The Cloud Backup & Recovery Service (CBR) supports the assignment of granular access permissions at "action level" via the Identity & Access Management Service (IAM). This allows you to create permissions for individual actions on the CBR service. For example, you can prevent users from deleting backups or vaults by not granting them this permission. Fine-grained policies increase your security level, because you can limit user access rights to only those that users really need.
You can now easily configure these fine-grained policies with the "Custom Policy Designer", which is available in the IAM Service (tab "Permissions", via "Create Custom Policy"). You can select from 45 individual actions. These actions can be not only granted but also explicitly prohibited. This helps you prevent users from accidentally gaining access to a specific functionality: any explicit deny will prevent access to the functionality, even if another configured rule would normally allow the corresponding permission.
This function-level authorization can be linked to further conditional parameters that must be met before the user is allowed to perform the corresponding action. For example, permissions can be bound to time periods. This allows you to issue authorizations only for certain periods of time, after which they expire automatically.
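The following added example (not code from the CBR or IAM service) models the evaluation order described above: an explicit deny overrides any allow, a time-bound allow stops applying once its window ends, and an action that was never granted is refused. The statement layout is a simplified model rather than the IAM policy schema, and the action names and dates are hypothetical placeholders.

```python
from datetime import datetime, timezone
from fnmatch import fnmatchcase

UTC = timezone.utc

# Constructed policy in a simplified model (NOT the IAM policy JSON schema).
# Action names are hypothetical placeholders, not the real CBR action list.
POLICY = [
    # Broad grant on backups.
    {"effect": "Allow", "actions": ["cbr:backups:*"]},
    # Explicit prohibition: wins over the broad grant above.
    {"effect": "Deny", "actions": ["cbr:backups:delete"]},
    # Time-bound grant: valid only inside the window, then expires by itself.
    {"effect": "Allow", "actions": ["cbr:vaults:update"],
     "not_before": datetime(2024, 1, 1, tzinfo=UTC),
     "not_after": datetime(2024, 2, 1, tzinfo=UTC)},
]


def applies(stmt, action, now):
    """A statement applies if an action pattern matches and its condition holds."""
    if not any(fnmatchcase(action, pat) for pat in stmt["actions"]):
        return False
    start, end = stmt.get("not_before"), stmt.get("not_after")
    return (start is None or now >= start) and (end is None or now < end)


def evaluate(policy, action, now):
    """Deny-overrides evaluation; anything not granted is refused."""
    effects = {s["effect"] for s in policy if applies(s, action, now)}
    if "Deny" in effects:
        return "explicit-deny"
    if "Allow" in effects:
        return "allow"
    return "implicit-deny"


if __name__ == "__main__":
    inside = datetime(2024, 1, 15, tzinfo=UTC)
    after = datetime(2024, 3, 1, tzinfo=UTC)
    for action, when in [("cbr:backups:create", inside),
                         ("cbr:backups:delete", inside),
                         ("cbr:vaults:update", inside),
                         ("cbr:vaults:update", after),
                         ("cbr:vaults:delete", inside)]:
        print(f"{when.date()} {action:22} -> {evaluate(POLICY, action, when)}")
```

Running a draft policy through a model like this before rollout makes it easy to spot a wildcard allow that reaches further than intended or a time window that has already lapsed.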
Below you will find a short overview of the update. Permissions for the CBR service can:
- be set up at action level (45 individual actions in total)
- be allowed or explicitly prohibited
- now also be linked to conditions