OCI permissions required by NetBackup Snapshot Manager
The table lists the required permissions.
Table: OCI permissions
Permissions | Description |
|---|---|
BOOT_VOLUME_BACKUP_CREATE | To take snapshots of the boot volume. |
BOOT_VOLUME_BACKUP_DELETE | To delete the snapshot of the boot volume as per policy. |
BOOT_VOLUME_BACKUP_INSPECT | To fetch the list of boot volume backup in the discovery. |
BOOT_VOLUME_BACKUP_READ | To create boot volume from backup. |
COMPARTMENT_INSPECT | To list availability domains, and to retrieve all the compartments in the tenancy. |
INSTANCE_ATTACH_VOLUME | To attach the volume to the instance while restore. |
INSTANCE_BOOT_VOLUME_REPLACE | To allow boot volume replacement. |
INSTANCE_CREATE | To restore the instance. |
INSTANCE_DELETE | To create and delete the instance that is created for boot volume restore from backup copy. |
INSTANCE_DETACH_VOLUME | To detach volume after backup and restore operation. |
INSTANCE_IMAGE_INSPECT | To fetch the OS details of the instance. |
INSTANCE_INSPECT | To list various attachments like VNIC, volume, and so on. |
INSTANCE_POWER_ACTIONS | To stop or start the instance during parameterized restore. |
INSTANCE_READ | To list the instances in discovery and retrieve the details of the instance. |
INSTANCE_UPDATE | Update the tags attached on the instance. |
KEY_ASSOCIATE | To attach CMK in the parameterized restore. |
KEY_DISASSOCIATE | To detach the CMK in the parameterized restore. |
KEY_INSPECT | To list the keys in the vault. |
KEY_READ | To get the key details. |
NETWORK_SECURITY_GROUP_READ | List the network security group for parameterized restore. |
NETWORK_SECURITY_GROUP_UPDATE_MEMBERS | To attach a network security group to an instance. |
SUBNET_ATTACH | To launch the instance in a specific subnet. |
SUBNET_DETACH | To terminate the instance in a specific subnet. |
SUBNET_READ | To list subnets in parameterized restore. |
TAG_NAMESPACE_CREATE | To create the tag namespace for NetBackup Snapshot Manager. |
TAG_NAMESPACE_INSPECT | To check if the NetBackupSnapshot Manager tag namespace exists or not. |
TAG_NAMESPACE_USE | To create the tag in the NetBackupSnapshot Manager tag namespace. |
TENANCY_INSPECT | To get the details of the tenancy. |
VAULT_INSPECT | To list the vaults and retrieve the keys. |
VCN_READ | To get VCN details associated with the instance. |
VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP | To associate the network security group while launching the instance. |
VNIC_ATTACH | To launch the instance. |
VNIC_ATTACHMENT_READ | To list the VNIC attachment. |
VNIC_CREATE | To associate VNIC to the instance while launching the instance. |
VNIC_DELETE | To delete the associated VNIC to delete the instance. |
VNIC_READ | To fetch the VNIC information associated with the instance. |
VOLUME_ATTACHMENT_CREATE | To attach the volume after restore. |
VOLUME_ATTACHMENT_DELETE | To attach the volume after restore. |
VOLUME_ATTACHMENT_INSPECT | To detach the volume after backup and restore. |
VOLUME_BACKUP_CREATE | To take snapshots of the volume. |
VOLUME_BACKUP_DELETE | To delete the snapshot of the volume as per policy. |
VOLUME_BACKUP_INSPECT | To retrieve the list of volume backups during discovery. |
VOLUME_BACKUP_READ | List volume backups during the discovery. |
BOOT_VOLUME_CREATE | To create volumes during restore. |
BOOT_VOLUME_DELETE | To delete volumes during parameterized restore if the availability domain is changed. |
BOOT_VOLUME_INSPECT | To list volumes during discovery. |
BOOT_VOLUME_UPDATE | To update the tags and different attributes of the volume. |
BOOT_VOLUME_WRITE | Create volume from snapshot. |
Here is an example of assigning permissions to the policy that you create. Here, nbsm-iam-role is the name of dynamic group and NetBackup Snapshot Manager is a part of that dynamic group
Allow dynamic-group nbsm-iam-role to inspect compartments in tenancy
Allow dynamic-group nbsm-iam-role to inspect instance-images in tenancy
Allow dynamic-group nbsm-iam-role to inspect vnic-attachments in tenancy
Allow dynamic-group nbsm-iam-role to inspect vaults in tenancy
Allow dynamic-group nbsm-iam-role to read vcns in tenancy
Allow dynamic-group nbsm-iam-role to use keys in tenancy
Allow dynamic-group nbsm-iam-role to use subnets in tenancy where any { request.permission='SUBNET_DETACH', request.permission='SUBNET_ATTACH', request.permission='SUBNET_READ' }
Allow dynamic-group nbsm-iam-role to manage boot-volumes in tenancy where any { request.permission='BOOT_VOLUME_CREATE', request.permission='BOOT_VOLUME_DELETE', request.permission='BOOT_VOLUME_INSPECT', request.permission='BOOT_VOLUME_UPDATE', request.permission='BOOT_VOLUME_WRITE' }
Allow dynamic-group nbsm-iam-role to manage boot-volume-backups in tenancy where any { request.permission='BOOT_VOLUME_BACKUP_CREATE', request.permission='BOOT_VOLUME_BACKUP_DELETE', request.permission='BOOT_VOLUME_BACKUP_INSPECT', request.permission='BOOT_VOLUME_BACKUP_READ' , request.permission='BOOT_VOLUME_BACKUP_UPDATE' }
Allow dynamic-group nbsm-iam-role to manage instances in tenancy where any { request.permission='INSTANCE_ATTACH_VOLUME', request.permission='INSTANCE_CREATE', request.permission='INSTANCE_DELETE', request.permission='INSTANCE_DETACH_VOLUME', request.permission='INSTANCE_INSPECT', request.permission='INSTANCE_READ', request.permission='INSTANCE_POWER_ACTIONS', request.permission='INSTANCE_UPDATE' }
Allow dynamic-group nbsm-iam-role to manage network-security-groups in tenancy where any { request.permission='NETWORK_SECURITY_GROUP_READ', request.permission='NETWORK_SECURITY_GROUP_UPDATE_MEMBERS' }
Allow dynamic-group nbsm-iam-role to manage tag-namespaces in tenancy where any { request.permission='TAG_NAMESPACE_CREATE', request.permission='TAG_NAMESPACE_USE', request.permission='TAG_NAMESPACE_INSPECT' }
Allow dynamic-group nbsm-iam-role to manage volumes in tenancy where any { request.permission='VOLUME_CREATE', request.permission='VOLUME_DELETE', request.permission='VOLUME_INSPECT', request.permission='VOLUME_WRITE', request.permission='VOLUME_UPDATE' }
Allow dynamic-group nbsm-iam-role to manage volume-attachments in tenancy where any { request.permission='VOLUME_ATTACHMENT_CREATE', request.permission='VOLUME_ATTACHMENT_DELETE', request.permission='VOLUME_ATTACHMENT_INSPECT' }
Allow dynamic-group nbsm-iam-role to manage volume-backups in tenancy where any { request.permission='VOLUME_BACKUP_CREATE', request.permission='VOLUME_BACKUP_DELETE', request.permission='VOLUME_BACKUP_INSPECT'request.permission='VOLUME_BACKUP_READ', request.permission='VOLUME_BACKUP_UPDATE' }
Allow dynamic-group nbsm-iam-role to manage vnics in tenancy where any { request.permission='VNIC_ASSOCIATE_NETWORK_SECURITY_GROUP', request.permission='VNIC_ATTACH', request.permission='VNIC_CREATE', request.permission='VNIC_DELETE', request.permission='VNIC_READ' }
Allow dynamic-group nbsm-iam-role to use key-delegate in tenancy
Allow dynamic-group nbsm-iam-role to {INSTANCE_BOOT_VOLUME_REPLACE} in tenancy