Controlla l'accesso con IAM

Questa pagina descrive i ruoli e le autorizzazioni IAM richiesti per Google Cloud il servizio di Backup e DR. Quando aggiungi nuove entità al progetto, puoi utilizzare una policy Identity and Access Management (IAM) per assegnare all'entità uno o più ruoli IAM. Ogni ruolo IAM contiene autorizzazioni che concedono alle entità l'accesso per eseguire azioni specifiche su risorse specifiche. Per un elenco di riferimento delle autorizzazioni IAM che si applicano al servizio di Backup e DR, vedi Autorizzazioni IAM per il servizio di Backup e DR.

In che modo IAM controlla l'accesso

Se un'entità (un utente, un gruppo o un account di servizio) chiama un' Google Cloud API, deve disporre delle autorizzazioni IAM appropriate per utilizzare la risorsa. Per concedere a un'entità le autorizzazioni richieste, devi assegnarle un ruolo IAM. Scopri di più sulle entità in IAM.

Tipi di ruoli IAM

Il servizio di Backup e DR dispone di ruoli predefiniti che sono autorizzazioni raggruppate da assegnare a diverse entità. Gli utenti possono anche definire ruoli personalizzati che possono avere una combinazione di singole autorizzazioni per concedere l'accesso all'esecuzione di un workflow Backup e DR o di un'azione specifico.

Autorizzazioni IAM

Le autorizzazioni consentono agli utenti di eseguire azioni specifiche su risorse specifiche. Possono essere raggruppate per formare i ruoli. Ogni autorizzazione si riferisce a un'azione specifica che l'utente può eseguire o a cui può accedere.

Autorizzazioni a livello di progetto e di risorsa

Le autorizzazioni possono essere concesse a livello di progetto o di risorsa. Ad esempio, un amministratore di Backup e RE può scegliere di concedere solo determinate autorizzazioni a livello di bucket di archiviazione anziché all'intero progetto, a seconda della sua policy. La concessione di ruoli a livello di risorsa non influisce sui ruoli esistenti concessi a livello di progetto e viceversa.

Ruoli IAM predefiniti per il servizio di Backup e DR

Il servizio di Backup e DR dispone di un insieme di ruoli IAM predefiniti, descritti su questa pagina. Puoi anche creare ruoli personalizzati che contengono sottoinsiemi di autorizzazioni che corrispondono direttamente alle tue esigenze.

La tabella seguente descrive i ruoli IAM associati al servizio di Backup e DR ed elenca le autorizzazioni contenute in ogni ruolo. La descrizione di ogni autorizzazione è riportata nella sezione Autorizzazioni IAM per il servizio di Backup e DR.

Role Permissions

(roles/backupdr.admin)

Provides full access to all Backup and DR resources.

backupdr.backupPlanAssociations.*

  • backupdr.backupPlanAssociations.createForAlloydbCluster
  • backupdr.backupPlanAssociations.createForCloudSqlInstance
  • backupdr.backupPlanAssociations.createForComputeDisk
  • backupdr.backupPlanAssociations.createForComputeInstance
  • backupdr.backupPlanAssociations.createForFilestoreInstance
  • backupdr.backupPlanAssociations.deleteForAlloydbCluster
  • backupdr.backupPlanAssociations.deleteForCloudSqlInstance
  • backupdr.backupPlanAssociations.deleteForComputeDisk
  • backupdr.backupPlanAssociations.deleteForComputeInstance
  • backupdr.backupPlanAssociations.deleteForFilestoreInstance
  • backupdr.backupPlanAssociations.fetchForAlloydbCluster
  • backupdr.backupPlanAssociations.fetchForCloudSqlInstance
  • backupdr.backupPlanAssociations.fetchForComputeDisk
  • backupdr.backupPlanAssociations.fetchForComputeInstance
  • backupdr.backupPlanAssociations.fetchForFilestoreInstance
  • backupdr.backupPlanAssociations.getForAlloydbCluster
  • backupdr.backupPlanAssociations.getForCloudSqlInstance
  • backupdr.backupPlanAssociations.getForComputeDisk
  • backupdr.backupPlanAssociations.getForComputeInstance
  • backupdr.backupPlanAssociations.getForFilestoreInstance
  • backupdr.backupPlanAssociations.list
  • backupdr.backupPlanAssociations.triggerBackupForAlloydbCluster
  • backupdr.backupPlanAssociations.triggerBackupForCloudSqlInstance
  • backupdr.backupPlanAssociations.triggerBackupForComputeDisk
  • backupdr.backupPlanAssociations.triggerBackupForComputeInstance
  • backupdr.backupPlanAssociations.triggerBackupForFilestoreInstance
  • backupdr.backupPlanAssociations.updateForAlloydbCluster
  • backupdr.backupPlanAssociations.updateForComputeDisk
  • backupdr.backupPlanAssociations.updateForComputeInstance
  • backupdr.backupPlanAssociations.updateForFilestoreInstance

backupdr.backupPlanRevisions.*

  • backupdr.backupPlanRevisions.get
  • backupdr.backupPlanRevisions.list

backupdr.backupPlans.*

  • backupdr.backupPlans.create
  • backupdr.backupPlans.delete
  • backupdr.backupPlans.get
  • backupdr.backupPlans.list
  • backupdr.backupPlans.update
  • backupdr.backupPlans.useForAlloydbCluster
  • backupdr.backupPlans.useForCloudSqlInstance
  • backupdr.backupPlans.useForComputeDisk
  • backupdr.backupPlans.useForComputeInstance
  • backupdr.backupPlans.useForFilestoreInstance

backupdr.backupVaults.*

  • backupdr.backupVaults.associate
  • backupdr.backupVaults.create
  • backupdr.backupVaults.delete
  • backupdr.backupVaults.get
  • backupdr.backupVaults.list
  • backupdr.backupVaults.update

backupdr.bvbackups.*

  • backupdr.bvbackups.delete
  • backupdr.bvbackups.fetchForCloudSqlInstance
  • backupdr.bvbackups.fetchForComputeDisk
  • backupdr.bvbackups.fetchForComputeInstance
  • backupdr.bvbackups.get
  • backupdr.bvbackups.list
  • backupdr.bvbackups.restore
  • backupdr.bvbackups.update
  • backupdr.bvbackups.useReadOnlyForAlloydbCluster
  • backupdr.bvbackups.useReadOnlyForCloudSqlInstance
  • backupdr.bvbackups.useReadOnlyForFilestoreInstance

backupdr.bvdataSources.*

  • backupdr.bvdataSources.abandonBackup
  • backupdr.bvdataSources.fetchAccessToken
  • backupdr.bvdataSources.finalizeBackup
  • backupdr.bvdataSources.get
  • backupdr.bvdataSources.initiateBackup
  • backupdr.bvdataSources.list
  • backupdr.bvdataSources.remove
  • backupdr.bvdataSources.setInternalStatus
  • backupdr.bvdataSources.update
  • backupdr.bvdataSources.useReadOnlyForAlloydbCluster
  • backupdr.bvdataSources.useReadOnlyForCloudSqlInstance

backupdr.compute.restoreFromBackupVault

backupdr.dataSourceReferences.*

  • backupdr.dataSourceReferences.fetchForAlloydbCluster
  • backupdr.dataSourceReferences.fetchForCloudSqlInstance
  • backupdr.dataSourceReferences.fetchForFilestoreInstance
  • backupdr.dataSourceReferences.getForAlloydbCluster
  • backupdr.dataSourceReferences.getForCloudSqlInstance
  • backupdr.dataSourceReferences.getForFilestoreInstance
  • backupdr.dataSourceReferences.list

backupdr.locations.*

  • backupdr.locations.get
  • backupdr.locations.list

backupdr.managementServers.*

  • backupdr.managementServers.access
  • backupdr.managementServers.accessSensitiveData
  • backupdr.managementServers.assignBackupPlans
  • backupdr.managementServers.backupAccess
  • backupdr.managementServers.create
  • backupdr.managementServers.createConnection
  • backupdr.managementServers.createDynamicProtection
  • backupdr.managementServers.delete
  • backupdr.managementServers.deleteDynamicProtection
  • backupdr.managementServers.get
  • backupdr.managementServers.getDynamicProtection
  • backupdr.managementServers.getIamPolicy
  • backupdr.managementServers.list
  • backupdr.managementServers.listDynamicProtection
  • backupdr.managementServers.manageApplications
  • backupdr.managementServers.manageBackupPlans
  • backupdr.managementServers.manageBackupServers
  • backupdr.managementServers.manageBackups
  • backupdr.managementServers.manageClones
  • backupdr.managementServers.manageExpiration
  • backupdr.managementServers.manageHosts
  • backupdr.managementServers.manageInternalACL
  • backupdr.managementServers.manageJobs
  • backupdr.managementServers.manageLiveClones
  • backupdr.managementServers.manageMigrations
  • backupdr.managementServers.manageMirroring
  • backupdr.managementServers.manageMounts
  • backupdr.managementServers.manageRestores
  • backupdr.managementServers.manageSensitiveData
  • backupdr.managementServers.manageStorage
  • backupdr.managementServers.manageSystem
  • backupdr.managementServers.manageWorkflows
  • backupdr.managementServers.refreshWorkflows
  • backupdr.managementServers.runWorkflows
  • backupdr.managementServers.setIamPolicy
  • backupdr.managementServers.testFailOvers
  • backupdr.managementServers.viewBackupPlans
  • backupdr.managementServers.viewBackupServers
  • backupdr.managementServers.viewReports
  • backupdr.managementServers.viewStorage
  • backupdr.managementServers.viewSystem
  • backupdr.managementServers.viewWorkflows

backupdr.operations.*

  • backupdr.operations.cancel
  • backupdr.operations.delete
  • backupdr.operations.get
  • backupdr.operations.list

backupdr.serviceConfig.initialize

backupdr.trial.*

  • backupdr.trial.end
  • backupdr.trial.get
  • backupdr.trial.subscribe

resourcemanager.projects.get

resourcemanager.projects.list

(roles/backupdr.alloydbOperator)

Allows a Backup and DR service account to discover and backup AlloyDB clusters.

alloydb.operations.get

(roles/backupdr.backupConfigViewer)

Provides read access to resource backup config. Resource backup config has the metadata of a Google Cloud resource that can be backed up, along with its backup configurations.

backupdr.locations.list

backupdr.resourceBackupConfigs.*

  • backupdr.resourceBackupConfigs.get
  • backupdr.resourceBackupConfigs.list

(roles/backupdr.backupUser)

Allows the user to apply existing backup plans. This role cannot create backup plans or restore from a backup.

backupdr.backupPlanAssociations.*

  • backupdr.backupPlanAssociations.createForAlloydbCluster
  • backupdr.backupPlanAssociations.createForCloudSqlInstance
  • backupdr.backupPlanAssociations.createForComputeDisk
  • backupdr.backupPlanAssociations.createForComputeInstance
  • backupdr.backupPlanAssociations.createForFilestoreInstance
  • backupdr.backupPlanAssociations.deleteForAlloydbCluster
  • backupdr.backupPlanAssociations.deleteForCloudSqlInstance
  • backupdr.backupPlanAssociations.deleteForComputeDisk
  • backupdr.backupPlanAssociations.deleteForComputeInstance
  • backupdr.backupPlanAssociations.deleteForFilestoreInstance
  • backupdr.backupPlanAssociations.fetchForAlloydbCluster
  • backupdr.backupPlanAssociations.fetchForCloudSqlInstance
  • backupdr.backupPlanAssociations.fetchForComputeDisk
  • backupdr.backupPlanAssociations.fetchForComputeInstance
  • backupdr.backupPlanAssociations.fetchForFilestoreInstance
  • backupdr.backupPlanAssociations.getForAlloydbCluster
  • backupdr.backupPlanAssociations.getForCloudSqlInstance
  • backupdr.backupPlanAssociations.getForComputeDisk
  • backupdr.backupPlanAssociations.getForComputeInstance
  • backupdr.backupPlanAssociations.getForFilestoreInstance
  • backupdr.backupPlanAssociations.list
  • backupdr.backupPlanAssociations.triggerBackupForAlloydbCluster
  • backupdr.backupPlanAssociations.triggerBackupForCloudSqlInstance
  • backupdr.backupPlanAssociations.triggerBackupForComputeDisk
  • backupdr.backupPlanAssociations.triggerBackupForComputeInstance
  • backupdr.backupPlanAssociations.triggerBackupForFilestoreInstance
  • backupdr.backupPlanAssociations.updateForAlloydbCluster
  • backupdr.backupPlanAssociations.updateForComputeDisk
  • backupdr.backupPlanAssociations.updateForComputeInstance
  • backupdr.backupPlanAssociations.updateForFilestoreInstance

backupdr.backupPlanRevisions.*

  • backupdr.backupPlanRevisions.get
  • backupdr.backupPlanRevisions.list

backupdr.backupPlans.get

backupdr.backupPlans.list

backupdr.backupPlans.useForAlloydbCluster

backupdr.backupPlans.useForCloudSqlInstance

backupdr.backupPlans.useForComputeDisk

backupdr.backupPlans.useForComputeInstance

backupdr.backupPlans.useForFilestoreInstance

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.bvbackups.fetchForCloudSqlInstance

backupdr.bvbackups.fetchForComputeDisk

backupdr.bvbackups.fetchForComputeInstance

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvdataSources.get

backupdr.bvdataSources.list

backupdr.dataSourceReferences.*

  • backupdr.dataSourceReferences.fetchForAlloydbCluster
  • backupdr.dataSourceReferences.fetchForCloudSqlInstance
  • backupdr.dataSourceReferences.fetchForFilestoreInstance
  • backupdr.dataSourceReferences.getForAlloydbCluster
  • backupdr.dataSourceReferences.getForCloudSqlInstance
  • backupdr.dataSourceReferences.getForFilestoreInstance
  • backupdr.dataSourceReferences.list

backupdr.locations.*

  • backupdr.locations.get
  • backupdr.locations.list

backupdr.managementServers.access

backupdr.managementServers.assignBackupPlans

backupdr.managementServers.createDynamicProtection

backupdr.managementServers.deleteDynamicProtection

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.manageApplications

backupdr.managementServers.manageBackups

backupdr.managementServers.manageHosts

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/backupdr.backupvaultAccessor)

Allows the Backup Appliance permissions to create and manage backups in a backup vault.

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.bvbackups.delete

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvbackups.update

backupdr.bvdataSources.abandonBackup

backupdr.bvdataSources.fetchAccessToken

backupdr.bvdataSources.finalizeBackup

backupdr.bvdataSources.get

backupdr.bvdataSources.initiateBackup

backupdr.bvdataSources.list

backupdr.bvdataSources.remove

backupdr.bvdataSources.setInternalStatus

backupdr.bvdataSources.update

backupdr.operations.*

  • backupdr.operations.cancel
  • backupdr.operations.delete
  • backupdr.operations.get
  • backupdr.operations.list

(roles/backupdr.backupvaultAdmin)

Allows the Backup Appliance full administrative control of backup vault resources.

backupdr.backupVaults.*

  • backupdr.backupVaults.associate
  • backupdr.backupVaults.create
  • backupdr.backupVaults.delete
  • backupdr.backupVaults.get
  • backupdr.backupVaults.list
  • backupdr.backupVaults.update

backupdr.bvbackups.delete

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvbackups.restore

backupdr.bvbackups.update

backupdr.bvdataSources.get

backupdr.bvdataSources.list

backupdr.bvdataSources.update

backupdr.compute.restoreFromBackupVault

backupdr.locations.*

  • backupdr.locations.get
  • backupdr.locations.list

backupdr.operations.*

  • backupdr.operations.cancel
  • backupdr.operations.delete
  • backupdr.operations.get
  • backupdr.operations.list

(roles/backupdr.backupvaultLister)

Allows the Backup Appliance permission to list backup vaults in a given project.

backupdr.backupVaults.list

(roles/backupdr.backupvaultViewer)

Allows read-only permissions to access backup vault resources and backups.

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvdataSources.get

backupdr.bvdataSources.list

backupdr.operations.get

backupdr.operations.list

(roles/backupdr.cloudSqlOperator)

Allows a Backup and DR service account to discover and backup Cloud SQL instances.

cloudsql.instances.createBackupDrBackup

cloudsql.instances.get

(roles/backupdr.cloudStorageOperator)

Allows a Backup and DR service account to store and manage data (backups or metadata) in Cloud Storage.

storage.buckets.create

storage.buckets.get

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

(roles/backupdr.computeEngineOperator)

Allows a Backup and DR service account to discover, back up, and restore Compute Engine VM instances.

backupdr.managementServers.createConnection

compute.addresses.list

compute.addresses.use

compute.addresses.useInternal

compute.diskTypes.*

  • compute.diskTypes.get
  • compute.diskTypes.list

compute.disks.create

compute.disks.createSnapshot

compute.disks.delete

compute.disks.get

compute.disks.setLabels

compute.disks.use

compute.disks.useReadOnly

compute.firewalls.list

compute.globalOperations.get

compute.images.create

compute.images.delete

compute.images.get

compute.images.useReadOnly

compute.instances.attachDisk

compute.instances.create

compute.instances.createTagBinding

compute.instances.delete

compute.instances.detachDisk

compute.instances.get

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.pscInterfaceCreate

compute.instances.setDeletionProtection

compute.instances.setLabels

compute.instances.setMetadata

compute.instances.setServiceAccount

compute.instances.setTags

compute.instances.start

compute.instances.stop

compute.instances.updateDisplayDevice

compute.instances.useReadOnly

compute.machineTypes.*

  • compute.machineTypes.get
  • compute.machineTypes.list

compute.networks.list

compute.nodeGroups.get

compute.nodeGroups.list

compute.nodeTemplates.get

compute.projects.get

compute.regionOperations.get

compute.regions.*

  • compute.regions.get
  • compute.regions.list

compute.resourcePolicies.use

compute.snapshots.create

compute.snapshots.delete

compute.snapshots.get

compute.snapshots.setLabels

compute.snapshots.useReadOnly

compute.subnetworks.list

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.zoneOperations.get

compute.zones.list

iam.serviceAccounts.actAs

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/backupdr.diskOperator)

Allows a Backup and DR service account to store and manage data (backups or metadata) in Disk.

compute.disks.create

compute.disks.createSnapshot

compute.disks.createTagBinding

compute.disks.get

compute.disks.list

compute.disks.setLabels

compute.disks.useReadOnly

compute.regionOperations.get

compute.resourcePolicies.use

compute.snapshots.setLabels

compute.snapshots.useReadOnly

compute.storagePools.use

compute.zoneOperations.get

(roles/backupdr.editor)

Editor role for backupdr

backupdr.backupPlanAssociations.*

  • backupdr.backupPlanAssociations.createForAlloydbCluster
  • backupdr.backupPlanAssociations.createForCloudSqlInstance
  • backupdr.backupPlanAssociations.createForComputeDisk
  • backupdr.backupPlanAssociations.createForComputeInstance
  • backupdr.backupPlanAssociations.createForFilestoreInstance
  • backupdr.backupPlanAssociations.deleteForAlloydbCluster
  • backupdr.backupPlanAssociations.deleteForCloudSqlInstance
  • backupdr.backupPlanAssociations.deleteForComputeDisk
  • backupdr.backupPlanAssociations.deleteForComputeInstance
  • backupdr.backupPlanAssociations.deleteForFilestoreInstance
  • backupdr.backupPlanAssociations.fetchForAlloydbCluster
  • backupdr.backupPlanAssociations.fetchForCloudSqlInstance
  • backupdr.backupPlanAssociations.fetchForComputeDisk
  • backupdr.backupPlanAssociations.fetchForComputeInstance
  • backupdr.backupPlanAssociations.fetchForFilestoreInstance
  • backupdr.backupPlanAssociations.getForAlloydbCluster
  • backupdr.backupPlanAssociations.getForCloudSqlInstance
  • backupdr.backupPlanAssociations.getForComputeDisk
  • backupdr.backupPlanAssociations.getForComputeInstance
  • backupdr.backupPlanAssociations.getForFilestoreInstance
  • backupdr.backupPlanAssociations.list
  • backupdr.backupPlanAssociations.triggerBackupForAlloydbCluster
  • backupdr.backupPlanAssociations.triggerBackupForCloudSqlInstance
  • backupdr.backupPlanAssociations.triggerBackupForComputeDisk
  • backupdr.backupPlanAssociations.triggerBackupForComputeInstance
  • backupdr.backupPlanAssociations.triggerBackupForFilestoreInstance
  • backupdr.backupPlanAssociations.updateForAlloydbCluster
  • backupdr.backupPlanAssociations.updateForComputeDisk
  • backupdr.backupPlanAssociations.updateForComputeInstance
  • backupdr.backupPlanAssociations.updateForFilestoreInstance

backupdr.backupPlanRevisions.*

  • backupdr.backupPlanRevisions.get
  • backupdr.backupPlanRevisions.list

backupdr.backupPlans.*

  • backupdr.backupPlans.create
  • backupdr.backupPlans.delete
  • backupdr.backupPlans.get
  • backupdr.backupPlans.list
  • backupdr.backupPlans.update
  • backupdr.backupPlans.useForAlloydbCluster
  • backupdr.backupPlans.useForCloudSqlInstance
  • backupdr.backupPlans.useForComputeDisk
  • backupdr.backupPlans.useForComputeInstance
  • backupdr.backupPlans.useForFilestoreInstance

backupdr.backupVaults.*

  • backupdr.backupVaults.associate
  • backupdr.backupVaults.create
  • backupdr.backupVaults.delete
  • backupdr.backupVaults.get
  • backupdr.backupVaults.list
  • backupdr.backupVaults.update

backupdr.bvbackups.*

  • backupdr.bvbackups.delete
  • backupdr.bvbackups.fetchForCloudSqlInstance
  • backupdr.bvbackups.fetchForComputeDisk
  • backupdr.bvbackups.fetchForComputeInstance
  • backupdr.bvbackups.get
  • backupdr.bvbackups.list
  • backupdr.bvbackups.restore
  • backupdr.bvbackups.update
  • backupdr.bvbackups.useReadOnlyForAlloydbCluster
  • backupdr.bvbackups.useReadOnlyForCloudSqlInstance
  • backupdr.bvbackups.useReadOnlyForFilestoreInstance

backupdr.bvdataSources.*

  • backupdr.bvdataSources.abandonBackup
  • backupdr.bvdataSources.fetchAccessToken
  • backupdr.bvdataSources.finalizeBackup
  • backupdr.bvdataSources.get
  • backupdr.bvdataSources.initiateBackup
  • backupdr.bvdataSources.list
  • backupdr.bvdataSources.remove
  • backupdr.bvdataSources.setInternalStatus
  • backupdr.bvdataSources.update
  • backupdr.bvdataSources.useReadOnlyForAlloydbCluster
  • backupdr.bvdataSources.useReadOnlyForCloudSqlInstance

backupdr.compute.restoreFromBackupVault

backupdr.dataSourceReferences.*

  • backupdr.dataSourceReferences.fetchForAlloydbCluster
  • backupdr.dataSourceReferences.fetchForCloudSqlInstance
  • backupdr.dataSourceReferences.fetchForFilestoreInstance
  • backupdr.dataSourceReferences.getForAlloydbCluster
  • backupdr.dataSourceReferences.getForCloudSqlInstance
  • backupdr.dataSourceReferences.getForFilestoreInstance
  • backupdr.dataSourceReferences.list

backupdr.locations.*

  • backupdr.locations.get
  • backupdr.locations.list

backupdr.managementServers.access

backupdr.managementServers.accessSensitiveData

backupdr.managementServers.assignBackupPlans

backupdr.managementServers.backupAccess

backupdr.managementServers.create

backupdr.managementServers.createConnection

backupdr.managementServers.createDynamicProtection

backupdr.managementServers.delete

backupdr.managementServers.deleteDynamicProtection

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.getIamPolicy

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.manageApplications

backupdr.managementServers.manageBackupPlans

backupdr.managementServers.manageBackupServers

backupdr.managementServers.manageBackups

backupdr.managementServers.manageClones

backupdr.managementServers.manageExpiration

backupdr.managementServers.manageHosts

backupdr.managementServers.manageInternalACL

backupdr.managementServers.manageJobs

backupdr.managementServers.manageLiveClones

backupdr.managementServers.manageMigrations

backupdr.managementServers.manageMirroring

backupdr.managementServers.manageMounts

backupdr.managementServers.manageRestores

backupdr.managementServers.manageStorage

backupdr.managementServers.manageSystem

backupdr.managementServers.manageWorkflows

backupdr.managementServers.refreshWorkflows

backupdr.managementServers.runWorkflows

backupdr.managementServers.testFailOvers

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewBackupServers

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.*

  • backupdr.operations.cancel
  • backupdr.operations.delete
  • backupdr.operations.get
  • backupdr.operations.list

backupdr.resourceBackupConfigs.*

  • backupdr.resourceBackupConfigs.get
  • backupdr.resourceBackupConfigs.list

backupdr.serviceConfig.initialize

backupdr.trial.*

  • backupdr.trial.end
  • backupdr.trial.get
  • backupdr.trial.subscribe

resourcemanager.projects.get

resourcemanager.projects.list

(roles/backupdr.filestoreOperator)

Allows a Backup and DR service account to discover and backup Filestore instances.

file.backups.create

file.instances.createCrossProjectBackup

file.instances.get

(roles/backupdr.managementServerAccessor)

Grants the Backup and DR management server access role to Backup Appliances.

backupdr.managementServers.createConnection

(roles/backupdr.mountUser)

Allows the user to mount from a backup. This role cannot create a backup plan or restore from a backup.

backupdr.locations.*

  • backupdr.locations.get
  • backupdr.locations.list

backupdr.managementServers.access

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.manageApplications

backupdr.managementServers.manageClones

backupdr.managementServers.manageHosts

backupdr.managementServers.manageLiveClones

backupdr.managementServers.manageMirroring

backupdr.managementServers.manageMounts

backupdr.managementServers.manageWorkflows

backupdr.managementServers.refreshWorkflows

backupdr.managementServers.runWorkflows

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/backupdr.restoreUser)

Allows the user to restore or mount from a backup. This role cannot create a backup plan.

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.bvbackups.fetchForCloudSqlInstance

backupdr.bvbackups.fetchForComputeDisk

backupdr.bvbackups.fetchForComputeInstance

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvbackups.restore

backupdr.bvbackups.useReadOnlyForAlloydbCluster

backupdr.bvbackups.useReadOnlyForCloudSqlInstance

backupdr.bvbackups.useReadOnlyForFilestoreInstance

backupdr.bvdataSources.get

backupdr.bvdataSources.list

backupdr.bvdataSources.useReadOnlyForAlloydbCluster

backupdr.bvdataSources.useReadOnlyForCloudSqlInstance

backupdr.compute.restoreFromBackupVault

backupdr.dataSourceReferences.*

  • backupdr.dataSourceReferences.fetchForAlloydbCluster
  • backupdr.dataSourceReferences.fetchForCloudSqlInstance
  • backupdr.dataSourceReferences.fetchForFilestoreInstance
  • backupdr.dataSourceReferences.getForAlloydbCluster
  • backupdr.dataSourceReferences.getForCloudSqlInstance
  • backupdr.dataSourceReferences.getForFilestoreInstance
  • backupdr.dataSourceReferences.list

backupdr.locations.*

  • backupdr.locations.get
  • backupdr.locations.list

backupdr.managementServers.access

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.manageApplications

backupdr.managementServers.manageClones

backupdr.managementServers.manageHosts

backupdr.managementServers.manageLiveClones

backupdr.managementServers.manageMigrations

backupdr.managementServers.manageMirroring

backupdr.managementServers.manageMounts

backupdr.managementServers.manageRestores

backupdr.managementServers.manageWorkflows

backupdr.managementServers.refreshWorkflows

backupdr.managementServers.runWorkflows

backupdr.managementServers.testFailOvers

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/backupdr.serviceAgent)

Grants the Backup and DR Service access to protect Compute Engine instances.

alloydb.operations.get

cloudsql.instances.createBackupDrBackup

cloudsql.instances.get

compute.addresses.list

compute.addresses.use

compute.addresses.useInternal

compute.diskTypes.*

  • compute.diskTypes.get
  • compute.diskTypes.list

compute.disks.create

compute.disks.createSnapshot

compute.disks.createTagBinding

compute.disks.delete

compute.disks.get

compute.disks.list

compute.disks.setLabels

compute.disks.use

compute.disks.useReadOnly

compute.firewalls.list

compute.globalOperations.get

compute.images.create

compute.images.delete

compute.images.get

compute.images.useReadOnly

compute.instances.attachDisk

compute.instances.create

compute.instances.createTagBinding

compute.instances.delete

compute.instances.detachDisk

compute.instances.get

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.pscInterfaceCreate

compute.instances.setDeletionProtection

compute.instances.setLabels

compute.instances.setMetadata

compute.instances.setServiceAccount

compute.instances.setTags

compute.instances.start

compute.instances.stop

compute.instances.updateDisplayDevice

compute.instances.useReadOnly

compute.machineTypes.*

  • compute.machineTypes.get
  • compute.machineTypes.list

compute.networks.list

compute.nodeGroups.get

compute.nodeGroups.list

compute.nodeTemplates.get

compute.projects.get

compute.regionOperations.get

compute.regions.*

  • compute.regions.get
  • compute.regions.list

compute.resourcePolicies.use

compute.snapshots.create

compute.snapshots.delete

compute.snapshots.get

compute.snapshots.setLabels

compute.snapshots.useReadOnly

compute.storagePools.use

compute.subnetworks.list

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.zoneOperations.get

compute.zones.list

file.backups.create

file.instances.createCrossProjectBackup

file.instances.get

iam.serviceAccounts.actAs

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/backupdr.user)

Provides access to management console. Granular Backup and DR permissions depend on ACL configuration provided by Backup and DR admin within the management console.

backupdr.backupPlanAssociations.createForComputeInstance

backupdr.backupPlanAssociations.deleteForComputeInstance

backupdr.backupPlanAssociations.updateForComputeInstance

backupdr.managementServers.access

backupdr.managementServers.backupAccess

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.getIamPolicy

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewBackupServers

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

backupdr.trial.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/backupdr.userv2)

Provides full access to Backup and DR resources except deploying and managing backup infrastructure, expiring backups, changing data sensitivity and configuring on-premises billing.

backupdr.backupPlanAssociations.*

  • backupdr.backupPlanAssociations.createForAlloydbCluster
  • backupdr.backupPlanAssociations.createForCloudSqlInstance
  • backupdr.backupPlanAssociations.createForComputeDisk
  • backupdr.backupPlanAssociations.createForComputeInstance
  • backupdr.backupPlanAssociations.createForFilestoreInstance
  • backupdr.backupPlanAssociations.deleteForAlloydbCluster
  • backupdr.backupPlanAssociations.deleteForCloudSqlInstance
  • backupdr.backupPlanAssociations.deleteForComputeDisk
  • backupdr.backupPlanAssociations.deleteForComputeInstance
  • backupdr.backupPlanAssociations.deleteForFilestoreInstance
  • backupdr.backupPlanAssociations.fetchForAlloydbCluster
  • backupdr.backupPlanAssociations.fetchForCloudSqlInstance
  • backupdr.backupPlanAssociations.fetchForComputeDisk
  • backupdr.backupPlanAssociations.fetchForComputeInstance
  • backupdr.backupPlanAssociations.fetchForFilestoreInstance
  • backupdr.backupPlanAssociations.getForAlloydbCluster
  • backupdr.backupPlanAssociations.getForCloudSqlInstance
  • backupdr.backupPlanAssociations.getForComputeDisk
  • backupdr.backupPlanAssociations.getForComputeInstance
  • backupdr.backupPlanAssociations.getForFilestoreInstance
  • backupdr.backupPlanAssociations.list
  • backupdr.backupPlanAssociations.triggerBackupForAlloydbCluster
  • backupdr.backupPlanAssociations.triggerBackupForCloudSqlInstance
  • backupdr.backupPlanAssociations.triggerBackupForComputeDisk
  • backupdr.backupPlanAssociations.triggerBackupForComputeInstance
  • backupdr.backupPlanAssociations.triggerBackupForFilestoreInstance
  • backupdr.backupPlanAssociations.updateForAlloydbCluster
  • backupdr.backupPlanAssociations.updateForComputeDisk
  • backupdr.backupPlanAssociations.updateForComputeInstance
  • backupdr.backupPlanAssociations.updateForFilestoreInstance

backupdr.backupPlanRevisions.*

  • backupdr.backupPlanRevisions.get
  • backupdr.backupPlanRevisions.list

backupdr.backupPlans.*

  • backupdr.backupPlans.create
  • backupdr.backupPlans.delete
  • backupdr.backupPlans.get
  • backupdr.backupPlans.list
  • backupdr.backupPlans.update
  • backupdr.backupPlans.useForAlloydbCluster
  • backupdr.backupPlans.useForCloudSqlInstance
  • backupdr.backupPlans.useForComputeDisk
  • backupdr.backupPlans.useForComputeInstance
  • backupdr.backupPlans.useForFilestoreInstance

backupdr.backupVaults.associate

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.bvbackups.fetchForCloudSqlInstance

backupdr.bvbackups.fetchForComputeDisk

backupdr.bvbackups.fetchForComputeInstance

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvbackups.restore

backupdr.bvbackups.useReadOnlyForAlloydbCluster

backupdr.bvbackups.useReadOnlyForCloudSqlInstance

backupdr.bvbackups.useReadOnlyForFilestoreInstance

backupdr.bvdataSources.get

backupdr.bvdataSources.list

backupdr.bvdataSources.useReadOnlyForAlloydbCluster

backupdr.bvdataSources.useReadOnlyForCloudSqlInstance

backupdr.compute.restoreFromBackupVault

backupdr.dataSourceReferences.*

  • backupdr.dataSourceReferences.fetchForAlloydbCluster
  • backupdr.dataSourceReferences.fetchForCloudSqlInstance
  • backupdr.dataSourceReferences.fetchForFilestoreInstance
  • backupdr.dataSourceReferences.getForAlloydbCluster
  • backupdr.dataSourceReferences.getForCloudSqlInstance
  • backupdr.dataSourceReferences.getForFilestoreInstance
  • backupdr.dataSourceReferences.list

backupdr.locations.*

  • backupdr.locations.get
  • backupdr.locations.list

backupdr.managementServers.access

backupdr.managementServers.assignBackupPlans

backupdr.managementServers.backupAccess

backupdr.managementServers.createDynamicProtection

backupdr.managementServers.deleteDynamicProtection

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.getIamPolicy

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.manageApplications

backupdr.managementServers.manageBackupPlans

backupdr.managementServers.manageBackups

backupdr.managementServers.manageClones

backupdr.managementServers.manageHosts

backupdr.managementServers.manageJobs

backupdr.managementServers.manageLiveClones

backupdr.managementServers.manageMigrations

backupdr.managementServers.manageMirroring

backupdr.managementServers.manageMounts

backupdr.managementServers.manageRestores

backupdr.managementServers.manageWorkflows

backupdr.managementServers.refreshWorkflows

backupdr.managementServers.runWorkflows

backupdr.managementServers.testFailOvers

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewBackupServers

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

backupdr.trial.get

resourcemanager.projects.get

resourcemanager.projects.list

(roles/backupdr.viewer)

Provides read-only access to all Backup and DR resources.

backupdr.backupPlanAssociations.fetchForAlloydbCluster

backupdr.backupPlanAssociations.fetchForCloudSqlInstance

backupdr.backupPlanAssociations.fetchForComputeDisk

backupdr.backupPlanAssociations.fetchForComputeInstance

backupdr.backupPlanAssociations.fetchForFilestoreInstance

backupdr.backupPlanAssociations.getForAlloydbCluster

backupdr.backupPlanAssociations.getForCloudSqlInstance

backupdr.backupPlanAssociations.getForComputeDisk

backupdr.backupPlanAssociations.getForComputeInstance

backupdr.backupPlanAssociations.getForFilestoreInstance

backupdr.backupPlanAssociations.list

backupdr.backupPlanRevisions.*

  • backupdr.backupPlanRevisions.get
  • backupdr.backupPlanRevisions.list

backupdr.backupPlans.get

backupdr.backupPlans.list

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.bvbackups.fetchForCloudSqlInstance

backupdr.bvbackups.fetchForComputeDisk

backupdr.bvbackups.fetchForComputeInstance

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvdataSources.get

backupdr.bvdataSources.list

backupdr.dataSourceReferences.*

  • backupdr.dataSourceReferences.fetchForAlloydbCluster
  • backupdr.dataSourceReferences.fetchForCloudSqlInstance
  • backupdr.dataSourceReferences.fetchForFilestoreInstance
  • backupdr.dataSourceReferences.getForAlloydbCluster
  • backupdr.dataSourceReferences.getForCloudSqlInstance
  • backupdr.dataSourceReferences.getForFilestoreInstance
  • backupdr.dataSourceReferences.list

backupdr.locations.*

  • backupdr.locations.get
  • backupdr.locations.list

backupdr.managementServers.access

backupdr.managementServers.backupAccess

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.getIamPolicy

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewBackupServers

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

backupdr.trial.get

resourcemanager.projects.get

resourcemanager.projects.list

Ruoli di base

I ruoli di base sono ruoli a livello di progetto precedenti a IAM. Per ulteriori dettagli, vedi Ruoli di base.

Sebbene Backup e RE supporti i seguenti ruoli di base, ti consigliamo di utilizzare uno dei ruoli predefiniti, quando possibile. I ruoli di base includono autorizzazioni generali che si applicano a tutte le tue Google Cloud risorse; al contrario, i ruoli predefiniti di Backup e RE includono autorizzazioni granulari che si applicano solo a Backup e RE.

Ruolo IAM di base Descrizione
Editor
(roles/editor)		 Fornisce l'accesso completo a tutte le risorse di Backup e RE.
Proprietario
(roles/owner)		 Fornisce l'accesso completo a tutte le risorse di Backup e RE.

Autorizzazioni IAM per il servizio di Backup e DR

La tabella seguente elenca le autorizzazioni IAM associate al servizio di Backup e DR. Le autorizzazioni IAM sono raggruppate in ruoli e tu assegni i ruoli a utenti e gruppi.

La tabella seguente elenca la descrizione di ogni autorizzazione di Backup e RE.

Nome autorizzazione Descrizione
backupdr.managementServers.manageClones Fornisce le autorizzazioni per creare e gestire i cloni dai backup.
backupdr.managementServers.manageLiveClones Fornisce le autorizzazioni per creare e gestire LiveClone dai backup.
backupdr.managementServers.manageMounts Fornisce le autorizzazioni per creare e gestire i montaggi attivi dai backup.
backupdr.managementServers.manageRestores Fornisce le autorizzazioni necessarie per eseguire il ripristino dai backup.
backupdr.managementServers.manageBackups Fornisce le autorizzazioni per eseguire le operazioni di backup: Esegui backup ora.
backupdr.managementServers.viewSystem Fornisce l'accesso per visualizzare la configurazione dell'appliance di backup/ripristino.
backupdr.managementServers.manageSystem Fornisce le autorizzazioni per configurare le appliance di backup/ripristino e il gestore dei report.
backupdr.managementServers.viewStorage Fornisce l'accesso per visualizzare le configurazioni di archiviazione e pool di dischi.
backupdr.managementServers.manageStorage Fornisce le autorizzazioni per aggiungere, modificare, rimuovere e visualizzare l'archiviazione e i pool di dischi.
backupdr.managementServers.viewBackupPlans Fornisce l'accesso per visualizzare i piani di backup: modelli di backup e profili di risorse.
backupdr.managementServers.assignBackupPlans Fornisce le autorizzazioni per assegnare piani di backup preconfigurati (modelli di backup e profili di risorse) ad applicazioni o carichi di lavoro.
backupdr.managementServers.manageBackupPlans Fornisce le autorizzazioni per creare, modificare, eliminare, visualizzare e assegnare piani di backup (modelli di backup e profili di risorse).
backupdr.managementServers.testFailOvers Fornisce le autorizzazioni per eseguire operazioni di test di failover ed eliminare le operazioni di test di failover su un backup StreamSnap remoto.
backupdr.managementServers.viewWorkflows Fornisce l'accesso per visualizzare i flussi di lavoro di backup e DR che automatizzano l'accesso alla copia dei dati all'interno del servizio di Backup e DR.
backupdr.managementServers.runWorkflows Fornisce le autorizzazioni per eseguire un flusso di lavoro di backup e DR preconfigurato che automatizza l'accesso alla copia dei dati all'interno del servizio di Backup e DR.
backupdr.managementServers.refreshWorkflows Fornisce le autorizzazioni per aggiornare un clone creato da un workflow Backup e DR che automatizza l'accesso alla copia dei dati all'interno del servizio di Backup e DR.
backupdr.managementServers.manageWorkflows Fornisce le autorizzazioni per aggiungere, modificare, rimuovere, eseguire e visualizzare il workflow Backup e DR che automatizza l'accesso alla copia dei dati all'interno del servizio di Backup e DR.
backupdr.managementServers.manageMirroring Fornisce le autorizzazioni per eseguire operazioni di failover, syncback, pulizia, failback, test di failover ed eliminazione del test di failover su un backup StreamSnap remoto.
backupdr.managementServers.manageHosts Fornisce le autorizzazioni per aggiungere, modificare, rimuovere e visualizzare gli host (macchine fisiche e virtuali).
backupdr.managementServers.manageApplications Fornisce le autorizzazioni per gestire tutti gli aspetti delle applicazioni, inclusi i gruppi logici e i gruppi di coerenza, eseguire backup on demand ed esportare i modelli.
backupdr.managementServers.manageSensitiveData Fornisce le autorizzazioni necessarie per contrassegnare le applicazioni e i backup come dati sensibili o non sensibili.
backupdr.managementServers.accessSensitiveData Fornisce l'accesso alle applicazioni e ai backup contrassegnati come sensibili.
Fornisce le autorizzazioni necessarie per eseguire le API del server di backup tramite la console di gestione dell'appliance.
backupdr.managementServers.manageExpiration Fornisce le autorizzazioni necessarie per far scadere i backup.
Fornisce l'accesso alla console di gestione dell'appliance e alle API associate.
backupdr.managementServers.onpremUsageUpload Fornisce l'accesso a tutti gli endpoint necessari per caricare l'utilizzo in un adattatore on-premise.
backupdr.managementServers.viewReports Fornisce l'accesso a Report Manager per eseguire i report e visualizzare o scaricare l'output.
backupdr.managementServers.manageJobs Fornisce le autorizzazioni per annullare i job e modificarne la priorità.
backupdr.managementServers.manageMigrations Fornisce le autorizzazioni per gestire la migrazione dei dati montati come passaggio finale di un'operazione di ripristino o clonazione.

Autorizzazioni richieste per l'utilizzo di CMEK

Per informazioni sulle autorizzazioni richieste per l'utilizzo di CMEK, vedi Chiavi di crittografia gestite dal cliente (CMEK).