With the Cloud Backup & Recovery (CBR) service, granular access permissions can now also be assigned at "action level" in the EU-NL region. This allows you to grant individual rights for individual actions such as "deleting backups" or "creating vaults". Using this functionality increases the overall security of your cloud environment and allows you to implement the principle of least privilege (PoLP) when using the CBR service. For example, if you do not grant your administrators access to the "delete backup" functionality, those backups cannot be removed from your system even in the event of a compromised account.
A total of 45 individual actions are available, which you can assign individually to your users and user groups. Actions can be granted or explicitly forbidden. An explicit deny ensures that a user cannot obtain access to a functionality through another policy that would otherwise grant it. In addition, permissions can be linked to conditions. This allows you to specify, for example, that certain actions can only be performed by users who have authenticated with multi-factor authentication. This measure, too, contributes to an overall more secure system.
Below you will find an overview of the functionality:
Permissions can be:
- set up at action level (a total of 45 individual actions)
- allowed or explicitly forbidden
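The following is an added example, not code from the announcement or from the CBR service, that shows how the three mechanisms described above (action-level grants, explicit deny, and a condition such as required MFA) combine in a policy set. The policy documents are written in the `Version: 1.1` statement style used by the cloud's IAM; the CBR action names (`cbr:backups:list`, `cbr:vaults:create`, and so on) and the MFA condition key `g:MFAPresent` are assumptions made for illustration and should be checked against the CBR documentation. The small evaluator implements the two rules the text relies on: an explicit Deny always wins over any Allow, and a conditional statement only applies when its condition holds.

```python
"""Added example (not the announcement's or the CBR service's own code):
a constructed CBR policy set plus a minimal deny-overrides evaluator.
Action names and the condition key are assumptions for illustration."""

import fnmatch

# Constructed policy set: a read-only operator policy, a full CBR admin
# policy that is only usable with MFA, and an explicit deny on backup deletion.
POLICIES = [
    {  # hypothetical "CBR operator" policy: read-only access
        "Version": "1.1",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["cbr:backups:list", "cbr:backups:get",
                        "cbr:vaults:list", "cbr:vaults:get"]}
        ],
    },
    {  # hypothetical "CBR admin" policy: all vault/backup actions, MFA required
        "Version": "1.1",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["cbr:vaults:*", "cbr:backups:*"],
             "Condition": {"Bool": {"g:MFAPresent": "true"}}}  # assumed condition key
        ],
    },
    {  # explicit deny: nobody holding this policy may delete backups,
       # regardless of what the admin policy above would otherwise grant
        "Version": "1.1",
        "Statement": [
            {"Effect": "Deny", "Action": ["cbr:backups:delete"]}
        ],
    },
]


def condition_holds(condition, context):
    """Evaluate a (assumed) Bool condition block against the request context.
    Unknown operators or missing context keys fail closed."""
    for operator, checks in condition.items():
        if operator != "Bool":
            return False
        for key, expected in checks.items():
            actual = context.get(key)
            if actual is None or str(actual).lower() != expected.lower():
                return False
    return True


def is_allowed(policies, action, context):
    """Deny-overrides evaluation:
    any matching Deny -> False; otherwise any matching Allow -> True;
    otherwise implicit deny (False)."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatch.fnmatchcase(action, p) for p in stmt["Action"]):
                continue
            if "Condition" in stmt and not condition_holds(stmt["Condition"], context):
                continue  # conditional statement does not apply to this request
            if stmt["Effect"] == "Deny":
                return False  # explicit deny wins immediately
            if stmt["Effect"] == "Allow":
                allowed = True
    return allowed


if __name__ == "__main__":
    mfa = {"g:MFAPresent": "true"}
    no_mfa = {"g:MFAPresent": "false"}
    for action, ctx in [("cbr:backups:list", no_mfa),
                        ("cbr:vaults:create", no_mfa),
                        ("cbr:vaults:create", mfa),
                        ("cbr:backups:delete", mfa)]:
        print(f"{action:20s} mfa={ctx['g:MFAPresent']:5s} -> {is_allowed(POLICIES, action, ctx)}")
```

Run as a script, the block shows that listing backups works without MFA, creating a vault requires MFA, and deleting a backup is refused even with MFA because the explicit deny overrides the admin policy's wildcard grant. The evaluator fails closed on unknown condition operators, which is the behaviour you want from any policy engine.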
Further information can be found in the documentation or the corresponding community blog.