Roles and permissions

Enterprise Workloads Editions: ✓ Business ✗ Enterprise ✓ Elite

Azure role-based access control (Azure RBAC) is the primary method of managing access in Azure. Managing who can access your Azure resources and subscriptions is an important part of your Azure governance strategy. 

Azure RBAC is an authorization system built on Azure Resource Manager that provides granular access management to Azure resources. When planning your access control strategy, it is best practice to grant users the least privilege required to get their work done.

To assign roles or grant access, ensure that you have the appropriate Microsoft.Authorization/role assignment of Global Administrator.

Note: Before you onboard or register subscriptions, ensure that you have the "Users can register applications" permission enabled for your user account in the Azure environment.

Permissions 

The following table provides detailed information on the permissions required to grant Druva access to your Azure environment.

| Permission ID | Why Druva needs the Permission |
|---|---|
| Onboarding Permissions | |
| Azure Key Vault/ user_impersonation | Grants temporary access as the installer to create the link to Druva |
| Azure Service Management/ user_impersonation | Grants temporary access as the installer to create the link to Druva |
| Microsoft Graph/ Application.Read.All, Application.ReadWrite.OwnedBy | Grants Druva access to verify whether the tenant was previously registered (first onboarding as against adding additional subscriptions) |
| Microsoft Graph/ AppRoleAssignment.ReadWrite.All | Grants Druva access to specific Subscriptions |
| Backup and Restore Permissions | |
| Azure Key Vault/ vaults/read, vaults/secrets/read, vaults/secrets/write, vaults/write | Creating the secondary encryption key |
| Microsoft.Network/ networkSecurityGroups/read, virtualNetworks/read, virtualNetworks/subnets/read | Discover values in order to provide inputs for restore |
| Microsoft Resources/ ResourceGroups/read | Discover Azure resources for backup |
| Microsoft.Compute/ virtualMachines/Read, virtualMachines/Write, virtualMachines/Deallocate, virtualMachines/Capture, virtualMachines/Read-InstanceView | Perform backup and restore operations |
| Microsoft.Compute/ virtualMachineScaleSets/Read-InstanceView, virtualMachineScaleSets/Read-Skus, virtualMachineScaleSets/Read-NetworkInterfaces, virtualMachineScaleSets/Read-RunCommands | Perform backup and restore operations |
| Microsoft.Compute/ images/read, images/write, locations/operations/read, locations/vmSizes/read | Create a native image for backup, see images that were created and their status, and provide data for the UI |
| Microsoft.Compute/ snapshots/read | See snapshots that were created and their status |
| Microsoft.Compute/ snapshots/beginGetAccess, snapshots/endGetAccess | Read the data to be backed up |
| Microsoft.Compute/ disks/read, disks/write, disks/beginGetAccess, endGetAccess | View and manage restore, and in the case of restore failure grants clean-up permissions as required |
| Microsoft ManagedIdentity/ userAssignedIdentities/read | Perform backup and restore operations |
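
To check a role against the least-privilege guidance above, the following added example (not Druva's code and not part of the original page) audits a role definition for wildcard grants, grants outside an expected list, and expected actions that are not effectively granted. The Azure action names in EXPECTED are an assumed translation of a few table rows, and SAMPLE_ROLE and audit_role are hypothetical names with constructed data.

```python
import fnmatch

# Assumed Azure action names for a few rows of the table, lower-cased so the
# comparison ignores case differences (the table mixes "Read" and "read").
EXPECTED = {
    "microsoft.compute/virtualmachines/read",
    "microsoft.compute/snapshots/read",
    "microsoft.compute/disks/read",
    "microsoft.compute/disks/write",
    "microsoft.network/virtualnetworks/read",
    "microsoft.keyvault/vaults/read",
    "microsoft.keyvault/vaults/secrets/read",
}

# Constructed role definition, shaped like a custom role's permissions block.
SAMPLE_ROLE = {
    "roleName": "example-backup-role",
    "permissions": [{
        "actions": [
            "Microsoft.Compute/virtualMachines/read",
            "Microsoft.Compute/snapshots/read",
            "Microsoft.Compute/disks/*",
            "Microsoft.Network/virtualNetworks/read",
            "Microsoft.KeyVault/vaults/read",
            "Microsoft.Authorization/roleAssignments/write",
        ],
        "notActions": ["Microsoft.Compute/disks/write"],
    }],
}

def audit_role(role, expected=EXPECTED):
    """Report wildcard grants, grants outside `expected`, and expected gaps."""
    blocks = [({a.lower() for a in b.get("actions", [])},
               {a.lower() for a in b.get("notActions", [])})
              for b in role.get("permissions", [])]
    granted = set().union(*(acts for acts, _ in blocks))

    def covered(action):
        # Effective if a block grants it (wildcards included) and that same
        # block's notActions do not subtract it again.
        return any(any(fnmatch.fnmatchcase(action, g) for g in acts)
                   and not any(fnmatch.fnmatchcase(action, n) for n in nots)
                   for acts, nots in blocks)

    return {
        "wildcards": sorted(a for a in granted if "*" in a),
        "unexpected": sorted(a for a in granted - expected if "*" not in a),
        "missing": sorted(a for a in expected if not covered(a)),
    }

if __name__ == "__main__":
    print(audit_role(SAMPLE_ROLE))
```

Any entry under "wildcards" or "unexpected" is a grant broader than the list being checked against and should be reviewed before the role is assigned.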
