Esta página se ha traducido con Cloud Translation API.

Controlar el acceso al servicio Backup y DR con gestión de identidades y accesos

En esta página se describen los roles y permisos de gestión de identidades y accesos necesarios para el servicio de copia de seguridad y recuperación tras desastres.Google Cloud Cuando añades nuevas entidades principales a tu proyecto, puedes usar una política de Gestión de Identidades y Accesos (IAM) para asignar a esa entidad principal uno o varios roles de IAM. Cada rol de gestión de identidades y accesos contiene permisos que conceden a las entidades principales acceso para realizar acciones específicas en recursos concretos. Para ver una lista de referencia de los permisos de gestión de identidades y accesos que se aplican al servicio de copia de seguridad y recuperación tras fallos, consulta Permisos de gestión de identidades y accesos para el servicio de copia de seguridad y recuperación tras fallos.

Cómo controla el acceso la gestión de identidades y accesos

Si una entidad principal (un usuario, un grupo o una cuenta de servicio) llama a una API, debe tener los permisos de gestión de identidades y accesos adecuados para usar el recurso. Google Cloud Para dar a una entidad principal los permisos necesarios, debes concederle un rol de gestión de identidades y accesos. Más información sobre las entidades de gestión de identidades y accesos

Tipos de roles de gestión de identidades y accesos

El servicio de copias de seguridad y recuperación ante desastres tiene roles predefinidos que son conjuntos de permisos que se pueden asignar a diferentes entidades. Los usuarios también pueden definir roles personalizados que pueden tener una combinación de permisos individuales para conceder acceso a un flujo de trabajo o una acción de copia de seguridad y recuperación ante desastres específicos.

Permisos de gestión de identidades y accesos

Los permisos permiten que los usuarios realicen acciones específicas en recursos concretos. Se pueden agrupar para formar roles. Cada permiso hace referencia a una acción específica que puede realizar el usuario o al acceso que tiene.

Permisos a nivel de proyecto y a nivel de recurso

Los permisos se pueden conceder a nivel de proyecto o de recurso. Por ejemplo, un administrador de Backup and DR puede elegir conceder solo determinados permisos a nivel de segmento de almacenamiento en lugar de a todo el proyecto, en función de su política. Conceder roles a nivel de recurso no afecta a los roles que hayas concedido a nivel de proyecto, y viceversa.

Roles de IAM predefinidos para el servicio de copia de seguridad y recuperación tras desastres

El servicio de copias de seguridad y recuperación ante desastres tiene un conjunto de roles de gestión de identidades y accesos predefinidos que se describen en esta página. También puedes crear roles personalizados que contengan subconjuntos de permisos que se ajusten directamente a tus necesidades.

En la siguiente tabla se describen los roles de IAM asociados al servicio Backup and DR y se indican los permisos que contiene cada rol. La descripción de cada permiso se indica en la sección Permisos de gestión de identidades y accesos para el servicio Backup and DR.

Role Permissions

Role	Permissions
Backup and DR Admin (`roles/backupdr.admin`) Provides full access to all Backup and DR resources.	`backupdr.backupPlanAssociations.` `backupdr.backupPlanAssociations.createForAlloydbCluster` `backupdr.backupPlanAssociations.createForCloudSqlInstance` `backupdr.backupPlanAssociations.createForComputeDisk` `backupdr.backupPlanAssociations.createForComputeInstance` `backupdr.backupPlanAssociations.createForFilestoreInstance` `backupdr.backupPlanAssociations.deleteForAlloydbCluster` `backupdr.backupPlanAssociations.deleteForCloudSqlInstance` `backupdr.backupPlanAssociations.deleteForComputeDisk` `backupdr.backupPlanAssociations.deleteForComputeInstance` `backupdr.backupPlanAssociations.deleteForFilestoreInstance` `backupdr.backupPlanAssociations.fetchForAlloydbCluster` `backupdr.backupPlanAssociations.fetchForCloudSqlInstance` `backupdr.backupPlanAssociations.fetchForComputeDisk` `backupdr.backupPlanAssociations.fetchForComputeInstance` `backupdr.backupPlanAssociations.fetchForFilestoreInstance` `backupdr.backupPlanAssociations.getForAlloydbCluster` `backupdr.backupPlanAssociations.getForCloudSqlInstance` `backupdr.backupPlanAssociations.getForComputeDisk` `backupdr.backupPlanAssociations.getForComputeInstance` `backupdr.backupPlanAssociations.getForFilestoreInstance` `backupdr.backupPlanAssociations.list` `backupdr.backupPlanAssociations.triggerBackupForAlloydbCluster` `backupdr.backupPlanAssociations.triggerBackupForCloudSqlInstance` `backupdr.backupPlanAssociations.triggerBackupForComputeDisk` `backupdr.backupPlanAssociations.triggerBackupForComputeInstance` `backupdr.backupPlanAssociations.triggerBackupForFilestoreInstance` `backupdr.backupPlanAssociations.updateForAlloydbCluster` `backupdr.backupPlanAssociations.updateForComputeDisk` `backupdr.backupPlanAssociations.updateForComputeInstance` `backupdr.backupPlanAssociations.updateForFilestoreInstance` `backupdr.backupPlanRevisions.` `backupdr.backupPlanRevisions.get` `backupdr.backupPlanRevisions.list` `backupdr.backupPlans.` `backupdr.backupPlans.create` `backupdr.backupPlans.delete` `backupdr.backupPlans.get` `backupdr.backupPlans.list` `backupdr.backupPlans.update` `backupdr.backupPlans.useForAlloydbCluster` `backupdr.backupPlans.useForCloudSqlInstance` `backupdr.backupPlans.useForComputeDisk` `backupdr.backupPlans.useForComputeInstance` `backupdr.backupPlans.useForFilestoreInstance` `backupdr.backupVaults.` `backupdr.backupVaults.associate` `backupdr.backupVaults.create` `backupdr.backupVaults.delete` `backupdr.backupVaults.get` `backupdr.backupVaults.list` `backupdr.backupVaults.update` `backupdr.bvbackups.` `backupdr.bvbackups.delete` `backupdr.bvbackups.fetchForCloudSqlInstance` `backupdr.bvbackups.fetchForComputeDisk` `backupdr.bvbackups.fetchForComputeInstance` `backupdr.bvbackups.get` `backupdr.bvbackups.list` `backupdr.bvbackups.restore` `backupdr.bvbackups.update` `backupdr.bvbackups.useReadOnlyForAlloydbCluster` `backupdr.bvbackups.useReadOnlyForCloudSqlInstance` `backupdr.bvbackups.useReadOnlyForFilestoreInstance` `backupdr.bvdataSources.` `backupdr.bvdataSources.abandonBackup` `backupdr.bvdataSources.fetchAccessToken` `backupdr.bvdataSources.finalizeBackup` `backupdr.bvdataSources.get` `backupdr.bvdataSources.initiateBackup` `backupdr.bvdataSources.list` `backupdr.bvdataSources.remove` `backupdr.bvdataSources.setInternalStatus` `backupdr.bvdataSources.update` `backupdr.bvdataSources.useReadOnlyForAlloydbCluster` `backupdr.bvdataSources.useReadOnlyForCloudSqlInstance` `backupdr.compute.restoreFromBackupVault` `backupdr.dataSourceReferences.` `backupdr.dataSourceReferences.fetchForAlloydbCluster` `backupdr.dataSourceReferences.fetchForCloudSqlInstance` `backupdr.dataSourceReferences.fetchForFilestoreInstance` `backupdr.dataSourceReferences.getForAlloydbCluster` `backupdr.dataSourceReferences.getForCloudSqlInstance` `backupdr.dataSourceReferences.getForFilestoreInstance` `backupdr.dataSourceReferences.list` `backupdr.locations.` `backupdr.locations.get` `backupdr.locations.list` `backupdr.managementServers.` `backupdr.managementServers.access` `backupdr.managementServers.accessSensitiveData` `backupdr.managementServers.assignBackupPlans` `backupdr.managementServers.backupAccess` `backupdr.managementServers.create` `backupdr.managementServers.createConnection` `backupdr.managementServers.createDynamicProtection` `backupdr.managementServers.delete` `backupdr.managementServers.deleteDynamicProtection` `backupdr.managementServers.get` `backupdr.managementServers.getDynamicProtection` `backupdr.managementServers.getIamPolicy` `backupdr.managementServers.list` `backupdr.managementServers.listDynamicProtection` `backupdr.managementServers.manageApplications` `backupdr.managementServers.manageBackupPlans` `backupdr.managementServers.manageBackupServers` `backupdr.managementServers.manageBackups` `backupdr.managementServers.manageClones` `backupdr.managementServers.manageExpiration` `backupdr.managementServers.manageHosts` `backupdr.managementServers.manageInternalACL` `backupdr.managementServers.manageJobs` `backupdr.managementServers.manageLiveClones` `backupdr.managementServers.manageMigrations` `backupdr.managementServers.manageMirroring` `backupdr.managementServers.manageMounts` `backupdr.managementServers.manageRestores` `backupdr.managementServers.manageSensitiveData` `backupdr.managementServers.manageStorage` `backupdr.managementServers.manageSystem` `backupdr.managementServers.manageWorkflows` `backupdr.managementServers.refreshWorkflows` `backupdr.managementServers.runWorkflows` `backupdr.managementServers.setIamPolicy` `backupdr.managementServers.testFailOvers` `backupdr.managementServers.viewBackupPlans` `backupdr.managementServers.viewBackupServers` `backupdr.managementServers.viewReports` `backupdr.managementServers.viewStorage` `backupdr.managementServers.viewSystem` `backupdr.managementServers.viewWorkflows` `backupdr.operations.` `backupdr.operations.cancel` `backupdr.operations.delete` `backupdr.operations.get` `backupdr.operations.list` `backupdr.serviceConfig.initialize` `backupdr.trial.*` `backupdr.trial.end` `backupdr.trial.get` `backupdr.trial.subscribe` `resourcemanager.projects.get` `resourcemanager.projects.list`
Backup and DR Backup Config Viewer ^Beta (`roles/backupdr.backupConfigViewer`) Provides read access to resource backup config. Resource backup config has the metadata of a Google Cloud resource that can be backed up, along with its backup configurations.	`backupdr.locations.list` `backupdr.resourceBackupConfigs.*` `backupdr.resourceBackupConfigs.get` `backupdr.resourceBackupConfigs.list`
Backup and DR Backup User (`roles/backupdr.backupUser`) Allows the user to apply existing backup plans. This role cannot create backup plans or restore from a backup.	`backupdr.backupPlanAssociations.` `backupdr.backupPlanAssociations.createForAlloydbCluster` `backupdr.backupPlanAssociations.createForCloudSqlInstance` `backupdr.backupPlanAssociations.createForComputeDisk` `backupdr.backupPlanAssociations.createForComputeInstance` `backupdr.backupPlanAssociations.createForFilestoreInstance` `backupdr.backupPlanAssociations.deleteForAlloydbCluster` `backupdr.backupPlanAssociations.deleteForCloudSqlInstance` `backupdr.backupPlanAssociations.deleteForComputeDisk` `backupdr.backupPlanAssociations.deleteForComputeInstance` `backupdr.backupPlanAssociations.deleteForFilestoreInstance` `backupdr.backupPlanAssociations.fetchForAlloydbCluster` `backupdr.backupPlanAssociations.fetchForCloudSqlInstance` `backupdr.backupPlanAssociations.fetchForComputeDisk` `backupdr.backupPlanAssociations.fetchForComputeInstance` `backupdr.backupPlanAssociations.fetchForFilestoreInstance` `backupdr.backupPlanAssociations.getForAlloydbCluster` `backupdr.backupPlanAssociations.getForCloudSqlInstance` `backupdr.backupPlanAssociations.getForComputeDisk` `backupdr.backupPlanAssociations.getForComputeInstance` `backupdr.backupPlanAssociations.getForFilestoreInstance` `backupdr.backupPlanAssociations.list` `backupdr.backupPlanAssociations.triggerBackupForAlloydbCluster` `backupdr.backupPlanAssociations.triggerBackupForCloudSqlInstance` `backupdr.backupPlanAssociations.triggerBackupForComputeDisk` `backupdr.backupPlanAssociations.triggerBackupForComputeInstance` `backupdr.backupPlanAssociations.triggerBackupForFilestoreInstance` `backupdr.backupPlanAssociations.updateForAlloydbCluster` `backupdr.backupPlanAssociations.updateForComputeDisk` `backupdr.backupPlanAssociations.updateForComputeInstance` `backupdr.backupPlanAssociations.updateForFilestoreInstance` `backupdr.backupPlanRevisions.` `backupdr.backupPlanRevisions.get` `backupdr.backupPlanRevisions.list` `backupdr.backupPlans.get` `backupdr.backupPlans.list` `backupdr.backupPlans.useForAlloydbCluster` `backupdr.backupPlans.useForCloudSqlInstance` `backupdr.backupPlans.useForComputeDisk` `backupdr.backupPlans.useForComputeInstance` `backupdr.backupPlans.useForFilestoreInstance` `backupdr.backupVaults.get` `backupdr.backupVaults.list` `backupdr.bvbackups.fetchForCloudSqlInstance` `backupdr.bvbackups.fetchForComputeDisk` `backupdr.bvbackups.fetchForComputeInstance` `backupdr.bvbackups.get` `backupdr.bvbackups.list` `backupdr.bvdataSources.get` `backupdr.bvdataSources.list` `backupdr.dataSourceReferences.` `backupdr.dataSourceReferences.fetchForAlloydbCluster` `backupdr.dataSourceReferences.fetchForCloudSqlInstance` `backupdr.dataSourceReferences.fetchForFilestoreInstance` `backupdr.dataSourceReferences.getForAlloydbCluster` `backupdr.dataSourceReferences.getForCloudSqlInstance` `backupdr.dataSourceReferences.getForFilestoreInstance` `backupdr.dataSourceReferences.list` `backupdr.locations.` `backupdr.locations.get` `backupdr.locations.list` `backupdr.managementServers.access` `backupdr.managementServers.assignBackupPlans` `backupdr.managementServers.createDynamicProtection` `backupdr.managementServers.deleteDynamicProtection` `backupdr.managementServers.get` `backupdr.managementServers.getDynamicProtection` `backupdr.managementServers.list` `backupdr.managementServers.listDynamicProtection` `backupdr.managementServers.manageApplications` `backupdr.managementServers.manageBackups` `backupdr.managementServers.manageHosts` `backupdr.managementServers.viewBackupPlans` `backupdr.managementServers.viewReports` `backupdr.managementServers.viewStorage` `backupdr.managementServers.viewSystem` `backupdr.operations.get` `backupdr.operations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Backup and DR Backup Vault Accessor (`roles/backupdr.backupvaultAccessor`) Allows the Backup Appliance permissions to create and manage backups in a backup vault.	`backupdr.backupVaults.get` `backupdr.backupVaults.list` `backupdr.bvbackups.delete` `backupdr.bvbackups.get` `backupdr.bvbackups.list` `backupdr.bvbackups.update` `backupdr.bvdataSources.abandonBackup` `backupdr.bvdataSources.fetchAccessToken` `backupdr.bvdataSources.finalizeBackup` `backupdr.bvdataSources.get` `backupdr.bvdataSources.initiateBackup` `backupdr.bvdataSources.list` `backupdr.bvdataSources.remove` `backupdr.bvdataSources.setInternalStatus` `backupdr.bvdataSources.update` `backupdr.operations.*` `backupdr.operations.cancel` `backupdr.operations.delete` `backupdr.operations.get` `backupdr.operations.list`
Backup and DR Backup Vault Admin (`roles/backupdr.backupvaultAdmin`) Allows the Backup Appliance full administrative control of backup vault resources.	`backupdr.backupVaults.` `backupdr.backupVaults.associate` `backupdr.backupVaults.create` `backupdr.backupVaults.delete` `backupdr.backupVaults.get` `backupdr.backupVaults.list` `backupdr.backupVaults.update` `backupdr.bvbackups.delete` `backupdr.bvbackups.get` `backupdr.bvbackups.list` `backupdr.bvbackups.restore` `backupdr.bvbackups.update` `backupdr.bvdataSources.get` `backupdr.bvdataSources.list` `backupdr.bvdataSources.update` `backupdr.compute.restoreFromBackupVault` `backupdr.locations.` `backupdr.locations.get` `backupdr.locations.list` `backupdr.operations.*` `backupdr.operations.cancel` `backupdr.operations.delete` `backupdr.operations.get` `backupdr.operations.list`
Backup and DR Backup Vault Lister (`roles/backupdr.backupvaultLister`) Allows the Backup Appliance permission to list backup vaults in a given project.	`backupdr.backupVaults.list`
Backup and DR Backup Vault Viewer (`roles/backupdr.backupvaultViewer`) Allows read-only permissions to access backup vault resources and backups.	`backupdr.backupVaults.get` `backupdr.backupVaults.list` `backupdr.bvbackups.get` `backupdr.bvbackups.list` `backupdr.bvdataSources.get` `backupdr.bvdataSources.list` `backupdr.operations.get` `backupdr.operations.list`
Backup and DR Cloud SQL Operator ^Beta (`roles/backupdr.cloudSqlOperator`) Allows a Backup and DR service account to discover and backup Cloud SQL instances.	`cloudsql.instances.createBackupDrBackup` `cloudsql.instances.get`
Backup and DR Cloud Storage Operator (`roles/backupdr.cloudStorageOperator`) Allows a Backup and DR service account to store and manage data (backups or metadata) in Cloud Storage.	`storage.buckets.create` `storage.buckets.get` `storage.objects.create` `storage.objects.delete` `storage.objects.get` `storage.objects.list`
Backup and DR Compute Engine Operator (`roles/backupdr.computeEngineOperator`) Allows a Backup and DR service account to discover, back up, and restore Compute Engine VM instances.	`backupdr.managementServers.createConnection` `compute.addresses.list` `compute.addresses.use` `compute.addresses.useInternal` `compute.diskTypes.` `compute.diskTypes.get` `compute.diskTypes.list` `compute.disks.create` `compute.disks.createSnapshot` `compute.disks.delete` `compute.disks.get` `compute.disks.setLabels` `compute.disks.use` `compute.disks.useReadOnly` `compute.firewalls.list` `compute.globalOperations.get` `compute.images.create` `compute.images.delete` `compute.images.get` `compute.images.useReadOnly` `compute.instances.attachDisk` `compute.instances.create` `compute.instances.createTagBinding` `compute.instances.delete` `compute.instances.detachDisk` `compute.instances.get` `compute.instances.list` `compute.instances.listEffectiveTags` `compute.instances.pscInterfaceCreate` `compute.instances.setDeletionProtection` `compute.instances.setLabels` `compute.instances.setMetadata` `compute.instances.setServiceAccount` `compute.instances.setTags` `compute.instances.start` `compute.instances.stop` `compute.instances.updateDisplayDevice` `compute.instances.useReadOnly` `compute.machineTypes.` `compute.machineTypes.get` `compute.machineTypes.list` `compute.networks.list` `compute.nodeGroups.get` `compute.nodeGroups.list` `compute.nodeTemplates.get` `compute.projects.get` `compute.regionOperations.get` `compute.regions.*` `compute.regions.get` `compute.regions.list` `compute.resourcePolicies.use` `compute.snapshots.create` `compute.snapshots.delete` `compute.snapshots.get` `compute.snapshots.setLabels` `compute.snapshots.useReadOnly` `compute.subnetworks.list` `compute.subnetworks.use` `compute.subnetworks.useExternalIp` `compute.zoneOperations.get` `compute.zones.list` `iam.serviceAccounts.actAs` `iam.serviceAccounts.get` `iam.serviceAccounts.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Backup and DR Disk Operator ^Beta (`roles/backupdr.diskOperator`) Allows a Backup and DR service account to store and manage data (backups or metadata) in Disk.	`compute.disks.create` `compute.disks.createSnapshot` `compute.disks.createTagBinding` `compute.disks.get` `compute.disks.list` `compute.disks.setLabels` `compute.disks.useReadOnly` `compute.regionOperations.get` `compute.resourcePolicies.use` `compute.snapshots.setLabels` `compute.snapshots.useReadOnly` `compute.storagePools.use` `compute.zoneOperations.get`
Backup and DR Filestore Operator ^Beta (`roles/backupdr.filestoreOperator`) Allows a Backup and DR service account to discover and backup Filestore instances.	`file.backups.create` `file.instances.get`
Backup and DR Management Server Accessor (`roles/backupdr.managementServerAccessor`) Grants the Backup and DR management server access role to Backup Appliances.	`backupdr.managementServers.createConnection`
Backup and DR Mount User (`roles/backupdr.mountUser`) Allows the user to mount from a backup. This role cannot create a backup plan or restore from a backup.	`backupdr.locations.*` `backupdr.locations.get` `backupdr.locations.list` `backupdr.managementServers.access` `backupdr.managementServers.get` `backupdr.managementServers.getDynamicProtection` `backupdr.managementServers.list` `backupdr.managementServers.listDynamicProtection` `backupdr.managementServers.manageApplications` `backupdr.managementServers.manageClones` `backupdr.managementServers.manageHosts` `backupdr.managementServers.manageLiveClones` `backupdr.managementServers.manageMirroring` `backupdr.managementServers.manageMounts` `backupdr.managementServers.manageWorkflows` `backupdr.managementServers.refreshWorkflows` `backupdr.managementServers.runWorkflows` `backupdr.managementServers.viewBackupPlans` `backupdr.managementServers.viewReports` `backupdr.managementServers.viewStorage` `backupdr.managementServers.viewSystem` `backupdr.managementServers.viewWorkflows` `backupdr.operations.get` `backupdr.operations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Backup and DR Restore User (`roles/backupdr.restoreUser`) Allows the user to restore or mount from a backup. This role cannot create a backup plan.	`backupdr.backupVaults.get` `backupdr.backupVaults.list` `backupdr.bvbackups.fetchForCloudSqlInstance` `backupdr.bvbackups.fetchForComputeDisk` `backupdr.bvbackups.fetchForComputeInstance` `backupdr.bvbackups.get` `backupdr.bvbackups.list` `backupdr.bvbackups.restore` `backupdr.bvbackups.useReadOnlyForAlloydbCluster` `backupdr.bvbackups.useReadOnlyForCloudSqlInstance` `backupdr.bvbackups.useReadOnlyForFilestoreInstance` `backupdr.bvdataSources.get` `backupdr.bvdataSources.list` `backupdr.bvdataSources.useReadOnlyForAlloydbCluster` `backupdr.bvdataSources.useReadOnlyForCloudSqlInstance` `backupdr.compute.restoreFromBackupVault` `backupdr.dataSourceReferences.` `backupdr.dataSourceReferences.fetchForAlloydbCluster` `backupdr.dataSourceReferences.fetchForCloudSqlInstance` `backupdr.dataSourceReferences.fetchForFilestoreInstance` `backupdr.dataSourceReferences.getForAlloydbCluster` `backupdr.dataSourceReferences.getForCloudSqlInstance` `backupdr.dataSourceReferences.getForFilestoreInstance` `backupdr.dataSourceReferences.list` `backupdr.locations.` `backupdr.locations.get` `backupdr.locations.list` `backupdr.managementServers.access` `backupdr.managementServers.get` `backupdr.managementServers.getDynamicProtection` `backupdr.managementServers.list` `backupdr.managementServers.listDynamicProtection` `backupdr.managementServers.manageApplications` `backupdr.managementServers.manageClones` `backupdr.managementServers.manageHosts` `backupdr.managementServers.manageLiveClones` `backupdr.managementServers.manageMigrations` `backupdr.managementServers.manageMirroring` `backupdr.managementServers.manageMounts` `backupdr.managementServers.manageRestores` `backupdr.managementServers.manageWorkflows` `backupdr.managementServers.refreshWorkflows` `backupdr.managementServers.runWorkflows` `backupdr.managementServers.testFailOvers` `backupdr.managementServers.viewBackupPlans` `backupdr.managementServers.viewReports` `backupdr.managementServers.viewStorage` `backupdr.managementServers.viewSystem` `backupdr.managementServers.viewWorkflows` `backupdr.operations.get` `backupdr.operations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Backup and DR Service Agent (`roles/backupdr.serviceAgent`) Grants the Backup and DR Service access to protect Compute Engine instances. Warning: Do not grant service agent roles to any principals except service agents.	`alloydb.operations.get` `cloudsql.instances.createBackupDrBackup` `cloudsql.instances.get` `compute.addresses.list` `compute.addresses.use` `compute.addresses.useInternal` `compute.diskTypes.` `compute.diskTypes.get` `compute.diskTypes.list` `compute.disks.create` `compute.disks.createSnapshot` `compute.disks.delete` `compute.disks.get` `compute.disks.list` `compute.disks.setLabels` `compute.disks.use` `compute.disks.useReadOnly` `compute.firewalls.list` `compute.globalOperations.get` `compute.images.create` `compute.images.delete` `compute.images.get` `compute.images.useReadOnly` `compute.instances.attachDisk` `compute.instances.create` `compute.instances.delete` `compute.instances.detachDisk` `compute.instances.get` `compute.instances.list` `compute.instances.setLabels` `compute.instances.setMetadata` `compute.instances.setServiceAccount` `compute.instances.setTags` `compute.instances.start` `compute.instances.stop` `compute.instances.useReadOnly` `compute.machineTypes.` `compute.machineTypes.get` `compute.machineTypes.list` `compute.networks.list` `compute.nodeGroups.get` `compute.nodeGroups.list` `compute.nodeTemplates.get` `compute.projects.get` `compute.regionOperations.get` `compute.regions.*` `compute.regions.get` `compute.regions.list` `compute.snapshots.create` `compute.snapshots.delete` `compute.snapshots.get` `compute.snapshots.setLabels` `compute.snapshots.useReadOnly` `compute.subnetworks.list` `compute.subnetworks.use` `compute.subnetworks.useExternalIp` `compute.zoneOperations.get` `compute.zones.list` `file.backups.create` `file.instances.get` `iam.serviceAccounts.actAs` `iam.serviceAccounts.get` `iam.serviceAccounts.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Backup and DR User (`roles/backupdr.user`) Provides access to management console. Granular Backup and DR permissions depend on ACL configuration provided by Backup and DR admin within the management console.	`backupdr.backupPlanAssociations.createForComputeInstance` `backupdr.backupPlanAssociations.deleteForComputeInstance` `backupdr.backupPlanAssociations.updateForComputeInstance` `backupdr.managementServers.access` `backupdr.managementServers.backupAccess` `backupdr.managementServers.get` `backupdr.managementServers.getDynamicProtection` `backupdr.managementServers.getIamPolicy` `backupdr.managementServers.list` `backupdr.managementServers.listDynamicProtection` `backupdr.managementServers.viewBackupPlans` `backupdr.managementServers.viewBackupServers` `backupdr.managementServers.viewReports` `backupdr.managementServers.viewStorage` `backupdr.managementServers.viewSystem` `backupdr.managementServers.viewWorkflows` `backupdr.operations.get` `backupdr.operations.list` `backupdr.trial.get` `resourcemanager.projects.get` `resourcemanager.projects.list`
Backup and DR User V2 (`roles/backupdr.userv2`) Provides full access to Backup and DR resources except deploying and managing backup infrastructure, expiring backups, changing data sensitivity and configuring on-premises billing.	`backupdr.backupPlanAssociations.` `backupdr.backupPlanAssociations.createForAlloydbCluster` `backupdr.backupPlanAssociations.createForCloudSqlInstance` `backupdr.backupPlanAssociations.createForComputeDisk` `backupdr.backupPlanAssociations.createForComputeInstance` `backupdr.backupPlanAssociations.createForFilestoreInstance` `backupdr.backupPlanAssociations.deleteForAlloydbCluster` `backupdr.backupPlanAssociations.deleteForCloudSqlInstance` `backupdr.backupPlanAssociations.deleteForComputeDisk` `backupdr.backupPlanAssociations.deleteForComputeInstance` `backupdr.backupPlanAssociations.deleteForFilestoreInstance` `backupdr.backupPlanAssociations.fetchForAlloydbCluster` `backupdr.backupPlanAssociations.fetchForCloudSqlInstance` `backupdr.backupPlanAssociations.fetchForComputeDisk` `backupdr.backupPlanAssociations.fetchForComputeInstance` `backupdr.backupPlanAssociations.fetchForFilestoreInstance` `backupdr.backupPlanAssociations.getForAlloydbCluster` `backupdr.backupPlanAssociations.getForCloudSqlInstance` `backupdr.backupPlanAssociations.getForComputeDisk` `backupdr.backupPlanAssociations.getForComputeInstance` `backupdr.backupPlanAssociations.getForFilestoreInstance` `backupdr.backupPlanAssociations.list` `backupdr.backupPlanAssociations.triggerBackupForAlloydbCluster` `backupdr.backupPlanAssociations.triggerBackupForCloudSqlInstance` `backupdr.backupPlanAssociations.triggerBackupForComputeDisk` `backupdr.backupPlanAssociations.triggerBackupForComputeInstance` `backupdr.backupPlanAssociations.triggerBackupForFilestoreInstance` `backupdr.backupPlanAssociations.updateForAlloydbCluster` `backupdr.backupPlanAssociations.updateForComputeDisk` `backupdr.backupPlanAssociations.updateForComputeInstance` `backupdr.backupPlanAssociations.updateForFilestoreInstance` `backupdr.backupPlanRevisions.` `backupdr.backupPlanRevisions.get` `backupdr.backupPlanRevisions.list` `backupdr.backupPlans.` `backupdr.backupPlans.create` `backupdr.backupPlans.delete` `backupdr.backupPlans.get` `backupdr.backupPlans.list` `backupdr.backupPlans.update` `backupdr.backupPlans.useForAlloydbCluster` `backupdr.backupPlans.useForCloudSqlInstance` `backupdr.backupPlans.useForComputeDisk` `backupdr.backupPlans.useForComputeInstance` `backupdr.backupPlans.useForFilestoreInstance` `backupdr.backupVaults.associate` `backupdr.backupVaults.get` `backupdr.backupVaults.list` `backupdr.bvbackups.fetchForCloudSqlInstance` `backupdr.bvbackups.fetchForComputeDisk` `backupdr.bvbackups.fetchForComputeInstance` `backupdr.bvbackups.get` `backupdr.bvbackups.list` `backupdr.bvbackups.restore` `backupdr.bvbackups.useReadOnlyForAlloydbCluster` `backupdr.bvbackups.useReadOnlyForCloudSqlInstance` `backupdr.bvbackups.useReadOnlyForFilestoreInstance` `backupdr.bvdataSources.get` `backupdr.bvdataSources.list` `backupdr.bvdataSources.useReadOnlyForAlloydbCluster` `backupdr.bvdataSources.useReadOnlyForCloudSqlInstance` `backupdr.compute.restoreFromBackupVault` `backupdr.dataSourceReferences.` `backupdr.dataSourceReferences.fetchForAlloydbCluster` `backupdr.dataSourceReferences.fetchForCloudSqlInstance` `backupdr.dataSourceReferences.fetchForFilestoreInstance` `backupdr.dataSourceReferences.getForAlloydbCluster` `backupdr.dataSourceReferences.getForCloudSqlInstance` `backupdr.dataSourceReferences.getForFilestoreInstance` `backupdr.dataSourceReferences.list` `backupdr.locations.*` `backupdr.locations.get` `backupdr.locations.list` `backupdr.managementServers.access` `backupdr.managementServers.assignBackupPlans` `backupdr.managementServers.backupAccess` `backupdr.managementServers.createDynamicProtection` `backupdr.managementServers.deleteDynamicProtection` `backupdr.managementServers.get` `backupdr.managementServers.getDynamicProtection` `backupdr.managementServers.getIamPolicy` `backupdr.managementServers.list` `backupdr.managementServers.listDynamicProtection` `backupdr.managementServers.manageApplications` `backupdr.managementServers.manageBackupPlans` `backupdr.managementServers.manageBackups` `backupdr.managementServers.manageClones` `backupdr.managementServers.manageHosts` `backupdr.managementServers.manageJobs` `backupdr.managementServers.manageLiveClones` `backupdr.managementServers.manageMigrations` `backupdr.managementServers.manageMirroring` `backupdr.managementServers.manageMounts` `backupdr.managementServers.manageRestores` `backupdr.managementServers.manageWorkflows` `backupdr.managementServers.refreshWorkflows` `backupdr.managementServers.runWorkflows` `backupdr.managementServers.testFailOvers` `backupdr.managementServers.viewBackupPlans` `backupdr.managementServers.viewBackupServers` `backupdr.managementServers.viewReports` `backupdr.managementServers.viewStorage` `backupdr.managementServers.viewSystem` `backupdr.managementServers.viewWorkflows` `backupdr.operations.get` `backupdr.operations.list` `backupdr.trial.get` `resourcemanager.projects.get` `resourcemanager.projects.list`
Backup and DR Viewer (`roles/backupdr.viewer`) Provides read-only access to all Backup and DR resources.	`backupdr.backupPlanAssociations.fetchForAlloydbCluster` `backupdr.backupPlanAssociations.fetchForCloudSqlInstance` `backupdr.backupPlanAssociations.fetchForComputeDisk` `backupdr.backupPlanAssociations.fetchForComputeInstance` `backupdr.backupPlanAssociations.fetchForFilestoreInstance` `backupdr.backupPlanAssociations.getForAlloydbCluster` `backupdr.backupPlanAssociations.getForCloudSqlInstance` `backupdr.backupPlanAssociations.getForComputeDisk` `backupdr.backupPlanAssociations.getForComputeInstance` `backupdr.backupPlanAssociations.getForFilestoreInstance` `backupdr.backupPlanAssociations.list` `backupdr.backupPlanRevisions.` `backupdr.backupPlanRevisions.get` `backupdr.backupPlanRevisions.list` `backupdr.backupPlans.get` `backupdr.backupPlans.list` `backupdr.backupVaults.get` `backupdr.backupVaults.list` `backupdr.bvbackups.fetchForCloudSqlInstance` `backupdr.bvbackups.fetchForComputeDisk` `backupdr.bvbackups.fetchForComputeInstance` `backupdr.bvbackups.get` `backupdr.bvbackups.list` `backupdr.bvdataSources.get` `backupdr.bvdataSources.list` `backupdr.dataSourceReferences.` `backupdr.dataSourceReferences.fetchForAlloydbCluster` `backupdr.dataSourceReferences.fetchForCloudSqlInstance` `backupdr.dataSourceReferences.fetchForFilestoreInstance` `backupdr.dataSourceReferences.getForAlloydbCluster` `backupdr.dataSourceReferences.getForCloudSqlInstance` `backupdr.dataSourceReferences.getForFilestoreInstance` `backupdr.dataSourceReferences.list` `backupdr.locations.*` `backupdr.locations.get` `backupdr.locations.list` `backupdr.managementServers.access` `backupdr.managementServers.backupAccess` `backupdr.managementServers.get` `backupdr.managementServers.getDynamicProtection` `backupdr.managementServers.getIamPolicy` `backupdr.managementServers.list` `backupdr.managementServers.listDynamicProtection` `backupdr.managementServers.viewBackupPlans` `backupdr.managementServers.viewBackupServers` `backupdr.managementServers.viewReports` `backupdr.managementServers.viewStorage` `backupdr.managementServers.viewSystem` `backupdr.managementServers.viewWorkflows` `backupdr.operations.get` `backupdr.operations.list` `backupdr.trial.get` `resourcemanager.projects.get` `resourcemanager.projects.list`

Backup and DR Admin

(roles/backupdr.admin)

Provides full access to all Backup and DR resources.

backupdr.backupPlanAssociations.*

backupdr.backupPlanAssociations.createForAlloydbCluster
backupdr.backupPlanAssociations.createForCloudSqlInstance
backupdr.backupPlanAssociations.createForComputeDisk
backupdr.backupPlanAssociations.createForComputeInstance
backupdr.backupPlanAssociations.createForFilestoreInstance
backupdr.backupPlanAssociations.deleteForAlloydbCluster
backupdr.backupPlanAssociations.deleteForCloudSqlInstance
backupdr.backupPlanAssociations.deleteForComputeDisk
backupdr.backupPlanAssociations.deleteForComputeInstance
backupdr.backupPlanAssociations.deleteForFilestoreInstance
backupdr.backupPlanAssociations.fetchForAlloydbCluster
backupdr.backupPlanAssociations.fetchForCloudSqlInstance
backupdr.backupPlanAssociations.fetchForComputeDisk
backupdr.backupPlanAssociations.fetchForComputeInstance
backupdr.backupPlanAssociations.fetchForFilestoreInstance
backupdr.backupPlanAssociations.getForAlloydbCluster
backupdr.backupPlanAssociations.getForCloudSqlInstance
backupdr.backupPlanAssociations.getForComputeDisk
backupdr.backupPlanAssociations.getForComputeInstance
backupdr.backupPlanAssociations.getForFilestoreInstance
backupdr.backupPlanAssociations.list
backupdr.backupPlanAssociations.triggerBackupForAlloydbCluster
backupdr.backupPlanAssociations.triggerBackupForCloudSqlInstance
backupdr.backupPlanAssociations.triggerBackupForComputeDisk
backupdr.backupPlanAssociations.triggerBackupForComputeInstance
backupdr.backupPlanAssociations.triggerBackupForFilestoreInstance
backupdr.backupPlanAssociations.updateForAlloydbCluster
backupdr.backupPlanAssociations.updateForComputeDisk
backupdr.backupPlanAssociations.updateForComputeInstance
backupdr.backupPlanAssociations.updateForFilestoreInstance

backupdr.backupPlanRevisions.*

backupdr.backupPlanRevisions.get
backupdr.backupPlanRevisions.list

backupdr.backupPlans.*

backupdr.backupPlans.create
backupdr.backupPlans.delete
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.backupPlans.update
backupdr.backupPlans.useForAlloydbCluster
backupdr.backupPlans.useForCloudSqlInstance
backupdr.backupPlans.useForComputeDisk
backupdr.backupPlans.useForComputeInstance
backupdr.backupPlans.useForFilestoreInstance

backupdr.backupVaults.*

backupdr.backupVaults.associate
backupdr.backupVaults.create
backupdr.backupVaults.delete
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.backupVaults.update

backupdr.bvbackups.*

backupdr.bvbackups.delete
backupdr.bvbackups.fetchForCloudSqlInstance
backupdr.bvbackups.fetchForComputeDisk
backupdr.bvbackups.fetchForComputeInstance
backupdr.bvbackups.get
backupdr.bvbackups.list
backupdr.bvbackups.restore
backupdr.bvbackups.update
backupdr.bvbackups.useReadOnlyForAlloydbCluster
backupdr.bvbackups.useReadOnlyForCloudSqlInstance
backupdr.bvbackups.useReadOnlyForFilestoreInstance

backupdr.bvdataSources.*

backupdr.bvdataSources.abandonBackup
backupdr.bvdataSources.fetchAccessToken
backupdr.bvdataSources.finalizeBackup
backupdr.bvdataSources.get
backupdr.bvdataSources.initiateBackup
backupdr.bvdataSources.list
backupdr.bvdataSources.remove
backupdr.bvdataSources.setInternalStatus
backupdr.bvdataSources.update
backupdr.bvdataSources.useReadOnlyForAlloydbCluster
backupdr.bvdataSources.useReadOnlyForCloudSqlInstance

backupdr.compute.restoreFromBackupVault

backupdr.dataSourceReferences.*

backupdr.dataSourceReferences.fetchForAlloydbCluster
backupdr.dataSourceReferences.fetchForCloudSqlInstance
backupdr.dataSourceReferences.fetchForFilestoreInstance
backupdr.dataSourceReferences.getForAlloydbCluster
backupdr.dataSourceReferences.getForCloudSqlInstance
backupdr.dataSourceReferences.getForFilestoreInstance
backupdr.dataSourceReferences.list

backupdr.locations.*

backupdr.locations.get
backupdr.locations.list

backupdr.managementServers.*

backupdr.managementServers.access
backupdr.managementServers.accessSensitiveData
backupdr.managementServers.assignBackupPlans
backupdr.managementServers.backupAccess
backupdr.managementServers.create
backupdr.managementServers.createConnection
backupdr.managementServers.createDynamicProtection
backupdr.managementServers.delete
backupdr.managementServers.deleteDynamicProtection
backupdr.managementServers.get
backupdr.managementServers.getDynamicProtection
backupdr.managementServers.getIamPolicy
backupdr.managementServers.list
backupdr.managementServers.listDynamicProtection
backupdr.managementServers.manageApplications
backupdr.managementServers.manageBackupPlans
backupdr.managementServers.manageBackupServers
backupdr.managementServers.manageBackups
backupdr.managementServers.manageClones
backupdr.managementServers.manageExpiration
backupdr.managementServers.manageHosts
backupdr.managementServers.manageInternalACL
backupdr.managementServers.manageJobs
backupdr.managementServers.manageLiveClones
backupdr.managementServers.manageMigrations
backupdr.managementServers.manageMirroring
backupdr.managementServers.manageMounts
backupdr.managementServers.manageRestores
backupdr.managementServers.manageSensitiveData
backupdr.managementServers.manageStorage
backupdr.managementServers.manageSystem
backupdr.managementServers.manageWorkflows
backupdr.managementServers.refreshWorkflows
backupdr.managementServers.runWorkflows
backupdr.managementServers.setIamPolicy
backupdr.managementServers.testFailOvers
backupdr.managementServers.viewBackupPlans
backupdr.managementServers.viewBackupServers
backupdr.managementServers.viewReports
backupdr.managementServers.viewStorage
backupdr.managementServers.viewSystem
backupdr.managementServers.viewWorkflows

backupdr.operations.*

backupdr.operations.cancel
backupdr.operations.delete
backupdr.operations.get
backupdr.operations.list

backupdr.serviceConfig.initialize

backupdr.trial.*

backupdr.trial.end
backupdr.trial.get
backupdr.trial.subscribe

resourcemanager.projects.get

resourcemanager.projects.list

Backup and DR Backup Config Viewer ^Beta

(roles/backupdr.backupConfigViewer)

Provides read access to resource backup config. Resource backup config has the metadata of a Google Cloud resource that can be backed up, along with its backup configurations.

backupdr.locations.list

backupdr.resourceBackupConfigs.*

backupdr.resourceBackupConfigs.get
backupdr.resourceBackupConfigs.list

Backup and DR Backup User

(roles/backupdr.backupUser)

Allows the user to apply existing backup plans. This role cannot create backup plans or restore from a backup.

backupdr.backupPlanAssociations.*

backupdr.backupPlanAssociations.createForAlloydbCluster
backupdr.backupPlanAssociations.createForCloudSqlInstance
backupdr.backupPlanAssociations.createForComputeDisk
backupdr.backupPlanAssociations.createForComputeInstance
backupdr.backupPlanAssociations.createForFilestoreInstance
backupdr.backupPlanAssociations.deleteForAlloydbCluster
backupdr.backupPlanAssociations.deleteForCloudSqlInstance
backupdr.backupPlanAssociations.deleteForComputeDisk
backupdr.backupPlanAssociations.deleteForComputeInstance
backupdr.backupPlanAssociations.deleteForFilestoreInstance
backupdr.backupPlanAssociations.fetchForAlloydbCluster
backupdr.backupPlanAssociations.fetchForCloudSqlInstance
backupdr.backupPlanAssociations.fetchForComputeDisk
backupdr.backupPlanAssociations.fetchForComputeInstance
backupdr.backupPlanAssociations.fetchForFilestoreInstance
backupdr.backupPlanAssociations.getForAlloydbCluster
backupdr.backupPlanAssociations.getForCloudSqlInstance
backupdr.backupPlanAssociations.getForComputeDisk
backupdr.backupPlanAssociations.getForComputeInstance
backupdr.backupPlanAssociations.getForFilestoreInstance
backupdr.backupPlanAssociations.list
backupdr.backupPlanAssociations.triggerBackupForAlloydbCluster
backupdr.backupPlanAssociations.triggerBackupForCloudSqlInstance
backupdr.backupPlanAssociations.triggerBackupForComputeDisk
backupdr.backupPlanAssociations.triggerBackupForComputeInstance
backupdr.backupPlanAssociations.triggerBackupForFilestoreInstance
backupdr.backupPlanAssociations.updateForAlloydbCluster
backupdr.backupPlanAssociations.updateForComputeDisk
backupdr.backupPlanAssociations.updateForComputeInstance
backupdr.backupPlanAssociations.updateForFilestoreInstance

backupdr.backupPlanRevisions.*

backupdr.backupPlanRevisions.get
backupdr.backupPlanRevisions.list

backupdr.backupPlans.get

backupdr.backupPlans.list

backupdr.backupPlans.useForAlloydbCluster

backupdr.backupPlans.useForCloudSqlInstance

backupdr.backupPlans.useForComputeDisk

backupdr.backupPlans.useForComputeInstance

backupdr.backupPlans.useForFilestoreInstance

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.bvbackups.fetchForCloudSqlInstance

backupdr.bvbackups.fetchForComputeDisk

backupdr.bvbackups.fetchForComputeInstance

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvdataSources.get

backupdr.bvdataSources.list

backupdr.dataSourceReferences.*

backupdr.dataSourceReferences.fetchForAlloydbCluster
backupdr.dataSourceReferences.fetchForCloudSqlInstance
backupdr.dataSourceReferences.fetchForFilestoreInstance
backupdr.dataSourceReferences.getForAlloydbCluster
backupdr.dataSourceReferences.getForCloudSqlInstance
backupdr.dataSourceReferences.getForFilestoreInstance
backupdr.dataSourceReferences.list

backupdr.locations.*

backupdr.locations.get
backupdr.locations.list

backupdr.managementServers.access

backupdr.managementServers.assignBackupPlans

backupdr.managementServers.createDynamicProtection

backupdr.managementServers.deleteDynamicProtection

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.manageApplications

backupdr.managementServers.manageBackups

backupdr.managementServers.manageHosts

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Backup and DR Backup Vault Accessor

(roles/backupdr.backupvaultAccessor)

Allows the Backup Appliance permissions to create and manage backups in a backup vault.

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.bvbackups.delete

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvbackups.update

backupdr.bvdataSources.abandonBackup

backupdr.bvdataSources.fetchAccessToken

backupdr.bvdataSources.finalizeBackup

backupdr.bvdataSources.get

backupdr.bvdataSources.initiateBackup

backupdr.bvdataSources.list

backupdr.bvdataSources.remove

backupdr.bvdataSources.setInternalStatus

backupdr.bvdataSources.update

backupdr.operations.*

backupdr.operations.cancel
backupdr.operations.delete
backupdr.operations.get
backupdr.operations.list

Backup and DR Backup Vault Admin

(roles/backupdr.backupvaultAdmin)

Allows the Backup Appliance full administrative control of backup vault resources.

backupdr.backupVaults.*

backupdr.backupVaults.associate
backupdr.backupVaults.create
backupdr.backupVaults.delete
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.backupVaults.update

backupdr.bvbackups.delete

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvbackups.restore

backupdr.bvbackups.update

backupdr.bvdataSources.get

backupdr.bvdataSources.list

backupdr.bvdataSources.update

backupdr.compute.restoreFromBackupVault

backupdr.locations.*

backupdr.locations.get
backupdr.locations.list

backupdr.operations.*

backupdr.operations.cancel
backupdr.operations.delete
backupdr.operations.get
backupdr.operations.list

Backup and DR Backup Vault Lister

(roles/backupdr.backupvaultLister)

Allows the Backup Appliance permission to list backup vaults in a given project.

backupdr.backupVaults.list

Backup and DR Backup Vault Viewer

(roles/backupdr.backupvaultViewer)

Allows read-only permissions to access backup vault resources and backups.

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvdataSources.get

backupdr.bvdataSources.list

backupdr.operations.get

backupdr.operations.list

Backup and DR Cloud SQL Operator ^Beta

(roles/backupdr.cloudSqlOperator)

Allows a Backup and DR service account to discover and backup Cloud SQL instances.

cloudsql.instances.createBackupDrBackup

cloudsql.instances.get

Backup and DR Cloud Storage Operator

(roles/backupdr.cloudStorageOperator)

Allows a Backup and DR service account to store and manage data (backups or metadata) in Cloud Storage.

storage.buckets.create

storage.buckets.get

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

Backup and DR Compute Engine Operator

(roles/backupdr.computeEngineOperator)

Allows a Backup and DR service account to discover, back up, and restore Compute Engine VM instances.

backupdr.managementServers.createConnection

compute.addresses.list

compute.addresses.use

compute.addresses.useInternal

compute.diskTypes.*

compute.diskTypes.get
compute.diskTypes.list

compute.disks.create

compute.disks.createSnapshot

compute.disks.delete

compute.disks.get

compute.disks.setLabels

compute.disks.use

compute.disks.useReadOnly

compute.firewalls.list

compute.globalOperations.get

compute.images.create

compute.images.delete

compute.images.get

compute.images.useReadOnly

compute.instances.attachDisk

compute.instances.create

compute.instances.createTagBinding

compute.instances.delete

compute.instances.detachDisk

compute.instances.get

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.pscInterfaceCreate

compute.instances.setDeletionProtection

compute.instances.setLabels

compute.instances.setMetadata

compute.instances.setServiceAccount

compute.instances.setTags

compute.instances.start

compute.instances.stop

compute.instances.updateDisplayDevice

compute.instances.useReadOnly

compute.machineTypes.*

compute.machineTypes.get
compute.machineTypes.list

compute.networks.list

compute.nodeGroups.get

compute.nodeGroups.list

compute.nodeTemplates.get

compute.projects.get

compute.regionOperations.get

compute.regions.*

compute.regions.get
compute.regions.list

compute.resourcePolicies.use

compute.snapshots.create

compute.snapshots.delete

compute.snapshots.get

compute.snapshots.setLabels

compute.snapshots.useReadOnly

compute.subnetworks.list

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.zoneOperations.get

compute.zones.list

iam.serviceAccounts.actAs

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

Backup and DR Disk Operator ^Beta

(roles/backupdr.diskOperator)

Allows a Backup and DR service account to store and manage data (backups or metadata) in Disk.

compute.disks.create

compute.disks.createSnapshot

compute.disks.createTagBinding

compute.disks.get

compute.disks.list

compute.disks.setLabels

compute.disks.useReadOnly

compute.regionOperations.get

compute.resourcePolicies.use

compute.snapshots.setLabels

compute.snapshots.useReadOnly

compute.storagePools.use

compute.zoneOperations.get

Backup and DR Filestore Operator ^Beta

(roles/backupdr.filestoreOperator)

Allows a Backup and DR service account to discover and backup Filestore instances.

file.backups.create

file.instances.get

Backup and DR Management Server Accessor

(roles/backupdr.managementServerAccessor)

Grants the Backup and DR management server access role to Backup Appliances.

backupdr.managementServers.createConnection

Backup and DR Mount User

(roles/backupdr.mountUser)

Allows the user to mount from a backup. This role cannot create a backup plan or restore from a backup.

backupdr.locations.*

backupdr.locations.get
backupdr.locations.list

backupdr.managementServers.access

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.manageApplications

backupdr.managementServers.manageClones

backupdr.managementServers.manageHosts

backupdr.managementServers.manageLiveClones

backupdr.managementServers.manageMirroring

backupdr.managementServers.manageMounts

backupdr.managementServers.manageWorkflows

backupdr.managementServers.refreshWorkflows

backupdr.managementServers.runWorkflows

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Backup and DR Restore User

(roles/backupdr.restoreUser)

Allows the user to restore or mount from a backup. This role cannot create a backup plan.

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.bvbackups.fetchForCloudSqlInstance

backupdr.bvbackups.fetchForComputeDisk

backupdr.bvbackups.fetchForComputeInstance

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvbackups.restore

backupdr.bvbackups.useReadOnlyForAlloydbCluster

backupdr.bvbackups.useReadOnlyForCloudSqlInstance

backupdr.bvbackups.useReadOnlyForFilestoreInstance

backupdr.bvdataSources.get

backupdr.bvdataSources.list

backupdr.bvdataSources.useReadOnlyForAlloydbCluster

backupdr.bvdataSources.useReadOnlyForCloudSqlInstance

backupdr.compute.restoreFromBackupVault

backupdr.dataSourceReferences.*

backupdr.dataSourceReferences.fetchForAlloydbCluster
backupdr.dataSourceReferences.fetchForCloudSqlInstance
backupdr.dataSourceReferences.fetchForFilestoreInstance
backupdr.dataSourceReferences.getForAlloydbCluster
backupdr.dataSourceReferences.getForCloudSqlInstance
backupdr.dataSourceReferences.getForFilestoreInstance
backupdr.dataSourceReferences.list

backupdr.locations.*

backupdr.locations.get
backupdr.locations.list

backupdr.managementServers.access

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.manageApplications

backupdr.managementServers.manageClones

backupdr.managementServers.manageHosts

backupdr.managementServers.manageLiveClones

backupdr.managementServers.manageMigrations

backupdr.managementServers.manageMirroring

backupdr.managementServers.manageMounts

backupdr.managementServers.manageRestores

backupdr.managementServers.manageWorkflows

backupdr.managementServers.refreshWorkflows

backupdr.managementServers.runWorkflows

backupdr.managementServers.testFailOvers

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Backup and DR Service Agent

(roles/backupdr.serviceAgent)

Grants the Backup and DR Service access to protect Compute Engine instances.

alloydb.operations.get

cloudsql.instances.createBackupDrBackup

cloudsql.instances.get

compute.addresses.list

compute.addresses.use

compute.addresses.useInternal

compute.diskTypes.*

compute.diskTypes.get
compute.diskTypes.list

compute.disks.create

compute.disks.createSnapshot

compute.disks.delete

compute.disks.get

compute.disks.list

compute.disks.setLabels

compute.disks.use

compute.disks.useReadOnly

compute.firewalls.list

compute.globalOperations.get

compute.images.create

compute.images.delete

compute.images.get

compute.images.useReadOnly

compute.instances.attachDisk

compute.instances.create

compute.instances.delete

compute.instances.detachDisk

compute.instances.get

compute.instances.list

compute.instances.setLabels

compute.instances.setMetadata

compute.instances.setServiceAccount

compute.instances.setTags

compute.instances.start

compute.instances.stop

compute.instances.useReadOnly

compute.machineTypes.*

compute.machineTypes.get
compute.machineTypes.list

compute.networks.list

compute.nodeGroups.get

compute.nodeGroups.list

compute.nodeTemplates.get

compute.projects.get

compute.regionOperations.get

compute.regions.*

compute.regions.get
compute.regions.list

compute.snapshots.create

compute.snapshots.delete

compute.snapshots.get

compute.snapshots.setLabels

compute.snapshots.useReadOnly

compute.subnetworks.list

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.zoneOperations.get

compute.zones.list

file.backups.create

file.instances.get

iam.serviceAccounts.actAs

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

Backup and DR User

(roles/backupdr.user)

Provides access to management console. Granular Backup and DR permissions depend on ACL configuration provided by Backup and DR admin within the management console.

backupdr.backupPlanAssociations.createForComputeInstance

backupdr.backupPlanAssociations.deleteForComputeInstance

backupdr.backupPlanAssociations.updateForComputeInstance

backupdr.managementServers.access

backupdr.managementServers.backupAccess

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.getIamPolicy

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewBackupServers

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

backupdr.trial.get

resourcemanager.projects.get

resourcemanager.projects.list

Backup and DR User V2

(roles/backupdr.userv2)

Provides full access to Backup and DR resources except deploying and managing backup infrastructure, expiring backups, changing data sensitivity and configuring on-premises billing.

backupdr.backupPlanAssociations.*

backupdr.backupPlanAssociations.createForAlloydbCluster
backupdr.backupPlanAssociations.createForCloudSqlInstance
backupdr.backupPlanAssociations.createForComputeDisk
backupdr.backupPlanAssociations.createForComputeInstance
backupdr.backupPlanAssociations.createForFilestoreInstance
backupdr.backupPlanAssociations.deleteForAlloydbCluster
backupdr.backupPlanAssociations.deleteForCloudSqlInstance
backupdr.backupPlanAssociations.deleteForComputeDisk
backupdr.backupPlanAssociations.deleteForComputeInstance
backupdr.backupPlanAssociations.deleteForFilestoreInstance
backupdr.backupPlanAssociations.fetchForAlloydbCluster
backupdr.backupPlanAssociations.fetchForCloudSqlInstance
backupdr.backupPlanAssociations.fetchForComputeDisk
backupdr.backupPlanAssociations.fetchForComputeInstance
backupdr.backupPlanAssociations.fetchForFilestoreInstance
backupdr.backupPlanAssociations.getForAlloydbCluster
backupdr.backupPlanAssociations.getForCloudSqlInstance
backupdr.backupPlanAssociations.getForComputeDisk
backupdr.backupPlanAssociations.getForComputeInstance
backupdr.backupPlanAssociations.getForFilestoreInstance
backupdr.backupPlanAssociations.list
backupdr.backupPlanAssociations.triggerBackupForAlloydbCluster
backupdr.backupPlanAssociations.triggerBackupForCloudSqlInstance
backupdr.backupPlanAssociations.triggerBackupForComputeDisk
backupdr.backupPlanAssociations.triggerBackupForComputeInstance
backupdr.backupPlanAssociations.triggerBackupForFilestoreInstance
backupdr.backupPlanAssociations.updateForAlloydbCluster
backupdr.backupPlanAssociations.updateForComputeDisk
backupdr.backupPlanAssociations.updateForComputeInstance
backupdr.backupPlanAssociations.updateForFilestoreInstance

backupdr.backupPlanRevisions.*

backupdr.backupPlanRevisions.get
backupdr.backupPlanRevisions.list

backupdr.backupPlans.*

backupdr.backupPlans.create
backupdr.backupPlans.delete
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.backupPlans.update
backupdr.backupPlans.useForAlloydbCluster
backupdr.backupPlans.useForCloudSqlInstance
backupdr.backupPlans.useForComputeDisk
backupdr.backupPlans.useForComputeInstance
backupdr.backupPlans.useForFilestoreInstance

backupdr.backupVaults.associate

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.bvbackups.fetchForCloudSqlInstance

backupdr.bvbackups.fetchForComputeDisk

backupdr.bvbackups.fetchForComputeInstance

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvbackups.restore

backupdr.bvbackups.useReadOnlyForAlloydbCluster

backupdr.bvbackups.useReadOnlyForCloudSqlInstance

backupdr.bvbackups.useReadOnlyForFilestoreInstance

backupdr.bvdataSources.get

backupdr.bvdataSources.list

backupdr.bvdataSources.useReadOnlyForAlloydbCluster

backupdr.bvdataSources.useReadOnlyForCloudSqlInstance

backupdr.compute.restoreFromBackupVault

backupdr.dataSourceReferences.*

backupdr.dataSourceReferences.fetchForAlloydbCluster
backupdr.dataSourceReferences.fetchForCloudSqlInstance
backupdr.dataSourceReferences.fetchForFilestoreInstance
backupdr.dataSourceReferences.getForAlloydbCluster
backupdr.dataSourceReferences.getForCloudSqlInstance
backupdr.dataSourceReferences.getForFilestoreInstance
backupdr.dataSourceReferences.list

backupdr.locations.*

backupdr.locations.get
backupdr.locations.list

backupdr.managementServers.access

backupdr.managementServers.assignBackupPlans

backupdr.managementServers.backupAccess

backupdr.managementServers.createDynamicProtection

backupdr.managementServers.deleteDynamicProtection

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.getIamPolicy

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.manageApplications

backupdr.managementServers.manageBackupPlans

backupdr.managementServers.manageBackups

backupdr.managementServers.manageClones

backupdr.managementServers.manageHosts

backupdr.managementServers.manageJobs

backupdr.managementServers.manageLiveClones

backupdr.managementServers.manageMigrations

backupdr.managementServers.manageMirroring

backupdr.managementServers.manageMounts

backupdr.managementServers.manageRestores

backupdr.managementServers.manageWorkflows

backupdr.managementServers.refreshWorkflows

backupdr.managementServers.runWorkflows

backupdr.managementServers.testFailOvers

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewBackupServers

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

backupdr.trial.get

resourcemanager.projects.get

resourcemanager.projects.list

Backup and DR Viewer

(roles/backupdr.viewer)

Provides read-only access to all Backup and DR resources.

backupdr.backupPlanAssociations.fetchForAlloydbCluster

backupdr.backupPlanAssociations.fetchForCloudSqlInstance

backupdr.backupPlanAssociations.fetchForComputeDisk

backupdr.backupPlanAssociations.fetchForComputeInstance

backupdr.backupPlanAssociations.fetchForFilestoreInstance

backupdr.backupPlanAssociations.getForAlloydbCluster

backupdr.backupPlanAssociations.getForCloudSqlInstance

backupdr.backupPlanAssociations.getForComputeDisk

backupdr.backupPlanAssociations.getForComputeInstance

backupdr.backupPlanAssociations.getForFilestoreInstance

backupdr.backupPlanAssociations.list

backupdr.backupPlanRevisions.*

backupdr.backupPlanRevisions.get
backupdr.backupPlanRevisions.list

backupdr.backupPlans.get

backupdr.backupPlans.list

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.bvbackups.fetchForCloudSqlInstance

backupdr.bvbackups.fetchForComputeDisk

backupdr.bvbackups.fetchForComputeInstance

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvdataSources.get

backupdr.bvdataSources.list

backupdr.dataSourceReferences.*

backupdr.dataSourceReferences.fetchForAlloydbCluster
backupdr.dataSourceReferences.fetchForCloudSqlInstance
backupdr.dataSourceReferences.fetchForFilestoreInstance
backupdr.dataSourceReferences.getForAlloydbCluster
backupdr.dataSourceReferences.getForCloudSqlInstance
backupdr.dataSourceReferences.getForFilestoreInstance
backupdr.dataSourceReferences.list

backupdr.locations.*

backupdr.locations.get
backupdr.locations.list

backupdr.managementServers.access

backupdr.managementServers.backupAccess

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.getIamPolicy

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewBackupServers

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

backupdr.trial.get

resourcemanager.projects.get

resourcemanager.projects.list

Roles básicos

Los roles básicos son roles a nivel de proyecto anteriores a la gestión de identidades y accesos. Consulta Roles básicos para obtener más información.

Aunque Backup and DR admite los siguientes roles básicos, siempre que sea posible, debes usar uno de los roles predefinidos. Los roles básicos incluyen permisos generales que se aplican a todos tus recursos de Google Cloud . Por el contrario, los roles predefinidos de Backup and DR incluyen permisos detallados que solo se aplican a Backup and DR.

Rol básico de gestión de identidades y accesos	Descripción
Editor (`roles/editor`)	Proporciona acceso completo a todos los recursos de Backup and DR.
Propietario (`roles/owner`)	Proporciona acceso completo a todos los recursos de Backup and DR.

Permisos de gestión de identidades y accesos para el servicio de Backup y DR

En la siguiente tabla se indican los permisos de IAM que están asociados al servicio de copia de seguridad y recuperación tras desastres. Los permisos de IAM se agrupan en roles y tú asignas roles a usuarios y grupos.

En la siguiente tabla se muestra la descripción de cada permiso de Backup and DR.

Nombre del permiso	Descripción
backupdr.managementServers.manageClones	Proporciona permisos para crear y gestionar clones a partir de copias de seguridad.
backupdr.managementServers.manageLiveClones	Proporciona permisos para crear y gestionar LiveClones a partir de copias de seguridad.
backupdr.managementServers.manageMounts	Proporciona permisos para crear y gestionar montajes activos a partir de copias de seguridad.
backupdr.managementServers.manageRestores	Proporciona los permisos necesarios para restaurar copias de seguridad.
backupdr.managementServers.manageBackups	Proporciona permisos para realizar operaciones de copia de seguridad: Crear copia de seguridad ahora.
backupdr.managementServers.viewSystem	Proporciona acceso para ver la configuración del dispositivo de copia de seguridad o recuperación.
backupdr.managementServers.manageSystem	Proporciona permisos para configurar dispositivos de copia de seguridad y recuperación, así como el gestor de informes.
backupdr.managementServers.viewStorage	Proporciona acceso para ver las configuraciones de almacenamiento y de grupos de discos.
backupdr.managementServers.manageStorage	Proporciona permisos para añadir, modificar, eliminar y ver grupos de almacenamiento y de discos.
backupdr.managementServers.viewBackupPlans	Proporciona acceso para ver planes de copias de seguridad, plantillas de copias de seguridad y perfiles de recursos.
backupdr.managementServers.assignBackupPlans	Proporciona permisos para asignar planes de copias de seguridad preconfigurados (plantillas de copias de seguridad y perfiles de recursos) a aplicaciones o cargas de trabajo.
backupdr.managementServers.manageBackupPlans	Proporciona permisos para crear, modificar, eliminar, ver y asignar planes de copias de seguridad (plantillas de copias de seguridad y perfiles de recursos).
backupdr.managementServers.testFailOvers	Proporciona permisos para realizar conmutaciones por error de prueba y eliminar operaciones de conmutación por error de prueba en una copia de seguridad de StreamSnap remota.
backupdr.managementServers.viewWorkflows	Proporciona acceso para ver los flujos de trabajo de copia de seguridad y recuperación tras fallos que automatizan el acceso a los datos de copia en el servicio Backup y DR.
backupdr.managementServers.runWorkflows	Proporciona permisos para ejecutar un flujo de trabajo de Backup and DR preconfigurado que automatiza el acceso a los datos de copia en el servicio Backup and DR.
backupdr.managementServers.refreshWorkflows	Proporciona permisos para actualizar un clon que se ha creado mediante un flujo de trabajo de copia de seguridad y recuperación ante desastres que automatiza el acceso a los datos de copia en el servicio de copia de seguridad y recuperación ante desastres.
backupdr.managementServers.manageWorkflows	Proporciona permisos para añadir, modificar, eliminar, ejecutar y ver el flujo de trabajo de copia de seguridad y recuperación ante desastres que automatiza el acceso a los datos de copia en el servicio de copia de seguridad y recuperación ante desastres.
backupdr.managementServers.manageMirroring	Proporciona permisos para realizar operaciones de conmutación por error, sincronización, limpieza, restauración tras error, prueba de conmutación por error y eliminación de prueba de conmutación por error en una copia de seguridad de StreamSnap remota.
backupdr.managementServers.manageHosts	Proporciona permisos para añadir, modificar, quitar y ver hosts (máquinas físicas y virtuales).
backupdr.managementServers.manageApplications	Proporciona permisos para gestionar todos los aspectos de las aplicaciones, incluidos los grupos lógicos y los grupos de coherencia, ejecutar copias de seguridad bajo demanda y exportar plantillas.
backupdr.managementServers.manageSensitiveData	Proporciona los permisos necesarios para marcar aplicaciones y copias de seguridad como datos sensibles o no sensibles.
backupdr.managementServers.accessSensitiveData	Proporciona acceso a aplicaciones y copias de seguridad marcadas como sensibles.
backupdr.managementServers.manageBackupServers	Proporciona los permisos necesarios para ejecutar las APIs de Backup Server a través de la consola de gestión.
backupdr.managementServers.manageExpiration	Proporciona los permisos necesarios para caducar las copias de seguridad.
backupdr.managementServers.access	Proporciona acceso a la consola de gestión y a las APIs asociadas.
backupdr.managementServers.onpremUsageUpload	Proporciona acceso a todos los endpoints necesarios para subir el uso a un adaptador local.
backupdr.managementServers.viewReports	Proporciona acceso al Gestor de informes para ejecutar informes y ver o descargar los resultados.
backupdr.managementServers.manageJobs	Proporciona permisos para cancelar tareas y modificar la prioridad de las tareas.
backupdr.managementServers.manageMigrations	Proporciona permisos para gestionar la migración de datos montados como paso final en una operación de restauración o clonación.

Permisos necesarios para usar CMEK

Para obtener información sobre los permisos necesarios para usar CMEK, consulta Claves de cifrado gestionadas por el cliente (CMEK).

Controlar el acceso al servicio Backup y DR con gestión de identidades y accesos Organízate con las colecciones Guarda y clasifica el contenido según tus preferencias.

Cómo controla el acceso la gestión de identidades y accesos

Tipos de roles de gestión de identidades y accesos

Permisos de gestión de identidades y accesos

Permisos a nivel de proyecto y a nivel de recurso

Roles de IAM predefinidos para el servicio de copia de seguridad y recuperación tras desastres

Backup and DR Admin

Backup and DR Backup Config Viewer Beta

Backup and DR Backup User

Backup and DR Backup Vault Accessor

Backup and DR Backup Vault Admin

Backup and DR Backup Vault Lister

Backup and DR Backup Vault Viewer

Backup and DR Cloud SQL Operator Beta

Backup and DR Cloud Storage Operator

Backup and DR Compute Engine Operator

Backup and DR Disk Operator Beta

Backup and DR Filestore Operator Beta

Backup and DR Management Server Accessor

Backup and DR Mount User

Backup and DR Restore User

Backup and DR Service Agent

Backup and DR User

Backup and DR User V2

Backup and DR Viewer

Roles básicos

Permisos de gestión de identidades y accesos para el servicio de Backup y DR

Permisos necesarios para usar CMEK

Controlar el acceso al servicio Backup y DR con gestión de identidades y accesos

Backup and DR Backup Config Viewer ^Beta

Backup and DR Cloud SQL Operator ^Beta

Backup and DR Disk Operator ^Beta

Backup and DR Filestore Operator ^Beta