Add a custom RBAC role to restore Azure-managed instances
To restore Azure-managed instances, users must have the view permission for these instances. Administrators and similar users can provide other users with a custom role and this permission.
To assign the view permission for Azure-managed instances
- To get the access control ID of the managed instance, enter the following command:
GET /asset-service/workloads/cloud/assets?filter=extendedAttributes/ managedInstanceName eq 'managedInstanceName'
Search for accessControlId field in the response. Note down the value of this field.
- To get the role ID, enter the following command:
GET /access-control/roles
Search for the id field in the response. Note down the value of this field.
- Create an access definition, as follows:
POST /access-control/managed-objects/{objectId}/access-definitions
Request payload
{ "data": { "type": "accessDefinition", "attributes": { "propagation": "OBJECT_AND_CHILDREN" }, "relationships": { "role": { "data": { "id": "<roleId>", "type": "accessControlRole" } }, "operations": { "data": [ { "id": "|OPERATIONS|VIEW|", "type": "accessControlOperation" } ] }, "managedObject": { "data": { "id": "<objectId>", "type": "managedObject" } } } } }Use the following values:
objectId: Use the value of accessControlId obtained from step 1.
roleId: Use the value of id obtained from step 2.
Note:
For an alternate restore, provide the |OPERATIONS|ASSETS|CLOUD|RESTORE_DESTINATION| permission in the operations list.