This page outlines the IAM roles and permissions required for Google Cloud Backup and DR Service. When you add new principals to your project, you can use an Identity and Access Management (IAM) policy to give that principal one or more IAM roles. Each IAM role contains permissions that grant the principals access to perform specific actions on specific resources. For a reference list of the IAM permissions that apply to Backup and DR Service, see IAM permissions for Backup and DR Service.
Overview
If a principal (a user, group, or service account) calls a Google Cloud API, that principal must have the appropriate IAM permissions to use the resource. To give a principal the required permissions, you grant an IAM role to the principal. Learn more about principals in IAM.
This page lists the IAM roles for Backup and DR that you can grant to principals so that they can access Backup and DR resources.
IAM role types
Backup and DR Service has predefined roles, which are bundles of permissions that can be granted to different principals. You can also define custom roles that combine individual permissions to grant exactly the access needed to carry out a specific Backup and DR workflow or action.
IAM permissions
Permissions allow users to perform specific actions on specific resources. They can be grouped to form roles. Each permission corresponds to a specific action that the user can perform or a specific kind of access the user has.
Project level versus resource level permissions
Permissions can be granted at the project level or at the resource level. For example, depending on policy, a Backup and DR administrator can choose to grant certain permissions only on a specific storage bucket rather than on the entire project. Granting roles at the resource level does not affect any existing roles that you granted at the project level, and vice versa.
Predefined IAM roles for Backup and DR Service
Backup and DR Service has a set of predefined IAM roles that are described on this page. You can also create custom roles that contain subsets of permissions that map directly to your needs.
The following table describes IAM roles that are associated with Backup and DR Service and lists the permissions that are contained in each role. The description for each permission is listed in the IAM permission for Backup and DR Service section.
Role | Description | Permissions |
---|---|---|
Backup and DR Admin (roles/backupdr.admin) | Provides full access to all Backup and DR resources. | backupdr.managementServers.list, backupdr.managementServers.get, backupdr.managementServers.create, backupdr.managementServers.update, backupdr.managementServers.delete, backupdr.managementServers.backupAccess, backupdr.managementServers.recoveryAccess, backupdr.managementServers.manageInternalACL, backupdr.operations.list, backupdr.operations.get, backupdr.operations.cancel, backupdr.operations.delete, backupdr.locations.get, backupdr.locations.list, backupdr.managementServers.onpremUsageUpload, backupdr.managementServers.manageClones, backupdr.managementServers.manageLiveClones, backupdr.managementServers.manageMounts, backupdr.managementServers.manageRestores, backupdr.managementServers.manageBackups, backupdr.managementServers.viewSystem, backupdr.managementServers.manageSystem, backupdr.managementServers.viewStorage, backupdr.managementServers.manageStorage, backupdr.managementServers.viewBackupPlans, backupdr.managementServers.assignBackupPlans, backupdr.managementServers.manageBackupPlans, backupdr.managementServers.testFailovers, backupdr.managementServers.viewWorkflows, backupdr.managementServers.runWorkflows, backupdr.managementServers.refreshWorkflows, backupdr.managementServers.manageWorkflows, backupdr.managementServers.manageMirroring, backupdr.managementServers.manageHosts, backupdr.managementServers.manageApplications, backupdr.managementServers.manageSensitiveData, backupdr.managementServers.accessSensitiveData, backupdr.managementServers.manageBackupServers, backupdr.managementServers.viewBackupServers, backupdr.managementServers.manageExpiration, backupdr.managementServers.access, backupdr.managementServers.manageJobs, backupdr.managementServers.manageMigrations, backupdr.managementServers.viewReports |
Backup and DR User V2 (roles/backupdr.userv2) | Provides full access to Backup and DR resources except deploying and managing backup infrastructure, expiring backups, changing data sensitivity, and configuring on-premises billing. | backupdr.managementServers.list, backupdr.managementServers.get, backupdr.managementServers.backupAccess, backupdr.operations.list, backupdr.operations.get, backupdr.locations.get, backupdr.locations.list, backupdr.managementServers.manageClones, backupdr.managementServers.manageLiveClones, backupdr.managementServers.manageMounts, backupdr.managementServers.manageRestores, backupdr.managementServers.manageBackups, backupdr.managementServers.viewSystem, backupdr.managementServers.viewStorage, backupdr.managementServers.viewBackupPlans, backupdr.managementServers.assignBackupPlans, backupdr.managementServers.manageBackupPlans, backupdr.managementServers.testFailovers, backupdr.managementServers.viewWorkflows, backupdr.managementServers.runWorkflows, backupdr.managementServers.refreshWorkflows, backupdr.managementServers.manageWorkflows, backupdr.managementServers.manageMirroring, backupdr.managementServers.manageHosts, backupdr.managementServers.manageApplications, backupdr.managementServers.viewBackupServers, backupdr.managementServers.access, backupdr.managementServers.manageJobs, backupdr.managementServers.manageMigrations, backupdr.managementServers.viewReports |
Backup and DR Viewer (roles/backupdr.viewer) | Provides read-only access to all Backup and DR resources. | backupdr.managementServers.list, backupdr.managementServers.get, backupdr.operations.list, backupdr.operations.get, backupdr.locations.get, backupdr.locations.list, backupdr.managementServers.viewSystem, backupdr.managementServers.viewStorage, backupdr.managementServers.viewBackupPlans, backupdr.managementServers.viewWorkflows, backupdr.managementServers.access, backupdr.managementServers.viewReports |
Backup and DR Backup User (roles/backupdr.backupUser) | Allows the user to apply existing backup plans. This role cannot create backup plans or restore from a backup. | backupdr.managementServers.list, backupdr.managementServers.get, backupdr.managementServers.backupAccess, backupdr.operations.list, backupdr.operations.get, backupdr.locations.get, backupdr.locations.list, backupdr.managementServers.manageBackups, backupdr.managementServers.viewBackupPlans, backupdr.managementServers.assignBackupPlans, backupdr.managementServers.manageHosts, backupdr.managementServers.manageApplications, backupdr.managementServers.access, backupdr.managementServers.viewReports |
Backup and DR Restore User (roles/backupdr.restoreUser) | Allows the user to restore or mount from a backup. This role cannot create a backup plan. | backupdr.managementServers.list, backupdr.managementServers.get, backupdr.managementServers.backupAccess, backupdr.operations.list, backupdr.operations.get, backupdr.locations.get, backupdr.locations.list, backupdr.managementServers.manageClones, backupdr.managementServers.manageLiveClones, backupdr.managementServers.manageMounts, backupdr.managementServers.manageRestores, backupdr.managementServers.testFailovers, backupdr.managementServers.viewWorkflows, backupdr.managementServers.runWorkflows, backupdr.managementServers.refreshWorkflows, backupdr.managementServers.manageWorkflows, backupdr.managementServers.manageMirroring, backupdr.managementServers.manageHosts, backupdr.managementServers.manageApplications, backupdr.managementServers.access, backupdr.managementServers.manageMigrations, backupdr.managementServers.viewReports |
Backup and DR Mount User (roles/backupdr.mountUser) | Allows the user to mount from a backup. This role cannot create a backup plan or restore from a backup. | backupdr.managementServers.list, backupdr.managementServers.get, backupdr.managementServers.backupAccess, backupdr.operations.list, backupdr.operations.get, backupdr.locations.get, backupdr.locations.list, backupdr.managementServers.manageClones, backupdr.managementServers.manageLiveClones, backupdr.managementServers.manageMounts, backupdr.managementServers.viewWorkflows, backupdr.managementServers.runWorkflows, backupdr.managementServers.refreshWorkflows, backupdr.managementServers.manageWorkflows, backupdr.managementServers.manageMirroring, backupdr.managementServers.manageHosts, backupdr.managementServers.manageApplications, backupdr.managementServers.access, backupdr.managementServers.viewReports |
Backup and DR User (roles/backupdr.user) | This role has been deprecated. Do not assign this role to any user. | |
IAM permission for Backup and DR Service
The following table lists the IAM permissions that are associated with Backup and DR Service and describes what each one allows. IAM permissions are grouped into roles, and you assign roles to users and groups.
Permission name | Description |
---|---|
backupdr.managementServers.manageClones | Provides permissions to create and manage clones from backups. |
backupdr.managementServers.manageLiveClones | Provides permissions to create and manage LiveClones from backups. |
backupdr.managementServers.manageMounts | Provides permissions to create and manage active mounts from backups. |
backupdr.managementServers.manageRestores | Provides permissions needed to restore from backups. |
backupdr.managementServers.manageBackups | Provides permissions to perform backup operations: Backup Now. |
backupdr.managementServers.viewSystem | Provides access to view backup/recovery appliance configuration. |
backupdr.managementServers.manageSystem | Provides permissions to configure backup/recovery appliances and report manager. |
backupdr.managementServers.viewStorage | Provides access to view storage and disk pool configurations. |
backupdr.managementServers.manageStorage | Provides permissions to add, modify, remove, and view storage and disk pools. |
backupdr.managementServers.viewBackupPlans | Provides access to view backup plans — backup templates and resource profiles. |
backupdr.managementServers.assignBackupPlans | Provides permissions to assign pre-configured backup plans — backup templates and resource profiles to applications or workloads. |
backupdr.managementServers.manageBackupPlans | Provides permissions to create, modify, delete, view, and assign backup plans — backup templates and resource profiles. |
backupdr.managementServers.testFailovers | Provides permissions to perform test failover and delete test failover operations on a remote StreamSnap backup. |
backupdr.managementServers.viewWorkflows | Provides access to view Backup and DR Workflows, which automate access to copy data within Backup and DR Service. |
backupdr.managementServers.runWorkflows | Provides permissions to run a preconfigured Backup and DR Workflow, which automates access to copy data within Backup and DR Service. |
backupdr.managementServers.refreshWorkflows | Provides permissions to refresh a clone that was created by a Backup and DR Workflow, which automates access to copy data within Backup and DR Service. |
backupdr.managementServers.manageWorkflows | Provides permissions to add, modify, remove, run, and view Backup and DR Workflows, which automate access to copy data within Backup and DR Service. |
backupdr.managementServers.manageMirroring | Provides permissions to perform failover, syncback, cleanup, failback, test failover, and delete test failover operations on a remote StreamSnap backup. |
backupdr.managementServers.manageHosts | Provides permissions to add, modify, remove, and view hosts (physical and virtual machines). |
backupdr.managementServers.manageApplications | Provides permissions to manage all aspects of applications, including logical groups and consistency groups, run backups on demand, and export templates. |
backupdr.managementServers.manageSensitiveData | Provides permissions needed to mark applications and backups as sensitive or non-sensitive data. |
backupdr.managementServers.accessSensitiveData | Provides access to applications and backups marked as sensitive. |
backupdr.managementServers.manageBackupServers | Provides permissions needed to execute Backup Server APIs through the management console. |
backupdr.managementServers.manageExpiration | Provides permissions needed to expire backups. |
backupdr.managementServers.access | Provides access to the management console and associated APIs. |
backupdr.managementServers.onpremUsageUpload | Provides access to all endpoints required to upload usage to an on-premises adapter. |
backupdr.managementServers.viewReports | Provides access to the Report Manager to run reports and view or download the output. |
backupdr.managementServers.manageJobs | Provides permissions to cancel jobs and modify job priority. |
backupdr.managementServers.manageMigrations | Provides permissions to manage the migration of mounted data as a final step in a restore or clone operation. |
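The two tables above are what you need to apply least privilege in practice: pick the smallest predefined role that covers a task, and when even that role grants far more than the task needs, define a custom role instead (as the IAM role types section allows). The following helper, an added example that is not part of the Google Cloud documentation, transcribes the role contents from the predefined-roles table (re-check them against the live page before relying on the numbers), selects the least-privileged covering role, lists what it grants beyond the task, and emits the YAML body that `gcloud iam roles create` accepts for a custom role.

```python
# Added example, not Google's code: pick the least-privileged predefined
# Backup and DR role for a task, or emit a custom role with exactly the
# permissions needed. Role contents are transcribed from the table above.
P = "backupdr.managementServers."
COMMON = {P + "list", P + "get", P + "access", P + "viewReports",
          "backupdr.operations.list", "backupdr.operations.get",
          "backupdr.locations.get", "backupdr.locations.list"}
VIEWER = COMMON | {P + n for n in ("viewSystem", "viewStorage",
                                   "viewBackupPlans", "viewWorkflows")}
MOUNT = COMMON | {P + n for n in (
    "backupAccess", "manageClones", "manageLiveClones", "manageMounts",
    "viewWorkflows", "runWorkflows", "refreshWorkflows", "manageWorkflows",
    "manageMirroring", "manageHosts", "manageApplications")}
BACKUP = COMMON | {P + n for n in (
    "backupAccess", "manageBackups", "viewBackupPlans", "assignBackupPlans",
    "manageHosts", "manageApplications")}
RESTORE = MOUNT | {P + n for n in ("manageRestores", "testFailovers",
                                   "manageMigrations")}
USERV2 = RESTORE | BACKUP | {P + n for n in (
    "viewSystem", "viewStorage", "manageBackupPlans", "viewBackupServers",
    "manageJobs")}
ADMIN = USERV2 | {"backupdr.operations.cancel", "backupdr.operations.delete"} | {
    P + n for n in ("create", "update", "delete", "recoveryAccess",
                    "manageInternalACL", "onpremUsageUpload", "manageSystem",
                    "manageStorage", "manageSensitiveData", "accessSensitiveData",
                    "manageBackupServers", "manageExpiration")}
ROLES = {
    "roles/backupdr.viewer": frozenset(VIEWER),
    "roles/backupdr.mountUser": frozenset(MOUNT),
    "roles/backupdr.backupUser": frozenset(BACKUP),
    "roles/backupdr.restoreUser": frozenset(RESTORE),
    "roles/backupdr.userv2": frozenset(USERV2),
    "roles/backupdr.admin": frozenset(ADMIN),
}

def smallest_role(required):
    # Predefined role with the fewest permissions that still covers the task;
    # None if nothing covers it (typo, or a permission outside Backup and DR).
    covering = [(len(p), name) for name, p in ROLES.items() if required <= p]
    return min(covering)[1] if covering else None

def excess(role, required):
    # What the role grants beyond the task: a long list means use a custom role.
    return set(ROLES[role]) - set(required)

def custom_role_yaml(title, required):
    # Body for `gcloud iam roles create ROLE_ID --project PROJECT --file F`;
    # title, stage and includedPermissions are that file's documented keys.
    lines = [f"title: {title}", "stage: GA", "includedPermissions:"]
    return "\n".join(lines + [f"- {p}" for p in sorted(required)]) + "\n"
```

For example, a team that only needs Backup Now on plans that are already assigned lands on roles/backupdr.backupUser, whereas a task needing both manageMounts and manageBackups is covered by no role smaller than roles/backupdr.userv2, which is the case where a custom role is the better fit.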
Assign IAM roles to a user
Use the following instructions to assign a role to a user.
In the Google Cloud console, go to the IAM page.
Click the Select a project drop-down menu at the top of the page.
Click Grant Access.
In the Add Principals section, enter the principal's email address, domain, or other identifier.
Select the project you want to view users in.
Find the principal's email address, domain, or other identifier in Principals and select Edit principal.
The Assign roles drop-down menu displays all the roles, including any custom roles, that you can grant to the principal on this resource. Search for predefined roles.
Click Save.
Modify a user's assigned roles
Use the following instructions to modify a role that is already assigned to a user.
In the Google Cloud console, go to the IAM page.
Click the Select a project drop-down menu at the top of the page.
Select the user you want to modify the role of and click Edit principal.
The Select a role drop-down menu displays all the roles, including any custom roles, that you can grant to the principal on this resource. Search for predefined roles.
Click Save.