If the system policies do not meet your requirements, you can create custom policies to implement least-privilege access. Custom policies let you control permissions at a fine granularity and are an effective way to improve the security of resource access. This topic describes the scenarios in which Cloud Backup uses custom policies and provides policy examples.
What is a custom policy
In RAM-based access control, a custom policy is a policy that you create, update and delete yourself, in addition to the system policies. You are responsible for maintaining the versions of your custom policies.
After you create a custom policy, you must attach it to a RAM user, RAM user group or RAM role before that identity obtains the permissions specified in the policy.
A policy that you created can be deleted, but only when it is no longer referenced. If the policy is still attached, first remove the grants listed in the policy's reference records.
Custom policies support version control. You can manage the versions of your custom policies according to the version management mechanism defined by RAM.
Common custom policy scenarios and examples
Cloud Backup supports separating backup permissions from restore permissions. By attaching a RAM policy to a specific RAM user, you can restrict that user to performing only backup operations or only restore operations on a given backup vault, which prevents unauthorized or accidental operations. All of the examples below are Deny policies. Because RAM applies an explicit Deny ahead of any Allow, attach them in addition to the policy that grants the user's normal Cloud Backup permissions; a Deny policy grants nothing by itself, and it only takes effect for requests whose action and resource ARN both match one of its statements.
Policy that prohibits restore and retrieval
Example:
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "hbr:CreateRestore",
                "hbr:CreateRestoreJob",
                "hbr:CreateHanaRestore",
                "hbr:CreateUniRestorePlan",
                "hbr:CreateSqlServerRestore"
            ],
            "Resource": [
                "acs:hbr:*:1178037424989531:vault/v-0000ryfi******piu",
                "acs:hbr:*:1178037424989531:vault/v-0000ryfi******piu/client/*"
            ]
        }
    ]
}
Note: v-0000ryfi******piu is the ID of the target backup vault; 1178037424989531 is the ID of the Alibaba Cloud account that owns it. The two Resource entries cover the vault itself and every client registered under it, so the user can still restore from other vaults in the same account.
Policy that prohibits backup and archiving
Example:
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "hbr:CreateUniBackupPlan",
                "hbr:UpdateUniBackupPlan",
                "hbr:DeleteUniBackupPlan",
                "hbr:CreateHanaInstance",
                "hbr:UpdateHanaInstance",
                "hbr:DeleteHanaInstance",
                "hbr:CreateHanaBackupPlan",
                "hbr:UpdateHanaBackupPlan",
                "hbr:DeleteHanaBackupPlan",
                "hbr:CreateClient",
                "hbr:CreateClients",
                "hbr:UpdateClient",
                "hbr:UpdateClientSettings",
                "hbr:UpdateClientAlertConfig",
                "hbr:DeleteClient",
                "hbr:DeleteClients",
                "hbr:CreateJob",
                "hbr:UpdateJob",
                "hbr:CreateBackupPlan",
                "hbr:UpdateBackupPlan",
                "hbr:ExecuteBackupPlan",
                "hbr:DeleteBackupPlan",
                "hbr:CreateBackupJob",
                "hbr:CreatePlan",
                "hbr:UpdatePlan",
                "hbr:CreateTrialBackupPlan",
                "hbr:ConvertToPostPaidInstance",
                "hbr:KeepAfterTrialExpiration"
            ],
            "Resource": [
                "acs:hbr:*:1178037424989531:vault/v-0000ryfi******piu",
                "acs:hbr:*:1178037424989531:vault/v-0000ryfi******piu/client/*"
            ]
        }
    ]
}
Note: v-0000ryfi******piu is the ID of the target backup vault. This policy denies creating, changing, executing and deleting backup plans, jobs and clients on that vault, as well as the billing-related actions that change the vault's instance state, but it does not restrict restore operations.
The following example RAM policy prevents a RAM user from accidentally deleting backup data:
{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "hbr:DeleteBackupClient",
                "hbr:DeleteContact",
                "hbr:DeleteContactGroup",
                "hbr:DeleteVault",
                "hbr:DeleteJob",
                "hbr:DeleteClient",
                "hbr:DeleteHanaBackupPlan",
                "hbr:DeleteClients",
                "hbr:DeleteBackupSourceGroup",
                "hbr:DeleteBackupPlan",
                "hbr:DeleteHanaInstance",
                "hbr:DeleteSqlServerInstance",
                "hbr:DeleteSnapshot",
                "hbr:DeleteSqlServerSnapshot",
                "hbr:DeleteSqlServerLog",
                "hbr:DeleteVcenter",
                "hbr:DeleteUdmEcsInstance",
                "hbr:DeleteAppliance",
                "hbr:DeleteUniBackupClient",
                "hbr:DeleteUniBackupPlan",
                "hbr:DeleteUniBackupCluster",
                "hbr:DeleteUniRestorePlan"
            ],
            "Resource": [
                "acs:hbr:*:{uid}:vault/{vaultId}",
                "acs:hbr:*:{uid}:vault/{vaultId}/*"
            ]
        }
    ]
}
Note: uid is the ID of the Alibaba Cloud account that owns the vault, and vaultId is the ID of the backup vault to protect. To protect all vaults in the account, use an asterisk (*) as the vault ID. Replace both placeholders, including the braces, before you create the policy.
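The three policies above rely on one property of RAM evaluation: an explicit Deny on a matching action and resource overrides any Allow, while a Deny policy attached on its own grants nothing. The following script is an added illustration, not Alibaba Cloud's policy engine or any Cloud Backup code. It builds vault-scoped Deny policies in the same shape as the examples on this page, models only the two rules these examples depend on (a `*` wildcard in Action and Resource, and Deny before Allow), and shows the decisions a user gets with and without a broad Allow policy attached. The account ID, vault IDs and the `ALLOW_ALL` policy are constructed sample data.

```python
"""Model of how RAM evaluates the vault-scoped Deny policies on this page.

Added example, not Alibaba Cloud's policy engine. It implements only what these
examples depend on: '*' wildcards in Action and Resource, and an explicit Deny
that overrides any Allow. UID, VAULT_ID, OTHER_VAULT and ALLOW_ALL are
constructed sample data, not real identifiers or a real system policy.
"""
import re

UID = "100000000000000"          # sample account ID (constructed)
VAULT_ID = "v-protected0001"     # sample vault to protect (constructed)
OTHER_VAULT = "v-unrelated0002"  # sample vault the user may still use (constructed)

# Action lists taken from the page's policies (the delete list is a subset).
RESTORE_ACTIONS = [
    "hbr:CreateRestore", "hbr:CreateRestoreJob", "hbr:CreateHanaRestore",
    "hbr:CreateUniRestorePlan", "hbr:CreateSqlServerRestore",
]
DELETE_ACTIONS = [
    "hbr:DeleteVault", "hbr:DeleteSnapshot", "hbr:DeleteBackupPlan",
    "hbr:DeleteClient", "hbr:DeleteJob",
]

# Stand-in for a broad Allow policy that grants the user's everyday HBR permissions.
ALLOW_ALL = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Action": "hbr:*", "Resource": "*"}]}


def vault_resources(uid, vault_id, child="client/*"):
    """ARNs for one vault (or every vault when vault_id == '*') plus its children."""
    base = f"acs:hbr:*:{uid}:vault/{vault_id}"
    return [base, f"{base}/{child}"]


def deny_policy(actions, uid, vault_id, child="client/*"):
    """Build a Deny-only policy scoped to a vault, in the shape of the page's examples."""
    return {"Version": "1", "Statement": [{
        "Effect": "Deny",
        "Action": list(actions),
        "Resource": vault_resources(uid, vault_id, child),
    }]}


def _match(pattern, value):
    """RAM-style glob: only '*' is special; comparison is case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value, re.IGNORECASE) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def evaluate(policies, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action on one resource ARN.

    A matching Deny statement in any attached policy wins immediately; otherwise
    the request is allowed only if some statement explicitly allows it.
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            action_hit = any(_match(a, action) for a in _as_list(stmt["Action"]))
            resource_hit = any(_match(r, resource) for r in _as_list(stmt["Resource"]))
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def demo():
    """Decisions for a user with the Allow policy plus two of the page's Deny policies."""
    deny_restore = deny_policy(RESTORE_ACTIONS, UID, VAULT_ID)
    deny_delete_all = deny_policy(DELETE_ACTIONS, UID, "*", child="*")  # vaultId = '*'
    protected = f"acs:hbr:cn-hangzhou:{UID}:vault/{VAULT_ID}"
    other = f"acs:hbr:cn-hangzhou:{UID}:vault/{OTHER_VAULT}"
    attached = [ALLOW_ALL, deny_restore, deny_delete_all]
    return {
        "restore_protected": evaluate(attached, "hbr:CreateRestoreJob", protected),
        "restore_other": evaluate(attached, "hbr:CreateRestoreJob", other),
        "backup_protected": evaluate(attached, "hbr:CreateBackupJob", protected),
        "delete_other": evaluate(attached, "hbr:DeleteVault", other),
        # A Deny policy grants nothing: without an Allow, even a backup is refused.
        "backup_without_allow": evaluate([deny_restore], "hbr:CreateBackupJob", protected),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Running the script shows the intended split: restores on the protected vault are denied while restores on other vaults and backups on the protected vault stay allowed, the all-vault delete policy denies `hbr:DeleteVault` everywhere in the account, and the deny-only attachment yields an implicit deny for everything because no policy grants anything. When you verify a real policy, check it the same way with a request that should be denied and one that should still succeed, since a Resource ARN that does not match the vault silently leaves the Deny ineffective.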
Authorization information reference
To use custom policies, you need to understand your business's permission control requirements and the authorization information of Cloud Backup, that is, the actions and resource types it supports. For details, see Authorization information.