Users have access to the resources and features of the CommCell based on the
following:
CommCell user accounts
CommCell user groups
User group capabilities
User group object associations
Using this approach, a CommCell administrator can provide users with the exact
capabilities they are required. These requirements can vary, depending on the tasks
each user needs to perform. A CommCell administrator can also restrict the CommCell
objects that a user can view, by restricting the CommCell objects that a user's
member user group has an association with.
All users that perform functions within the CommCell must have a CommCell user
account. This user account contains information about each user. A user can have
a unique account, or use another account.
By default, a CommCell administrator user is established during the installation
of the software. The user defined as the CommCell administrator user is permanent
and cannot be deleted.
User Groups are named logical entities; containers to which capabilities, CommCell
objects, and users are assigned. Users that are assigned to a group are granted
the group's privileges as well as access to the group's object associations. The
following user groups are automatically created by the installation of the software:
By default, the Master user group is automatically created during the installation
of the software. This user group is assigned all available capabilities as system
resources. The user you created during the installation of the software is automatically
assigned to this user group. Users that are members of this user group have all
available rights within the CommCell.
The View All user group allows a user to see
all CommCell entities and associated schedules, regardless of the associations of the user groups to which that
user has an association. Note that users cannot modify the schedules unless they
created them. For more information, see Enable Users to View All Objects in the CommCell Console.
Name Servers comprises of external domains and external user groups to which
CommServe user groups can be associated in order to utilize the Single Sign On feature
and/or to use external domain user account credentials for logging in. For more
information, see Single Sign On.
You can also create Name Servers for Domino Directory Services in order to
enable end-user search for Lotus Notes Domino users. However, note that Single
Sign On is not supported for Domino Name Servers. For step-by-step instructions,
see
Add a Domain Controller for Domino Directory Services.
When adding domain controllers, note that no two domain controllers can have
the same domain name. In other words, you cannot register duplicate domain
controllers with the CommServe.
Whenever you register a new domain controller with the CommServe, make sure
to restart the IIS services on the Web Search Server in order to enable logging
to the Search Console using the new domain.
Capabilities and CommCell Objects
Each user group must be assigned capabilities and objects so that its member
users can perform functions within the CommCell. A user group can be assigned all
capabilities and/or all associations, or individual associations and capabilities.
Capabilities are privileges that allow users to perform a variety of functions
within a CommCell. These functions include performing data protection, data recovery,
and administration operations, such as license administration and administering
user accounts.
CommCell Objects are levels in the CommCell that a user group can be associated
with. User groups must be given permissions to these objects.
If a user is not part of the View All
user group, then that user will not see CommCell objects for which the user's
member user group(s) does not have associations. Furthermore, users will not be
able to view the Job Controller or Event Viewer details associated with the
CommCell objects for which they do not have permissions. Note that a user will
not be able to view these CommCell objects upon logging onto the CommCell
Console after the restrictions have been set.
Similar to the CommCell Console, the Command Line Interface also has the ability to restrict user
access for performing various operations. For example, if a user with limited
permissions uses the command to obtain the list of all CommCell clients, then
only the clients that the user has access to will be displayed.
An alert can be configured to notify users of multiple failed login
attempts, which may signify that a non-registered user is trying to
gain unauthorized access to the CommCell. This alert can assist in securing
your CommCell environment. To configure this alert, see
CommCell alert.
Once the above steps are completed, the user assigned to the created user group
will be able to perform the functions available from the capabilities and objects
the user group is associated with. See
Capabilities and Permitted Actions
for a list of the specific functions a user group can perform based on capabilities
and associated objects.
User accounts are created for users who need to access the system. When
you create a user account, you can immediately assign the account to the
available user groups or leave the account unassigned.
In the sample image, the user Technician
was created from the General tab of the New User
Properties dialog box. This user was given a password, user name,
description and e-mail address.
User groups must be created for users who require access to the system.
Each user group represents a distinct set of users, capabilities, and CommCell
objects. You can create any number of user groups, each having any combination
of assigned capabilities.
When planning your user group strategy, decide:
Who needs access to the system?
What tasks will each CommCell user need to perform?
As an administrator, what are your security needs?
In the sample image, the user group Tech_Support
was created from the General tab of the
New User Group Properties dialog box. This
user group was given a name and description.
When assigning capabilities to a user group, the capabilities you assign
should match the functions you want the users of that user group to perform
within the CommCell. For a complete list of capabilities, see
Capabilities and Permitted
Actions.
In the sample image, the user group Tech_Support
was assigned capabilities from the Capabilities
tab of the New User Group Properties dialog
box.
A user can obtain the functionality of a user group by being assigned
to that group. You can assign individual users or groups of users to user
groups. A user can be a member of more than one group (and have all of the
capabilities from each of those groups).
In the sample image that follows, the user Technician
was assigned to the Tech_Support user group
from the Users tab of the
New User Group Properties dialog box.
CommCell object associations enable members of a group to perform operations
on a specific object. The nature of those operations depends on the capabilities
assigned to the group.
If an object, such as a client computer or higher level object, is not
associated with a given user group, then the users of that group cannot
perform any operations involving that client computer. The following objects
can be associated with a user group:
The CommServe
Client Computer Group
Client Computer
Agent
Backup set
Subclient
MediaAgent
Library
Storage policy
Each of these objects supports specific functions within the CommCell.
For a summary of these functions, see
Capabilities and Permitted
Actions.
In the sample image, the Tech_Support
user group was associated at the Client level from the
Security tab of the
Client Computer Properties dialog box.
Once the Tech_Support user group is given
association at the client level, the client level is displayed in the
Associated Objects tab of the
User Group Properties dialog box.
The View All user group allows members of
that group to see all entities in the CommCell Console as well as
associated job schedules, regardless of the
associations of their member user groups. By default, the
Automatically Add New Users to the
View All Group option on the Security tab
at the CommCell level is enabled, allowing all newly created users membership
with this group.
Users can also be added to this group individually.
Though users within this group can view all schedules associated with
all CommCell entities, they can only modify those schedules which they
have created.
If a user is not part of the View All user
group, the user can only see objects in
the CommCell Console for which their member user group(s) has association
with.
For example, if a user is not a member of the
View All user group, and user
Technician of the
Tech_Support user group is associated at
a particular client, this user will only be able to see that client upon
logging on to the CommCell Console.
If this user then wants to change the storage policy of a subclient,
then Tech_Support must have association
at both the subclient and storage policy levels.
In the sample image that follows, Tech_Support
does not have association at the storage policy level. User
Technician of that user group cannot select
a storage policy, as the storage policies are not visible.
When a user belongs to a user group with restricted access, the
restrictions extend to the Job Controller and the Event Viewer; they
will not be able to view the Job Controller or Event Viewer details
associated with the clients or objects for which they do not have
permissions. Once a user is added to a user group with restricted
access, the restrictions will take place upon the user logging into
the CommCell Console after the restrictions are set. They will only
be able to view Job Controller or Event Viewer details with which
they are associated and have permissions.
You can create a user group with the View
capability, which can be associated with specific entities within
the CommCell. Members of this user group will only be able to view
those entities associated with the user group.
You can view the users currently logged on to the CommCell Console via the CommCell
Console or Command Line Interface. Through the
Users Logged In
dialog box, you can obtain the log on name of the user that is currently logged
on, the host name the user logged on from, the date and time the user logged on
to the CommCell Console, and the amount of time the CommCell Console has been
inactive. For more information, see
View Users Logged In.
If you want the CommCell Console to disconnect after being inactive
for a certain amount of time, you can enable the Allow GUI connections to timeout
option on the System
dialog box. You can define the timeout in minutes for the inactive CommCell Console
to disconnect.
The Single Sign On (SSO) feature enables users to login to the CommServe
using their user-account credentials from the Active Directory service provider,
inheriting capabilities on the CommServe based on their Active Directory group
membership mapping on the CommServe user groups, which must include the
Browse capabilities.
If the Single Sign On feature is enabled for this Active Directory domain,
the login/password entry screen is bypassed, and the user is authenticated
without them having to enter any login/password information. Users can also
launch the CommCell Console and select Cancel before the application
initiates the login process. The username field is pre-populated if the user is
connecting to the CommServe, and the Active Directory domain they are currently
logged into has been configured on the CommServe. Users also have the option to
overwrite this username with other Active Directory user account credentials;
the username must be entered in the following format:
<domain name>\<user name>. When a username is entered with a domain name,
the CommServe Server automatically recognizes that the password information must
be authenticated by the external domain server.
Prior to enabling Single Sign On on a Name Server, note the following:
Ensure that a Web Client package is installed on at least one of the
clients in the domain.
Ensure that Java 6 is installed (1.6.x and above)
Single Sign On works only on Intranet based sites.
The CommServe must be a member of an Active Directory domain in order to
support Single Sign On logins. SSO logins are not supported if the CommServe
is part of a workgroup.
In order to enable Single Sign On, you need to first add the external domain with
the CommServe for authentication purposes. When adding the domain controller,
you will provide the required information to communicate with the Active
Directory service provider (such as domain name, hostname of directory server,
directory service type, username and password).
Note the following when adding domain controllers:
The CommServe must have
LDAP, DNS and Kerberos connectivity to each domain that you wish to register for
Single Sign On. If firewalls exist between the CommServe and domain controllers,
these services must be able to traverse the firewall in order for Single Sign On
to function.
When using trusted domains, make sure to add both the domains with the
CommServe so that users from the trusted domains can login using Single Sign
On.
Make sure no two domain controllers have
the same domain name. In other words, you cannot register duplicate domain
controllers with the CommServe.
Use the following steps to add a domain controller:
1.
Obtain the domain name and fully qualified domain name of the Active
Directory server.
2.
Ensure that LDAP is configured on the AD server:
From the Active Directory Server, select Start | Run.
Type ldp on the Run dialog box and click OK.
Click the Connections menu option, and select Connect.
From the Connect dialog box, enter the following information:
Server: Enter the name of the external domain server,
e.g., computer.domain.com.
Port: Enter 636 as the port number for the external
domain server.
SSL: Mark this checkbox to check for the proper
certificate.
Click OK. If properly configured for LDAP, the external
domain server details will be displayed in the LDP windowpane. If not
configured for use with LDAP, an error message will appear indicating
that a connection cannot be made using this feature.
3.
From the CommCell Browser, expand the Security node, right-click
Name Servers | Add New Domain and click
Active Directory.
4.
Enter the domain name in NetBIOS Name text box,
e.g., mydomain.
Enter the Fully Qualified Domain Name (FQDN), e.g.,
mydomain.mycompany.com
in the Domain Name text box.
5.
Click Edit to enter the user account information for the
domain.
Type Username and Password in Enter User
Account Information.
Click OK.
6.
Select Use Secure LDAP to enable the secure Lightweight
Directory Access Protocol (LDAP) with the external domain.
Click OK.
7.
Once you have registered the Domain Controller, restart
the IIS services on the Web Search Server.
From your CommServe computer, click the Start button on the Windows task bar and then
click Administrative Tools.
Click Services.
In the Services window, select and right-click IIS
Admin Service and click Restart.
Restart Other Services dialog will be displayed, click
Yes.
Add a New External Group
Once you have added the domain controller, associate certain
external domain user groups (domain name\user group) with a user group defined in
the CommServe. This will provide the external domain users access to the CommCell
entities. Note that the CommServe user group must have Browse capabilities in order for the
Single Sign On feature to work properly.
1.
Ensure that the specific external user group in which the user belongs has Group Scope defined as
Globalon the Active Directory Domain:
Navigate to Start | Administrative Tools | Active Directory
Users and Computers.
Right-click the external group and select Properties.
Select Group from Group Scope and click OK.
2.
From the CommCell Browser, navigate to Security | Name Server
|<Domain Name>, right-click External Groups and select
AddNew
Group.
3.
Click Browse.
Select the <external user group name> in which the user
belongs.
4.
15.
Select the CommCell User Group to associate with the specified external
user group.
Click OK.
Enable Single Sign On
Use the following steps to enable Single Sign On:
From the CommCell Browser, click the Security icon, and
right-click on the Name Servers icon.
Right click on the domain for which you wish to enable/disable the
feature, and
select Properties from the popup menu.
Enable or disable the Enable SSO option.
Configuration
Once you have enabled Single Sign On on the Name Server , do the following:
Restart the Web Server (IIS) since the domain information is cached in the
server.
Ensure that you have administrative permissions for the domain.
Open the command prompt and execute cvspn.bat
located in the Base folder of the web client.
cvspn.bat -A domainName\userName (adds a
Service Principal Name)
cvspn.bat -D domainName\userName (deletes a
Service Principal Name)
Here the userName must match with the Name Server registration done in
the Commcell GUI.
Configure your browser to include the site in the Intranet zone in case
of Internet Explorer.
You can also register Active Directory Admin domains and Resource domains
with the CommServe. Admin domain contains the user credentials of all the users.
The Resource domain includes the resources or applications that can be accessed
by each user in the admin domain. In order to enable the users in the admin
domain to access the resources in the resource domain, you need to associate the
admin domain with the resource domain when adding a new domain controller.
An alert can be configured to send e-mail notifications to user groups
created from within the CommCell Console as well as external domain user groups.
However, individual external domain users will not receive the alert
notification e-mail if they have not previously logged on to the CommCell
Console. Users (from the user groups created from within the CommCell Console)
will receive the alert e-mail notification regardless of their login status.
Reports
A scheduled report can be configured to be sent via e-mail to user
groups created from within the CommCell Console as well as external domain user
groups. However, individual external domain users will not receive the report
via e-mail if they have not previously logged on to the CommCell Console. Users
(from the user groups created from within the CommCell Console) will receive the
report e-mail regardless of their login status.
License Requirement
This feature requires a Feature License to be available in the CommServe® Server.
Review general license requirements included in
License Administration. Also,
View All Licenses provides step-by-step
instructions on how to view the license information.
Additional Features supported by Single Sign On
Single Sign On configuration can also be used for the following:
CommCell environments can be secured by limiting agent installations to
those users belonging to the following user group:
A user group assigned with Installation capabilities for the CommCell,
or
A user group assigned with Administrative Management capabilities
for the CommCell or an existing client computer within the CommCell
This feature,
disabled by default, can be enabled in the
CommCell Properties
(Security) dialog. When enabled, during the installation of an Agent, you will
be prompted with the Account Information for Agents Authentication dialog
where you must enter the username and password credentials for an
external domain user account or a CommCell user account. This authorizes the installation
of the agent on the CommCell. If you attempt to install an agent without the proper
credentials, the installation process will abort.
If Single Sign On is enabled together
with this feature, then during the installation of an Agent, the user's
credentials will be verified automatically, and if they are assigned
with Administrative Management capabilities, the Agent Authentication
dialog will not be displayed during install.
If this feature is enabled, and you want to install an
Agent on a client not yet associated to the CommCell, you must have Administrative Management capabilities
for the entire CommCell to add the new client computer. However, if executing a decoupled install where
the client computer is registered in the CommServe database prior to
the installation and you are assigned Administrative Management capabilities
for that client, you can still install this first Agent on the CommCell.
If this feature is enabled, uninstalling an agent will require
you to have Administrative Management capabilities.
This feature is not available for Express versions of the software.
Any operation performed by a user in the CommCell Console requires the user
to have the appropriate security.
A user group given association to the CommCell level will be able to perform
all actions on the CommCell. In this case all functions in the Control Panel
will be available to them.
User groups who do not have association to the CommCell level but instead
have associations to entities at lower levels will be able to perform all
actions limited to the associated entities. These users will be able to perform
functions in the Control Panel that do not affect the CommCell globally. This
non-global permission model can be useful for Multi Tenancy CommServe.
See Control
Panel for detailed information on the available Dialogs for each user group
association.
The restricted view of Control Panel will be available to users if the
allowAdminUserCapabilities parameter is set up in the Global Parameters.
Use the steps below to setup this global parameter:
Log on to the CommServe computer.
From the command prompt, navigate to <software_installation_path>\base.
Run the following command:
qoperation execscript -sn
SetKeyIntoGlobalParamTbl.sql -si allowAdminUserCapabilities -si y -si 1
A user who belongs to a user group that has a particular capability must also
be given an association at a particular level in the CommCell Console.
See Capabilities and Permitted Actions
to view a list of operations that are available to a user who belongs to a user
group that has a particular capability.
