Configuring permissions on Microsoft Azure
Before NetBackup Snapshot Manager can protect your Microsoft Azure assets, it must have access to them. You must associate a custom role that NetBackup Snapshot Manager users can use to work with Azure assets.
The following is a custom role definition (in JSON format) that gives NetBackup Snapshot Manager the ability to:
Configure the Azure plug-in and discover assets.
Create host and disk snapshots.
Restore snapshots to the original location or to a new location.
Delete snapshots.
Table: NetBackup Snapshot Manager feature versus permissions for Microsoft Azure cloud provider
Feature | Task/Operation | Required permission |
|---|---|---|
| VM based | ||
Backup from snapshot | To create shared access signature URI for backup from snapshot. | Microsoft.Storage/*/read |
To generate shared access signature URI for backup from snapshot. | Microsoft.Compute/restorePointCollections/restorePoints/retrieveSasUris/action | |
To get access to read from disk restore point for creating backup copy in backup from snapshot. | Microsoft.Compute/restorePointCollections/restorePoints/diskRestorePoints/beginGetAccess/action | |
To obtain end access to restore points, after successful backup from snapshot. | Microsoft.Compute/restorePointCollections/restorePoints/diskRestorePoints/endGetAccess/action | |
Creating backup from snapshot | To get access to the snapshot data. | Microsoft.Compute/snapshots/beginGetAccess/action |
For ending the URI after data from snapshot copied into the backup. | Microsoft.Compute/snapshots/endGetAccess/action | |
Restore from backup from snapshot | To create shared access signature URI for the managed disk. | Microsoft.Compute/disks/beginGetAccess/action |
To delete shared access signature URI, after backup from snapshot. | Microsoft.Compute/disks/endGetAccess/action | |
Protection of Virtual Machines | To list VMs, VM scale set and attached disks. | Microsoft.Compute/*/read |
Protection of SQL databases | To list Azure SQL databases to be protected. | Microsoft.Sql/*/read |
Restore disks from snapshots/restore points | To create disk for restore. | Microsoft.Compute/disks/write |
Rollback restore/ Cleanup in restore | To restore VM in rollback restore. Or To cleanup in case of failure in restore workflow. | Microsoft.Compute/virtualMachines/delete |
Restore disk | To identify the available disk attachment points, for restoring disks/ files. | Microsoft.Compute/virtualMachines/vmSizes/read |
Cleanup | To delete public IP, in case of cleanup in restore workflow failure. When the original VM has public IP and the alternate location restore fails. | Microsoft.Network/publicIPAddresses/delete |
To delete RPC, if create snapshot workflow fails, and therefore rollback. | Microsoft.Compute/restorePointCollections/delete | |
List Resources (Discovery) | To get resource group and location information. | Microsoft.Resources/*/read |
Discovery | To list subscriptions which can be used to list out the assets to be protected. | Microsoft.Subscription/*/read |
Snapshots and Restores | To add tags to snapshots for indicating that the tags are created by Snapshot Manager To add tags which are originally present in the VM to the restored VM. | Microsoft.Resources/subscriptions/tagNames/tagValues/write Microsoft.Resources/subscriptions/tagNames/write |
Snapshot | To protect disk snapshots from accidental deletion. | Microsoft.Authorization/locks/* |
List restore points | To list snapshots (restore point), for restores. | Microsoft.Compute/restorePointCollections/read |
List snapshots | To list and map restore point for the VMs. | Microsoft.Compute/restorePointCollections/restorePoints/read |
List disk snapshots | To list disk restore points, for application consistency. | Microsoft.Compute/restorePointCollections/restorePoints/diskRestorePoints/read |
Write snapshots | For incremental snapshots as restore points (Application consistent). | Microsoft.Compute/restorePointCollections/restorePoints/write |
Snapshot cleanup | For cleanup in case of restore failures. | Microsoft.Compute/restorePointCollections/restorePoints/delete |
Create restore point collections | To create RPC, 1 per VM in case a snapshot is triggered for the VM. | Microsoft.Compute/restorePointCollections/write |
Restore VM | For creating VM in restore. | Microsoft.Compute/virtualMachines/write |
For power on restored VM, as mentioned in protection plan. | Microsoft.Compute/virtualMachines/start/action | |
To obtain ADE extension details if installed. | Microsoft.Compute/virtualMachines/extensions/read | |
To install ADE extension at time of restore. | Microsoft.Compute/virtualMachines/extensions/write | |
To change the state of VM. Stopping the VM for rollback restore. | Microsoft.Compute/virtualMachines/powerOff/action | |
To list the networks for restores into the same network as original resource, or to a network selected by user. | Microsoft.Network/*/read | |
To list the Customer Managed Keys. | Microsoft.KeyVault/vaults/keys/read | |
To rollback restore, cleanup in case of failure in workflow. | Microsoft.Network/networkInterfaces/delete | |
To attach network interface card to restored VM. | Microsoft.Network/networkInterfaces/join/action | |
To create network interface card for VM restore. | Microsoft.Network/networkInterfaces/write | |
To attach network security group to VM during restore. | Microsoft.Network/networkSecurityGroups/join/action | |
To create network security group for VM restore, if original VM has one. | Microsoft.Network/networkSecurityGroups/write | |
To attach public IP, in restore when original VM has public IP. | Microsoft.Network/publicIPAddresses/join/action | |
To create public IP, in restore when original VM has public IP. | Microsoft.Network/publicIPAddresses/write | |
To create VM in a subnet, that is, join a subnet. | Microsoft.Network/virtualNetworks/subnets/join/action | |
Kubernetes cluster based | ||
Get cluster information | To obtain the cluster information. | Microsoft.ContainerService/managedClusters/agentPools/read |
Scale-in/Scale-out | To obtain the capability of the cluster. | Microsoft.ContainerService/managedClusters/read |
Scale-in | To maintain the state of VM scale set. | Microsoft.Compute/virtualMachineScaleSets/delete/action |
Scale-out | To maintain the state of VM scale set. | Microsoft.Compute/virtualMachineScaleSets/write |
Marketplace deployment | ||
High availability | To attach Snapshot Manager data disk to VM scale set instance. | Microsoft.Compute/virtualMachineScaleSets/write |
(Scale-in) To maintain the state of the VM scale set. | Microsoft.Compute/virtualMachineScaleSets/delete/action | |
The following set of permissions are required to use managed identity for discovery, create, delete, database authentication and point in time restore (applicable only for Azure SQL and Managed Instance databases) for supported PaaS databases:
actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Subscription/*/read",
"Microsoft.Resources/*/read",
"Microsoft.ManagedIdentity/*/read",
"Microsoft.Sql/*/read",
"Microsoft.Sql/servers/databases/write",
"Microsoft.Sql/servers/databases/delete",
"Microsoft.Sql/managedInstances/databases/write",
"Microsoft.Sql/managedInstances/databases/delete",
"Microsoft.DBforMySQL/servers/read",
"Microsoft.DBforMySQL/servers/databases/read",
"Microsoft.DBforMySQL/flexibleServers/read",
"Microsoft.DBforMySQL/flexibleServers/databases/read",
"Microsoft.DBforMySQL/servers/databases/write",
"Microsoft.DBforMySQL/flexibleServers/databases/write",
"Microsoft.DBforMySQL/servers/databases/delete",
"Microsoft.DBforMySQL/flexibleServers/databases/delete",
"Microsoft.DBforPostgreSQL/servers/databases/delete",
"Microsoft.DBforPostgreSQL/flexibleServers/databases/delete",
"Microsoft.DBforPostgreSQL/servers/databases/write",
"Microsoft.DBforPostgreSQL/flexibleServers/databases/write",
"Microsoft.DBforPostgreSQL/servers/read",
"Microsoft.DBforPostgreSQL/servers/databases/read",
"Microsoft.DBforPostgreSQL/flexibleServers/read",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.DBforPostgreSQL/flexibleServers/databases/read"
],Additional permissions required by PaaS workloads
"Microsoft.DBforMySQL/servers/read", "Microsoft.DBforMySQL/servers/databases/read", "Microsoft.DBforMySQL/flexibleServers/read", "Microsoft.DBforMySQL/flexibleServers/databases/read", "Microsoft.DBforPostgreSQL/servers/read", "Microsoft.DBforPostgreSQL/servers/databases/read", "Microsoft.DBforPostgreSQL/flexibleServers/read", "Microsoft.DBforMariaDB/servers/read", "Microsoft.DBforMariaDB/servers/databases/read", "Microsoft.DBforPostgreSQL/flexibleServers/databases/read", "Microsoft.Sql/*/write", "Microsoft.Sql/*/delete"
If you use system managed identity for the PaaS Azure SQL and Managed Instance, apply the same set of permissions/rules to the media server(s) and Snapshot Manager. If you use user managed identity, attach the same user managed identity to the media server(s) and Snapshot Manager.
Permissions required by Azure Cosmos DB for NoSQL
"Microsoft.DocumentDB/databaseAccounts/read", "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/read", "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/write", "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/read", "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/write", "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings/read" "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/throughputSettings/write", "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/storedProcedures/read", "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/storedProcedures/write", "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/triggers/read", "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/triggers/write", "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/userDefinedFunctions/read", "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/userDefinedFunctions/write", "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/throughputSettings/read", "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/throughputSettings/write"
Permissions required by Azure Cosmos DB for MongoDB
"Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/read", "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/write", "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/read", "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/write", "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/delete", "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/throughputSettings/read", "Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/throughputSettings/write", "Microsoft.DocumentDB/databaseAccounts/listKeys/action"
The following set of permissions are required for discovery, backup, restore, and authentication of Microsoft Azure Object Store
{
"properties": {
"roleName": "cosp_minimal",
"description": "minimal permission required for cos protection.",
"assignableScopes": [
"/subscriptions/<Subsfription_ID>"
],
"permissions": [
{
"actions": [
"Microsoft.Storage/storageAccounts/blobServices/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/containers/write",
"Microsoft.ApiManagement/service/*",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action",
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write",
"Microsoft.Storage/storageAccounts/blobServices/containers/blob/read",
],
"notDataActions": []
}
]
}
}To create a custom role using powershell, follow the steps mentioned in the Azure documentation.
For example:
New-AzureRmRoleDefinition -InputFile "C:\CustomRoles\ReaderSupportRole.json"
To create a custom role using Azure CLI, follow the steps mentioned in the Azure documentation.
For example:
az role definition create --role-definition "~/CustomRoles/ ReaderSupportRole.json"
Note:
Before creating a role, you must copy the role definition given earlier (text in JSON format) in a .json file and then use that file as the input file. In the sample command displayed earlier, ReaderSupportRole.json is used as the input file that contains the role definition text.
To use this role, perform the following:
Assign the role to an application running in the Azure environment.
In NetBackup Snapshot Manager, configure the Azure off-host plug-in with the application's credentials.
More Information