This page outlines the IAM roles and permissions required for Google Cloud Backup and DR Service. When you add new principals to your project, you can use an Identity and Access Management (IAM) policy to give that principal one or more IAM roles. Each IAM role contains permissions that grant the principals access to perform specific actions on specific resources. For a reference list of the IAM permissions that apply to Backup and DR Service, see IAM permissions for Backup and DR Service.
How IAM controls access
If a principal–a user, group, or service account–calls a Google Cloud API, that principal must have the appropriate IAM permissions to use the resource. To give a principal the required permissions, you grant an IAM role to the principal. Learn more about principals in IAM.
IAM role types
Backup and DR Service have predefined roles which are bundled permissions for them to be assigned to different principles. Users can also define custom roles which can have a combination of individual permissions to grant access to carry out a specific Backup and DR Workflow or action.
IAM permissions
Permissions allow users to perform specific actions on specific resources. They can be grouped to form roles. Each permission refers to a specific action that the user can perform or access they have.
Project level versus resource level permissions
Permissions can be granted on a project level or at the resource level. For example, a Backup and DR administrator can choose to only grant certain permissions on a storage bucket level as opposed to the entire project depending on their policy. Granting roles at the resource level does not affect any existing roles that you granted at the project level, and the other way around.
Predefined IAM roles for Backup and DR Service
Backup and DR Service has a set of predefined IAM roles that are described on this page. You can also create custom roles that contain subsets of permissions that map directly to your needs.
The following table describes IAM roles that are associated with Backup and DR Service and lists the permissions that are contained in each role. The description for each permission is listed in the IAM permission for Backup and DR Service section.
Role | Permissions |
---|---|
Backup and DR Admin( Provides full access to all Backup and DR resources. |
|
Backup and DR Backup Config Viewer Beta( Provides read access to resource backup config. Resource backup config has the metadata of a Google Cloud resource that can be backed up, along with its backup configurations. |
|
Backup and DR Backup User( Allows the user to apply existing backup plans. This role cannot create backup plans or restore from a backup. |
|
Backup and DR Backup Vault Accessor( Allows the Backup Appliance permissions to create and manage backups in a backup vault. |
|
Backup and DR Backup Vault Admin( Allows the Backup Appliance full administrative control of backup vault resources. |
|
Backup and DR Backup Vault Lister( Allows the Backup Appliance permission to list backup vaults in a given project. |
|
Backup and DR Backup Vault Viewer( Allows read-only permissions to access backup vault resources and backups. |
|
Backup and DR Cloud Storage Operator( Allows a Backup and DR service account to store and manage data (backups or metadata) in Cloud Storage. |
|
Backup and DR Compute Engine Operator( Allows a Backup and DR service account to discover, back up, and restore Compute Engine VM instances. |
|
Backup and DR Management Server Accessor Beta( Grants the Backup and DR management server access role to Backup Appliances. |
|
Backup and DR Mount User( Allows the user to mount from a backup. This role cannot create a backup plan or restore from a backup. |
|
Backup and DR Restore User( Allows the user to restore or mount from a backup. This role cannot create a backup plan. |
|
Backup and DR User( Provides access to management console. Granular Backup and DR permissions depend on ACL configuration provided by Backup and DR admin within the management console. |
|
Backup and DR User V2( Provides full access to Backup and DR resources except deploying and managing backup infrastructure, expiring backups, changing data sensitivity and configuring on-premises billing. |
|
Backup and DR Viewer( Provides read-only access to all Backup and DR resources. |
|
Basic roles
Basic roles are project-level roles that predate IAM. See Basic roles for additional details.
Although Backup and DR supports the following basic roles, you should use one of the predefined roles whenever possible. Basic roles include broad permissions that apply to all of your Google Cloud resources; in contrast, Backup and DR's predefined roles include fine-grained permissions that apply only to Backup and DR.
Basic IAM role | Description |
---|---|
Editor ( roles/editor ) |
Provides full access to all Backup and DR resources. |
Owner ( roles/owner ) |
Provides full access to all Backup and DR resources. |
IAM permissions for Backup and DR Service
The following table lists the IAM permissions that are associated with Backup and DR Service. IAM permissions are grouped into roles, and you assign roles to users and groups.
The following table lists the description for each Backup and DR permission.
Permission name | Description |
---|---|
backupdr.managementServers.manageClones | Provides permissions to create and manage clones from backups. |
backupdr.managementServers.manageLiveClones | Provides permissions to create and manage LiveClones from backups. |
backupdr.managementServers.manageMounts | Provides permissions to create and manage active mounts from backups. |
backupdr.managementServers.manageRestores | Provides permissions needed to restore from backups. |
backupdr.managementServers.manageBackups | Provides permissions to perform backup operations: Backup Now. |
backupdr.managementServers.viewSystem | Provides access to view backup/recovery appliance configuration. |
backupdr.managementServers.manageSystem | Provides permissions to configure backup/recovery appliances and report manager. |
backupdr.managementServers.viewStorage | Provide access to view storage and disk pool configurations. |
backupdr.managementServers.manageStorage | Provides permissions to add, modify, remove, and view storage and disk pools. |
backupdr.managementServers.viewBackupPlans | Provides access to view backup plans — backup templates and resource profiles. |
backupdr.managementServers.assignBackupPlans | Provides permissions to assign pre-configured backup plans — backup templates and resource profiles to applications or workloads. |
backupdr.managementServers.manageBackupPlans | Provides permissions to create, modify, delete, view, and assign backup plans — backup templates and resource profiles. |
backupdr.managementServers.testFailOvers | Provides permissions to perform test failover and delete test failover operations on a remote StreamSnap backup. |
backupdr.managementServers.viewWorkflows | Provide access to view backup Backup and DR Workflows that automate access to copy data within Backup and DR Service. |
backupdr.managementServers.runWorkflows | Provides permissions to run a preconfigured Backup and DR Workflows that automates access to copy data within Backup and DR Service. |
backupdr.managementServers.refreshWorkflows | Provides permissions to refresh a clone that was created by a backup Backup and DR Workflow that automates access to copy data within Backup and DR Service. |
backupdr.managementServers.manageWorkflows | Provides permissions to add, modify, remove, run, and view backup Backup and DR Workflow that automate access to copy data within Backup and DR Service. |
backupdr.managementServers.manageMirroring | Provides permissions to perform failover, syncback, cleanup, failback, test failover, and delete test failover operations on a remote StreamSnap backup. |
backupdr.managementServers.manageHosts | Provides permissions to add, modify, remove, and view hosts — physical and virtual machines |
backupdr.managementServers.manageApplications | Provides permissions to manage all aspects of applications, including logical groups and consistency groups, run backups on demand, and export templates. |
backupdr.managementServers.manageSensitiveData | Provides permissions needed to mark applications and backups as sensitive or non-sensitive data. |
backupdr.managementServers.accessSensitiveData | Provides access to applications and backups marked as sensitive. |
backupdr.managementServers.manageBackupServers | Provides permissions needed to execute Backup Server APIs through the management console. |
backupdr.managementServers.manageExpiration | Provides permissions needed to expire backups. |
backupdr.managementServers.access | Provides access to the management console and associated APIs. |
backupdr.managementServers.onpremUsageUpload | Provides access to all endpoints required to upload usage to an on-premises adapter. |
backupdr.managementServers.viewReports | Provides access to the Report Manager to run reports and view or download the output. |
backupdr.managementServers.manageJobs | Provides permissions to cancel jobs and modify job priority. |
backupdr.managementServers.manageMigrations | Provides permissions to manage the migration of mounted data as a final step in a restore or clone operation. |