本頁面由 Cloud Translation API 翻譯而成。

使用 IAM 控管備份和災難復原服務的存取權

本頁面列出Google Cloud 備份與 DR 服務所需的 IAM 角色和權限。在專案中新增主體時，可以使用身分與存取權管理 (IAM) 政策，為該主體提供一或多個 IAM 角色。每個 IAM 角色都包含權限，可授予主體權限，對特定資源執行特定動作。如需備份和災難復原服務適用的 IAM 權限參考清單，請參閱「備份和災難復原服務適用的 IAM 權限」。

IAM 如何控管存取權

如果主體 (使用者、群組或服務帳戶) 呼叫 Google Cloud API，該主體必須具備適當的 IAM 權限，才能使用資源。如要授予主體必要權限，請將 IAM 角色授予主體。進一步瞭解 IAM 中的主體。

IAM 角色類型

備份和災難復原服務有預先定義的角色，這些角色是權限組合，可指派給不同主體。使用者也可以定義自訂角色，這些角色可具備個別權限組合，以授予執行特定 Backup and DR 工作流程或動作的存取權。

IAM 權限

擁有權限的使用者才能對特定資源執行特定操作。權限可以分組形成角色。每項權限都代表使用者可執行的特定動作或可存取的內容。

專案層級與資源層級權限

您可以在專案層級或資源層級授予權限。舉例來說，備份和災難復原管理員可以根據政策，選擇只在儲存空間值區層級授予特定權限，而非整個專案。在資源層級授予角色不會影響您在專案層級授予的任何現有角色，反之亦然。

備份和災難復原服務的預先定義 IAM 角色

Backup and DR Service 具有一組預先定義的 IAM 角色，本頁面將說明這些角色。您也可以建立自訂角色，並為其指定符合需求的權限子集。

下表說明與 Backup and DR Service 相關聯的 IAM 角色，並列出每個角色所包含的權限。如要查看各項權限的說明，請參閱「備份與災難復原服務的 IAM 權限」一節。

Role Permissions

Role	Permissions
Backup and DR Admin (`roles/backupdr.admin`) Provides full access to all Backup and DR resources.	`backupdr.backupPlanAssociations.` `backupdr.backupPlanAssociations.createForAlloydbCluster` `backupdr.backupPlanAssociations.createForCloudSqlInstance` `backupdr.backupPlanAssociations.createForComputeDisk` `backupdr.backupPlanAssociations.createForComputeInstance` `backupdr.backupPlanAssociations.createForFilestoreInstance` `backupdr.backupPlanAssociations.deleteForAlloydbCluster` `backupdr.backupPlanAssociations.deleteForCloudSqlInstance` `backupdr.backupPlanAssociations.deleteForComputeDisk` `backupdr.backupPlanAssociations.deleteForComputeInstance` `backupdr.backupPlanAssociations.deleteForFilestoreInstance` `backupdr.backupPlanAssociations.fetchForAlloydbCluster` `backupdr.backupPlanAssociations.fetchForCloudSqlInstance` `backupdr.backupPlanAssociations.fetchForComputeDisk` `backupdr.backupPlanAssociations.fetchForComputeInstance` `backupdr.backupPlanAssociations.fetchForFilestoreInstance` `backupdr.backupPlanAssociations.getForAlloydbCluster` `backupdr.backupPlanAssociations.getForCloudSqlInstance` `backupdr.backupPlanAssociations.getForComputeDisk` `backupdr.backupPlanAssociations.getForComputeInstance` `backupdr.backupPlanAssociations.getForFilestoreInstance` `backupdr.backupPlanAssociations.list` `backupdr.backupPlanAssociations.triggerBackupForAlloydbCluster` `backupdr.backupPlanAssociations.triggerBackupForCloudSqlInstance` `backupdr.backupPlanAssociations.triggerBackupForComputeDisk` `backupdr.backupPlanAssociations.triggerBackupForComputeInstance` `backupdr.backupPlanAssociations.triggerBackupForFilestoreInstance` `backupdr.backupPlanAssociations.updateForAlloydbCluster` `backupdr.backupPlanAssociations.updateForComputeDisk` `backupdr.backupPlanAssociations.updateForComputeInstance` `backupdr.backupPlanAssociations.updateForFilestoreInstance` `backupdr.backupPlanRevisions.` `backupdr.backupPlanRevisions.get` `backupdr.backupPlanRevisions.list` `backupdr.backupPlans.` `backupdr.backupPlans.create` `backupdr.backupPlans.delete` `backupdr.backupPlans.get` `backupdr.backupPlans.list` `backupdr.backupPlans.update` `backupdr.backupPlans.useForAlloydbCluster` `backupdr.backupPlans.useForCloudSqlInstance` `backupdr.backupPlans.useForComputeDisk` `backupdr.backupPlans.useForComputeInstance` `backupdr.backupPlans.useForFilestoreInstance` `backupdr.backupVaults.` `backupdr.backupVaults.associate` `backupdr.backupVaults.create` `backupdr.backupVaults.delete` `backupdr.backupVaults.get` `backupdr.backupVaults.list` `backupdr.backupVaults.update` `backupdr.bvbackups.` `backupdr.bvbackups.delete` `backupdr.bvbackups.fetchForCloudSqlInstance` `backupdr.bvbackups.fetchForComputeDisk` `backupdr.bvbackups.fetchForComputeInstance` `backupdr.bvbackups.get` `backupdr.bvbackups.list` `backupdr.bvbackups.restore` `backupdr.bvbackups.update` `backupdr.bvbackups.useReadOnlyForAlloydbCluster` `backupdr.bvbackups.useReadOnlyForCloudSqlInstance` `backupdr.bvbackups.useReadOnlyForFilestoreInstance` `backupdr.bvdataSources.` `backupdr.bvdataSources.abandonBackup` `backupdr.bvdataSources.fetchAccessToken` `backupdr.bvdataSources.finalizeBackup` `backupdr.bvdataSources.get` `backupdr.bvdataSources.initiateBackup` `backupdr.bvdataSources.list` `backupdr.bvdataSources.remove` `backupdr.bvdataSources.setInternalStatus` `backupdr.bvdataSources.update` `backupdr.bvdataSources.useReadOnlyForAlloydbCluster` `backupdr.bvdataSources.useReadOnlyForCloudSqlInstance` `backupdr.compute.restoreFromBackupVault` `backupdr.dataSourceReferences.` `backupdr.dataSourceReferences.fetchForAlloydbCluster` `backupdr.dataSourceReferences.fetchForCloudSqlInstance` `backupdr.dataSourceReferences.fetchForFilestoreInstance` `backupdr.dataSourceReferences.getForAlloydbCluster` `backupdr.dataSourceReferences.getForCloudSqlInstance` `backupdr.dataSourceReferences.getForFilestoreInstance` `backupdr.dataSourceReferences.list` `backupdr.locations.` `backupdr.locations.get` `backupdr.locations.list` `backupdr.managementServers.` `backupdr.managementServers.access` `backupdr.managementServers.accessSensitiveData` `backupdr.managementServers.assignBackupPlans` `backupdr.managementServers.backupAccess` `backupdr.managementServers.create` `backupdr.managementServers.createConnection` `backupdr.managementServers.createDynamicProtection` `backupdr.managementServers.delete` `backupdr.managementServers.deleteDynamicProtection` `backupdr.managementServers.get` `backupdr.managementServers.getDynamicProtection` `backupdr.managementServers.getIamPolicy` `backupdr.managementServers.list` `backupdr.managementServers.listDynamicProtection` `backupdr.managementServers.manageApplications` `backupdr.managementServers.manageBackupPlans` `backupdr.managementServers.manageBackupServers` `backupdr.managementServers.manageBackups` `backupdr.managementServers.manageClones` `backupdr.managementServers.manageExpiration` `backupdr.managementServers.manageHosts` `backupdr.managementServers.manageInternalACL` `backupdr.managementServers.manageJobs` `backupdr.managementServers.manageLiveClones` `backupdr.managementServers.manageMigrations` `backupdr.managementServers.manageMirroring` `backupdr.managementServers.manageMounts` `backupdr.managementServers.manageRestores` `backupdr.managementServers.manageSensitiveData` `backupdr.managementServers.manageStorage` `backupdr.managementServers.manageSystem` `backupdr.managementServers.manageWorkflows` `backupdr.managementServers.refreshWorkflows` `backupdr.managementServers.runWorkflows` `backupdr.managementServers.setIamPolicy` `backupdr.managementServers.testFailOvers` `backupdr.managementServers.viewBackupPlans` `backupdr.managementServers.viewBackupServers` `backupdr.managementServers.viewReports` `backupdr.managementServers.viewStorage` `backupdr.managementServers.viewSystem` `backupdr.managementServers.viewWorkflows` `backupdr.operations.` `backupdr.operations.cancel` `backupdr.operations.delete` `backupdr.operations.get` `backupdr.operations.list` `backupdr.serviceConfig.initialize` `backupdr.trial.*` `backupdr.trial.end` `backupdr.trial.get` `backupdr.trial.subscribe` `resourcemanager.projects.get` `resourcemanager.projects.list`
Backup and DR Backup Config Viewer ^Beta (`roles/backupdr.backupConfigViewer`) Provides read access to resource backup config. Resource backup config has the metadata of a Google Cloud resource that can be backed up, along with its backup configurations.	`backupdr.locations.list` `backupdr.resourceBackupConfigs.*` `backupdr.resourceBackupConfigs.get` `backupdr.resourceBackupConfigs.list`
Backup and DR Backup User (`roles/backupdr.backupUser`) Allows the user to apply existing backup plans. This role cannot create backup plans or restore from a backup.	`backupdr.backupPlanAssociations.` `backupdr.backupPlanAssociations.createForAlloydbCluster` `backupdr.backupPlanAssociations.createForCloudSqlInstance` `backupdr.backupPlanAssociations.createForComputeDisk` `backupdr.backupPlanAssociations.createForComputeInstance` `backupdr.backupPlanAssociations.createForFilestoreInstance` `backupdr.backupPlanAssociations.deleteForAlloydbCluster` `backupdr.backupPlanAssociations.deleteForCloudSqlInstance` `backupdr.backupPlanAssociations.deleteForComputeDisk` `backupdr.backupPlanAssociations.deleteForComputeInstance` `backupdr.backupPlanAssociations.deleteForFilestoreInstance` `backupdr.backupPlanAssociations.fetchForAlloydbCluster` `backupdr.backupPlanAssociations.fetchForCloudSqlInstance` `backupdr.backupPlanAssociations.fetchForComputeDisk` `backupdr.backupPlanAssociations.fetchForComputeInstance` `backupdr.backupPlanAssociations.fetchForFilestoreInstance` `backupdr.backupPlanAssociations.getForAlloydbCluster` `backupdr.backupPlanAssociations.getForCloudSqlInstance` `backupdr.backupPlanAssociations.getForComputeDisk` `backupdr.backupPlanAssociations.getForComputeInstance` `backupdr.backupPlanAssociations.getForFilestoreInstance` `backupdr.backupPlanAssociations.list` `backupdr.backupPlanAssociations.triggerBackupForAlloydbCluster` `backupdr.backupPlanAssociations.triggerBackupForCloudSqlInstance` `backupdr.backupPlanAssociations.triggerBackupForComputeDisk` `backupdr.backupPlanAssociations.triggerBackupForComputeInstance` `backupdr.backupPlanAssociations.triggerBackupForFilestoreInstance` `backupdr.backupPlanAssociations.updateForAlloydbCluster` `backupdr.backupPlanAssociations.updateForComputeDisk` `backupdr.backupPlanAssociations.updateForComputeInstance` `backupdr.backupPlanAssociations.updateForFilestoreInstance` `backupdr.backupPlanRevisions.` `backupdr.backupPlanRevisions.get` `backupdr.backupPlanRevisions.list` `backupdr.backupPlans.get` `backupdr.backupPlans.list` `backupdr.backupPlans.useForAlloydbCluster` `backupdr.backupPlans.useForCloudSqlInstance` `backupdr.backupPlans.useForComputeDisk` `backupdr.backupPlans.useForComputeInstance` `backupdr.backupPlans.useForFilestoreInstance` `backupdr.backupVaults.get` `backupdr.backupVaults.list` `backupdr.bvbackups.fetchForCloudSqlInstance` `backupdr.bvbackups.fetchForComputeDisk` `backupdr.bvbackups.fetchForComputeInstance` `backupdr.bvbackups.get` `backupdr.bvbackups.list` `backupdr.bvdataSources.get` `backupdr.bvdataSources.list` `backupdr.dataSourceReferences.` `backupdr.dataSourceReferences.fetchForAlloydbCluster` `backupdr.dataSourceReferences.fetchForCloudSqlInstance` `backupdr.dataSourceReferences.fetchForFilestoreInstance` `backupdr.dataSourceReferences.getForAlloydbCluster` `backupdr.dataSourceReferences.getForCloudSqlInstance` `backupdr.dataSourceReferences.getForFilestoreInstance` `backupdr.dataSourceReferences.list` `backupdr.locations.` `backupdr.locations.get` `backupdr.locations.list` `backupdr.managementServers.access` `backupdr.managementServers.assignBackupPlans` `backupdr.managementServers.createDynamicProtection` `backupdr.managementServers.deleteDynamicProtection` `backupdr.managementServers.get` `backupdr.managementServers.getDynamicProtection` `backupdr.managementServers.list` `backupdr.managementServers.listDynamicProtection` `backupdr.managementServers.manageApplications` `backupdr.managementServers.manageBackups` `backupdr.managementServers.manageHosts` `backupdr.managementServers.viewBackupPlans` `backupdr.managementServers.viewReports` `backupdr.managementServers.viewStorage` `backupdr.managementServers.viewSystem` `backupdr.operations.get` `backupdr.operations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Backup and DR Backup Vault Accessor (`roles/backupdr.backupvaultAccessor`) Allows the Backup Appliance permissions to create and manage backups in a backup vault.	`backupdr.backupVaults.get` `backupdr.backupVaults.list` `backupdr.bvbackups.delete` `backupdr.bvbackups.get` `backupdr.bvbackups.list` `backupdr.bvbackups.update` `backupdr.bvdataSources.abandonBackup` `backupdr.bvdataSources.fetchAccessToken` `backupdr.bvdataSources.finalizeBackup` `backupdr.bvdataSources.get` `backupdr.bvdataSources.initiateBackup` `backupdr.bvdataSources.list` `backupdr.bvdataSources.remove` `backupdr.bvdataSources.setInternalStatus` `backupdr.bvdataSources.update` `backupdr.operations.*` `backupdr.operations.cancel` `backupdr.operations.delete` `backupdr.operations.get` `backupdr.operations.list`
Backup and DR Backup Vault Admin (`roles/backupdr.backupvaultAdmin`) Allows the Backup Appliance full administrative control of backup vault resources.	`backupdr.backupVaults.` `backupdr.backupVaults.associate` `backupdr.backupVaults.create` `backupdr.backupVaults.delete` `backupdr.backupVaults.get` `backupdr.backupVaults.list` `backupdr.backupVaults.update` `backupdr.bvbackups.delete` `backupdr.bvbackups.get` `backupdr.bvbackups.list` `backupdr.bvbackups.restore` `backupdr.bvbackups.update` `backupdr.bvdataSources.get` `backupdr.bvdataSources.list` `backupdr.bvdataSources.update` `backupdr.compute.restoreFromBackupVault` `backupdr.locations.` `backupdr.locations.get` `backupdr.locations.list` `backupdr.operations.*` `backupdr.operations.cancel` `backupdr.operations.delete` `backupdr.operations.get` `backupdr.operations.list`
Backup and DR Backup Vault Lister (`roles/backupdr.backupvaultLister`) Allows the Backup Appliance permission to list backup vaults in a given project.	`backupdr.backupVaults.list`
Backup and DR Backup Vault Viewer (`roles/backupdr.backupvaultViewer`) Allows read-only permissions to access backup vault resources and backups.	`backupdr.backupVaults.get` `backupdr.backupVaults.list` `backupdr.bvbackups.get` `backupdr.bvbackups.list` `backupdr.bvdataSources.get` `backupdr.bvdataSources.list` `backupdr.operations.get` `backupdr.operations.list`
Backup and DR Cloud SQL Operator ^Beta (`roles/backupdr.cloudSqlOperator`) Allows a Backup and DR service account to discover and backup Cloud SQL instances.	`cloudsql.instances.createBackupDrBackup` `cloudsql.instances.get`
Backup and DR Cloud Storage Operator (`roles/backupdr.cloudStorageOperator`) Allows a Backup and DR service account to store and manage data (backups or metadata) in Cloud Storage.	`storage.buckets.create` `storage.buckets.get` `storage.objects.create` `storage.objects.delete` `storage.objects.get` `storage.objects.list`
Backup and DR Compute Engine Operator (`roles/backupdr.computeEngineOperator`) Allows a Backup and DR service account to discover, back up, and restore Compute Engine VM instances.	`backupdr.managementServers.createConnection` `compute.addresses.list` `compute.addresses.use` `compute.addresses.useInternal` `compute.diskTypes.` `compute.diskTypes.get` `compute.diskTypes.list` `compute.disks.create` `compute.disks.createSnapshot` `compute.disks.delete` `compute.disks.get` `compute.disks.setLabels` `compute.disks.use` `compute.disks.useReadOnly` `compute.firewalls.list` `compute.globalOperations.get` `compute.images.create` `compute.images.delete` `compute.images.get` `compute.images.useReadOnly` `compute.instances.attachDisk` `compute.instances.create` `compute.instances.createTagBinding` `compute.instances.delete` `compute.instances.detachDisk` `compute.instances.get` `compute.instances.list` `compute.instances.listEffectiveTags` `compute.instances.pscInterfaceCreate` `compute.instances.setDeletionProtection` `compute.instances.setLabels` `compute.instances.setMetadata` `compute.instances.setServiceAccount` `compute.instances.setTags` `compute.instances.start` `compute.instances.stop` `compute.instances.updateDisplayDevice` `compute.instances.useReadOnly` `compute.machineTypes.` `compute.machineTypes.get` `compute.machineTypes.list` `compute.networks.list` `compute.nodeGroups.get` `compute.nodeGroups.list` `compute.nodeTemplates.get` `compute.projects.get` `compute.regionOperations.get` `compute.regions.*` `compute.regions.get` `compute.regions.list` `compute.resourcePolicies.use` `compute.snapshots.create` `compute.snapshots.delete` `compute.snapshots.get` `compute.snapshots.setLabels` `compute.snapshots.useReadOnly` `compute.subnetworks.list` `compute.subnetworks.use` `compute.subnetworks.useExternalIp` `compute.zoneOperations.get` `compute.zones.list` `iam.serviceAccounts.actAs` `iam.serviceAccounts.get` `iam.serviceAccounts.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Backup and DR Disk Operator ^Beta (`roles/backupdr.diskOperator`) Allows a Backup and DR service account to store and manage data (backups or metadata) in Disk.	`compute.disks.create` `compute.disks.createSnapshot` `compute.disks.createTagBinding` `compute.disks.get` `compute.disks.list` `compute.disks.setLabels` `compute.disks.useReadOnly` `compute.regionOperations.get` `compute.resourcePolicies.use` `compute.snapshots.setLabels` `compute.snapshots.useReadOnly` `compute.storagePools.use` `compute.zoneOperations.get`
Backup and DR Filestore Operator ^Beta (`roles/backupdr.filestoreOperator`) Allows a Backup and DR service account to discover and backup Filestore instances.	`file.backups.create` `file.instances.get`
Backup and DR Management Server Accessor (`roles/backupdr.managementServerAccessor`) Grants the Backup and DR management server access role to Backup Appliances.	`backupdr.managementServers.createConnection`
Backup and DR Mount User (`roles/backupdr.mountUser`) Allows the user to mount from a backup. This role cannot create a backup plan or restore from a backup.	`backupdr.locations.*` `backupdr.locations.get` `backupdr.locations.list` `backupdr.managementServers.access` `backupdr.managementServers.get` `backupdr.managementServers.getDynamicProtection` `backupdr.managementServers.list` `backupdr.managementServers.listDynamicProtection` `backupdr.managementServers.manageApplications` `backupdr.managementServers.manageClones` `backupdr.managementServers.manageHosts` `backupdr.managementServers.manageLiveClones` `backupdr.managementServers.manageMirroring` `backupdr.managementServers.manageMounts` `backupdr.managementServers.manageWorkflows` `backupdr.managementServers.refreshWorkflows` `backupdr.managementServers.runWorkflows` `backupdr.managementServers.viewBackupPlans` `backupdr.managementServers.viewReports` `backupdr.managementServers.viewStorage` `backupdr.managementServers.viewSystem` `backupdr.managementServers.viewWorkflows` `backupdr.operations.get` `backupdr.operations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Backup and DR Restore User (`roles/backupdr.restoreUser`) Allows the user to restore or mount from a backup. This role cannot create a backup plan.	`backupdr.backupVaults.get` `backupdr.backupVaults.list` `backupdr.bvbackups.fetchForCloudSqlInstance` `backupdr.bvbackups.fetchForComputeDisk` `backupdr.bvbackups.fetchForComputeInstance` `backupdr.bvbackups.get` `backupdr.bvbackups.list` `backupdr.bvbackups.restore` `backupdr.bvbackups.useReadOnlyForAlloydbCluster` `backupdr.bvbackups.useReadOnlyForCloudSqlInstance` `backupdr.bvbackups.useReadOnlyForFilestoreInstance` `backupdr.bvdataSources.get` `backupdr.bvdataSources.list` `backupdr.bvdataSources.useReadOnlyForAlloydbCluster` `backupdr.bvdataSources.useReadOnlyForCloudSqlInstance` `backupdr.compute.restoreFromBackupVault` `backupdr.dataSourceReferences.` `backupdr.dataSourceReferences.fetchForAlloydbCluster` `backupdr.dataSourceReferences.fetchForCloudSqlInstance` `backupdr.dataSourceReferences.fetchForFilestoreInstance` `backupdr.dataSourceReferences.getForAlloydbCluster` `backupdr.dataSourceReferences.getForCloudSqlInstance` `backupdr.dataSourceReferences.getForFilestoreInstance` `backupdr.dataSourceReferences.list` `backupdr.locations.` `backupdr.locations.get` `backupdr.locations.list` `backupdr.managementServers.access` `backupdr.managementServers.get` `backupdr.managementServers.getDynamicProtection` `backupdr.managementServers.list` `backupdr.managementServers.listDynamicProtection` `backupdr.managementServers.manageApplications` `backupdr.managementServers.manageClones` `backupdr.managementServers.manageHosts` `backupdr.managementServers.manageLiveClones` `backupdr.managementServers.manageMigrations` `backupdr.managementServers.manageMirroring` `backupdr.managementServers.manageMounts` `backupdr.managementServers.manageRestores` `backupdr.managementServers.manageWorkflows` `backupdr.managementServers.refreshWorkflows` `backupdr.managementServers.runWorkflows` `backupdr.managementServers.testFailOvers` `backupdr.managementServers.viewBackupPlans` `backupdr.managementServers.viewReports` `backupdr.managementServers.viewStorage` `backupdr.managementServers.viewSystem` `backupdr.managementServers.viewWorkflows` `backupdr.operations.get` `backupdr.operations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Backup and DR Service Agent (`roles/backupdr.serviceAgent`) Grants the Backup and DR Service access to protect Compute Engine instances. Warning: Do not grant service agent roles to any principals except service agents.	`alloydb.operations.get` `cloudsql.instances.createBackupDrBackup` `cloudsql.instances.get` `compute.addresses.list` `compute.addresses.use` `compute.addresses.useInternal` `compute.diskTypes.` `compute.diskTypes.get` `compute.diskTypes.list` `compute.disks.create` `compute.disks.createSnapshot` `compute.disks.delete` `compute.disks.get` `compute.disks.list` `compute.disks.setLabels` `compute.disks.use` `compute.disks.useReadOnly` `compute.firewalls.list` `compute.globalOperations.get` `compute.images.create` `compute.images.delete` `compute.images.get` `compute.images.useReadOnly` `compute.instances.attachDisk` `compute.instances.create` `compute.instances.delete` `compute.instances.detachDisk` `compute.instances.get` `compute.instances.list` `compute.instances.setLabels` `compute.instances.setMetadata` `compute.instances.setServiceAccount` `compute.instances.setTags` `compute.instances.start` `compute.instances.stop` `compute.instances.useReadOnly` `compute.machineTypes.` `compute.machineTypes.get` `compute.machineTypes.list` `compute.networks.list` `compute.nodeGroups.get` `compute.nodeGroups.list` `compute.nodeTemplates.get` `compute.projects.get` `compute.regionOperations.get` `compute.regions.*` `compute.regions.get` `compute.regions.list` `compute.snapshots.create` `compute.snapshots.delete` `compute.snapshots.get` `compute.snapshots.setLabels` `compute.snapshots.useReadOnly` `compute.subnetworks.list` `compute.subnetworks.use` `compute.subnetworks.useExternalIp` `compute.zoneOperations.get` `compute.zones.list` `file.backups.create` `file.instances.get` `iam.serviceAccounts.actAs` `iam.serviceAccounts.get` `iam.serviceAccounts.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Backup and DR User (`roles/backupdr.user`) Provides access to management console. Granular Backup and DR permissions depend on ACL configuration provided by Backup and DR admin within the management console.	`backupdr.backupPlanAssociations.createForComputeInstance` `backupdr.backupPlanAssociations.deleteForComputeInstance` `backupdr.backupPlanAssociations.updateForComputeInstance` `backupdr.managementServers.access` `backupdr.managementServers.backupAccess` `backupdr.managementServers.get` `backupdr.managementServers.getDynamicProtection` `backupdr.managementServers.getIamPolicy` `backupdr.managementServers.list` `backupdr.managementServers.listDynamicProtection` `backupdr.managementServers.viewBackupPlans` `backupdr.managementServers.viewBackupServers` `backupdr.managementServers.viewReports` `backupdr.managementServers.viewStorage` `backupdr.managementServers.viewSystem` `backupdr.managementServers.viewWorkflows` `backupdr.operations.get` `backupdr.operations.list` `backupdr.trial.get` `resourcemanager.projects.get` `resourcemanager.projects.list`
Backup and DR User V2 (`roles/backupdr.userv2`) Provides full access to Backup and DR resources except deploying and managing backup infrastructure, expiring backups, changing data sensitivity and configuring on-premises billing.	`backupdr.backupPlanAssociations.` `backupdr.backupPlanAssociations.createForAlloydbCluster` `backupdr.backupPlanAssociations.createForCloudSqlInstance` `backupdr.backupPlanAssociations.createForComputeDisk` `backupdr.backupPlanAssociations.createForComputeInstance` `backupdr.backupPlanAssociations.createForFilestoreInstance` `backupdr.backupPlanAssociations.deleteForAlloydbCluster` `backupdr.backupPlanAssociations.deleteForCloudSqlInstance` `backupdr.backupPlanAssociations.deleteForComputeDisk` `backupdr.backupPlanAssociations.deleteForComputeInstance` `backupdr.backupPlanAssociations.deleteForFilestoreInstance` `backupdr.backupPlanAssociations.fetchForAlloydbCluster` `backupdr.backupPlanAssociations.fetchForCloudSqlInstance` `backupdr.backupPlanAssociations.fetchForComputeDisk` `backupdr.backupPlanAssociations.fetchForComputeInstance` `backupdr.backupPlanAssociations.fetchForFilestoreInstance` `backupdr.backupPlanAssociations.getForAlloydbCluster` `backupdr.backupPlanAssociations.getForCloudSqlInstance` `backupdr.backupPlanAssociations.getForComputeDisk` `backupdr.backupPlanAssociations.getForComputeInstance` `backupdr.backupPlanAssociations.getForFilestoreInstance` `backupdr.backupPlanAssociations.list` `backupdr.backupPlanAssociations.triggerBackupForAlloydbCluster` `backupdr.backupPlanAssociations.triggerBackupForCloudSqlInstance` `backupdr.backupPlanAssociations.triggerBackupForComputeDisk` `backupdr.backupPlanAssociations.triggerBackupForComputeInstance` `backupdr.backupPlanAssociations.triggerBackupForFilestoreInstance` `backupdr.backupPlanAssociations.updateForAlloydbCluster` `backupdr.backupPlanAssociations.updateForComputeDisk` `backupdr.backupPlanAssociations.updateForComputeInstance` `backupdr.backupPlanAssociations.updateForFilestoreInstance` `backupdr.backupPlanRevisions.` `backupdr.backupPlanRevisions.get` `backupdr.backupPlanRevisions.list` `backupdr.backupPlans.` `backupdr.backupPlans.create` `backupdr.backupPlans.delete` `backupdr.backupPlans.get` `backupdr.backupPlans.list` `backupdr.backupPlans.update` `backupdr.backupPlans.useForAlloydbCluster` `backupdr.backupPlans.useForCloudSqlInstance` `backupdr.backupPlans.useForComputeDisk` `backupdr.backupPlans.useForComputeInstance` `backupdr.backupPlans.useForFilestoreInstance` `backupdr.backupVaults.associate` `backupdr.backupVaults.get` `backupdr.backupVaults.list` `backupdr.bvbackups.fetchForCloudSqlInstance` `backupdr.bvbackups.fetchForComputeDisk` `backupdr.bvbackups.fetchForComputeInstance` `backupdr.bvbackups.get` `backupdr.bvbackups.list` `backupdr.bvbackups.restore` `backupdr.bvbackups.useReadOnlyForAlloydbCluster` `backupdr.bvbackups.useReadOnlyForCloudSqlInstance` `backupdr.bvbackups.useReadOnlyForFilestoreInstance` `backupdr.bvdataSources.get` `backupdr.bvdataSources.list` `backupdr.bvdataSources.useReadOnlyForAlloydbCluster` `backupdr.bvdataSources.useReadOnlyForCloudSqlInstance` `backupdr.compute.restoreFromBackupVault` `backupdr.dataSourceReferences.` `backupdr.dataSourceReferences.fetchForAlloydbCluster` `backupdr.dataSourceReferences.fetchForCloudSqlInstance` `backupdr.dataSourceReferences.fetchForFilestoreInstance` `backupdr.dataSourceReferences.getForAlloydbCluster` `backupdr.dataSourceReferences.getForCloudSqlInstance` `backupdr.dataSourceReferences.getForFilestoreInstance` `backupdr.dataSourceReferences.list` `backupdr.locations.*` `backupdr.locations.get` `backupdr.locations.list` `backupdr.managementServers.access` `backupdr.managementServers.assignBackupPlans` `backupdr.managementServers.backupAccess` `backupdr.managementServers.createDynamicProtection` `backupdr.managementServers.deleteDynamicProtection` `backupdr.managementServers.get` `backupdr.managementServers.getDynamicProtection` `backupdr.managementServers.getIamPolicy` `backupdr.managementServers.list` `backupdr.managementServers.listDynamicProtection` `backupdr.managementServers.manageApplications` `backupdr.managementServers.manageBackupPlans` `backupdr.managementServers.manageBackups` `backupdr.managementServers.manageClones` `backupdr.managementServers.manageHosts` `backupdr.managementServers.manageJobs` `backupdr.managementServers.manageLiveClones` `backupdr.managementServers.manageMigrations` `backupdr.managementServers.manageMirroring` `backupdr.managementServers.manageMounts` `backupdr.managementServers.manageRestores` `backupdr.managementServers.manageWorkflows` `backupdr.managementServers.refreshWorkflows` `backupdr.managementServers.runWorkflows` `backupdr.managementServers.testFailOvers` `backupdr.managementServers.viewBackupPlans` `backupdr.managementServers.viewBackupServers` `backupdr.managementServers.viewReports` `backupdr.managementServers.viewStorage` `backupdr.managementServers.viewSystem` `backupdr.managementServers.viewWorkflows` `backupdr.operations.get` `backupdr.operations.list` `backupdr.trial.get` `resourcemanager.projects.get` `resourcemanager.projects.list`
Backup and DR Viewer (`roles/backupdr.viewer`) Provides read-only access to all Backup and DR resources.	`backupdr.backupPlanAssociations.fetchForAlloydbCluster` `backupdr.backupPlanAssociations.fetchForCloudSqlInstance` `backupdr.backupPlanAssociations.fetchForComputeDisk` `backupdr.backupPlanAssociations.fetchForComputeInstance` `backupdr.backupPlanAssociations.fetchForFilestoreInstance` `backupdr.backupPlanAssociations.getForAlloydbCluster` `backupdr.backupPlanAssociations.getForCloudSqlInstance` `backupdr.backupPlanAssociations.getForComputeDisk` `backupdr.backupPlanAssociations.getForComputeInstance` `backupdr.backupPlanAssociations.getForFilestoreInstance` `backupdr.backupPlanAssociations.list` `backupdr.backupPlanRevisions.` `backupdr.backupPlanRevisions.get` `backupdr.backupPlanRevisions.list` `backupdr.backupPlans.get` `backupdr.backupPlans.list` `backupdr.backupVaults.get` `backupdr.backupVaults.list` `backupdr.bvbackups.fetchForCloudSqlInstance` `backupdr.bvbackups.fetchForComputeDisk` `backupdr.bvbackups.fetchForComputeInstance` `backupdr.bvbackups.get` `backupdr.bvbackups.list` `backupdr.bvdataSources.get` `backupdr.bvdataSources.list` `backupdr.dataSourceReferences.` `backupdr.dataSourceReferences.fetchForAlloydbCluster` `backupdr.dataSourceReferences.fetchForCloudSqlInstance` `backupdr.dataSourceReferences.fetchForFilestoreInstance` `backupdr.dataSourceReferences.getForAlloydbCluster` `backupdr.dataSourceReferences.getForCloudSqlInstance` `backupdr.dataSourceReferences.getForFilestoreInstance` `backupdr.dataSourceReferences.list` `backupdr.locations.*` `backupdr.locations.get` `backupdr.locations.list` `backupdr.managementServers.access` `backupdr.managementServers.backupAccess` `backupdr.managementServers.get` `backupdr.managementServers.getDynamicProtection` `backupdr.managementServers.getIamPolicy` `backupdr.managementServers.list` `backupdr.managementServers.listDynamicProtection` `backupdr.managementServers.viewBackupPlans` `backupdr.managementServers.viewBackupServers` `backupdr.managementServers.viewReports` `backupdr.managementServers.viewStorage` `backupdr.managementServers.viewSystem` `backupdr.managementServers.viewWorkflows` `backupdr.operations.get` `backupdr.operations.list` `backupdr.trial.get` `resourcemanager.projects.get` `resourcemanager.projects.list`

Backup and DR Admin

(roles/backupdr.admin)

Provides full access to all Backup and DR resources.

backupdr.backupPlanAssociations.*

backupdr.backupPlanAssociations.createForAlloydbCluster
backupdr.backupPlanAssociations.createForCloudSqlInstance
backupdr.backupPlanAssociations.createForComputeDisk
backupdr.backupPlanAssociations.createForComputeInstance
backupdr.backupPlanAssociations.createForFilestoreInstance
backupdr.backupPlanAssociations.deleteForAlloydbCluster
backupdr.backupPlanAssociations.deleteForCloudSqlInstance
backupdr.backupPlanAssociations.deleteForComputeDisk
backupdr.backupPlanAssociations.deleteForComputeInstance
backupdr.backupPlanAssociations.deleteForFilestoreInstance
backupdr.backupPlanAssociations.fetchForAlloydbCluster
backupdr.backupPlanAssociations.fetchForCloudSqlInstance
backupdr.backupPlanAssociations.fetchForComputeDisk
backupdr.backupPlanAssociations.fetchForComputeInstance
backupdr.backupPlanAssociations.fetchForFilestoreInstance
backupdr.backupPlanAssociations.getForAlloydbCluster
backupdr.backupPlanAssociations.getForCloudSqlInstance
backupdr.backupPlanAssociations.getForComputeDisk
backupdr.backupPlanAssociations.getForComputeInstance
backupdr.backupPlanAssociations.getForFilestoreInstance
backupdr.backupPlanAssociations.list
backupdr.backupPlanAssociations.triggerBackupForAlloydbCluster
backupdr.backupPlanAssociations.triggerBackupForCloudSqlInstance
backupdr.backupPlanAssociations.triggerBackupForComputeDisk
backupdr.backupPlanAssociations.triggerBackupForComputeInstance
backupdr.backupPlanAssociations.triggerBackupForFilestoreInstance
backupdr.backupPlanAssociations.updateForAlloydbCluster
backupdr.backupPlanAssociations.updateForComputeDisk
backupdr.backupPlanAssociations.updateForComputeInstance
backupdr.backupPlanAssociations.updateForFilestoreInstance

backupdr.backupPlanRevisions.*

backupdr.backupPlanRevisions.get
backupdr.backupPlanRevisions.list

backupdr.backupPlans.*

backupdr.backupPlans.create
backupdr.backupPlans.delete
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.backupPlans.update
backupdr.backupPlans.useForAlloydbCluster
backupdr.backupPlans.useForCloudSqlInstance
backupdr.backupPlans.useForComputeDisk
backupdr.backupPlans.useForComputeInstance
backupdr.backupPlans.useForFilestoreInstance

backupdr.backupVaults.*

backupdr.backupVaults.associate
backupdr.backupVaults.create
backupdr.backupVaults.delete
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.backupVaults.update

backupdr.bvbackups.*

backupdr.bvbackups.delete
backupdr.bvbackups.fetchForCloudSqlInstance
backupdr.bvbackups.fetchForComputeDisk
backupdr.bvbackups.fetchForComputeInstance
backupdr.bvbackups.get
backupdr.bvbackups.list
backupdr.bvbackups.restore
backupdr.bvbackups.update
backupdr.bvbackups.useReadOnlyForAlloydbCluster
backupdr.bvbackups.useReadOnlyForCloudSqlInstance
backupdr.bvbackups.useReadOnlyForFilestoreInstance

backupdr.bvdataSources.*

backupdr.bvdataSources.abandonBackup
backupdr.bvdataSources.fetchAccessToken
backupdr.bvdataSources.finalizeBackup
backupdr.bvdataSources.get
backupdr.bvdataSources.initiateBackup
backupdr.bvdataSources.list
backupdr.bvdataSources.remove
backupdr.bvdataSources.setInternalStatus
backupdr.bvdataSources.update
backupdr.bvdataSources.useReadOnlyForAlloydbCluster
backupdr.bvdataSources.useReadOnlyForCloudSqlInstance

backupdr.compute.restoreFromBackupVault

backupdr.dataSourceReferences.*

backupdr.dataSourceReferences.fetchForAlloydbCluster
backupdr.dataSourceReferences.fetchForCloudSqlInstance
backupdr.dataSourceReferences.fetchForFilestoreInstance
backupdr.dataSourceReferences.getForAlloydbCluster
backupdr.dataSourceReferences.getForCloudSqlInstance
backupdr.dataSourceReferences.getForFilestoreInstance
backupdr.dataSourceReferences.list

backupdr.locations.*

backupdr.locations.get
backupdr.locations.list

backupdr.managementServers.*

backupdr.managementServers.access
backupdr.managementServers.accessSensitiveData
backupdr.managementServers.assignBackupPlans
backupdr.managementServers.backupAccess
backupdr.managementServers.create
backupdr.managementServers.createConnection
backupdr.managementServers.createDynamicProtection
backupdr.managementServers.delete
backupdr.managementServers.deleteDynamicProtection
backupdr.managementServers.get
backupdr.managementServers.getDynamicProtection
backupdr.managementServers.getIamPolicy
backupdr.managementServers.list
backupdr.managementServers.listDynamicProtection
backupdr.managementServers.manageApplications
backupdr.managementServers.manageBackupPlans
backupdr.managementServers.manageBackupServers
backupdr.managementServers.manageBackups
backupdr.managementServers.manageClones
backupdr.managementServers.manageExpiration
backupdr.managementServers.manageHosts
backupdr.managementServers.manageInternalACL
backupdr.managementServers.manageJobs
backupdr.managementServers.manageLiveClones
backupdr.managementServers.manageMigrations
backupdr.managementServers.manageMirroring
backupdr.managementServers.manageMounts
backupdr.managementServers.manageRestores
backupdr.managementServers.manageSensitiveData
backupdr.managementServers.manageStorage
backupdr.managementServers.manageSystem
backupdr.managementServers.manageWorkflows
backupdr.managementServers.refreshWorkflows
backupdr.managementServers.runWorkflows
backupdr.managementServers.setIamPolicy
backupdr.managementServers.testFailOvers
backupdr.managementServers.viewBackupPlans
backupdr.managementServers.viewBackupServers
backupdr.managementServers.viewReports
backupdr.managementServers.viewStorage
backupdr.managementServers.viewSystem
backupdr.managementServers.viewWorkflows

backupdr.operations.*

backupdr.operations.cancel
backupdr.operations.delete
backupdr.operations.get
backupdr.operations.list

backupdr.serviceConfig.initialize

backupdr.trial.*

backupdr.trial.end
backupdr.trial.get
backupdr.trial.subscribe

resourcemanager.projects.get

resourcemanager.projects.list

Backup and DR Backup Config Viewer ^Beta

(roles/backupdr.backupConfigViewer)

Provides read access to resource backup config. Resource backup config has the metadata of a Google Cloud resource that can be backed up, along with its backup configurations.

backupdr.locations.list

backupdr.resourceBackupConfigs.*

backupdr.resourceBackupConfigs.get
backupdr.resourceBackupConfigs.list

Backup and DR Backup User

(roles/backupdr.backupUser)

Allows the user to apply existing backup plans. This role cannot create backup plans or restore from a backup.

backupdr.backupPlanAssociations.*

backupdr.backupPlanAssociations.createForAlloydbCluster
backupdr.backupPlanAssociations.createForCloudSqlInstance
backupdr.backupPlanAssociations.createForComputeDisk
backupdr.backupPlanAssociations.createForComputeInstance
backupdr.backupPlanAssociations.createForFilestoreInstance
backupdr.backupPlanAssociations.deleteForAlloydbCluster
backupdr.backupPlanAssociations.deleteForCloudSqlInstance
backupdr.backupPlanAssociations.deleteForComputeDisk
backupdr.backupPlanAssociations.deleteForComputeInstance
backupdr.backupPlanAssociations.deleteForFilestoreInstance
backupdr.backupPlanAssociations.fetchForAlloydbCluster
backupdr.backupPlanAssociations.fetchForCloudSqlInstance
backupdr.backupPlanAssociations.fetchForComputeDisk
backupdr.backupPlanAssociations.fetchForComputeInstance
backupdr.backupPlanAssociations.fetchForFilestoreInstance
backupdr.backupPlanAssociations.getForAlloydbCluster
backupdr.backupPlanAssociations.getForCloudSqlInstance
backupdr.backupPlanAssociations.getForComputeDisk
backupdr.backupPlanAssociations.getForComputeInstance
backupdr.backupPlanAssociations.getForFilestoreInstance
backupdr.backupPlanAssociations.list
backupdr.backupPlanAssociations.triggerBackupForAlloydbCluster
backupdr.backupPlanAssociations.triggerBackupForCloudSqlInstance
backupdr.backupPlanAssociations.triggerBackupForComputeDisk
backupdr.backupPlanAssociations.triggerBackupForComputeInstance
backupdr.backupPlanAssociations.triggerBackupForFilestoreInstance
backupdr.backupPlanAssociations.updateForAlloydbCluster
backupdr.backupPlanAssociations.updateForComputeDisk
backupdr.backupPlanAssociations.updateForComputeInstance
backupdr.backupPlanAssociations.updateForFilestoreInstance

backupdr.backupPlanRevisions.*

backupdr.backupPlanRevisions.get
backupdr.backupPlanRevisions.list

backupdr.backupPlans.get

backupdr.backupPlans.list

backupdr.backupPlans.useForAlloydbCluster

backupdr.backupPlans.useForCloudSqlInstance

backupdr.backupPlans.useForComputeDisk

backupdr.backupPlans.useForComputeInstance

backupdr.backupPlans.useForFilestoreInstance

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.bvbackups.fetchForCloudSqlInstance

backupdr.bvbackups.fetchForComputeDisk

backupdr.bvbackups.fetchForComputeInstance

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvdataSources.get

backupdr.bvdataSources.list

backupdr.dataSourceReferences.*

backupdr.dataSourceReferences.fetchForAlloydbCluster
backupdr.dataSourceReferences.fetchForCloudSqlInstance
backupdr.dataSourceReferences.fetchForFilestoreInstance
backupdr.dataSourceReferences.getForAlloydbCluster
backupdr.dataSourceReferences.getForCloudSqlInstance
backupdr.dataSourceReferences.getForFilestoreInstance
backupdr.dataSourceReferences.list

backupdr.locations.*

backupdr.locations.get
backupdr.locations.list

backupdr.managementServers.access

backupdr.managementServers.assignBackupPlans

backupdr.managementServers.createDynamicProtection

backupdr.managementServers.deleteDynamicProtection

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.manageApplications

backupdr.managementServers.manageBackups

backupdr.managementServers.manageHosts

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Backup and DR Backup Vault Accessor

(roles/backupdr.backupvaultAccessor)

Allows the Backup Appliance permissions to create and manage backups in a backup vault.

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.bvbackups.delete

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvbackups.update

backupdr.bvdataSources.abandonBackup

backupdr.bvdataSources.fetchAccessToken

backupdr.bvdataSources.finalizeBackup

backupdr.bvdataSources.get

backupdr.bvdataSources.initiateBackup

backupdr.bvdataSources.list

backupdr.bvdataSources.remove

backupdr.bvdataSources.setInternalStatus

backupdr.bvdataSources.update

backupdr.operations.*

backupdr.operations.cancel
backupdr.operations.delete
backupdr.operations.get
backupdr.operations.list

Backup and DR Backup Vault Admin

(roles/backupdr.backupvaultAdmin)

Allows the Backup Appliance full administrative control of backup vault resources.

backupdr.backupVaults.*

backupdr.backupVaults.associate
backupdr.backupVaults.create
backupdr.backupVaults.delete
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.backupVaults.update

backupdr.bvbackups.delete

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvbackups.restore

backupdr.bvbackups.update

backupdr.bvdataSources.get

backupdr.bvdataSources.list

backupdr.bvdataSources.update

backupdr.compute.restoreFromBackupVault

backupdr.locations.*

backupdr.locations.get
backupdr.locations.list

backupdr.operations.*

backupdr.operations.cancel
backupdr.operations.delete
backupdr.operations.get
backupdr.operations.list

Backup and DR Backup Vault Lister

(roles/backupdr.backupvaultLister)

Allows the Backup Appliance permission to list backup vaults in a given project.

backupdr.backupVaults.list

Backup and DR Backup Vault Viewer

(roles/backupdr.backupvaultViewer)

Allows read-only permissions to access backup vault resources and backups.

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvdataSources.get

backupdr.bvdataSources.list

backupdr.operations.get

backupdr.operations.list

Backup and DR Cloud SQL Operator ^Beta

(roles/backupdr.cloudSqlOperator)

Allows a Backup and DR service account to discover and backup Cloud SQL instances.

cloudsql.instances.createBackupDrBackup

cloudsql.instances.get

Backup and DR Cloud Storage Operator

(roles/backupdr.cloudStorageOperator)

Allows a Backup and DR service account to store and manage data (backups or metadata) in Cloud Storage.

storage.buckets.create

storage.buckets.get

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

Backup and DR Compute Engine Operator

(roles/backupdr.computeEngineOperator)

Allows a Backup and DR service account to discover, back up, and restore Compute Engine VM instances.

backupdr.managementServers.createConnection

compute.addresses.list

compute.addresses.use

compute.addresses.useInternal

compute.diskTypes.*

compute.diskTypes.get
compute.diskTypes.list

compute.disks.create

compute.disks.createSnapshot

compute.disks.delete

compute.disks.get

compute.disks.setLabels

compute.disks.use

compute.disks.useReadOnly

compute.firewalls.list

compute.globalOperations.get

compute.images.create

compute.images.delete

compute.images.get

compute.images.useReadOnly

compute.instances.attachDisk

compute.instances.create

compute.instances.createTagBinding

compute.instances.delete

compute.instances.detachDisk

compute.instances.get

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.pscInterfaceCreate

compute.instances.setDeletionProtection

compute.instances.setLabels

compute.instances.setMetadata

compute.instances.setServiceAccount

compute.instances.setTags

compute.instances.start

compute.instances.stop

compute.instances.updateDisplayDevice

compute.instances.useReadOnly

compute.machineTypes.*

compute.machineTypes.get
compute.machineTypes.list

compute.networks.list

compute.nodeGroups.get

compute.nodeGroups.list

compute.nodeTemplates.get

compute.projects.get

compute.regionOperations.get

compute.regions.*

compute.regions.get
compute.regions.list

compute.resourcePolicies.use

compute.snapshots.create

compute.snapshots.delete

compute.snapshots.get

compute.snapshots.setLabels

compute.snapshots.useReadOnly

compute.subnetworks.list

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.zoneOperations.get

compute.zones.list

iam.serviceAccounts.actAs

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

Backup and DR Disk Operator ^Beta

(roles/backupdr.diskOperator)

Allows a Backup and DR service account to store and manage data (backups or metadata) in Disk.

compute.disks.create

compute.disks.createSnapshot

compute.disks.createTagBinding

compute.disks.get

compute.disks.list

compute.disks.setLabels

compute.disks.useReadOnly

compute.regionOperations.get

compute.resourcePolicies.use

compute.snapshots.setLabels

compute.snapshots.useReadOnly

compute.storagePools.use

compute.zoneOperations.get

Backup and DR Filestore Operator ^Beta

(roles/backupdr.filestoreOperator)

Allows a Backup and DR service account to discover and backup Filestore instances.

file.backups.create

file.instances.get

Backup and DR Management Server Accessor

(roles/backupdr.managementServerAccessor)

Grants the Backup and DR management server access role to Backup Appliances.

backupdr.managementServers.createConnection

Backup and DR Mount User

(roles/backupdr.mountUser)

Allows the user to mount from a backup. This role cannot create a backup plan or restore from a backup.

backupdr.locations.*

backupdr.locations.get
backupdr.locations.list

backupdr.managementServers.access

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.manageApplications

backupdr.managementServers.manageClones

backupdr.managementServers.manageHosts

backupdr.managementServers.manageLiveClones

backupdr.managementServers.manageMirroring

backupdr.managementServers.manageMounts

backupdr.managementServers.manageWorkflows

backupdr.managementServers.refreshWorkflows

backupdr.managementServers.runWorkflows

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Backup and DR Restore User

(roles/backupdr.restoreUser)

Allows the user to restore or mount from a backup. This role cannot create a backup plan.

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.bvbackups.fetchForCloudSqlInstance

backupdr.bvbackups.fetchForComputeDisk

backupdr.bvbackups.fetchForComputeInstance

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvbackups.restore

backupdr.bvbackups.useReadOnlyForAlloydbCluster

backupdr.bvbackups.useReadOnlyForCloudSqlInstance

backupdr.bvbackups.useReadOnlyForFilestoreInstance

backupdr.bvdataSources.get

backupdr.bvdataSources.list

backupdr.bvdataSources.useReadOnlyForAlloydbCluster

backupdr.bvdataSources.useReadOnlyForCloudSqlInstance

backupdr.compute.restoreFromBackupVault

backupdr.dataSourceReferences.*

backupdr.dataSourceReferences.fetchForAlloydbCluster
backupdr.dataSourceReferences.fetchForCloudSqlInstance
backupdr.dataSourceReferences.fetchForFilestoreInstance
backupdr.dataSourceReferences.getForAlloydbCluster
backupdr.dataSourceReferences.getForCloudSqlInstance
backupdr.dataSourceReferences.getForFilestoreInstance
backupdr.dataSourceReferences.list

backupdr.locations.*

backupdr.locations.get
backupdr.locations.list

backupdr.managementServers.access

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.manageApplications

backupdr.managementServers.manageClones

backupdr.managementServers.manageHosts

backupdr.managementServers.manageLiveClones

backupdr.managementServers.manageMigrations

backupdr.managementServers.manageMirroring

backupdr.managementServers.manageMounts

backupdr.managementServers.manageRestores

backupdr.managementServers.manageWorkflows

backupdr.managementServers.refreshWorkflows

backupdr.managementServers.runWorkflows

backupdr.managementServers.testFailOvers

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Backup and DR Service Agent

(roles/backupdr.serviceAgent)

Grants the Backup and DR Service access to protect Compute Engine instances.

alloydb.operations.get

cloudsql.instances.createBackupDrBackup

cloudsql.instances.get

compute.addresses.list

compute.addresses.use

compute.addresses.useInternal

compute.diskTypes.*

compute.diskTypes.get
compute.diskTypes.list

compute.disks.create

compute.disks.createSnapshot

compute.disks.delete

compute.disks.get

compute.disks.list

compute.disks.setLabels

compute.disks.use

compute.disks.useReadOnly

compute.firewalls.list

compute.globalOperations.get

compute.images.create

compute.images.delete

compute.images.get

compute.images.useReadOnly

compute.instances.attachDisk

compute.instances.create

compute.instances.delete

compute.instances.detachDisk

compute.instances.get

compute.instances.list

compute.instances.setLabels

compute.instances.setMetadata

compute.instances.setServiceAccount

compute.instances.setTags

compute.instances.start

compute.instances.stop

compute.instances.useReadOnly

compute.machineTypes.*

compute.machineTypes.get
compute.machineTypes.list

compute.networks.list

compute.nodeGroups.get

compute.nodeGroups.list

compute.nodeTemplates.get

compute.projects.get

compute.regionOperations.get

compute.regions.*

compute.regions.get
compute.regions.list

compute.snapshots.create

compute.snapshots.delete

compute.snapshots.get

compute.snapshots.setLabels

compute.snapshots.useReadOnly

compute.subnetworks.list

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.zoneOperations.get

compute.zones.list

file.backups.create

file.instances.get

iam.serviceAccounts.actAs

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

Backup and DR User

(roles/backupdr.user)

Provides access to management console. Granular Backup and DR permissions depend on ACL configuration provided by Backup and DR admin within the management console.

backupdr.backupPlanAssociations.createForComputeInstance

backupdr.backupPlanAssociations.deleteForComputeInstance

backupdr.backupPlanAssociations.updateForComputeInstance

backupdr.managementServers.access

backupdr.managementServers.backupAccess

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.getIamPolicy

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewBackupServers

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

backupdr.trial.get

resourcemanager.projects.get

resourcemanager.projects.list

Backup and DR User V2

(roles/backupdr.userv2)

Provides full access to Backup and DR resources except deploying and managing backup infrastructure, expiring backups, changing data sensitivity and configuring on-premises billing.

backupdr.backupPlanAssociations.*

backupdr.backupPlanAssociations.createForAlloydbCluster
backupdr.backupPlanAssociations.createForCloudSqlInstance
backupdr.backupPlanAssociations.createForComputeDisk
backupdr.backupPlanAssociations.createForComputeInstance
backupdr.backupPlanAssociations.createForFilestoreInstance
backupdr.backupPlanAssociations.deleteForAlloydbCluster
backupdr.backupPlanAssociations.deleteForCloudSqlInstance
backupdr.backupPlanAssociations.deleteForComputeDisk
backupdr.backupPlanAssociations.deleteForComputeInstance
backupdr.backupPlanAssociations.deleteForFilestoreInstance
backupdr.backupPlanAssociations.fetchForAlloydbCluster
backupdr.backupPlanAssociations.fetchForCloudSqlInstance
backupdr.backupPlanAssociations.fetchForComputeDisk
backupdr.backupPlanAssociations.fetchForComputeInstance
backupdr.backupPlanAssociations.fetchForFilestoreInstance
backupdr.backupPlanAssociations.getForAlloydbCluster
backupdr.backupPlanAssociations.getForCloudSqlInstance
backupdr.backupPlanAssociations.getForComputeDisk
backupdr.backupPlanAssociations.getForComputeInstance
backupdr.backupPlanAssociations.getForFilestoreInstance
backupdr.backupPlanAssociations.list
backupdr.backupPlanAssociations.triggerBackupForAlloydbCluster
backupdr.backupPlanAssociations.triggerBackupForCloudSqlInstance
backupdr.backupPlanAssociations.triggerBackupForComputeDisk
backupdr.backupPlanAssociations.triggerBackupForComputeInstance
backupdr.backupPlanAssociations.triggerBackupForFilestoreInstance
backupdr.backupPlanAssociations.updateForAlloydbCluster
backupdr.backupPlanAssociations.updateForComputeDisk
backupdr.backupPlanAssociations.updateForComputeInstance
backupdr.backupPlanAssociations.updateForFilestoreInstance

backupdr.backupPlanRevisions.*

backupdr.backupPlanRevisions.get
backupdr.backupPlanRevisions.list

backupdr.backupPlans.*

backupdr.backupPlans.create
backupdr.backupPlans.delete
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.backupPlans.update
backupdr.backupPlans.useForAlloydbCluster
backupdr.backupPlans.useForCloudSqlInstance
backupdr.backupPlans.useForComputeDisk
backupdr.backupPlans.useForComputeInstance
backupdr.backupPlans.useForFilestoreInstance

backupdr.backupVaults.associate

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.bvbackups.fetchForCloudSqlInstance

backupdr.bvbackups.fetchForComputeDisk

backupdr.bvbackups.fetchForComputeInstance

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvbackups.restore

backupdr.bvbackups.useReadOnlyForAlloydbCluster

backupdr.bvbackups.useReadOnlyForCloudSqlInstance

backupdr.bvbackups.useReadOnlyForFilestoreInstance

backupdr.bvdataSources.get

backupdr.bvdataSources.list

backupdr.bvdataSources.useReadOnlyForAlloydbCluster

backupdr.bvdataSources.useReadOnlyForCloudSqlInstance

backupdr.compute.restoreFromBackupVault

backupdr.dataSourceReferences.*

backupdr.dataSourceReferences.fetchForAlloydbCluster
backupdr.dataSourceReferences.fetchForCloudSqlInstance
backupdr.dataSourceReferences.fetchForFilestoreInstance
backupdr.dataSourceReferences.getForAlloydbCluster
backupdr.dataSourceReferences.getForCloudSqlInstance
backupdr.dataSourceReferences.getForFilestoreInstance
backupdr.dataSourceReferences.list

backupdr.locations.*

backupdr.locations.get
backupdr.locations.list

backupdr.managementServers.access

backupdr.managementServers.assignBackupPlans

backupdr.managementServers.backupAccess

backupdr.managementServers.createDynamicProtection

backupdr.managementServers.deleteDynamicProtection

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.getIamPolicy

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.manageApplications

backupdr.managementServers.manageBackupPlans

backupdr.managementServers.manageBackups

backupdr.managementServers.manageClones

backupdr.managementServers.manageHosts

backupdr.managementServers.manageJobs

backupdr.managementServers.manageLiveClones

backupdr.managementServers.manageMigrations

backupdr.managementServers.manageMirroring

backupdr.managementServers.manageMounts

backupdr.managementServers.manageRestores

backupdr.managementServers.manageWorkflows

backupdr.managementServers.refreshWorkflows

backupdr.managementServers.runWorkflows

backupdr.managementServers.testFailOvers

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewBackupServers

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

backupdr.trial.get

resourcemanager.projects.get

resourcemanager.projects.list

Backup and DR Viewer

(roles/backupdr.viewer)

Provides read-only access to all Backup and DR resources.

backupdr.backupPlanAssociations.fetchForAlloydbCluster

backupdr.backupPlanAssociations.fetchForCloudSqlInstance

backupdr.backupPlanAssociations.fetchForComputeDisk

backupdr.backupPlanAssociations.fetchForComputeInstance

backupdr.backupPlanAssociations.fetchForFilestoreInstance

backupdr.backupPlanAssociations.getForAlloydbCluster

backupdr.backupPlanAssociations.getForCloudSqlInstance

backupdr.backupPlanAssociations.getForComputeDisk

backupdr.backupPlanAssociations.getForComputeInstance

backupdr.backupPlanAssociations.getForFilestoreInstance

backupdr.backupPlanAssociations.list

backupdr.backupPlanRevisions.*

backupdr.backupPlanRevisions.get
backupdr.backupPlanRevisions.list

backupdr.backupPlans.get

backupdr.backupPlans.list

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.bvbackups.fetchForCloudSqlInstance

backupdr.bvbackups.fetchForComputeDisk

backupdr.bvbackups.fetchForComputeInstance

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvdataSources.get

backupdr.bvdataSources.list

backupdr.dataSourceReferences.*

backupdr.dataSourceReferences.fetchForAlloydbCluster
backupdr.dataSourceReferences.fetchForCloudSqlInstance
backupdr.dataSourceReferences.fetchForFilestoreInstance
backupdr.dataSourceReferences.getForAlloydbCluster
backupdr.dataSourceReferences.getForCloudSqlInstance
backupdr.dataSourceReferences.getForFilestoreInstance
backupdr.dataSourceReferences.list

backupdr.locations.*

backupdr.locations.get
backupdr.locations.list

backupdr.managementServers.access

backupdr.managementServers.backupAccess

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.getIamPolicy

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewBackupServers

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

backupdr.trial.get

resourcemanager.projects.get

resourcemanager.projects.list

基本角色

基本角色是在 IAM 之前專案層級的角色。詳情請參閱「基本角色」。

雖然備份和災難復原支援下列基本角色，您仍應盡可能使用預先定義的角色。基本角色包含多種適用於所有 Google Cloud 資源的權限；相反地，Backup and DR 的預先定義角色則包含僅適用於 Backup and DR 的精確權限。

基本 IAM 角色	說明
編輯者 (`roles/editor`)	提供所有備份和災難復原資源的完整存取權。
擁有者 (`roles/owner`)	提供所有備份和災難復原資源的完整存取權。

備份和災難復原服務的 IAM 權限

下表列出與 Backup and DR Service 相關的 IAM 權限。IAM 權限會歸類為角色，您可以將角色指派給使用者和群組。

下表列出每個 Backup and DR 權限的說明。

權限名稱	說明
backupdr.managementServers.manageClones	提供從備份建立及管理副本的權限。
backupdr.managementServers.manageLiveClones	提供從備份建立及管理 LiveClone 的權限。
backupdr.managementServers.manageMounts	提供從備份建立及管理有效掛接點的權限。
backupdr.managementServers.manageRestores	提供從備份還原所需的權限。
backupdr.managementServers.manageBackups	提供執行備份作業的權限：立即備份。
backupdr.managementServers.viewSystem	提供備份/復原設備設定的檢視權限。
backupdr.managementServers.manageSystem	提供設定備份/還原裝置和報表管理工具的權限。
backupdr.managementServers.viewStorage	提供檢視儲存空間和磁碟集區設定的權限。
backupdr.managementServers.manageStorage	提供新增、修改、移除及檢視儲存空間和磁碟集區的權限。
backupdr.managementServers.viewBackupPlans	提供備份方案的檢視權限，包括備份範本和資源設定檔。
backupdr.managementServers.assignBackupPlans	提供權限，可將預先設定的備份方案 (備份範本和資源設定檔) 指派給應用程式或工作負載。
backupdr.managementServers.manageBackupPlans	提供建立、修改、刪除、查看及指派備份方案 (備份範本和資源設定檔) 的權限。
backupdr.managementServers.testFailOvers	提供權限，可對遠端 StreamSnap 備份執行測試容錯移轉，以及刪除測試容錯移轉作業。
backupdr.managementServers.viewWorkflows	提供存取權，以便查看備份和災難復原工作流程，自動存取備份和災難復原服務中的複製資料。
backupdr.managementServers.runWorkflows	提供權限，可執行預先設定的備份和災難復原工作流程，自動存取備份和災難復原服務中的資料，並進行複製。
backupdr.managementServers.refreshWorkflows	提供權限，可重新整理透過備份和災難復原工作流程建立的副本，自動存取備份和災難復原服務中的資料副本。
backupdr.managementServers.manageWorkflows	提供權限，可新增、修改、移除、執行及查看備份和災難復原工作流程，自動存取備份和災難復原服務中的資料副本。
backupdr.managementServers.manageMirroring	提供權限，可對遠端 StreamSnap 備份執行容錯移轉、同步備份、清除、容錯回復、測試容錯移轉，以及刪除測試容錯移轉作業。
backupdr.managementServers.manageHosts	提供新增、修改、移除及查看主機 (實體和虛擬機器) 的權限
backupdr.managementServers.manageApplications	提供管理應用程式各個方面的權限，包括邏輯群組和一致性群組、視需要執行備份，以及匯出範本。
backupdr.managementServers.manageSensitiveData	提供將應用程式和備份資料標示為機密或非機密資料所需的權限。
backupdr.managementServers.accessSensitiveData	可存取標示為機密的應用程式和備份資料。
backupdr.managementServers.manageBackupServers	提供透過管理控制台執行備份伺服器 API 所需的權限。
backupdr.managementServers.manageExpiration	提供備份到期所需的權限。
backupdr.managementServers.access	具備管理主控台和相關聯 API 的存取權。
backupdr.managementServers.onpremUsageUpload	提供上傳用量至地端部署轉接程式所需的所有端點存取權。
backupdr.managementServers.viewReports	提供 Report Manager 的存取權，可執行報表及查看或下載輸出內容。
backupdr.managementServers.manageJobs	提供取消工作和修改工作優先順序的權限。
backupdr.managementServers.manageMigrations	提供權限，可在還原或複製作業的最後一個步驟中，管理已掛接資料的遷移作業。

使用 CMEK 的必備權限

如要瞭解使用 CMEK 時所需的權限，請參閱「客戶自行管理的加密金鑰 (CMEK)」。

使用 IAM 控管備份和災難復原服務的存取權 透過集合功能整理內容 你可以依據偏好儲存及分類內容。

IAM 如何控管存取權

IAM 角色類型

IAM 權限

專案層級與資源層級權限

備份和災難復原服務的預先定義 IAM 角色

Backup and DR Admin

Backup and DR Backup Config Viewer Beta

Backup and DR Backup User

Backup and DR Backup Vault Accessor

Backup and DR Backup Vault Admin

Backup and DR Backup Vault Lister

Backup and DR Backup Vault Viewer

Backup and DR Cloud SQL Operator Beta

Backup and DR Cloud Storage Operator

Backup and DR Compute Engine Operator

Backup and DR Disk Operator Beta

Backup and DR Filestore Operator Beta

Backup and DR Management Server Accessor

Backup and DR Mount User

Backup and DR Restore User

Backup and DR Service Agent

Backup and DR User

Backup and DR User V2

Backup and DR Viewer

基本角色

備份和災難復原服務的 IAM 權限

使用 CMEK 的必備權限

使用 IAM 控管備份和災難復原服務的存取權

Backup and DR Backup Config Viewer ^Beta

Backup and DR Cloud SQL Operator ^Beta

Backup and DR Disk Operator ^Beta

Backup and DR Filestore Operator ^Beta