Help Center/ Cloud Backup and Recovery/ User Guide/ Using IAM to Grant Access to CBR/ Using IAM Identity Policies to Grant Access to CBR
Updated on 2026-03-12 GMT+08:00

Using IAM Identity Policies to Grant Access to CBR

System-defined permissions in identity policy-based authorization provided by Identity and Access Management (IAM) let you control access to CBR resources. With IAM, you can:

  • Create IAM users or user groups for personnel based on your enterprise's organizational structure. Each IAM user can have their own identity credentials for accessing CBR resources.
  • Grant users only the permissions required to perform a given task based on their job responsibilities.
  • Entrust a Huawei Cloud account or a cloud service to perform efficient O&M on your CBR resources.

If your Huawei Cloud account meets your permissions requirements, you can skip this section.

Figure 1 shows the process flow of identity policy-based authorization.

Prerequisites

Before granting permissions, learn about CBR system-defined permissions in Permissions Management. For details about how to grant permissions for other services, see System-defined Permissions.

Process Flow

Figure 1 Process of granting CBR permissions
  1. On the IAM console, create an IAM user or create an IAM user group.

  2. Attach a system-defined identity policy to the user or user group.

    Assign the permissions defined in the system-defined identity policy CBRReadOnlyPolicy to the user or group, or attach the system-defined identity policy to it.

  3. Log in as the IAM user and verify permissions.

    Log in to the CBR console and verify the permissions.

    • Choose Service List > Cloud Backup and Recovery. Then click Buy Server Backup Vault on the CBR console. If a message appears indicating insufficient permissions to perform the operation, the CBR ReadOnlyAccess policy is in effect.
    • Choose another service in Service List. If a message appears indicating insufficient permissions to access the service, the CBR ReadOnlyAccess policy is in effect.

Example Custom Policies

You can create custom identity policies to supplement the system-defined identity policies of CBR. Add actions in custom policies as needed. For details about supported actions, see Permissions and Supported Actions > Actions Supported by Identity Policy-based Authorization in the Cloud Backup and Recovery API Reference.

To create a custom identity policy, choose either visual editor or JSON.
  • Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
  • JSON: Create a JSON policy or edit an existing one.

For details, see Creating a Custom Identity Policy and Attaching It to a Principal.

When creating a custom policy, use the Resource element to specify the resources the policy applies to and use the Condition element (service-specific condition keys) to control when the policy is in effect. For details about the supported resource types and condition keys, see Permissions Policies and Supported Actions > Actions Supported by Identity Policy-based Authorization in the Cloud Backup and Recovery API Reference.

The following lists examples of common CBR custom policies.

  • Example 1: Grant permission to create, modify, and delete vaults.
    {
        "Version": "5.0",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "cbr:vaults:create",
                    "cbr:vaults:update",
                    "cbr:vaults:delete"
                ]
            }
        ]
    }
    {
        "Version": "5.0",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "cbr:vaults:create",
                    "cbr:vaults:update",
                    "cbr:vaults:delete"
                ],
                "Resource": [
                    "cbr:*:*:vault:*"
                ]
            }
        ]
    }
  • Example 2: Create a custom policy containing multiple actions.

    A custom policy can contain the actions on one or multiple services.

    Example policy containing multiple actions:

    {
        "Version": "5.0",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "cbr:vaults:create",
                    "cbr:vaults:delete"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "evs:volumes:create",
                    "evs:volumes:list"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ecs:cloudServers:createServers",
                    "ecs:cloudServers:listServersDetails"
                ]
            }
        ]
    }