이 페이지는 Cloud Translation API를 통해 번역되었습니다.

IAM으로 백업 및 DR 서비스에 대한 액세스 제어

이 페이지에서는Google Cloud 백업 및 DR 서비스에 필요한 IAM 역할과 권한을 간략히 설명합니다. 프로젝트에 새 사용자를 추가할 때 Identity and Access Management (IAM) 정책을 사용하여 해당 사용자에게 하나 이상의 IAM 역할을 부여할 수 있습니다. 각 IAM 역할에는 주 구성원이 특정 리소스에 대해 특정 작업을 실행할 수 있는 액세스 권한을 부여하는 권한이 포함되어 있습니다. 백업 및 DR 서비스에 적용되는 IAM 권한의 참조 목록은 백업 및 DR 서비스의 IAM 권한을 참고하세요.

IAM에서 액세스를 제어하는 방법

주 구성원(사용자, 그룹 또는 서비스 계정)이 Google Cloud API를 호출하는 경우 해당 주 구성원에게 리소스를 사용할 적절한 IAM 권한이 있어야 합니다. 주 구성원에게 필수 권한을 부여하려면 주 구성원에게 IAM 역할을 부여합니다. IAM의 주 구성원 자세히 알아보기

IAM 역할 유형

백업 및 DR 서비스에는 다양한 원칙에 할당할 수 있는 번들 권한인 사전 정의된 역할이 있습니다. 사용자는 특정 백업 및 DR 워크플로 또는 작업을 실행할 수 있는 액세스 권한을 부여하기 위해 개별 권한을 조합할 수 있는 맞춤 역할을 정의할 수도 있습니다.

IAM 권한

권한이 있는 사용자는 특정 리소스에 대해 특정 작업을 실행할 수 있습니다. 권한을 그룹화하여 역할을 만들 수 있습니다. 각 권한은 사용자가 수행하거나 액세스할 수 있는 특정 작업을 나타냅니다.

프로젝트 수준 권한과 리소스 수준 권한 비교

권한은 프로젝트 수준 또는 리소스 수준에서 부여할 수 있습니다. 예를 들어 백업 및 DR 관리자는 정책에 따라 전체 프로젝트가 아닌 스토리지 버킷 수준에서만 특정 권한을 부여하도록 선택할 수 있습니다. 리소스 수준에서 역할을 부여하더라도 프로젝트 수준에서 부여한 기존 역할은 영향을 받지 않으며 그 반대의 경우도 마찬가지입니다.

백업 및 DR 서비스의 사전 정의된 IAM 역할

백업 및 DR 서비스에는 이 페이지에 설명된 사전 정의된 IAM 역할 집합이 있습니다. 요구사항에 맞는 권한 하위 집합이 포함된 커스텀 역할을 만들 수도 있습니다.

다음 표에서는 백업 및 DR 서비스와 연결된 IAM 역할을 설명하고 각 역할에 포함된 권한을 나열합니다. 각 권한에 대한 설명은 백업 및 DR 서비스의 IAM 권한 섹션에 나와 있습니다.

Role Permissions

Role	Permissions
Backup and DR Admin (`roles/backupdr.admin`) Provides full access to all Backup and DR resources.	`backupdr.backupPlanAssociations.` `backupdr.backupPlanAssociations.createForComputeInstance` `backupdr.backupPlanAssociations.deleteForComputeInstance` `backupdr.backupPlanAssociations.get` `backupdr.backupPlanAssociations.list` `backupdr.backupPlanAssociations.triggerBackupForComputeInstance` `backupdr.backupPlans.` `backupdr.backupPlans.create` `backupdr.backupPlans.delete` `backupdr.backupPlans.get` `backupdr.backupPlans.list` `backupdr.backupPlans.useForComputeInstance` `backupdr.backupVaults.` `backupdr.backupVaults.associate` `backupdr.backupVaults.create` `backupdr.backupVaults.delete` `backupdr.backupVaults.get` `backupdr.backupVaults.list` `backupdr.backupVaults.update` `backupdr.bvbackups.` `backupdr.bvbackups.delete` `backupdr.bvbackups.get` `backupdr.bvbackups.list` `backupdr.bvbackups.restore` `backupdr.bvbackups.update` `backupdr.bvdataSources.` `backupdr.bvdataSources.abandonBackup` `backupdr.bvdataSources.fetchAccessToken` `backupdr.bvdataSources.finalizeBackup` `backupdr.bvdataSources.get` `backupdr.bvdataSources.initiateBackup` `backupdr.bvdataSources.list` `backupdr.bvdataSources.remove` `backupdr.bvdataSources.setInternalStatus` `backupdr.bvdataSources.update` `backupdr.compute.restoreFromBackupVault` `backupdr.locations.` `backupdr.locations.get` `backupdr.locations.list` `backupdr.managementServers.` `backupdr.managementServers.access` `backupdr.managementServers.accessSensitiveData` `backupdr.managementServers.assignBackupPlans` `backupdr.managementServers.backupAccess` `backupdr.managementServers.create` `backupdr.managementServers.createConnection` `backupdr.managementServers.createDynamicProtection` `backupdr.managementServers.delete` `backupdr.managementServers.deleteDynamicProtection` `backupdr.managementServers.get` `backupdr.managementServers.getDynamicProtection` `backupdr.managementServers.getIamPolicy` `backupdr.managementServers.list` `backupdr.managementServers.listDynamicProtection` `backupdr.managementServers.manageApplications` `backupdr.managementServers.manageBackupPlans` `backupdr.managementServers.manageBackupServers` `backupdr.managementServers.manageBackups` `backupdr.managementServers.manageClones` `backupdr.managementServers.manageExpiration` `backupdr.managementServers.manageHosts` `backupdr.managementServers.manageInternalACL` `backupdr.managementServers.manageJobs` `backupdr.managementServers.manageLiveClones` `backupdr.managementServers.manageMigrations` `backupdr.managementServers.manageMirroring` `backupdr.managementServers.manageMounts` `backupdr.managementServers.manageRestores` `backupdr.managementServers.manageSensitiveData` `backupdr.managementServers.manageStorage` `backupdr.managementServers.manageSystem` `backupdr.managementServers.manageWorkflows` `backupdr.managementServers.refreshWorkflows` `backupdr.managementServers.runWorkflows` `backupdr.managementServers.setIamPolicy` `backupdr.managementServers.testFailOvers` `backupdr.managementServers.viewBackupPlans` `backupdr.managementServers.viewBackupServers` `backupdr.managementServers.viewReports` `backupdr.managementServers.viewStorage` `backupdr.managementServers.viewSystem` `backupdr.managementServers.viewWorkflows` `backupdr.operations.` `backupdr.operations.cancel` `backupdr.operations.delete` `backupdr.operations.get` `backupdr.operations.list` `backupdr.serviceConfig.initialize` `resourcemanager.projects.get` `resourcemanager.projects.list`
Backup and DR Backup Config Viewer ^Beta (`roles/backupdr.backupConfigViewer`) Provides read access to resource backup config. Resource backup config has the metadata of a Google Cloud resource that can be backed up, along with its backup configurations.	`backupdr.resourceBackupConfigs.*` `backupdr.resourceBackupConfigs.get` `backupdr.resourceBackupConfigs.list`
Backup and DR Backup User (`roles/backupdr.backupUser`) Allows the user to apply existing backup plans. This role cannot create backup plans or restore from a backup.	`backupdr.backupPlanAssociations.` `backupdr.backupPlanAssociations.createForComputeInstance` `backupdr.backupPlanAssociations.deleteForComputeInstance` `backupdr.backupPlanAssociations.get` `backupdr.backupPlanAssociations.list` `backupdr.backupPlanAssociations.triggerBackupForComputeInstance` `backupdr.backupPlans.get` `backupdr.backupPlans.list` `backupdr.backupPlans.useForComputeInstance` `backupdr.backupVaults.get` `backupdr.backupVaults.list` `backupdr.bvbackups.get` `backupdr.bvbackups.list` `backupdr.bvdataSources.get` `backupdr.bvdataSources.list` `backupdr.locations.` `backupdr.locations.get` `backupdr.locations.list` `backupdr.managementServers.access` `backupdr.managementServers.assignBackupPlans` `backupdr.managementServers.createDynamicProtection` `backupdr.managementServers.deleteDynamicProtection` `backupdr.managementServers.get` `backupdr.managementServers.getDynamicProtection` `backupdr.managementServers.list` `backupdr.managementServers.listDynamicProtection` `backupdr.managementServers.manageApplications` `backupdr.managementServers.manageBackups` `backupdr.managementServers.manageHosts` `backupdr.managementServers.viewBackupPlans` `backupdr.managementServers.viewReports` `backupdr.managementServers.viewStorage` `backupdr.managementServers.viewSystem` `backupdr.operations.get` `backupdr.operations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Backup and DR Backup Vault Accessor (`roles/backupdr.backupvaultAccessor`) Allows the Backup Appliance permissions to create and manage backups in a backup vault.	`backupdr.backupVaults.get` `backupdr.backupVaults.list` `backupdr.bvbackups.delete` `backupdr.bvbackups.get` `backupdr.bvbackups.list` `backupdr.bvbackups.update` `backupdr.bvdataSources.` `backupdr.bvdataSources.abandonBackup` `backupdr.bvdataSources.fetchAccessToken` `backupdr.bvdataSources.finalizeBackup` `backupdr.bvdataSources.get` `backupdr.bvdataSources.initiateBackup` `backupdr.bvdataSources.list` `backupdr.bvdataSources.remove` `backupdr.bvdataSources.setInternalStatus` `backupdr.bvdataSources.update` `backupdr.operations.` `backupdr.operations.cancel` `backupdr.operations.delete` `backupdr.operations.get` `backupdr.operations.list`
Backup and DR Backup Vault Admin (`roles/backupdr.backupvaultAdmin`) Allows the Backup Appliance full administrative control of backup vault resources.	`backupdr.backupVaults.` `backupdr.backupVaults.associate` `backupdr.backupVaults.create` `backupdr.backupVaults.delete` `backupdr.backupVaults.get` `backupdr.backupVaults.list` `backupdr.backupVaults.update` `backupdr.bvbackups.` `backupdr.bvbackups.delete` `backupdr.bvbackups.get` `backupdr.bvbackups.list` `backupdr.bvbackups.restore` `backupdr.bvbackups.update` `backupdr.bvdataSources.get` `backupdr.bvdataSources.list` `backupdr.bvdataSources.update` `backupdr.compute.restoreFromBackupVault` `backupdr.locations.` `backupdr.locations.get` `backupdr.locations.list` `backupdr.operations.` `backupdr.operations.cancel` `backupdr.operations.delete` `backupdr.operations.get` `backupdr.operations.list`
Backup and DR Backup Vault Lister (`roles/backupdr.backupvaultLister`) Allows the Backup Appliance permission to list backup vaults in a given project.	`backupdr.backupVaults.list`
Backup and DR Backup Vault Viewer (`roles/backupdr.backupvaultViewer`) Allows read-only permissions to access backup vault resources and backups.	`backupdr.backupVaults.get` `backupdr.backupVaults.list` `backupdr.bvbackups.get` `backupdr.bvbackups.list` `backupdr.bvdataSources.get` `backupdr.bvdataSources.list` `backupdr.operations.get` `backupdr.operations.list`
Backup and DR Cloud Storage Operator (`roles/backupdr.cloudStorageOperator`) Allows a Backup and DR service account to store and manage data (backups or metadata) in Cloud Storage.	`storage.buckets.create` `storage.buckets.get` `storage.objects.create` `storage.objects.delete` `storage.objects.get` `storage.objects.list`
Backup and DR Compute Engine Operator (`roles/backupdr.computeEngineOperator`) Allows a Backup and DR service account to discover, back up, and restore Compute Engine VM instances.	`backupdr.managementServers.createConnection` `compute.addresses.list` `compute.addresses.use` `compute.addresses.useInternal` `compute.diskTypes.` `compute.diskTypes.get` `compute.diskTypes.list` `compute.disks.create` `compute.disks.createSnapshot` `compute.disks.delete` `compute.disks.get` `compute.disks.setLabels` `compute.disks.use` `compute.firewalls.list` `compute.globalOperations.get` `compute.images.create` `compute.images.delete` `compute.images.get` `compute.images.useReadOnly` `compute.instances.attachDisk` `compute.instances.create` `compute.instances.createTagBinding` `compute.instances.delete` `compute.instances.detachDisk` `compute.instances.get` `compute.instances.list` `compute.instances.listEffectiveTags` `compute.instances.pscInterfaceCreate` `compute.instances.setDeletionProtection` `compute.instances.setLabels` `compute.instances.setMetadata` `compute.instances.setServiceAccount` `compute.instances.setTags` `compute.instances.start` `compute.instances.stop` `compute.instances.updateDisplayDevice` `compute.instances.useReadOnly` `compute.machineTypes.` `compute.machineTypes.get` `compute.machineTypes.list` `compute.networks.list` `compute.nodeGroups.get` `compute.nodeGroups.list` `compute.nodeTemplates.get` `compute.projects.get` `compute.regionOperations.get` `compute.regions.*` `compute.regions.get` `compute.regions.list` `compute.resourcePolicies.use` `compute.snapshots.create` `compute.snapshots.delete` `compute.snapshots.get` `compute.snapshots.setLabels` `compute.snapshots.useReadOnly` `compute.subnetworks.list` `compute.subnetworks.use` `compute.subnetworks.useExternalIp` `compute.zoneOperations.get` `compute.zones.list` `iam.serviceAccounts.actAs` `iam.serviceAccounts.get` `iam.serviceAccounts.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Backup and DR Management Server Accessor ^Beta (`roles/backupdr.managementServerAccessor`) Grants the Backup and DR management server access role to Backup Appliances.	`backupdr.managementServers.createConnection`
Backup and DR Mount User (`roles/backupdr.mountUser`) Allows the user to mount from a backup. This role cannot create a backup plan or restore from a backup.	`backupdr.locations.*` `backupdr.locations.get` `backupdr.locations.list` `backupdr.managementServers.access` `backupdr.managementServers.get` `backupdr.managementServers.getDynamicProtection` `backupdr.managementServers.list` `backupdr.managementServers.listDynamicProtection` `backupdr.managementServers.manageApplications` `backupdr.managementServers.manageClones` `backupdr.managementServers.manageHosts` `backupdr.managementServers.manageLiveClones` `backupdr.managementServers.manageMirroring` `backupdr.managementServers.manageMounts` `backupdr.managementServers.manageWorkflows` `backupdr.managementServers.refreshWorkflows` `backupdr.managementServers.runWorkflows` `backupdr.managementServers.viewBackupPlans` `backupdr.managementServers.viewReports` `backupdr.managementServers.viewStorage` `backupdr.managementServers.viewSystem` `backupdr.managementServers.viewWorkflows` `backupdr.operations.get` `backupdr.operations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Backup and DR Restore User (`roles/backupdr.restoreUser`) Allows the user to restore or mount from a backup. This role cannot create a backup plan.	`backupdr.backupVaults.get` `backupdr.backupVaults.list` `backupdr.bvbackups.get` `backupdr.bvbackups.list` `backupdr.bvbackups.restore` `backupdr.bvdataSources.get` `backupdr.bvdataSources.list` `backupdr.compute.restoreFromBackupVault` `backupdr.locations.*` `backupdr.locations.get` `backupdr.locations.list` `backupdr.managementServers.access` `backupdr.managementServers.get` `backupdr.managementServers.getDynamicProtection` `backupdr.managementServers.list` `backupdr.managementServers.listDynamicProtection` `backupdr.managementServers.manageApplications` `backupdr.managementServers.manageClones` `backupdr.managementServers.manageHosts` `backupdr.managementServers.manageLiveClones` `backupdr.managementServers.manageMigrations` `backupdr.managementServers.manageMirroring` `backupdr.managementServers.manageMounts` `backupdr.managementServers.manageRestores` `backupdr.managementServers.manageWorkflows` `backupdr.managementServers.refreshWorkflows` `backupdr.managementServers.runWorkflows` `backupdr.managementServers.testFailOvers` `backupdr.managementServers.viewBackupPlans` `backupdr.managementServers.viewReports` `backupdr.managementServers.viewStorage` `backupdr.managementServers.viewSystem` `backupdr.managementServers.viewWorkflows` `backupdr.operations.get` `backupdr.operations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Backup and DR User (`roles/backupdr.user`) Provides access to management console. Granular Backup and DR permissions depend on ACL configuration provided by Backup and DR admin within the management console.	`backupdr.backupPlanAssociations.createForComputeInstance` `backupdr.backupPlanAssociations.deleteForComputeInstance` `backupdr.managementServers.access` `backupdr.managementServers.backupAccess` `backupdr.managementServers.get` `backupdr.managementServers.getDynamicProtection` `backupdr.managementServers.getIamPolicy` `backupdr.managementServers.list` `backupdr.managementServers.listDynamicProtection` `backupdr.managementServers.viewBackupPlans` `backupdr.managementServers.viewBackupServers` `backupdr.managementServers.viewReports` `backupdr.managementServers.viewStorage` `backupdr.managementServers.viewSystem` `backupdr.managementServers.viewWorkflows` `backupdr.operations.get` `backupdr.operations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Backup and DR User V2 (`roles/backupdr.userv2`) Provides full access to Backup and DR resources except deploying and managing backup infrastructure, expiring backups, changing data sensitivity and configuring on-premises billing.	`backupdr.backupPlanAssociations.` `backupdr.backupPlanAssociations.createForComputeInstance` `backupdr.backupPlanAssociations.deleteForComputeInstance` `backupdr.backupPlanAssociations.get` `backupdr.backupPlanAssociations.list` `backupdr.backupPlanAssociations.triggerBackupForComputeInstance` `backupdr.backupPlans.` `backupdr.backupPlans.create` `backupdr.backupPlans.delete` `backupdr.backupPlans.get` `backupdr.backupPlans.list` `backupdr.backupPlans.useForComputeInstance` `backupdr.backupVaults.associate` `backupdr.backupVaults.get` `backupdr.backupVaults.list` `backupdr.bvbackups.get` `backupdr.bvbackups.list` `backupdr.bvbackups.restore` `backupdr.bvdataSources.get` `backupdr.bvdataSources.list` `backupdr.compute.restoreFromBackupVault` `backupdr.locations.*` `backupdr.locations.get` `backupdr.locations.list` `backupdr.managementServers.access` `backupdr.managementServers.assignBackupPlans` `backupdr.managementServers.backupAccess` `backupdr.managementServers.createDynamicProtection` `backupdr.managementServers.deleteDynamicProtection` `backupdr.managementServers.get` `backupdr.managementServers.getDynamicProtection` `backupdr.managementServers.getIamPolicy` `backupdr.managementServers.list` `backupdr.managementServers.listDynamicProtection` `backupdr.managementServers.manageApplications` `backupdr.managementServers.manageBackupPlans` `backupdr.managementServers.manageBackups` `backupdr.managementServers.manageClones` `backupdr.managementServers.manageHosts` `backupdr.managementServers.manageJobs` `backupdr.managementServers.manageLiveClones` `backupdr.managementServers.manageMigrations` `backupdr.managementServers.manageMirroring` `backupdr.managementServers.manageMounts` `backupdr.managementServers.manageRestores` `backupdr.managementServers.manageWorkflows` `backupdr.managementServers.refreshWorkflows` `backupdr.managementServers.runWorkflows` `backupdr.managementServers.testFailOvers` `backupdr.managementServers.viewBackupPlans` `backupdr.managementServers.viewBackupServers` `backupdr.managementServers.viewReports` `backupdr.managementServers.viewStorage` `backupdr.managementServers.viewSystem` `backupdr.managementServers.viewWorkflows` `backupdr.operations.get` `backupdr.operations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`
Backup and DR Viewer (`roles/backupdr.viewer`) Provides read-only access to all Backup and DR resources.	`backupdr.backupPlanAssociations.get` `backupdr.backupPlanAssociations.list` `backupdr.backupPlans.get` `backupdr.backupPlans.list` `backupdr.backupVaults.get` `backupdr.backupVaults.list` `backupdr.bvbackups.get` `backupdr.bvbackups.list` `backupdr.bvdataSources.get` `backupdr.bvdataSources.list` `backupdr.locations.*` `backupdr.locations.get` `backupdr.locations.list` `backupdr.managementServers.access` `backupdr.managementServers.backupAccess` `backupdr.managementServers.get` `backupdr.managementServers.getDynamicProtection` `backupdr.managementServers.getIamPolicy` `backupdr.managementServers.list` `backupdr.managementServers.listDynamicProtection` `backupdr.managementServers.viewBackupPlans` `backupdr.managementServers.viewBackupServers` `backupdr.managementServers.viewReports` `backupdr.managementServers.viewStorage` `backupdr.managementServers.viewSystem` `backupdr.managementServers.viewWorkflows` `backupdr.operations.get` `backupdr.operations.list` `resourcemanager.projects.get` `resourcemanager.projects.list`

Backup and DR Admin

(roles/backupdr.admin)

Provides full access to all Backup and DR resources.

backupdr.backupPlanAssociations.*

backupdr.backupPlanAssociations.createForComputeInstance
backupdr.backupPlanAssociations.deleteForComputeInstance
backupdr.backupPlanAssociations.get
backupdr.backupPlanAssociations.list
backupdr.backupPlanAssociations.triggerBackupForComputeInstance

backupdr.backupPlans.*

backupdr.backupPlans.create
backupdr.backupPlans.delete
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.backupPlans.useForComputeInstance

backupdr.backupVaults.*

backupdr.backupVaults.associate
backupdr.backupVaults.create
backupdr.backupVaults.delete
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.backupVaults.update

backupdr.bvbackups.*

backupdr.bvbackups.delete
backupdr.bvbackups.get
backupdr.bvbackups.list
backupdr.bvbackups.restore
backupdr.bvbackups.update

backupdr.bvdataSources.*

backupdr.bvdataSources.abandonBackup
backupdr.bvdataSources.fetchAccessToken
backupdr.bvdataSources.finalizeBackup
backupdr.bvdataSources.get
backupdr.bvdataSources.initiateBackup
backupdr.bvdataSources.list
backupdr.bvdataSources.remove
backupdr.bvdataSources.setInternalStatus
backupdr.bvdataSources.update

backupdr.compute.restoreFromBackupVault

backupdr.locations.*

backupdr.locations.get
backupdr.locations.list

backupdr.managementServers.*

backupdr.managementServers.access
backupdr.managementServers.accessSensitiveData
backupdr.managementServers.assignBackupPlans
backupdr.managementServers.backupAccess
backupdr.managementServers.create
backupdr.managementServers.createConnection
backupdr.managementServers.createDynamicProtection
backupdr.managementServers.delete
backupdr.managementServers.deleteDynamicProtection
backupdr.managementServers.get
backupdr.managementServers.getDynamicProtection
backupdr.managementServers.getIamPolicy
backupdr.managementServers.list
backupdr.managementServers.listDynamicProtection
backupdr.managementServers.manageApplications
backupdr.managementServers.manageBackupPlans
backupdr.managementServers.manageBackupServers
backupdr.managementServers.manageBackups
backupdr.managementServers.manageClones
backupdr.managementServers.manageExpiration
backupdr.managementServers.manageHosts
backupdr.managementServers.manageInternalACL
backupdr.managementServers.manageJobs
backupdr.managementServers.manageLiveClones
backupdr.managementServers.manageMigrations
backupdr.managementServers.manageMirroring
backupdr.managementServers.manageMounts
backupdr.managementServers.manageRestores
backupdr.managementServers.manageSensitiveData
backupdr.managementServers.manageStorage
backupdr.managementServers.manageSystem
backupdr.managementServers.manageWorkflows
backupdr.managementServers.refreshWorkflows
backupdr.managementServers.runWorkflows
backupdr.managementServers.setIamPolicy
backupdr.managementServers.testFailOvers
backupdr.managementServers.viewBackupPlans
backupdr.managementServers.viewBackupServers
backupdr.managementServers.viewReports
backupdr.managementServers.viewStorage
backupdr.managementServers.viewSystem
backupdr.managementServers.viewWorkflows

backupdr.operations.*

backupdr.operations.cancel
backupdr.operations.delete
backupdr.operations.get
backupdr.operations.list

backupdr.serviceConfig.initialize

resourcemanager.projects.get

resourcemanager.projects.list

Backup and DR Backup Config Viewer ^Beta

(roles/backupdr.backupConfigViewer)

Provides read access to resource backup config. Resource backup config has the metadata of a Google Cloud resource that can be backed up, along with its backup configurations.

backupdr.resourceBackupConfigs.*

backupdr.resourceBackupConfigs.get
backupdr.resourceBackupConfigs.list

Backup and DR Backup User

(roles/backupdr.backupUser)

Allows the user to apply existing backup plans. This role cannot create backup plans or restore from a backup.

backupdr.backupPlanAssociations.*

backupdr.backupPlanAssociations.createForComputeInstance
backupdr.backupPlanAssociations.deleteForComputeInstance
backupdr.backupPlanAssociations.get
backupdr.backupPlanAssociations.list
backupdr.backupPlanAssociations.triggerBackupForComputeInstance

backupdr.backupPlans.get

backupdr.backupPlans.list

backupdr.backupPlans.useForComputeInstance

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvdataSources.get

backupdr.bvdataSources.list

backupdr.locations.*

backupdr.locations.get
backupdr.locations.list

backupdr.managementServers.access

backupdr.managementServers.assignBackupPlans

backupdr.managementServers.createDynamicProtection

backupdr.managementServers.deleteDynamicProtection

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.manageApplications

backupdr.managementServers.manageBackups

backupdr.managementServers.manageHosts

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Backup and DR Backup Vault Accessor

(roles/backupdr.backupvaultAccessor)

Allows the Backup Appliance permissions to create and manage backups in a backup vault.

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.bvbackups.delete

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvbackups.update

backupdr.bvdataSources.*

backupdr.bvdataSources.abandonBackup
backupdr.bvdataSources.fetchAccessToken
backupdr.bvdataSources.finalizeBackup
backupdr.bvdataSources.get
backupdr.bvdataSources.initiateBackup
backupdr.bvdataSources.list
backupdr.bvdataSources.remove
backupdr.bvdataSources.setInternalStatus
backupdr.bvdataSources.update

backupdr.operations.*

backupdr.operations.cancel
backupdr.operations.delete
backupdr.operations.get
backupdr.operations.list

Backup and DR Backup Vault Admin

(roles/backupdr.backupvaultAdmin)

Allows the Backup Appliance full administrative control of backup vault resources.

backupdr.backupVaults.*

backupdr.backupVaults.associate
backupdr.backupVaults.create
backupdr.backupVaults.delete
backupdr.backupVaults.get
backupdr.backupVaults.list
backupdr.backupVaults.update

backupdr.bvbackups.*

backupdr.bvbackups.delete
backupdr.bvbackups.get
backupdr.bvbackups.list
backupdr.bvbackups.restore
backupdr.bvbackups.update

backupdr.bvdataSources.get

backupdr.bvdataSources.list

backupdr.bvdataSources.update

backupdr.compute.restoreFromBackupVault

backupdr.locations.*

backupdr.locations.get
backupdr.locations.list

backupdr.operations.*

backupdr.operations.cancel
backupdr.operations.delete
backupdr.operations.get
backupdr.operations.list

Backup and DR Backup Vault Lister

(roles/backupdr.backupvaultLister)

Allows the Backup Appliance permission to list backup vaults in a given project.

backupdr.backupVaults.list

Backup and DR Backup Vault Viewer

(roles/backupdr.backupvaultViewer)

Allows read-only permissions to access backup vault resources and backups.

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvdataSources.get

backupdr.bvdataSources.list

backupdr.operations.get

backupdr.operations.list

Backup and DR Cloud Storage Operator

(roles/backupdr.cloudStorageOperator)

Allows a Backup and DR service account to store and manage data (backups or metadata) in Cloud Storage.

storage.buckets.create

storage.buckets.get

storage.objects.create

storage.objects.delete

storage.objects.get

storage.objects.list

Backup and DR Compute Engine Operator

(roles/backupdr.computeEngineOperator)

Allows a Backup and DR service account to discover, back up, and restore Compute Engine VM instances.

backupdr.managementServers.createConnection

compute.addresses.list

compute.addresses.use

compute.addresses.useInternal

compute.diskTypes.*

compute.diskTypes.get
compute.diskTypes.list

compute.disks.create

compute.disks.createSnapshot

compute.disks.delete

compute.disks.get

compute.disks.setLabels

compute.disks.use

compute.firewalls.list

compute.globalOperations.get

compute.images.create

compute.images.delete

compute.images.get

compute.images.useReadOnly

compute.instances.attachDisk

compute.instances.create

compute.instances.createTagBinding

compute.instances.delete

compute.instances.detachDisk

compute.instances.get

compute.instances.list

compute.instances.listEffectiveTags

compute.instances.pscInterfaceCreate

compute.instances.setDeletionProtection

compute.instances.setLabels

compute.instances.setMetadata

compute.instances.setServiceAccount

compute.instances.setTags

compute.instances.start

compute.instances.stop

compute.instances.updateDisplayDevice

compute.instances.useReadOnly

compute.machineTypes.*

compute.machineTypes.get
compute.machineTypes.list

compute.networks.list

compute.nodeGroups.get

compute.nodeGroups.list

compute.nodeTemplates.get

compute.projects.get

compute.regionOperations.get

compute.regions.*

compute.regions.get
compute.regions.list

compute.resourcePolicies.use

compute.snapshots.create

compute.snapshots.delete

compute.snapshots.get

compute.snapshots.setLabels

compute.snapshots.useReadOnly

compute.subnetworks.list

compute.subnetworks.use

compute.subnetworks.useExternalIp

compute.zoneOperations.get

compute.zones.list

iam.serviceAccounts.actAs

iam.serviceAccounts.get

iam.serviceAccounts.list

resourcemanager.projects.get

resourcemanager.projects.list

Backup and DR Management Server Accessor ^Beta

(roles/backupdr.managementServerAccessor)

Grants the Backup and DR management server access role to Backup Appliances.

backupdr.managementServers.createConnection

Backup and DR Mount User

(roles/backupdr.mountUser)

Allows the user to mount from a backup. This role cannot create a backup plan or restore from a backup.

backupdr.locations.*

backupdr.locations.get
backupdr.locations.list

backupdr.managementServers.access

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.manageApplications

backupdr.managementServers.manageClones

backupdr.managementServers.manageHosts

backupdr.managementServers.manageLiveClones

backupdr.managementServers.manageMirroring

backupdr.managementServers.manageMounts

backupdr.managementServers.manageWorkflows

backupdr.managementServers.refreshWorkflows

backupdr.managementServers.runWorkflows

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Backup and DR Restore User

(roles/backupdr.restoreUser)

Allows the user to restore or mount from a backup. This role cannot create a backup plan.

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvbackups.restore

backupdr.bvdataSources.get

backupdr.bvdataSources.list

backupdr.compute.restoreFromBackupVault

backupdr.locations.*

backupdr.locations.get
backupdr.locations.list

backupdr.managementServers.access

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.manageApplications

backupdr.managementServers.manageClones

backupdr.managementServers.manageHosts

backupdr.managementServers.manageLiveClones

backupdr.managementServers.manageMigrations

backupdr.managementServers.manageMirroring

backupdr.managementServers.manageMounts

backupdr.managementServers.manageRestores

backupdr.managementServers.manageWorkflows

backupdr.managementServers.refreshWorkflows

backupdr.managementServers.runWorkflows

backupdr.managementServers.testFailOvers

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Backup and DR User

(roles/backupdr.user)

Provides access to management console. Granular Backup and DR permissions depend on ACL configuration provided by Backup and DR admin within the management console.

backupdr.backupPlanAssociations.createForComputeInstance

backupdr.backupPlanAssociations.deleteForComputeInstance

backupdr.managementServers.access

backupdr.managementServers.backupAccess

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.getIamPolicy

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewBackupServers

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Backup and DR User V2

(roles/backupdr.userv2)

Provides full access to Backup and DR resources except deploying and managing backup infrastructure, expiring backups, changing data sensitivity and configuring on-premises billing.

backupdr.backupPlanAssociations.*

backupdr.backupPlanAssociations.createForComputeInstance
backupdr.backupPlanAssociations.deleteForComputeInstance
backupdr.backupPlanAssociations.get
backupdr.backupPlanAssociations.list
backupdr.backupPlanAssociations.triggerBackupForComputeInstance

backupdr.backupPlans.*

backupdr.backupPlans.create
backupdr.backupPlans.delete
backupdr.backupPlans.get
backupdr.backupPlans.list
backupdr.backupPlans.useForComputeInstance

backupdr.backupVaults.associate

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvbackups.restore

backupdr.bvdataSources.get

backupdr.bvdataSources.list

backupdr.compute.restoreFromBackupVault

backupdr.locations.*

backupdr.locations.get
backupdr.locations.list

backupdr.managementServers.access

backupdr.managementServers.assignBackupPlans

backupdr.managementServers.backupAccess

backupdr.managementServers.createDynamicProtection

backupdr.managementServers.deleteDynamicProtection

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.getIamPolicy

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.manageApplications

backupdr.managementServers.manageBackupPlans

backupdr.managementServers.manageBackups

backupdr.managementServers.manageClones

backupdr.managementServers.manageHosts

backupdr.managementServers.manageJobs

backupdr.managementServers.manageLiveClones

backupdr.managementServers.manageMigrations

backupdr.managementServers.manageMirroring

backupdr.managementServers.manageMounts

backupdr.managementServers.manageRestores

backupdr.managementServers.manageWorkflows

backupdr.managementServers.refreshWorkflows

backupdr.managementServers.runWorkflows

backupdr.managementServers.testFailOvers

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewBackupServers

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

Backup and DR Viewer

(roles/backupdr.viewer)

Provides read-only access to all Backup and DR resources.

backupdr.backupPlanAssociations.get

backupdr.backupPlanAssociations.list

backupdr.backupPlans.get

backupdr.backupPlans.list

backupdr.backupVaults.get

backupdr.backupVaults.list

backupdr.bvbackups.get

backupdr.bvbackups.list

backupdr.bvdataSources.get

backupdr.bvdataSources.list

backupdr.locations.*

backupdr.locations.get
backupdr.locations.list

backupdr.managementServers.access

backupdr.managementServers.backupAccess

backupdr.managementServers.get

backupdr.managementServers.getDynamicProtection

backupdr.managementServers.getIamPolicy

backupdr.managementServers.list

backupdr.managementServers.listDynamicProtection

backupdr.managementServers.viewBackupPlans

backupdr.managementServers.viewBackupServers

backupdr.managementServers.viewReports

backupdr.managementServers.viewStorage

backupdr.managementServers.viewSystem

backupdr.managementServers.viewWorkflows

backupdr.operations.get

backupdr.operations.list

resourcemanager.projects.get

resourcemanager.projects.list

기본 역할

기본 역할은 IAM보다 먼저 발생하는 프로젝트 수준 역할입니다. 자세한 내용은 기본 역할을 참고하세요.

백업 및 DR은 다음과 같은 기본 역할을 지원하지만 가능하면 사전 정의된 역할 중 하나를 사용해야 합니다. 기본 역할에는 모든 Google Cloud 리소스에 적용되는 광범위한 권한이 포함됩니다. 반면에 백업 및 DR의 사전 정의된 역할에는 백업 및 DR에만 적용되는 세분화된 권한이 포함됩니다.

기본 IAM 역할	설명
편집자 (`roles/editor`)	모든 백업 및 DR 리소스에 대한 전체 액세스 권한을 제공합니다.
소유자 (`roles/owner`)	모든 백업 및 DR 리소스에 대한 전체 액세스 권한을 제공합니다.

백업 및 DR 서비스의 IAM 권한

다음 표에는 백업 및 DR 서비스와 관련된 IAM 권한이 나와 있습니다. IAM 권한은 역할로 그룹화되고 사용자 및 그룹에 역할이 할당됩니다.

다음 표에는 각 백업 및 DR 권한에 대한 설명이 나와 있습니다.

권한 이름	설명
backupdr.managementServers.manageClones	백업에서 클론을 만들고 관리할 수 있는 권한을 제공합니다.
backupdr.managementServers.manageLiveClones	백업에서 LiveClones를 만들고 관리할 수 있는 권한을 제공합니다.
backupdr.managementServers.manageMounts	백업에서 활성 마운트를 만들고 관리할 수 있는 권한을 제공합니다.
backupdr.managementServers.manageRestores	백업에서 복원하는 데 필요한 권한을 제공합니다.
backupdr.managementServers.manageBackups	백업 작업을 실행할 권한을 제공합니다(지금 백업).
backupdr.managementServers.viewSystem	백업/복구 어플라이언스 구성을 볼 수 있는 액세스 권한을 제공합니다.
backupdr.managementServers.manageSystem	백업/복구 어플라이언스 및 보고서 관리자를 구성할 수 있는 권한을 제공합니다.
backupdr.managementServers.viewStorage	스토리지 및 디스크 풀 구성을 볼 수 있는 액세스 권한을 제공합니다.
backupdr.managementServers.manageStorage	스토리지 및 디스크 풀을 추가, 수정, 삭제, 조회할 수 있는 권한을 제공합니다.
backupdr.managementServers.viewBackupPlans	백업 계획(백업 템플릿 및 리소스 프로필)을 볼 수 있는 액세스 권한을 제공합니다.
backupdr.managementServers.assignBackupPlans	사전 구성된 백업 계획(백업 템플릿 및 리소스 프로필)을 애플리케이션 또는 워크로드에 할당하는 권한을 제공합니다.
backupdr.managementServers.manageBackupPlans	백업 계획(백업 템플릿 및 리소스 프로필)을 생성, 수정, 삭제, 보기, 할당할 수 있는 권한을 제공합니다.
backupdr.managementServers.testFailOvers	원격 StreamSnap 백업에서 테스트 장애 조치를 실행하고 테스트 장애 조치 작업을 삭제할 수 있는 권한을 제공합니다.
backupdr.managementServers.viewWorkflows	백업 및 DR 서비스 내에서 데이터를 복사하는 액세스를 자동화하는 백업 백업 및 DR 워크플로를 볼 수 있는 액세스 권한을 제공합니다.
backupdr.managementServers.runWorkflows	백업 및 DR 서비스 내에서 데이터를 복사하는 액세스를 자동화하는 사전 구성된 백업 및 DR 워크플로를 실행할 수 있는 권한을 부여합니다.
backupdr.managementServers.refreshWorkflows	백업 및 DR 서비스 내에서 데이터를 복사하는 액세스를 자동화하는 백업 백업 및 DR 워크플로로 생성된 클론을 새로고침할 수 있는 권한을 제공합니다.
backupdr.managementServers.manageWorkflows	백업 및 DR 서비스 내에서 데이터를 복사하는 액세스를 자동화하는 백업 백업 및 DR 워크플로를 추가, 수정, 삭제, 실행, 조회할 수 있는 권한을 제공합니다.
backupdr.managementServers.manageMirroring	원격 StreamSnap 백업에서 장애 조치, 동기화 백, 정리, 페일백, 장애 조치 테스트, 장애 조치 테스트 삭제 작업을 실행할 수 있는 권한을 제공합니다.
backupdr.managementServers.manageHosts	호스트(물리적 및 가상 머신)를 추가, 수정, 삭제, 조회할 수 있는 권한을 제공합니다.
backupdr.managementServers.manageApplications	논리적 그룹 및 일관성 그룹을 비롯한 애플리케이션의 모든 측면을 관리하고, 필요에 따라 백업을 실행하고, 템플릿을 내보내는 권한을 제공합니다.
backupdr.managementServers.manageSensitiveData	애플리케이션 및 백업을 민감한 정보 또는 민감하지 않은 정보로 표시하는 데 필요한 권한을 제공합니다.
backupdr.managementServers.accessSensitiveData	민감한 것으로 표시된 애플리케이션 및 백업에 대한 액세스 권한을 제공합니다.
backupdr.managementServers.manageBackupServers	관리 콘솔을 통해 Backup Server API를 실행하는 데 필요한 권한을 제공합니다.
backupdr.managementServers.manageExpiration	백업을 만료하는 데 필요한 권한을 제공합니다.
backupdr.managementServers.access	관리 콘솔 및 관련 API에 대한 액세스 권한을 제공합니다.
backupdr.managementServers.onpremUsageUpload	온프레미스 어댑터에 사용량을 업로드하는 데 필요한 모든 엔드포인트에 대한 액세스를 제공합니다.
backupdr.managementServers.viewReports	보고서 관리자에 대한 액세스 권한을 제공하여 보고서를 실행하고 출력을 보거나 다운로드할 수 있습니다.
backupdr.managementServers.manageJobs	작업을 취소하고 작업 우선순위를 수정할 수 있는 권한을 제공합니다.
backupdr.managementServers.manageMigrations	복원 또는 클론 작업의 마지막 단계로 마운트된 데이터의 이전을 관리할 수 있는 권한을 제공합니다.

IAM으로 백업 및 DR 서비스에 대한 액세스 제어

IAM에서 액세스를 제어하는 방법

IAM 역할 유형

IAM 권한

프로젝트 수준 권한과 리소스 수준 권한 비교

백업 및 DR 서비스의 사전 정의된 IAM 역할

Backup and DR Admin

Backup and DR Backup Config Viewer Beta

Backup and DR Backup User

Backup and DR Backup Vault Accessor

Backup and DR Backup Vault Admin

Backup and DR Backup Vault Lister

Backup and DR Backup Vault Viewer

Backup and DR Cloud Storage Operator

Backup and DR Compute Engine Operator

Backup and DR Management Server Accessor Beta

Backup and DR Mount User

Backup and DR Restore User

Backup and DR User

Backup and DR User V2

Backup and DR Viewer

기본 역할

백업 및 DR 서비스의 IAM 권한

Backup and DR Backup Config Viewer ^Beta

Backup and DR Management Server Accessor ^Beta