Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. NetBackup™ Snapshot Manager for Cloud Install and Upgrade Guide
  3. Section I. NetBackup Snapshot Manager for Cloud installation and configuration
  4. NetBackup Snapshot Manager for cloud providers
  5. OCI plug-in configuration notes
  6. OCI permissions required by NetBackup Snapshot Manager
NetBackup™ Snapshot Manager for Cloud Install and Upgrade Guide

OCI permissions required by NetBackup Snapshot Manager

The table lists the required permissions.

Table: OCI permissions

Permissions

Description

BOOT_VOLUME_BACKUP_CREATE

To take snapshots of the boot volume.

BOOT_VOLUME_BACKUP_DELETE

To delete the snapshot of the boot volume as per policy.

BOOT_VOLUME_BACKUP_INSPECT

To fetch the list of boot volume backup in the discovery.

BOOT_VOLUME_BACKUP_READ

To create boot volume from backup.

COMPARTMENT_INSPECT

To list availability domains, and to retrieve all the compartments in the tenancy.

INSTANCE_ATTACH_VOLUME

To attach the volume to the instance while restore.

INSTANCE_BOOT_VOLUME_REPLACE

To allow boot volume replacement.

INSTANCE_CREATE

To restore the instance.

INSTANCE_DELETE

To create and delete the instance that is created for boot volume restore from backup copy.

INSTANCE_DETACH_VOLUME

To detach volume after backup and restore operation.

INSTANCE_IMAGE_INSPECT

To fetch the OS details of the instance.

INSTANCE_INSPECT

To list various attachments like VNIC, volume, and so on.

INSTANCE_POWER_ACTIONS

To stop or start the instance during parameterized restore.

INSTANCE_READ

To list the instances in discovery and retrieve the details of the instance.

INSTANCE_UPDATE

Update the tags attached on the instance.

KEY_ASSOCIATE

To attach CMK in the parameterized restore.

KEY_DISASSOCIATE

To detach the CMK in the parameterized restore.

KEY_INSPECT

To list the keys in the vault.

KEY_READ

To get the key details.

NETWORK_SECURITY_GROUP_READ

List the network security group for parameterized restore.

NETWORK_SECURITY_GROUP_UPDATE_MEMBERS

To attach a network security group to an instance.

SUBNET_ATTACH

To launch the instance in a specific subnet.

SUBNET_DETACH

To terminate the instance in a specific subnet.

SUBNET_READ

To list subnets in parameterized restore.

TAG_NAMESPACE_CREATE

To create the tag namespace for NetBackup Snapshot Manager.

TAG_NAMESPACE_INSPECT

To check if the NetBackupSnapshot Manager tag namespace exists or not.

TAG_NAMESPACE_USE

To create the tag in the NetBackupSnapshot Manager tag namespace.

TENANCY_INSPECT

To get the details of the tenancy.

VAULT_INSPECT

To list the vaults and retrieve the keys.

VCN_READ

To get VCN details associated with the instance.

VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP

To associate the network security group while launching the instance.

VNIC_ATTACH

To launch the instance.

VNIC_ATTACHMENT_READ

To list the VNIC attachment.

VNIC_CREATE

To associate VNIC to the instance while launching the instance.

VNIC_DELETE

To delete the associated VNIC to delete the instance.

VNIC_READ

To fetch the VNIC information associated with the instance.

VOLUME_ATTACHMENT_CREATE

To attach the volume after restore.

VOLUME_ATTACHMENT_DELETE

To attach the volume after restore.

VOLUME_ATTACHMENT_INSPECT

To detach the volume after backup and restore.

VOLUME_BACKUP_CREATE

To take snapshots of the volume.

VOLUME_BACKUP_DELETE

To delete the snapshot of the volume as per policy.

VOLUME_BACKUP_INSPECT

To retrieve the list of volume backups during discovery.

VOLUME_BACKUP_READ

List volume backups during the discovery.

BOOT_VOLUME_CREATE

To create volumes during restore.

BOOT_VOLUME_DELETE

To delete volumes during parameterized restore if the availability domain is changed.

BOOT_VOLUME_INSPECT

To list volumes during discovery.

BOOT_VOLUME_UPDATE

To update the tags and different attributes of the volume.

BOOT_VOLUME_WRITE

Create volume from snapshot.

Here is an example of assigning permissions to the policy that you create. Here, nbsm-iam-role is the name of dynamic group and NetBackup Snapshot Manager is a part of that dynamic group

Allow dynamic-group nbsm-iam-role to inspect compartments in tenancy
Allow dynamic-group nbsm-iam-role to inspect instance-images in tenancy
Allow dynamic-group nbsm-iam-role to inspect vnic-attachments in tenancy
Allow dynamic-group nbsm-iam-role to inspect vaults in tenancy
Allow dynamic-group nbsm-iam-role to read vcns in tenancy
Allow dynamic-group nbsm-iam-role to use keys in tenancy
Allow dynamic-group nbsm-iam-role to use subnets in tenancy where any { request.permission='SUBNET_DETACH', request.permission='SUBNET_ATTACH', request.permission='SUBNET_READ' }
Allow dynamic-group nbsm-iam-role to manage boot-volumes in tenancy where any { request.permission='BOOT_VOLUME_CREATE', request.permission='BOOT_VOLUME_DELETE', request.permission='BOOT_VOLUME_INSPECT', request.permission='BOOT_VOLUME_UPDATE', request.permission='BOOT_VOLUME_WRITE' }
Allow dynamic-group nbsm-iam-role to manage boot-volume-backups in tenancy where any { request.permission='BOOT_VOLUME_BACKUP_CREATE', request.permission='BOOT_VOLUME_BACKUP_DELETE', request.permission='BOOT_VOLUME_BACKUP_INSPECT', request.permission='BOOT_VOLUME_BACKUP_READ' , request.permission='BOOT_VOLUME_BACKUP_UPDATE' }
Allow dynamic-group nbsm-iam-role to manage instances in tenancy where any { request.permission='INSTANCE_ATTACH_VOLUME', request.permission='INSTANCE_CREATE', request.permission='INSTANCE_DELETE', request.permission='INSTANCE_DETACH_VOLUME', request.permission='INSTANCE_INSPECT', request.permission='INSTANCE_READ', request.permission='INSTANCE_POWER_ACTIONS', request.permission='INSTANCE_UPDATE' }
Allow dynamic-group nbsm-iam-role to manage network-security-groups in tenancy where any { request.permission='NETWORK_SECURITY_GROUP_READ', request.permission='NETWORK_SECURITY_GROUP_UPDATE_MEMBERS' }
Allow dynamic-group nbsm-iam-role to manage tag-namespaces in tenancy where any { request.permission='TAG_NAMESPACE_CREATE', request.permission='TAG_NAMESPACE_USE', request.permission='TAG_NAMESPACE_INSPECT' }
Allow dynamic-group nbsm-iam-role to manage volumes in tenancy where any { request.permission='VOLUME_CREATE', request.permission='VOLUME_DELETE', request.permission='VOLUME_INSPECT', request.permission='VOLUME_WRITE', request.permission='VOLUME_UPDATE' }
Allow dynamic-group nbsm-iam-role to manage volume-attachments in tenancy where any { request.permission='VOLUME_ATTACHMENT_CREATE', request.permission='VOLUME_ATTACHMENT_DELETE', request.permission='VOLUME_ATTACHMENT_INSPECT' }
Allow dynamic-group nbsm-iam-role to manage volume-backups in tenancy where any { request.permission='VOLUME_BACKUP_CREATE', request.permission='VOLUME_BACKUP_DELETE', request.permission='VOLUME_BACKUP_INSPECT'request.permission='VOLUME_BACKUP_READ', request.permission='VOLUME_BACKUP_UPDATE' }
Allow dynamic-group nbsm-iam-role to manage vnics in tenancy where any { request.permission='VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP', request.permission='VNIC_ATTACH', request.permission='VNIC_CREATE', request.permission='VNIC_DELETE', request.permission='VNIC_READ' }
Allow dynamic-group nbsm-iam-role to use key-delegate in tenancy
Allow dynamic-group nbsm-iam-role to {INSTANCE_BOOT_VOLUME_REPLACE} in tenancy

Feedback

Was this page helpful?
Previous

Configuring host support for OCI

Next

Oracle PCA permissions required by NetBackup Snapshot Manager

Feedback

Was this page helpful?