NetBackup™ Security and Encryption Guide

Add a custom RBAC role to restore Azure-managed instances

To restore Azure-managed instances, users must have the view permission for these instances. Administrators and similar users can provide other users with a custom role and this permission.

To assign the view permission for Azure-managed instances

  1. To get the access control ID of the managed instance, enter the following command:

    GET /asset-service/workloads/cloud/assets?filter=extendedAttributes/managedInstanceName eq 'managedInstanceName'

    Search for the accessControlId field in the response. Note down the value of this field.

  2. To get the role ID, enter the following command:

    GET /access-control/roles

    Search for the id field in the response. Note down the value of this field.

  3. Create an access definition, as follows:

    POST /access-control/managed-objects/{objectId}/access-definitions

    Request payload

    {
        "data": {
            "type": "accessDefinition",
            "attributes": {
                "propagation": "OBJECT_AND_CHILDREN"
            },
            "relationships": {
                "role": {
                    "data": {
                        "id": "<roleId>",
                        "type": "accessControlRole"
                    }
                },
                "operations": {
                    "data": [
                        {
                            "id": "|OPERATIONS|VIEW|",
                            "type": "accessControlOperation"
                        }
                    ]
                },
                "managedObject": {
                    "data": {
                        "id": "<objectId>",
                        "type": "managedObject"
                    }
                }
            }
        }
    }

    Use the following values:

    • objectId: Use the value of accessControlId obtained from step 1.

    • roleId: Use the value of id obtained from step 2.

    Note:

    For an alternate restore, provide the |OPERATIONS|ASSETS|CLOUD|RESTORE_DESTINATION| permission in the operations list.
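The three steps above can be checked offline before anything is posted. The following is an added example, not code from the NetBackup documentation: it builds the step 3 request from the step 1 response and refuses to continue if the filter matched more than one accessControlId or if a placeholder was left in place. The function names, the shape of the sample response, and the sample IDs are assumptions constructed for illustration.

```python
from urllib.parse import quote

VIEW = "|OPERATIONS|VIEW|"
RESTORE_DESTINATION = "|OPERATIONS|ASSETS|CLOUD|RESTORE_DESTINATION|"

def find_values(node, key):
    """Collect every scalar stored under `key` anywhere in a decoded JSON document."""
    found = []
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key and not isinstance(v, (dict, list)):
                found.append(v)
            else:
                found.extend(find_values(v, key))
    elif isinstance(node, list):
        for item in node:
            found.extend(find_values(item, key))
    return found

def single_access_control_id(asset_response):
    """Return the one accessControlId in the step 1 response, or fail if ambiguous."""
    ids = set(find_values(asset_response, "accessControlId"))
    if len(ids) != 1:
        raise ValueError(f"expected exactly one accessControlId, found {len(ids)}")
    return ids.pop()

def build_access_definition(object_id, role_id, alternate_restore=False):
    # Reject empty values and unreplaced <objectId>/<roleId> placeholders.
    for name, value in (("objectId", object_id), ("roleId", role_id)):
        if not (isinstance(value, str) and value) or value.startswith("<"):
            raise ValueError(f"{name} is empty or still a placeholder")
    # Grant only VIEW, plus the restore-destination operation for an alternate restore.
    operations = [VIEW] + ([RESTORE_DESTINATION] if alternate_restore else [])
    path = f"/access-control/managed-objects/{quote(object_id, safe='')}/access-definitions"
    body = {"data": {
        "type": "accessDefinition",
        "attributes": {"propagation": "OBJECT_AND_CHILDREN"},
        "relationships": {
            "role": {"data": {"id": role_id, "type": "accessControlRole"}},
            "operations": {"data": [{"id": op, "type": "accessControlOperation"} for op in operations]},
            "managedObject": {"data": {"id": object_id, "type": "managedObject"}},
        }}}
    return path, body

# Constructed sample response for step 1 (shape and ID are assumptions, not real output).
SAMPLE_ASSETS = {"data": [{"type": "asset", "id": "example-asset",
                           "attributes": {"accessControlId": "EXAMPLE-ACL-ID"}}]}

if __name__ == "__main__":
    print(build_access_definition(single_access_control_id(SAMPLE_ASSETS), "EXAMPLE-ROLE-ID"))
```

The returned path and body correspond to the POST in step 3; the script itself sends no request.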
