Control access to Backup and DR Service with IAM

This page outlines the IAM roles and permissions required for Google Cloud Backup and DR Service. When you add new principals to your project, you can use an Identity and Access Management (IAM) policy to give that principal one or more IAM roles. Each IAM role contains permissions that grant the principals access to perform specific actions on specific resources. For a reference list of the IAM permissions that apply to Backup and DR Service, see IAM permissions for Backup and DR Service.

How IAM controls access

If a principal–a user, group, or service account–calls a Google Cloud API, that principal must have the appropriate IAM permissions to use the resource. To give a principal the required permissions, you grant an IAM role to the principal. Learn more about principals in IAM.

IAM role types

Backup and DR Service have predefined roles which are bundled permissions for them to be assigned to different principles. Users can also define custom roles which can have a combination of individual permissions to grant access to carry out a specific Backup and DR Workflow or action.

IAM permissions

Permissions allow users to perform specific actions on specific resources. They can be grouped to form roles. Each permission refers to a specific action that the user can perform or access they have.

Project level versus resource level permissions

Permissions can be granted on a project level or at the resource level. For example, a Backup and DR administrator can choose to only grant certain permissions on a storage bucket level as opposed to the entire project depending on their policy. Granting roles at the resource level does not affect any existing roles that you granted at the project level, and the other way around.

Predefined IAM roles for Backup and DR Service

Backup and DR Service has a set of predefined IAM roles that are described on this page. You can also create custom roles that contain subsets of permissions that map directly to your needs.

The following table describes IAM roles that are associated with Backup and DR Service and lists the permissions that are contained in each role. The description for each permission is listed in the IAM permission for Backup and DR Service section.

Role Permissions

(roles/backupdr.admin)

Provides full access to all Backup and DR resources.

backupdr.*

  • backupdr.locations.get
  • backupdr.locations.list
  • backupdr.managementServers.access
  • backupdr.managementServers.accessSensitiveData
  • backupdr.managementServers.assignBackupPlans
  • backupdr.managementServers.backupAccess
  • backupdr.managementServers.create
  • backupdr.managementServers.createDynamicProtection
  • backupdr.managementServers.delete
  • backupdr.managementServers.deleteDynamicProtection
  • backupdr.managementServers.get
  • backupdr.managementServers.getDynamicProtection
  • backupdr.managementServers.getIamPolicy
  • backupdr.managementServers.list
  • backupdr.managementServers.listDynamicProtection
  • backupdr.managementServers.manageApplications
  • backupdr.managementServers.manageBackupPlans
  • backupdr.managementServers.manageBackupServers
  • backupdr.managementServers.manageBackups
  • backupdr.managementServers.manageClones
  • backupdr.managementServers.manageExpiration
  • backupdr.managementServers.manageHosts
  • backupdr.managementServers.manageInternalACL
  • backupdr.managementServers.manageJobs
  • backupdr.managementServers.manageLiveClones
  • backupdr.managementServers.manageMigrations
  • backupdr.managementServers.manageMirroring
  • backupdr.managementServers.manageMounts
  • backupdr.managementServers.manageRestores
  • backupdr.managementServers.manageSensitiveData
  • backupdr.managementServers.manageStorage
  • backupdr.managementServers.manageSystem
  • backupdr.managementServers.manageWorkflows
  • backupdr.managementServers.refreshWorkflows
  • backupdr.managementServers.runWorkflows
  • backupdr.managementServers.setIamPolicy
  • backupdr.managementServers.testFailOvers
  • backupdr.managementServers.viewBackupPlans
  • backupdr.managementServers.viewBackupServers
  • backupdr.managementServers.viewReports
  • backupdr.managementServers.viewStorage
  • backupdr.managementServers.viewSystem
  • backupdr.managementServers.viewWorkflows
  • backupdr.operations.cancel
  • backupdr.operations.delete
  • backupdr.operations.get
  • backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/backupdr.backupUser)

Allows the user to apply existing backup plans. This role cannot create backup plans or restore from a backup.

backupdr.locations.*

  • backupdr.locations.get
  • backupdr.locations.list

backupdr.managementServers.access

backupdr.managementServers.assignBackupPlans

backupdr.managementServers.createDynamicProtection

backupdr.managementServers.deleteDynamicProtection

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.manageApplications

backupdr.managementServers.manageBackups

backupdr.managementServers.manageHosts

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/backupdr.cloudStorageOperator)

Allows a Backup and DR service account to store and manage data (backups or metadata) in Cloud Storage.

storage.buckets.create

storage.buckets.get

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

(roles/backupdr.computeEngineOperator)

Allows a Backup and DR service account to discover, back up, and restore Compute Engine VM instances.

compute.addresses.list

compute.addresses.use

compute.diskTypes.*

  • compute.diskTypes.get
  • compute.diskTypes.list

compute.disks.create

compute.disks.createSnapshot

compute.disks.delete

compute.disks.get

compute.disks.setLabels

compute.disks.use

compute.firewalls.list

compute.globalOperations.get

compute.images.create

compute.images.delete

compute.images.get

compute.images.useReadOnly

compute.instances.attachDisk

compute.instances.create

compute.instances.delete

compute.instances.detachDisk

compute.instances.get

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.setLabels

compute.instances.setMetadata

compute.instances.setServiceAccount

compute.instances.setTags

compute.instances.start

compute.instances.stop

compute.machineTypes.*

  • compute.machineTypes.get
  • compute.machineTypes.list

compute.networks.list

compute.nodeGroups.get

compute.nodeGroups.list

compute.nodeTemplates.get

compute.projects.get

compute.regionOperations.get

compute.regions.*

  • compute.regions.get
  • compute.regions.list

compute.snapshots.create

compute.snapshots.delete

compute.snapshots.get

compute.snapshots.setLabels

compute.snapshots.useReadOnly

compute.subnetworks.list

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.zoneOperations.get

compute.zones.list

iam.serviceAccounts.actAs

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/backupdr.mountUser)

Allows the user to mount from a backup. This role cannot create a backup plan or restore from a backup.

backupdr.locations.*

  • backupdr.locations.get
  • backupdr.locations.list

backupdr.managementServers.access

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.manageApplications

backupdr.managementServers.manageClones

backupdr.managementServers.manageHosts

backupdr.managementServers.manageLiveClones

backupdr.managementServers.manageMirroring

backupdr.managementServers.manageMounts

backupdr.managementServers.manageWorkflows

backupdr.managementServers.refreshWorkflows

backupdr.managementServers.runWorkflows

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/backupdr.restoreUser)

Allows the user to restore or mount from a backup. This role cannot create a backup plan.

backupdr.locations.*

  • backupdr.locations.get
  • backupdr.locations.list

backupdr.managementServers.access

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.manageApplications

backupdr.managementServers.manageClones

backupdr.managementServers.manageHosts

backupdr.managementServers.manageLiveClones

backupdr.managementServers.manageMigrations

backupdr.managementServers.manageMirroring

backupdr.managementServers.manageMounts

backupdr.managementServers.manageRestores

backupdr.managementServers.manageWorkflows

backupdr.managementServers.refreshWorkflows

backupdr.managementServers.runWorkflows

backupdr.managementServers.testFailOvers

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/backupdr.user)

Provides access to management console. Granular Backup and DR permissions depend on ACL configuration provided by Backup and DR admin within the management console.

backupdr.managementServers.access

backupdr.managementServers.backupAccess

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.getIamPolicy

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewBackupServers

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/backupdr.userv2)

Provides full access to Backup and DR resources except deploying and managing backup infrastructure, expiring backups, changing data sensitivity and configuring on-premises billing.

backupdr.locations.*

  • backupdr.locations.get
  • backupdr.locations.list

backupdr.managementServers.access

backupdr.managementServers.assignBackupPlans

backupdr.managementServers.backupAccess

backupdr.managementServers.createDynamicProtection

backupdr.managementServers.deleteDynamicProtection

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.getIamPolicy

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.manageApplications

backupdr.managementServers.manageBackupPlans

backupdr.managementServers.manageBackups

backupdr.managementServers.manageClones

backupdr.managementServers.manageHosts

backupdr.managementServers.manageJobs

backupdr.managementServers.manageLiveClones

backupdr.managementServers.manageMigrations

backupdr.managementServers.manageMirroring

backupdr.managementServers.manageMounts

backupdr.managementServers.manageRestores

backupdr.managementServers.manageWorkflows

backupdr.managementServers.refreshWorkflows

backupdr.managementServers.runWorkflows

backupdr.managementServers.testFailOvers

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewBackupServers

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

(roles/backupdr.viewer)

Provides read-only access to all Backup and DR resources.

backupdr.locations.*

  • backupdr.locations.get
  • backupdr.locations.list

backupdr.managementServers.access

backupdr.managementServers.backupAccess

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.getIamPolicy

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewBackupServers

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Basic roles

Basic roles are project-level roles that predate IAM. See Basic roles for additional details.

Although Backup and DR supports the following basic roles, you should use one of the predefined roles whenever possible. Basic roles include broad permissions that apply to all of your Google Cloud resources; in contrast, Backup and DR's predefined roles include fine-grained permissions that apply only to Backup and DR.

Basic IAM role Description
Editor
(roles/editor)		 Provides full access to all Backup and DR resources.
Owner
(roles/owner)		 Provides full access to all Backup and DR resources.

IAM permissions for Backup and DR Service

The following table lists the IAM permissions that are associated with Backup and DR Service. IAM permissions are grouped into roles, and you assign roles to users and groups.

The following table lists the description for each Backup and DR permission.

Permission name Description
backupdr.managementServers.manageClones Provides permissions to create and manage clones from backups.
backupdr.managementServers.manageLiveClones Provides permissions to create and manage LiveClones from backups.
backupdr.managementServers.manageMounts Provides permissions to create and manage active mounts from backups.
backupdr.managementServers.manageRestores Provides permissions needed to restore from backups.
backupdr.managementServers.manageBackups Provides permissions to perform backup operations: Backup Now.
backupdr.managementServers.viewSystem Provides access to view backup/recovery appliance configuration.
backupdr.managementServers.manageSystem Provides permissions to configure backup/recovery appliances and report manager.
backupdr.managementServers.viewStorage Provide access to view storage and disk pool configurations.
backupdr.managementServers.manageStorage Provides permissions to add, modify, remove, and view storage and disk pools.
backupdr.managementServers.viewBackupPlans Provides access to view backup plans — backup templates and resource profiles.
backupdr.managementServers.assignBackupPlans Provides permissions to assign pre-configured backup plans — backup templates and resource profiles to applications or workloads.
backupdr.managementServers.manageBackupPlans Provides permissions to create, modify, delete, view, and assign backup plans — backup templates and resource profiles.
backupdr.managementServers.testFailOvers Provides permissions to perform test failover and delete test failover operations on a remote StreamSnap backup.
backupdr.managementServers.viewWorkflows Provide access to view backup Backup and DR Workflows that automate access to copy data within Backup and DR Service.
backupdr.managementServers.runWorkflows Provides permissions to run a preconfigured Backup and DR Workflows that automates access to copy data within Backup and DR Service.
backupdr.managementServers.refreshWorkflows Provides permissions to refresh a clone that was created by a backup Backup and DR Workflow that automates access to copy data within Backup and DR Service.
backupdr.managementServers.manageWorkflows Provides permissions to add, modify, remove, run, and view backup Backup and DR Workflow that automate access to copy data within Backup and DR Service.
backupdr.managementServers.manageMirroring Provides permissions to perform failover, syncback, cleanup, failback, test failover, and delete test failover operations on a remote StreamSnap backup.
backupdr.managementServers.manageHosts Provides permissions to add, modify, remove, and view hosts — physical and virtual machines
backupdr.managementServers.manageApplications Provides permissions to manage all aspects of applications, including logical groups and consistency groups, run backups on demand, and export templates.
backupdr.managementServers.manageSensitiveData Provides permissions needed to mark applications and backups as sensitive or non-sensitive data.
backupdr.managementServers.accessSensitiveData Provides access to applications and backups marked as sensitive.
backupdr.managementServers.manageBackupServers Provides permissions needed to execute Backup Server APIs through the management console.
backupdr.managementServers.manageExpiration Provides permissions needed to expire backups.
backupdr.managementServers.access Provides access to the management console and associated APIs.
backupdr.managementServers.onpremUsageUpload Provides access to all endpoints required to upload usage to an on-premises adapter.
backupdr.managementServers.viewReports Provides access to the Report Manager to run reports and view or download the output.
backupdr.managementServers.manageJobs Provides permissions to cancel jobs and modify job priority.
backupdr.managementServers.manageMigrations Provides permissions to manage the migration of mounted data as a final step in a restore or clone operation.