CBR UMN Fine-Grained Permission Version

Reviewed-by: Hasko, Vladimir <vladimir.hasko@t-systems.com>
Co-authored-by: zhangyue <zhangyue164@huawei.com>
Co-committed-by: zhangyue <zhangyue164@huawei.com>
zhangyue 2023-01-25 14:29:14 +00:00 committed by zuul
parent 3f5759eed2
commit a98e12fea0
10 changed files with 659 additions and 238 deletions

File diff suppressed because it is too large Load Diff

@ -10,6 +10,8 @@
</li>
<li class="ulchildlink"><strong><a href="cbr_01_0003.html">Functions</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="cbr_01_0011.html">Permissions Management</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="cbr_01_0014.html">User Permissions</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="cbr_01_0009.html">Constraints</a></strong><br>
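
Review bot: the child-link list puts "Permissions Management" (cbr_01_0011.html) directly before "User Permissions" (cbr_01_0014.html), two titles that are hard to tell apart, and "Permissions Management" is also the title of cbr_03_0047.html added later in this commit. Consider retitling the overview entry or nesting "User Permissions" under it so the navigation makes clear which page covers what.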

@ -18,7 +18,7 @@
</p></li><li id="cbr_03_0032__li2954517411"><span>(Optional) Deselect <strong id="cbr_03_0032__b833280134711">Start the server immediately after restoration</strong>.</span><p><div class="p" id="cbr_03_0032__p4961151194115">If you deselect <strong id="cbr_03_0032__b13927110114710">Start the server immediately after restoration</strong>, manually start the server after the restoration is complete.<div class="notice" id="cbr_03_0032__note39675112419"><span class="noticetitle"><img src="public_sys-resources/notice_3.0-en-us.png"> </span><div class="noticebody"><p id="cbr_03_0032__p69735112417">Servers are shut down during restoration. It is therefore recommended that you perform restoration operations during off-peak hours.</p>
</div></div>
</div>
</p></li><li id="cbr_03_0032__li7167659112954"><span>In the <strong id="cbr_03_0032__b84235270610232">Specified Disk</strong> drop-down list, select the target disk to which the backup will be restored.</span><p><div class="note" id="cbr_03_0032__note18082466113114"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="cbr_03_0032__ul49179302113359"><li id="cbr_03_0032__li23071114164512">If the server has only one disk, the backup is restored to the disk by default.</li><li id="cbr_03_0032__li0309131416451">If the server has multiple disks, the backup is respectively restored to the original disks by default. You can also restore the backup to another disk on the backup server by selecting the disk from the drop-down list. However, the specified destination disk must be at least as large as the backup source disk.</li><li id="cbr_03_0032__li5828882315544">Data on data disks cannot be restored to system disks.</li></ul>
</p></li><li id="cbr_03_0032__li7167659112954"><span>In the <strong id="cbr_03_0032__b84235270610232">Specified Disk</strong> drop-down list, select the target disk to which the backup will be restored.</span><p><div class="note" id="cbr_03_0032__note18082466113114"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="cbr_03_0032__ul49179302113359"><li id="cbr_03_0032__li23071114164512">If the server has only one disk, the backup is restored to the disk by default.</li><li id="cbr_03_0032__li0309131416451">If the server has multiple disks, the backup is respectively restored to the original disks by default. You can also restore the backup to another disk on the backup server by selecting the disk from the drop-down list. However, the specified destination disk must be at least as large as the backup source disk.</li><li id="cbr_03_0032__li5828882315544">Backup data of data disks cannot be restored to system disks.</li></ul>
</div></div>
<div class="notice" id="cbr_03_0032__note18728408571"><span class="noticetitle"><img src="public_sys-resources/notice_3.0-en-us.png"> </span><div class="noticebody"><p id="cbr_03_0032__p176316122542">If the number of disks to be restored is greater than the number of disks that are backed up, restoration may cause data inconsistency. </p>
<p id="cbr_03_0032__p1754310464251">For example, if the data of Oracle is scattered across multiple disks and only some of them are restored, data inconsistency occurs after the restoration and the application may unable to start.</p>
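
Review bot: in the notice paragraph cbr_03_0032__p1754310464251 that follows the reworded bullet, "the application may unable to start" is missing "be"; since this step is being touched anyway, fix it in the same change. In the second bullet of the note, "the backup is respectively restored to the original disks" would read more clearly as "each disk's backup is restored to its original disk".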

@ -8,9 +8,15 @@
</th>
</tr>
</thead>
<tbody><tr id="cbr_03_0046__row14031844827"><td class="cellrowborder" valign="top" width="18%" headers="mcps1.3.1.1.3.1.1 "><p id="cbr_03_0046__p1040412441926">2022-11-16</p>
<tbody><tr id="cbr_03_0046__row5817193902120"><td class="cellrowborder" valign="top" width="18%" headers="mcps1.3.1.1.3.1.1 "><p id="cbr_03_0046__p19817173912217">2022-12-02</p>
</td>
<td class="cellrowborder" valign="top" width="82%" headers="mcps1.3.1.1.3.1.2 "><p id="cbr_03_0046__p1240464410212">This issue incorporates the following change:</p>
<td class="cellrowborder" valign="top" width="82%" headers="mcps1.3.1.1.3.1.2 "><p id="cbr_03_0046__p20319165611219">This issue incorporates the following changes:</p>
<ul id="cbr_03_0046__ul159374761412"><li id="cbr_03_0046__li42011616192117">Added section "Permissions Management" in "Service Overview."</li><li id="cbr_03_0046__li11947181317146">Added section "Permissions Management" in "User Guide."</li></ul>
</td>
</tr>
<tr id="cbr_03_0046__row14031844827"><td class="cellrowborder" valign="top" width="18%" headers="mcps1.3.1.1.3.1.1 "><p id="cbr_03_0046__p1040412441926">2022-11-16</p>
</td>
<td class="cellrowborder" valign="top" width="82%" headers="mcps1.3.1.1.3.1.2 "><p id="cbr_03_0046__p1240464410212">This issue incorporates the following changes:</p>
<p id="cbr_03_0046__p14636531529">Added the description of disk-level backup in section "Creating a Server Backup Vault."</p>
</td>
</tr>
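
Review bot: in the 2022-11-16 row, paragraph cbr_03_0046__p1240464410212 now reads "This issue incorporates the following changes:" but is still followed by a single item (cbr_03_0046__p14636531529). Keep the singular "change:" for that row and use the plural only in the new 2022-12-02 row, which lists two items.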

@ -0,0 +1,14 @@
<a name="cbr_03_0047"></a><a name="cbr_03_0047"></a>
<h1 class="topictitle1">Permissions Management</h1>
<div id="body1559549042505"><p id="cbr_03_0047__p8060118"></p>
</div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="cbr_03_0048.html">Creating a User and Granting CBR Permissions</a></strong><br>
</li>
<li class="ulchildlink"><strong><a href="cbr_03_0050.html">Creating a Custom Policy</a></strong><br>
</li>
</ul>
</div>
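
Review bot: the body of this new landing page is only an empty paragraph (`<p id="cbr_03_0047__p8060118"></p>`), so the page renders as a bare title and two links. Add a one-sentence introduction saying what the two child topics cover, or drop the empty paragraph. The first line also emits the same anchor `<a name="cbr_03_0047"></a>` twice; one is enough.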

@ -0,0 +1,23 @@
<a name="cbr_03_0048"></a><a name="cbr_03_0048"></a>
<h1 class="topictitle1">Creating a User and Granting CBR Permissions</h1>
<div id="body1559549042505"><p id="cbr_03_0048__p17514141482016">This section describes how to use IAM to implement fine-grained permissions control for your CBR resources. With IAM, you can:</p>
<ul id="cbr_03_0048__ul65145145202"><li id="cbr_03_0048__li351561402014">Create IAM users for employees based on your enterprise's organizational structure. Each IAM user will have their own security credentials for accessing CBR resources.</li><li id="cbr_03_0048__li0515014192010">Grant only the permissions required for users to perform a specific task.</li><li id="cbr_03_0048__li75155148203">Entrust a cloud account or cloud service to perform efficient O&amp;M on your CBR resources.</li></ul>
<p id="cbr_03_0048__p1651541420209">If your cloud account does not require individual IAM users, skip this section. If your account cannot meet your requirements, create IAM users by referring to <a href="https://docs.otc.t-systems.com/en-us/usermanual/iam/iam_01_0026.html" target="_blank" rel="noopener noreferrer">Identity and Access Management User Guide</a>.</p>
<p id="cbr_03_0048__p5515114112016">This section describes the procedure for granting permissions (see <a href="#cbr_03_0048__fig194521431175317">Figure 1</a>).</p>
<div class="section" id="cbr_03_0048__section1881236181014"><h4 class="sectiontitle">Prerequisites</h4><p id="cbr_03_0048__p9819544172111">You have learnt about the permissions (see <a href="cbr_01_0011.html">Permissions Management</a>) supported by CBR and chosen the policies or roles according to your requirements. For the system policies of other services, see "System Permissions".</p>
</div>
<div class="section" id="cbr_03_0048__section3858134855017"><h4 class="sectiontitle">Process Flow</h4><div class="fignone" id="cbr_03_0048__fig194521431175317"><a name="cbr_03_0048__fig194521431175317"></a><a name="fig194521431175317"></a><span class="figcap"><b>Figure 1 </b>Process for granting CBR permissions</span><br><span><img class="vsd" id="cbr_03_0048__image105401230162018" src="en-us_image_0220982950.png"></span></div>
<ol id="cbr_03_0048__ol46562308273"><li id="cbr_03_0048__li3656183032711"><a name="cbr_03_0048__li3656183032711"></a><a name="li3656183032711"></a>Create a user group and assign permissions to it.<p id="cbr_03_0048__p166561530182716"><a name="cbr_03_0048__li3656183032711"></a><a name="li3656183032711"></a>Create a user group on the IAM console, and assign the <strong id="cbr_03_0048__b142413164561">CBR ReadOnlyAccess</strong> policy to the group.</p>
</li><li id="cbr_03_0048__li16561330122713">Create an IAM user and add it to the user group.<p id="cbr_03_0048__p165613052710"><a name="cbr_03_0048__li16561330122713"></a><a name="li16561330122713"></a>Create a user on the IAM console and add the user to the group created in <a href="#cbr_03_0048__li3656183032711">1</a>.</p>
</li><li id="cbr_03_0048__li8656153082719">Log in and verify permissions.<p id="cbr_03_0048__p865613303275"><a name="cbr_03_0048__li8656153082719"></a><a name="li8656153082719"></a>Log in to CBR Console using the created user, and verify that the user has read-only permissions for CBR.</p>
<ul id="cbr_03_0048__ul162963396234"><li id="cbr_03_0048__li6296133992319">Choose <strong id="cbr_03_0048__b146613445810">Service List</strong> &gt; <strong id="cbr_03_0048__b14525183785814">Cloud Backup and Recovery</strong>. Then click <strong id="cbr_03_0048__b1159977165913">Create Server Backup Vault</strong> on CBR Console. If a message appears indicating that you have insufficient permissions to perform the operation, the <strong id="cbr_03_0048__b8128143914592">CBR ReadOnlyAccess</strong> policy has already taken effect.</li><li id="cbr_03_0048__li8296039182311">Choose any other service in <strong id="cbr_03_0048__b4206055112419">Service List</strong>. If a message appears indicating that you have insufficient permissions to access the service, the <strong id="cbr_03_0048__b2208125532413">CBR ReadOnlyAccess</strong> policy has already taken effect.</li></ul>
</li></ol>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="cbr_03_0047.html">Permissions Management</a></div>
</div>
</div>
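
Review bot: step 3 (cbr_03_0048__li8656153082719) says to verify that the user has read-only permissions, but both checks only confirm that an operation is refused, so a user with no CBR permissions at all would pass them too. Add a positive check, for example that the user can open the CBR console and view existing vaults, before the two denial checks. Separately, step 1 carries the anchor pair `<a name="cbr_03_0048__li3656183032711"></a><a name="li3656183032711"></a>` twice (once in the list item and again inside its paragraph), and the prerequisite refers to "System Permissions" without a link.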

@ -0,0 +1,65 @@
<a name="cbr_03_0050"></a><a name="cbr_03_0050"></a>
<h1 class="topictitle1">Creating a Custom Policy</h1>
<div id="body1559549042505"><p id="cbr_03_0050__p153751340284">Custom policies can be created to supplement the system-defined policies of CBR. For the actions supported for custom policies, see section "Permissions Policies and Supported Actions" in <em id="cbr_03_0050__i1014319111511">Cloud Backup and Recovery API Reference</em>.</p>
<p id="cbr_03_0050__p2079563182513">You can create custom policies in either of the following ways:</p>
<ul id="cbr_03_0050__ul379563122510"><li id="cbr_03_0050__li18795123142512">Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.</li><li id="cbr_03_0050__li294510932511">JSON: Edit JSON policies from scratch or based on an existing policy.</li></ul>
<p id="cbr_03_0050__p8060118">This section provides examples of common user-defined CBR policies.</p>
<div class="section" id="cbr_03_0050__section441833517360"><h4 class="sectiontitle">Example Custom Policies</h4><ul id="cbr_03_0050__ul131261824153811"><li id="cbr_03_0050__li15126112423817">Example 1: Allowing users to create, modify, and delete vaults<pre class="screen" id="cbr_03_0050__screen04611727294">{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cbr:*:get*",
"cbr:*:list*",
"cbr:vaults:update",
"cbr:vaults:delete",
"cbr:vaults:create"
]
}
]
}</pre>
</li><li id="cbr_03_0050__li181121857133912">Example 2: Denying users to delete vaults and backups<p id="cbr_03_0050__p15136112164013"><a name="cbr_03_0050__li181121857133912"></a><a name="li181121857133912"></a>A policy with only "Deny" permissions must be used in conjunction with other policies to take effect. If the permissions assigned to a user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.</p>
<p id="cbr_03_0050__p15136721144010">The following method can be used if you need to assign permissions of the <strong id="cbr_03_0050__b1084219181016">CBR FullAccess</strong> policy to a user but you want to prevent the user from deleting vaults and backups. Create a custom policy for denying vault and backup deletion, and attach both policies to the group to which the user belongs. Then, the user can perform all operations on CBR except deleting vaults or backups. The following is an example of a deny policy:</p>
<pre class="screen" id="cbr_03_0050__screen11607731143217">{
"Version": "1.1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"cbr:backups:delete",
"cbr:vaults:delete"
]
}
]
}</pre>
</li><li id="cbr_03_0050__li712616247383">Example 3: Defining permissions for multiple services in a policy<p id="cbr_03_0050__p1212610243389"><a name="cbr_03_0050__li712616247383"></a><a name="li712616247383"></a>A custom policy can contain the actions of multiple services that are of the global or project-level type. The following is an example policy containing actions of multiple services:</p>
<pre class="screen" id="cbr_03_0050__screen17182038174810">{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cbr:vaults:create",
"cbr:vaults:update",
"cbr:vaults:delete"
]
},
{
"Effect": "Allow",
"Action": [
"sfs:shares:createShare"
]
}
]
}</pre>
</li></ul>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="cbr_03_0047.html">Permissions Management</a></div>
</div>
</div>
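
Review bot: Example 3 grants "cbr:vaults:create", "cbr:vaults:update" and "cbr:vaults:delete" without the "cbr:*:get*" and "cbr:*:list*" actions that Example 1 pairs with the same write actions, so it is unclear whether a user holding only the Example 3 policy can view the vaults they are meant to manage. Either add the read actions or state that this policy is meant to be attached alongside a read policy. Example 1's title ("create, modify, and delete vaults") should also mention that it grants read access to all CBR resources through the two wildcard actions, and "Denying users to delete" in Example 2 reads better as "Preventing users from deleting".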
