如果系统权限策略不能满足您的要求,您可以创建自定义权限策略实现最小授权。使用自定义权限策略有助于实现权限的精细化管控,是提升资源访问安全的有效手段。本文介绍<云服务名称>使用自定义权限策略的场景和策略示例。
什么是自定义权限策略
在基于RAM的访问控制体系中,自定义权限策略是指在系统权限策略之外,您可以自主创建、更新和删除的权限策略。自定义权限策略的版本更新需由您来维护。
创建自定义权限策略后,需为RAM用户、用户组或RAM角色绑定权限策略,这些RAM身份才能获得权限策略中指定的访问权限。
已创建的权限策略支持删除,但删除前需确保该策略未被引用。如果该权限策略已被引用,您需要在该权限策略的引用记录中移除授权。
自定义权限策略支持版本控制,您可以按照RAM规定的版本管理机制来管理您创建的自定义权限策略版本。
操作文档
创建自定义权限策略
修改自定义权限策略内容和备注
删除自定义权限策略
管理权限策略引用记录
管理自定义权限策略版本
常见自定义权限策略场景及示例
云备份提供备份恢复权限分离功能。给指定RAM用户添加RAM权限,使得该RAM用户对此备份库只能进行备份或者恢复操作,避免未经授权的误操作。
禁止恢复/取回的权限策略
单击脚本左上角复制按钮,快速复制脚本。例如:
{ "Version": "1", "Statement": [ { "Effect": "Deny", "Action": [ "hbr:CreateRestore", "hbr:CreateRestoreJob", "hbr:CreateHanaRestore", "hbr:CreateUniRestorePlan", "hbr:CreateSqlServerRestore" ], "Resource": [ "acs:hbr:*:1178037424989531:vault/v-0000ryfi******piu", "acs:hbr:*:1178037424989531:vault/v-0000ryfi******piu/client/*" ] } ] }说明v-0000ryfi******piu为目标备份库ID。
禁止备份/归档的权限策略
单击脚本左上角复制按钮,快速复制脚本。例如:
{ "Version": "1", "Statement": [ { "Effect": "Deny", "Action": [ "hbr:CreateUniBackupPlan", "hbr:UpdateUniBackupPlan", "hbr:DeleteUniBackupPlan", "hbr:CreateHanaInstance", "hbr:UpdateHanaInstance", "hbr:DeleteHanaInstance", "hbr:CreateHanaBackupPlan", "hbr:UpdateHanaBackupPlan", "hbr:DeleteHanaBackupPlan", "hbr:CreateClient", "hbr:CreateClients", "hbr:UpdateClient", "hbr:UpdateClientSettings", "hbr:UpdateClientAlertConfig", "hbr:DeleteClient", "hbr:DeleteClients", "hbr:CreateJob", "hbr:UpdateJob", "hbr:CreateBackupPlan", "hbr:UpdateBackupPlan", "hbr:ExecuteBackupPlan", "hbr:DeleteBackupPlan", "hbr:CreateBackupJob", "hbr:CreatePlan", "hbr:UpdatePlan", "hbr:CreateTrialBackupPlan", "hbr:ConvertToPostPaidInstance", "hbr:KeepAfterTrialExpiration" ], "Resource": [ "acs:hbr:*:1178037424989531:vault/v-0000ryfi******piu", "acs:hbr:*:1178037424989531:vault/v-0000ryfi******piu/client/*" ] } ] }说明v-0000ryfi******piu为目标备份库ID。
防止RAM用户误删备份数据的RAM Policy示例如下:
{ "Version": "1", "Statement": [{ "Effect": "Deny", "Action": [ "hbr:DeleteBackupClient", "hbr:DeleteContact", "hbr:DeleteContactGroup", "hbr:DeleteVault", "hbr:DeleteJob", "hbr:DeleteClient", "hbr:DeleteHanaBackupPlan", "hbr:DeleteClients", "hbr:DeleteBackupSourceGroup", "hbr:DeleteBackupPlan", "hbr:DeleteHanaInstance", "hbr:DeleteSqlServerInstance", "hbr:DeleteSnapshot", "hbr:DeleteSqlServerSnapshot", "hbr:DeleteSqlServerLog", "hbr:DeleteVcenter", "hbr:DeleteUdmEcsInstance", "hbr:DeleteAppliance", "hbr:DeleteUniBackupClient", "hbr:DeleteUniBackupPlan", "hbr:DeleteUniBackupCluster", "hbr:DeleteUniRestorePlan" ], "Resource": [ "acs:hbr:*:{uid}:vault/{vaultId}", "acs:hbr:*:{uid}:vault/{vaultId}/*" ] }] }说明其中,vaultId表示需要保护的备份库ID,如果要保护所有仓库,请填写星号(*)。
授权信息参考
使用自定义权限策略,您需要了解业务的权限管控需求,并了解云备份的授权信息。详细内容请参见授权信息。