恢复数据,满足安全合规要求。云备份提供备份恢复权限分离功能。本文介绍配置备份恢复权限分离的操作方法。
背景信息
给指定RAM用户添加RAM权限,使得该RAM用户对此备份库只能进行备份或者恢复操作,避免未经授权的误操作。
分离备份和恢复权限
获取禁止备份和恢复的权限策略。
登录云备份Cloud Backup控制台。
在左侧导航栏,单击存储库管理。
找到目标备份库。在其右侧的操作栏,选择。
在备份库设置面板的权限设置区域,选择禁止备份和恢复的权限策略。
禁止恢复/取回的权限策略
单击脚本左上角复制按钮,快速复制脚本。例如:
{ "Version": "1", "Statement": [ { "Effect": "Deny", "Action": [ "hbr:CreateRestore", "hbr:CreateRestoreJob", "hbr:CreateHanaRestore", "hbr:CreateUniRestorePlan", "hbr:CreateSqlServerRestore" ], "Resource": [ "acs:hbr:*:1178037424989531:vault/v-0000ryfi******piu", "acs:hbr:*:1178037424989531:vault/v-0000ryfi******piu/client/*" ] } ] }说明v-0000ryfi******piu为目标备份库ID。
禁止备份/归档的权限策略
单击脚本左上角复制按钮,快速复制脚本。例如:
{ "Version": "1", "Statement": [ { "Effect": "Deny", "Action": [ "hbr:CreateUniBackupPlan", "hbr:UpdateUniBackupPlan", "hbr:DeleteUniBackupPlan", "hbr:CreateHanaInstance", "hbr:UpdateHanaInstance", "hbr:DeleteHanaInstance", "hbr:CreateHanaBackupPlan", "hbr:UpdateHanaBackupPlan", "hbr:DeleteHanaBackupPlan", "hbr:CreateClient", "hbr:CreateClients", "hbr:UpdateClient", "hbr:UpdateClientSettings", "hbr:UpdateClientAlertConfig", "hbr:DeleteClient", "hbr:DeleteClients", "hbr:CreateJob", "hbr:UpdateJob", "hbr:CreateBackupPlan", "hbr:UpdateBackupPlan", "hbr:ExecuteBackupPlan", "hbr:DeleteBackupPlan", "hbr:CreateBackupJob", "hbr:CreatePlan", "hbr:UpdatePlan", "hbr:CreateTrialBackupPlan", "hbr:ConvertToPostPaidInstance", "hbr:KeepAfterTrialExpiration" ], "Resource": [ "acs:hbr:*:1178037424989531:vault/v-0000ryfi******piu", "acs:hbr:*:1178037424989531:vault/v-0000ryfi******piu/client/*" ] } ] }说明v-0000ryfi******piu为目标备份库ID。
登录RAM控制台,创建自定义权限策略。
更多信息,请参见创建自定义权限策略。
选择权限分离的RAM用户,分别授予您在步骤2中创建的禁止备份或者禁止恢复权限。