Controllare l'accesso al servizio di backup e DR con IAM

Questa pagina descrive i ruoli e le autorizzazioni IAM necessari per Google Cloud Backup and DR Service. Quando aggiungi nuove entità al progetto, puoi utilizzare una policy Identity and Access Management (IAM) per assegnare all'entità uno o più ruoli IAM. Ogni ruolo IAM contiene autorizzazioni che concedono alle entità l'accesso per eseguire azioni specifiche su risorse specifiche. Per un elenco di riferimento delle autorizzazioni IAM che si applicano al servizio di backup e DR, consulta Autorizzazioni IAM per il servizio di backup e DR.

Come IAM controlla l'accesso

Se un'entità, ovvero un utente, un gruppo o un account di servizio, chiama un'API Google Cloud , deve disporre delle autorizzazioni IAM appropriate per utilizzare la risorsa. Per concedere a un'entità le autorizzazioni richieste, devi assegnarle un ruolo IAM. Scopri di più sulle entità in IAM.

Tipi di ruoli IAM

Il servizio di backup e DR dispone di ruoli predefiniti, ovvero autorizzazioni raggruppate da assegnare a diversi principal. Gli utenti possono anche definire ruoli personalizzati che possono avere una combinazione di singole autorizzazioni per concedere l'accesso per eseguire un flusso di lavoro o un'azione di backup e DR specifici.

Autorizzazioni IAM

Le autorizzazioni consentono agli utenti di eseguire azioni specifiche su risorse specifiche. Possono essere raggruppati per formare ruoli. Ogni autorizzazione si riferisce a un'azione specifica che l'utente può eseguire o a un accesso di cui dispone.

Autorizzazioni a livello di progetto e di risorsa

Le autorizzazioni possono essere concesse a livello di progetto o di risorsa. Ad esempio, un amministratore di Backup e RE può scegliere di concedere solo determinate autorizzazioni a livello di bucket di archiviazione anziché all'intero progetto, a seconda dei criteri. La concessione di ruoli a livello di risorsa non influisce sui ruoli esistenti che hai concesso a livello di progetto e viceversa.

Ruoli IAM predefiniti per il servizio di Backup e DR

Il servizio di backup e DR dispone di un insieme di ruoli IAM predefiniti descritti in questa pagina. Puoi anche creare ruoli personalizzati che contengono sottoinsiemi di autorizzazioni che corrispondono direttamente alle tue esigenze.

La tabella seguente descrive i ruoli IAM associati al servizio Backup and DR ed elenca le autorizzazioni contenute in ciascun ruolo. La descrizione di ogni autorizzazione è elencata nella sezione Autorizzazione IAM per il servizio Backup e DR.

Role Permissions

(roles/backupdr.admin)

Provides full access to all Backup and DR resources.

backupdr.backupPlanAssociations.*

  • backupdr.backupPlanAssociations.createForAlloydbCluster
  • backupdr.backupPlanAssociations.createForCloudSqlInstance
  • backupdr.backupPlanAssociations.createForComputeDisk
  • backupdr.backupPlanAssociations.createForComputeInstance
  • backupdr.backupPlanAssociations.createForFilestoreInstance
  • backupdr.backupPlanAssociations.deleteForAlloydbCluster
  • backupdr.backupPlanAssociations.deleteForCloudSqlInstance
  • backupdr.backupPlanAssociations.deleteForComputeDisk
  • backupdr.backupPlanAssociations.deleteForComputeInstance
  • backupdr.backupPlanAssociations.deleteForFilestoreInstance
  • backupdr.backupPlanAssociations.fetchForAlloydbCluster
  • backupdr.backupPlanAssociations.fetchForCloudSqlInstance
  • backupdr.backupPlanAssociations.fetchForComputeDisk
  • backupdr.backupPlanAssociations.fetchForComputeInstance
  • backupdr.backupPlanAssociations.fetchForFilestoreInstance
  • backupdr.backupPlanAssociations.getForAlloydbCluster
  • backupdr.backupPlanAssociations.getForCloudSqlInstance
  • backupdr.backupPlanAssociations.getForComputeDisk
  • backupdr.backupPlanAssociations.getForComputeInstance
  • backupdr.backupPlanAssociations.getForFilestoreInstance
  • backupdr.backupPlanAssociations.list
  • backupdr.backupPlanAssociations.triggerBackupForAlloydbCluster
  • backupdr.backupPlanAssociations.triggerBackupForCloudSqlInstance
  • backupdr.backupPlanAssociations.triggerBackupForComputeDisk
  • backupdr.backupPlanAssociations.triggerBackupForComputeInstance
  • backupdr.backupPlanAssociations.triggerBackupForFilestoreInstance
  • backupdr.backupPlanAssociations.updateForAlloydbCluster
  • backupdr.backupPlanAssociations.updateForComputeDisk
  • backupdr.backupPlanAssociations.updateForComputeInstance
  • backupdr.backupPlanAssociations.updateForFilestoreInstance

backupdr.backupPlanRevisions.*

  • backupdr.backupPlanRevisions.get
  • backupdr.backupPlanRevisions.list

backupdr.backupPlans.*

  • backupdr.backupPlans.create
  • backupdr.backupPlans.delete
  • backupdr.backupPlans.get
  • backupdr.backupPlans.list
  • backupdr.backupPlans.update
  • backupdr.backupPlans.useForAlloydbCluster
  • backupdr.backupPlans.useForCloudSqlInstance
  • backupdr.backupPlans.useForComputeDisk
  • backupdr.backupPlans.useForComputeInstance
  • backupdr.backupPlans.useForFilestoreInstance

backupdr.backupVaults.*

  • backupdr.backupVaults.associate
  • backupdr.backupVaults.create
  • backupdr.backupVaults.delete
  • backupdr.backupVaults.get
  • backupdr.backupVaults.list
  • backupdr.backupVaults.update

backupdr.bvbackups.*

  • backupdr.bvbackups.delete
  • backupdr.bvbackups.fetchForCloudSqlInstance
  • backupdr.bvbackups.fetchForComputeDisk
  • backupdr.bvbackups.fetchForComputeInstance
  • backupdr.bvbackups.get
  • backupdr.bvbackups.list
  • backupdr.bvbackups.restore
  • backupdr.bvbackups.update
  • backupdr.bvbackups.useReadOnlyForAlloydbCluster
  • backupdr.bvbackups.useReadOnlyForCloudSqlInstance
  • backupdr.bvbackups.useReadOnlyForFilestoreInstance

backupdr.bvdataSources.*

  • backupdr.bvdataSources.abandonBackup
  • backupdr.bvdataSources.fetchAccessToken
  • backupdr.bvdataSources.finalizeBackup
  • backupdr.bvdataSources.get
  • backupdr.bvdataSources.initiateBackup
  • backupdr.bvdataSources.list
  • backupdr.bvdataSources.remove
  • backupdr.bvdataSources.setInternalStatus
  • backupdr.bvdataSources.update
  • backupdr.bvdataSources.useReadOnlyForAlloydbCluster
  • backupdr.bvdataSources.useReadOnlyForCloudSqlInstance

backupdr.compute.restoreFromBackupVault

backupdr.dataSourceReferences.*

  • backupdr.dataSourceReferences.fetchForAlloydbCluster
  • backupdr.dataSourceReferences.fetchForCloudSqlInstance
  • backupdr.dataSourceReferences.fetchForFilestoreInstance
  • backupdr.dataSourceReferences.getForAlloydbCluster
  • backupdr.dataSourceReferences.getForCloudSqlInstance
  • backupdr.dataSourceReferences.getForFilestoreInstance
  • backupdr.dataSourceReferences.list

backupdr.locations.*

  • backupdr.locations.get
  • backupdr.locations.list

backupdr.managementServers.*

  • backupdr.managementServers.access
  • backupdr.managementServers.accessSensitiveData
  • backupdr.managementServers.assignBackupPlans
  • backupdr.managementServers.backupAccess
  • backupdr.managementServers.create
  • backupdr.managementServers.createConnection
  • backupdr.managementServers.createDynamicProtection
  • backupdr.managementServers.delete
  • backupdr.managementServers.deleteDynamicProtection
  • backupdr.managementServers.get
  • backupdr.managementServers.getDynamicProtection
  • backupdr.managementServers.getIamPolicy
  • backupdr.managementServers.list
  • backupdr.managementServers.listDynamicProtection
  • backupdr.managementServers.manageApplications
  • backupdr.managementServers.manageBackupPlans
  • backupdr.managementServers.manageBackupServers
  • backupdr.managementServers.manageBackups
  • backupdr.managementServers.manageClones
  • backupdr.managementServers.manageExpiration
  • backupdr.managementServers.manageHosts
  • backupdr.managementServers.manageInternalACL
  • backupdr.managementServers.manageJobs
  • backupdr.managementServers.manageLiveClones
  • backupdr.managementServers.manageMigrations
  • backupdr.managementServers.manageMirroring
  • backupdr.managementServers.manageMounts
  • backupdr.managementServers.manageRestores
  • backupdr.managementServers.manageSensitiveData
  • backupdr.managementServers.manageStorage
  • backupdr.managementServers.manageSystem
  • backupdr.managementServers.manageWorkflows
  • backupdr.managementServers.refreshWorkflows
  • backupdr.managementServers.runWorkflows
  • backupdr.managementServers.setIamPolicy
  • backupdr.managementServers.testFailOvers
  • backupdr.managementServers.viewBackupPlans
  • backupdr.managementServers.viewBackupServers
  • backupdr.managementServers.viewReports
  • backupdr.managementServers.viewStorage
  • backupdr.managementServers.viewSystem
  • backupdr.managementServers.viewWorkflows

backupdr.operations.*

  • backupdr.operations.cancel
  • backupdr.operations.delete
  • backupdr.operations.get
  • backupdr.operations.list

backupdr.serviceConfig.initialize

backupdr.trial.*

  • backupdr.trial.get
  • backupdr.trial.subscribe

resourcemanager.projects.get

resourcemanager.projects.list

(roles/backupdr.backupConfigViewer)

Provides read access to resource backup config. Resource backup config has the metadata of a Google Cloud resource that can be backed up, along with its backup configurations.

backupdr.locations.list

backupdr.resourceBackupConfigs.*

  • backupdr.resourceBackupConfigs.get
  • backupdr.resourceBackupConfigs.list

(roles/backupdr.backupUser)

Allows the user to apply existing backup plans. This role cannot create backup plans or restore from a backup.

backupdr.backupPlanAssociations.*

  • backupdr.backupPlanAssociations.createForAlloydbCluster
  • backupdr.backupPlanAssociations.createForCloudSqlInstance
  • backupdr.backupPlanAssociations.createForComputeDisk
  • backupdr.backupPlanAssociations.createForComputeInstance
  • backupdr.backupPlanAssociations.createForFilestoreInstance
  • backupdr.backupPlanAssociations.deleteForAlloydbCluster
  • backupdr.backupPlanAssociations.deleteForCloudSqlInstance
  • backupdr.backupPlanAssociations.deleteForComputeDisk
  • backupdr.backupPlanAssociations.deleteForComputeInstance
  • backupdr.backupPlanAssociations.deleteForFilestoreInstance
  • backupdr.backupPlanAssociations.fetchForAlloydbCluster
  • backupdr.backupPlanAssociations.fetchForCloudSqlInstance
  • backupdr.backupPlanAssociations.fetchForComputeDisk
  • backupdr.backupPlanAssociations.fetchForComputeInstance
  • backupdr.backupPlanAssociations.fetchForFilestoreInstance
  • backupdr.backupPlanAssociations.getForAlloydbCluster
  • backupdr.backupPlanAssociations.getForCloudSqlInstance
  • backupdr.backupPlanAssociations.getForComputeDisk
  • backupdr.backupPlanAssociations.getForComputeInstance
  • backupdr.backupPlanAssociations.getForFilestoreInstance
  • backupdr.backupPlanAssociations.list
  • backupdr.backupPlanAssociations.triggerBackupForAlloydbCluster
  • backupdr.backupPlanAssociations.triggerBackupForCloudSqlInstance
  • backupdr.backupPlanAssociations.triggerBackupForComputeDisk
  • backupdr.backupPlanAssociations.triggerBackupForComputeInstance
  • backupdr.backupPlanAssociations.triggerBackupForFilestoreInstance
  • backupdr.backupPlanAssociations.updateForAlloydbCluster
  • backupdr.backupPlanAssociations.updateForComputeDisk
  • backupdr.backupPlanAssociations.updateForComputeInstance
  • backupdr.backupPlanAssociations.updateForFilestoreInstance

backupdr.backupPlanRevisions.*

  • backupdr.backupPlanRevisions.get
  • backupdr.backupPlanRevisions.list

backupdr.backupPlans.get

backupdr.backupPlans.list

backupdr.backupPlans.useForAlloydbCluster

backupdr.backupPlans.useForCloudSqlInstance

backupdr.backupPlans.useForComputeDisk

backupdr.backupPlans.useForComputeInstance

backupdr.backupPlans.useForFilestoreInstance

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.bvbackups.fetchForCloudSqlInstance

backupdr.bvbackups.fetchForComputeDisk

backupdr.bvbackups.fetchForComputeInstance

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvdataSources.get

backupdr.bvdataSources.list

backupdr.dataSourceReferences.*

  • backupdr.dataSourceReferences.fetchForAlloydbCluster
  • backupdr.dataSourceReferences.fetchForCloudSqlInstance
  • backupdr.dataSourceReferences.fetchForFilestoreInstance
  • backupdr.dataSourceReferences.getForAlloydbCluster
  • backupdr.dataSourceReferences.getForCloudSqlInstance
  • backupdr.dataSourceReferences.getForFilestoreInstance
  • backupdr.dataSourceReferences.list

backupdr.locations.*

  • backupdr.locations.get
  • backupdr.locations.list

backupdr.managementServers.access

backupdr.managementServers.assignBackupPlans

backupdr.managementServers.createDynamicProtection

backupdr.managementServers.deleteDynamicProtection

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.manageApplications

backupdr.managementServers.manageBackups

backupdr.managementServers.manageHosts

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/backupdr.backupvaultAccessor)

Allows the Backup Appliance permissions to create and manage backups in a backup vault.

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.bvbackups.delete

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvbackups.update

backupdr.bvdataSources.abandonBackup

backupdr.bvdataSources.fetchAccessToken

backupdr.bvdataSources.finalizeBackup

backupdr.bvdataSources.get

backupdr.bvdataSources.initiateBackup

backupdr.bvdataSources.list

backupdr.bvdataSources.remove

backupdr.bvdataSources.setInternalStatus

backupdr.bvdataSources.update

backupdr.operations.*

  • backupdr.operations.cancel
  • backupdr.operations.delete
  • backupdr.operations.get
  • backupdr.operations.list

(roles/backupdr.backupvaultAdmin)

Allows the Backup Appliance full administrative control of backup vault resources.

backupdr.backupVaults.*

  • backupdr.backupVaults.associate
  • backupdr.backupVaults.create
  • backupdr.backupVaults.delete
  • backupdr.backupVaults.get
  • backupdr.backupVaults.list
  • backupdr.backupVaults.update

backupdr.bvbackups.delete

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvbackups.restore

backupdr.bvbackups.update

backupdr.bvdataSources.get

backupdr.bvdataSources.list

backupdr.bvdataSources.update

backupdr.compute.restoreFromBackupVault

backupdr.locations.*

  • backupdr.locations.get
  • backupdr.locations.list

backupdr.operations.*

  • backupdr.operations.cancel
  • backupdr.operations.delete
  • backupdr.operations.get
  • backupdr.operations.list

(roles/backupdr.backupvaultLister)

Allows the Backup Appliance permission to list backup vaults in a given project.

backupdr.backupVaults.list

(roles/backupdr.backupvaultViewer)

Allows read-only permissions to access backup vault resources and backups.

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvdataSources.get

backupdr.bvdataSources.list

backupdr.operations.get

backupdr.operations.list

(roles/backupdr.cloudSqlOperator)

Allows a Backup and DR service account to discover and backup Cloud SQL instances.

cloudsql.instances.createBackupDrBackup

cloudsql.instances.get

(roles/backupdr.cloudStorageOperator)

Allows a Backup and DR service account to store and manage data (backups or metadata) in Cloud Storage.

storage.buckets.create

storage.buckets.get

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

(roles/backupdr.computeEngineOperator)

Allows a Backup and DR service account to discover, back up, and restore Compute Engine VM instances.

backupdr.managementServers.createConnection

compute.addresses.list

compute.addresses.use

compute.addresses.useInternal

compute.diskTypes.*

  • compute.diskTypes.get
  • compute.diskTypes.list

compute.disks.create

compute.disks.createSnapshot

compute.disks.delete

compute.disks.get

compute.disks.setLabels

compute.disks.use

compute.disks.useReadOnly

compute.firewalls.list

compute.globalOperations.get

compute.images.create

compute.images.delete

compute.images.get

compute.images.useReadOnly

compute.instances.attachDisk

compute.instances.create

compute.instances.createTagBinding

compute.instances.delete

compute.instances.detachDisk

compute.instances.get

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.pscInterfaceCreate

compute.instances.setDeletionProtection

compute.instances.setLabels

compute.instances.setMetadata

compute.instances.setServiceAccount

compute.instances.setTags

compute.instances.start

compute.instances.stop

compute.instances.updateDisplayDevice

compute.instances.useReadOnly

compute.machineTypes.*

  • compute.machineTypes.get
  • compute.machineTypes.list

compute.networks.list

compute.nodeGroups.get

compute.nodeGroups.list

compute.nodeTemplates.get

compute.projects.get

compute.regionOperations.get

compute.regions.*

  • compute.regions.get
  • compute.regions.list

compute.resourcePolicies.use

compute.snapshots.create

compute.snapshots.delete

compute.snapshots.get

compute.snapshots.setLabels

compute.snapshots.useReadOnly

compute.subnetworks.list

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.zoneOperations.get

compute.zones.list

iam.serviceAccounts.actAs

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/backupdr.diskOperator)

Allows a Backup and DR service account to store and manage data (backups or metadata) in Disk.

compute.disks.create

compute.disks.createSnapshot

compute.disks.createTagBinding

compute.disks.get

compute.disks.list

compute.disks.setLabels

compute.disks.useReadOnly

compute.regionOperations.get

compute.resourcePolicies.use

compute.snapshots.setLabels

compute.snapshots.useReadOnly

compute.storagePools.use

compute.zoneOperations.get

(roles/backupdr.filestoreOperator)

Allows a Backup and DR service account to discover and backup Filestore instances.

file.backups.create

file.instances.get

(roles/backupdr.managementServerAccessor)

Grants the Backup and DR management server access role to Backup Appliances.

backupdr.managementServers.createConnection

(roles/backupdr.mountUser)

Allows the user to mount from a backup. This role cannot create a backup plan or restore from a backup.

backupdr.locations.*

  • backupdr.locations.get
  • backupdr.locations.list

backupdr.managementServers.access

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.manageApplications

backupdr.managementServers.manageClones

backupdr.managementServers.manageHosts

backupdr.managementServers.manageLiveClones

backupdr.managementServers.manageMirroring

backupdr.managementServers.manageMounts

backupdr.managementServers.manageWorkflows

backupdr.managementServers.refreshWorkflows

backupdr.managementServers.runWorkflows

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/backupdr.restoreUser)

Allows the user to restore or mount from a backup. This role cannot create a backup plan.

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.bvbackups.fetchForCloudSqlInstance

backupdr.bvbackups.fetchForComputeDisk

backupdr.bvbackups.fetchForComputeInstance

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvbackups.restore

backupdr.bvbackups.useReadOnlyForAlloydbCluster

backupdr.bvbackups.useReadOnlyForCloudSqlInstance

backupdr.bvbackups.useReadOnlyForFilestoreInstance

backupdr.bvdataSources.get

backupdr.bvdataSources.list

backupdr.bvdataSources.useReadOnlyForAlloydbCluster

backupdr.bvdataSources.useReadOnlyForCloudSqlInstance

backupdr.compute.restoreFromBackupVault

backupdr.dataSourceReferences.*

  • backupdr.dataSourceReferences.fetchForAlloydbCluster
  • backupdr.dataSourceReferences.fetchForCloudSqlInstance
  • backupdr.dataSourceReferences.fetchForFilestoreInstance
  • backupdr.dataSourceReferences.getForAlloydbCluster
  • backupdr.dataSourceReferences.getForCloudSqlInstance
  • backupdr.dataSourceReferences.getForFilestoreInstance
  • backupdr.dataSourceReferences.list

backupdr.locations.*

  • backupdr.locations.get
  • backupdr.locations.list

backupdr.managementServers.access

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.manageApplications

backupdr.managementServers.manageClones

backupdr.managementServers.manageHosts

backupdr.managementServers.manageLiveClones

backupdr.managementServers.manageMigrations

backupdr.managementServers.manageMirroring

backupdr.managementServers.manageMounts

backupdr.managementServers.manageRestores

backupdr.managementServers.manageWorkflows

backupdr.managementServers.refreshWorkflows

backupdr.managementServers.runWorkflows

backupdr.managementServers.testFailOvers

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/backupdr.serviceAgent)

Grants the Backup and DR Service access to protect Compute Engine instances.

alloydb.operations.get

cloudsql.instances.createBackupDrBackup

cloudsql.instances.get

compute.addresses.list

compute.addresses.use

compute.addresses.useInternal

compute.diskTypes.*

  • compute.diskTypes.get
  • compute.diskTypes.list

compute.disks.create

compute.disks.createSnapshot

compute.disks.delete

compute.disks.get

compute.disks.list

compute.disks.setLabels

compute.disks.use

compute.disks.useReadOnly

compute.firewalls.list

compute.globalOperations.get

compute.images.create

compute.images.delete

compute.images.get

compute.images.useReadOnly

compute.instances.attachDisk

compute.instances.create

compute.instances.delete

compute.instances.detachDisk

compute.instances.get

compute.instances.list

compute.instances.setLabels

compute.instances.setMetadata

compute.instances.setServiceAccount

compute.instances.setTags

compute.instances.start

compute.instances.stop

compute.instances.useReadOnly

compute.machineTypes.*

  • compute.machineTypes.get
  • compute.machineTypes.list

compute.networks.list

compute.nodeGroups.get

compute.nodeGroups.list

compute.nodeTemplates.get

compute.projects.get

compute.regionOperations.get

compute.regions.*

  • compute.regions.get
  • compute.regions.list

compute.snapshots.create

compute.snapshots.delete

compute.snapshots.get

compute.snapshots.setLabels

compute.snapshots.useReadOnly

compute.subnetworks.list

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.zoneOperations.get

compute.zones.list

file.backups.create

file.instances.get

iam.serviceAccounts.actAs

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/backupdr.user)

Provides access to management console. Granular Backup and DR permissions depend on ACL configuration provided by Backup and DR admin within the management console.

backupdr.backupPlanAssociations.createForComputeInstance

backupdr.backupPlanAssociations.deleteForComputeInstance

backupdr.backupPlanAssociations.updateForComputeInstance

backupdr.managementServers.access

backupdr.managementServers.backupAccess

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.getIamPolicy

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewBackupServers

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

backupdr.trial.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/backupdr.userv2)

Provides full access to Backup and DR resources except deploying and managing backup infrastructure, expiring backups, changing data sensitivity and configuring on-premises billing.

backupdr.backupPlanAssociations.*

  • backupdr.backupPlanAssociations.createForAlloydbCluster
  • backupdr.backupPlanAssociations.createForCloudSqlInstance
  • backupdr.backupPlanAssociations.createForComputeDisk
  • backupdr.backupPlanAssociations.createForComputeInstance
  • backupdr.backupPlanAssociations.createForFilestoreInstance
  • backupdr.backupPlanAssociations.deleteForAlloydbCluster
  • backupdr.backupPlanAssociations.deleteForCloudSqlInstance
  • backupdr.backupPlanAssociations.deleteForComputeDisk
  • backupdr.backupPlanAssociations.deleteForComputeInstance
  • backupdr.backupPlanAssociations.deleteForFilestoreInstance
  • backupdr.backupPlanAssociations.fetchForAlloydbCluster
  • backupdr.backupPlanAssociations.fetchForCloudSqlInstance
  • backupdr.backupPlanAssociations.fetchForComputeDisk
  • backupdr.backupPlanAssociations.fetchForComputeInstance
  • backupdr.backupPlanAssociations.fetchForFilestoreInstance
  • backupdr.backupPlanAssociations.getForAlloydbCluster
  • backupdr.backupPlanAssociations.getForCloudSqlInstance
  • backupdr.backupPlanAssociations.getForComputeDisk
  • backupdr.backupPlanAssociations.getForComputeInstance
  • backupdr.backupPlanAssociations.getForFilestoreInstance
  • backupdr.backupPlanAssociations.list
  • backupdr.backupPlanAssociations.triggerBackupForAlloydbCluster
  • backupdr.backupPlanAssociations.triggerBackupForCloudSqlInstance
  • backupdr.backupPlanAssociations.triggerBackupForComputeDisk
  • backupdr.backupPlanAssociations.triggerBackupForComputeInstance
  • backupdr.backupPlanAssociations.triggerBackupForFilestoreInstance
  • backupdr.backupPlanAssociations.updateForAlloydbCluster
  • backupdr.backupPlanAssociations.updateForComputeDisk
  • backupdr.backupPlanAssociations.updateForComputeInstance
  • backupdr.backupPlanAssociations.updateForFilestoreInstance

backupdr.backupPlanRevisions.*

  • backupdr.backupPlanRevisions.get
  • backupdr.backupPlanRevisions.list

backupdr.backupPlans.*

  • backupdr.backupPlans.create
  • backupdr.backupPlans.delete
  • backupdr.backupPlans.get
  • backupdr.backupPlans.list
  • backupdr.backupPlans.update
  • backupdr.backupPlans.useForAlloydbCluster
  • backupdr.backupPlans.useForCloudSqlInstance
  • backupdr.backupPlans.useForComputeDisk
  • backupdr.backupPlans.useForComputeInstance
  • backupdr.backupPlans.useForFilestoreInstance

backupdr.backupVaults.associate

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.bvbackups.fetchForCloudSqlInstance

backupdr.bvbackups.fetchForComputeDisk

backupdr.bvbackups.fetchForComputeInstance

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvbackups.restore

backupdr.bvbackups.useReadOnlyForAlloydbCluster

backupdr.bvbackups.useReadOnlyForCloudSqlInstance

backupdr.bvbackups.useReadOnlyForFilestoreInstance

backupdr.bvdataSources.get

backupdr.bvdataSources.list

backupdr.bvdataSources.useReadOnlyForAlloydbCluster

backupdr.bvdataSources.useReadOnlyForCloudSqlInstance

backupdr.compute.restoreFromBackupVault

backupdr.dataSourceReferences.*

  • backupdr.dataSourceReferences.fetchForAlloydbCluster
  • backupdr.dataSourceReferences.fetchForCloudSqlInstance
  • backupdr.dataSourceReferences.fetchForFilestoreInstance
  • backupdr.dataSourceReferences.getForAlloydbCluster
  • backupdr.dataSourceReferences.getForCloudSqlInstance
  • backupdr.dataSourceReferences.getForFilestoreInstance
  • backupdr.dataSourceReferences.list

backupdr.locations.*

  • backupdr.locations.get
  • backupdr.locations.list

backupdr.managementServers.access

backupdr.managementServers.assignBackupPlans

backupdr.managementServers.backupAccess

backupdr.managementServers.createDynamicProtection

backupdr.managementServers.deleteDynamicProtection

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.getIamPolicy

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.manageApplications

backupdr.managementServers.manageBackupPlans

backupdr.managementServers.manageBackups

backupdr.managementServers.manageClones

backupdr.managementServers.manageHosts

backupdr.managementServers.manageJobs

backupdr.managementServers.manageLiveClones

backupdr.managementServers.manageMigrations

backupdr.managementServers.manageMirroring

backupdr.managementServers.manageMounts

backupdr.managementServers.manageRestores

backupdr.managementServers.manageWorkflows

backupdr.managementServers.refreshWorkflows

backupdr.managementServers.runWorkflows

backupdr.managementServers.testFailOvers

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewBackupServers

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

backupdr.trial.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/backupdr.viewer)

Provides read-only access to all Backup and DR resources.

backupdr.backupPlanAssociations.fetchForAlloydbCluster

backupdr.backupPlanAssociations.fetchForCloudSqlInstance

backupdr.backupPlanAssociations.fetchForComputeDisk

backupdr.backupPlanAssociations.fetchForComputeInstance

backupdr.backupPlanAssociations.fetchForFilestoreInstance

backupdr.backupPlanAssociations.getForAlloydbCluster

backupdr.backupPlanAssociations.getForCloudSqlInstance

backupdr.backupPlanAssociations.getForComputeDisk

backupdr.backupPlanAssociations.getForComputeInstance

backupdr.backupPlanAssociations.getForFilestoreInstance

backupdr.backupPlanAssociations.list

backupdr.backupPlanRevisions.*

  • backupdr.backupPlanRevisions.get
  • backupdr.backupPlanRevisions.list

backupdr.backupPlans.get

backupdr.backupPlans.list

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.bvbackups.fetchForCloudSqlInstance

backupdr.bvbackups.fetchForComputeDisk

backupdr.bvbackups.fetchForComputeInstance

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvdataSources.get

backupdr.bvdataSources.list

backupdr.dataSourceReferences.*

  • backupdr.dataSourceReferences.fetchForAlloydbCluster
  • backupdr.dataSourceReferences.fetchForCloudSqlInstance
  • backupdr.dataSourceReferences.fetchForFilestoreInstance
  • backupdr.dataSourceReferences.getForAlloydbCluster
  • backupdr.dataSourceReferences.getForCloudSqlInstance
  • backupdr.dataSourceReferences.getForFilestoreInstance
  • backupdr.dataSourceReferences.list

backupdr.locations.*

  • backupdr.locations.get
  • backupdr.locations.list

backupdr.managementServers.access

backupdr.managementServers.backupAccess

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.getIamPolicy

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewBackupServers

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

backupdr.trial.get

resourcemanager.projects.get

resourcemanager.projects.list

Ruoli di base

I ruoli di base sono ruoli a livello di progetto precedenti a IAM. Per ulteriori dettagli, consulta la sezione Ruoli di base.

Anche se Backup e RE supporta i seguenti ruoli di base, ti consigliamo di utilizzare uno dei ruoli predefiniti, se possibile. I ruoli di base includono autorizzazioni generali che si applicano a tutte le tue risorse Google Cloud ; al contrario, i ruoli predefiniti di Backup e RE includono autorizzazioni granulari che si applicano solo a Backup e RE.

Ruolo IAM di base Descrizione
Editor
(roles/editor)		 Fornisce l'accesso completo a tutte le risorse di Backup e DR.
Proprietario
(roles/owner)		 Fornisce l'accesso completo a tutte le risorse di Backup e DR.

Autorizzazioni IAM per il servizio di Backup e DR

La tabella seguente elenca le autorizzazioni IAM associate al servizio di backup e DR. Le autorizzazioni IAM sono raggruppate in ruoli e tu assegni ruoli a utenti e gruppi.

La tabella seguente elenca la descrizione di ciascuna autorizzazione Backup and RE.

Nome autorizzazione Descrizione
backupdr.managementServers.manageClones Fornisce le autorizzazioni per creare e gestire cloni dai backup.
backupdr.managementServers.manageLiveClones Fornisce le autorizzazioni per creare e gestire LiveClone dai backup.
backupdr.managementServers.manageMounts Fornisce le autorizzazioni per creare e gestire i montaggi attivi dai backup.
backupdr.managementServers.manageRestores Fornisce le autorizzazioni necessarie per il ripristino dai backup.
backupdr.managementServers.manageBackups Fornisce le autorizzazioni per eseguire operazioni di backup: Esegui backup ora.
backupdr.managementServers.viewSystem Fornisce l'accesso per visualizzare la configurazione dell'appliance di backup/ripristino.
backupdr.managementServers.manageSystem Fornisce le autorizzazioni per configurare le appliance di backup/recupero e Report Manager.
backupdr.managementServers.viewStorage Fornisci l'accesso per visualizzare le configurazioni di archiviazione e dei pool di dischi.
backupdr.managementServers.manageStorage Fornisce le autorizzazioni per aggiungere, modificare, rimuovere e visualizzare pool di archiviazione e dischi.
backupdr.managementServers.viewBackupPlans Fornisce l'accesso per visualizzare i piani di backup, i modelli di backup e i profili delle risorse.
backupdr.managementServers.assignBackupPlans Fornisce le autorizzazioni per assegnare piani di backup preconfigurati (modelli di backup e profili delle risorse) ad applicazioni o workload.
backupdr.managementServers.manageBackupPlans Fornisce le autorizzazioni per creare, modificare, eliminare, visualizzare e assegnare piani di backup, ovvero modelli di backup e profili delle risorse.
backupdr.managementServers.testFailOvers Fornisce le autorizzazioni per eseguire il failover di test ed eliminare le operazioni di failover di test su un backup StreamSnap remoto.
backupdr.managementServers.viewWorkflows Fornisci l'accesso per visualizzare i flussi di lavoro di backup e DR che automatizzano l'accesso per copiare i dati all'interno del servizio di Backup e DR.
backupdr.managementServers.runWorkflows Fornisce le autorizzazioni per eseguire un flusso di lavoro Backup e DR preconfigurato che automatizza l'accesso per copiare i dati all'interno del servizio Backup e DR.
backupdr.managementServers.refreshWorkflows Fornisce le autorizzazioni per aggiornare un clone creato da un flusso di lavoro di backup di Backup e DR che automatizza l'accesso per copiare i dati all'interno del servizio Backup e DR.
backupdr.managementServers.manageWorkflows Fornisce le autorizzazioni per aggiungere, modificare, rimuovere, eseguire e visualizzare il flusso di lavoro di backup di Backup e DR che automatizza l'accesso per copiare i dati all'interno del servizio di Backup e DR.
backupdr.managementServers.manageMirroring Fornisce le autorizzazioni per eseguire operazioni di failover, sincronizzazione inversa, pulizia, failback, test di failover ed eliminazione del test di failover su un backup StreamSnap remoto.
backupdr.managementServers.manageHosts Fornisce le autorizzazioni per aggiungere, modificare, rimuovere e visualizzare host, macchine fisiche e virtuali
backupdr.managementServers.manageApplications Fornisce le autorizzazioni per gestire tutti gli aspetti delle applicazioni, inclusi gruppi logici e gruppi di coerenza, eseguire backup on demand ed esportare modelli.
backupdr.managementServers.manageSensitiveData Fornisce le autorizzazioni necessarie per contrassegnare applicazioni e backup come dati sensibili o non sensibili.
backupdr.managementServers.accessSensitiveData Fornisce l'accesso ad applicazioni e backup contrassegnati come sensibili.
backupdr.managementServers.manageBackupServers Fornisce le autorizzazioni necessarie per eseguire le API del server di backup tramite la console di gestione.
backupdr.managementServers.manageExpiration Fornisce le autorizzazioni necessarie per far scadere i backup.
backupdr.managementServers.access Fornisce l'accesso alla console di gestione e alle API associate.
backupdr.managementServers.onpremUsageUpload Fornisce l'accesso a tutti gli endpoint necessari per caricare l'utilizzo in un adattatore on-premise.
backupdr.managementServers.viewReports Fornisce l'accesso a Report Manager per eseguire i report e visualizzare o scaricare l'output.
backupdr.managementServers.manageJobs Fornisce le autorizzazioni per annullare i job e modificare la priorità dei job.
backupdr.managementServers.manageMigrations Fornisce le autorizzazioni per gestire la migrazione dei dati montati come passaggio finale di un'operazione di ripristino o clonazione.

Autorizzazioni richieste per l'utilizzo di CMEK

Per informazioni sulle autorizzazioni richieste per utilizzare CMEK, consulta Chiavi di crittografia gestite dal cliente (CMEK).