Enable Users to Perform CommCell Functions
Enable Users to View All Objects in the CommCell Console
Restrict Visibility in the CommCell Console
Authentication for Agent Installs
Capabilities and Permitted Actions
Users have access to the resources and features of the CommCell based on the following:
Using this approach, a CommCell administrator can provide users with exactly the capabilities they require. These requirements can vary, depending on the tasks each user needs to perform. A CommCell administrator can also restrict the CommCell objects that a user can view, by restricting the CommCell objects that a user's member user group has an association with.
All users that perform functions within the CommCell must have a CommCell user account. This user account contains information about each user. A user can have a unique account, or use another account.
By default, a CommCell administrator user is established during the installation of the software. The user defined as the CommCell administrator user is permanent and cannot be deleted.
User Groups are named logical entities; containers to which capabilities, CommCell objects, and users are assigned. Users that are assigned to a group are granted the group's privileges as well as access to the group's object associations. The following user groups are automatically created by the installation of the software:
By default, the Master user group is automatically created during the installation of the software. This user group is assigned all available capabilities as system resources. The user you created during the installation of the software is automatically assigned to this user group. Users that are members of this user group have all available rights within the CommCell.
The View All user group allows a user to see all CommCell entities and associated schedules, regardless of the associations of the user groups to which that user has an association. Note that users cannot modify the schedules unless they created them. For more information, see Enable Users to View All Objects in the CommCell Console.
Name Servers comprise external domains and external user groups to which CommServe user groups can be associated in order to utilize the Single Sign On feature and/or to use external domain user account credentials for logging in. For more information, see Single Sign On.
You can also create Name Servers for Domino Directory Services in order to enable end-user search for Lotus Notes Domino users. However, note that Single Sign On is not supported for Domino Name Servers. For step-by-step instructions, see Add a Domain Controller for Domino Directory Services.
Each user group must be assigned capabilities and objects so that its member users can perform functions within the CommCell. A user group can be assigned all capabilities and/or all associations, or individual associations and capabilities.
Capabilities are privileges that allow users to perform a variety of functions within a CommCell. These functions include performing data protection, data recovery, and administration operations, such as license administration and administering user accounts.
CommCell Objects are levels in the CommCell that a user group can be associated with. User groups must be given permissions to these objects.
If a user is not part of the View All user group, then that user will not see CommCell objects for which the user's member user group(s) does not have associations. Furthermore, users will not be able to view the Job Controller or Event Viewer details associated with the CommCell objects for which they do not have permissions. Note that a user will not be able to view these CommCell objects upon logging onto the CommCell Console after the restrictions have been set.
A user will be able to perform functions within the CommCell after the following steps are completed:
Once the above steps are completed, the user assigned to the created user group will be able to perform the functions available from the capabilities and objects the user group is associated with. See Capabilities and Permitted Actions for a list of the specific functions a user group can perform based on capabilities and associated objects.
Create a User Account
User accounts are created for users who need to access the system. When you create a user account, you can immediately assign the account to the available user groups or leave the account unassigned. In the sample image, the user Technician was created from the General tab of the New User Properties dialog box. This user was given a password, user name, description and e-mail address.
Create a User Group
User groups must be created for users who require access to the system. Each user group represents a distinct set of users, capabilities, and CommCell objects. You can create any number of user groups, each having any combination of assigned capabilities. When planning your user group strategy, decide:
In the sample image, the user group Tech_Support was created from the General tab of the New User Group Properties dialog box. This user group was given a name and description.
Assign Capabilities to a User Group
When assigning capabilities to a user group, the capabilities you assign should match the functions you want the users of that user group to perform within the CommCell. For a complete list of capabilities, see Capabilities and Permitted Actions. In the sample image, the user group Tech_Support was assigned capabilities from the Capabilities tab of the New User Group Properties dialog box.
Assign A User To a User Group
A user can obtain the functionality of a user group by being assigned to that group. You can assign individual users or groups of users to user groups. A user can be a member of more than one group (and have all of the capabilities from each of those groups). In the sample image that follows, the user Technician was assigned to the Tech_Support user group from the Users tab of the New User Group Properties dialog box.
Associate CommCell Objects to a User Group
CommCell object associations enable members of a group to perform operations on a specific object. The nature of those operations depends on the capabilities assigned to the group. If an object, such as a client computer or higher level object, is not associated with a given user group, then the users of that group cannot perform any operations involving that client computer. The following objects can be associated with a user group:
Each of these objects supports specific functions within the CommCell. For a summary of these functions, see Capabilities and Permitted Actions.
In the sample image, the Tech_Support user group was associated at the Client level from the Security tab of the Client Computer Properties dialog box.
Once the Tech_Support user group is given association at the client level, the client level is displayed in the Associated Objects tab of the User Group Properties dialog box.
If a user is not part of the View All user group, the user can only see objects in the CommCell Console with which their member user group(s) have an association. For example, if a user is not a member of the View All user group, and user Technician of the Tech_Support user group is associated at a particular client, this user will only be able to see that client upon logging on to the CommCell Console. If this user then wants to change the storage policy of a subclient, then Tech_Support must have association at both the subclient and storage policy levels. In the sample image that follows, Tech_Support does not have association at the storage policy level. User Technician of that user group cannot select a storage policy, as the storage policies are not visible.
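A simplified model of the visibility and association rules described above, as an added example that is not part of the original documentation or the product's code. The object names, the capability name `edit-subclient`, and the rule that a single group must both hold the capability and cover every object an operation touches are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed object tree (child -> parent); all names are sample values.
PARENT = {
    "commcell": None,
    "client:fileserver01": "commcell",
    "subclient:fileserver01/default": "client:fileserver01",
    "client:db01": "commcell",
    "storage_policy:SP_Tape": "commcell",
}
CAP_EDIT = "edit-subclient"  # placeholder capability name, not a product identifier

@dataclass
class Group:
    name: str
    capabilities: set = field(default_factory=set)
    associations: set = field(default_factory=set)
    members: set = field(default_factory=set)

def covers(group, obj):
    """True if the group is associated with obj or with a higher-level object."""
    while obj is not None:
        if obj in group.associations:
            return True
        obj = PARENT.get(obj)
    return False

def can_see(user, obj, groups):
    """View All members see everything; others see only covered objects."""
    mine = [g for g in groups if user in g.members]
    return any(g.name == "View All" or covers(g, obj) for g in mine)

def can_perform(user, capability, objects, groups):
    """Assumed rule: one group must hold the capability and cover every object touched."""
    return any(user in g.members and capability in g.capabilities
               and all(covers(g, o) for o in objects) for g in groups)

def visible(user, groups):
    """Sorted list of objects the user would see in the console."""
    return sorted(o for o in PARENT if can_see(user, o, groups))

# Constructed groups mirroring the Tech_Support / Technician example.
GROUPS = [
    Group("Tech_Support", {"Browse", CAP_EDIT}, {"client:fileserver01"}, {"Technician"}),
    Group("View All", set(), set(), {"Auditor"}),
]
# Changing a subclient's storage policy touches both objects.
CHANGE_POLICY = ["subclient:fileserver01/default", "storage_policy:SP_Tape"]

if __name__ == "__main__":
    print(visible("Technician", GROUPS))
    print(can_perform("Technician", CAP_EDIT, CHANGE_POLICY, GROUPS))
    GROUPS[0].associations.add("storage_policy:SP_Tape")  # add the missing association
    print(can_perform("Technician", CAP_EDIT, CHANGE_POLICY, GROUPS))
```

Running `visible()` for every account in an exported group list is a quick way to review which users can see objects outside their intended scope, including through View All membership.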
If you want the CommCell Console to disconnect after being inactive for a certain amount of time, you can enable the Allow GUI connections to timeout option on the System dialog box. You can define the timeout in minutes for the inactive CommCell Console to disconnect.
For more information, see View Users Logged In.
The Single Sign On (SSO) feature enables users to log in to the CommServe using their user-account credentials from the Active Directory service provider. Users inherit capabilities on the CommServe based on the mapping of their Active Directory group membership to the CommServe user groups, which must include the Browse capabilities.
If the Single Sign On feature is enabled for this Active Directory domain, the login/password entry screen is bypassed, and the user is authenticated without them having to enter any login/password information. Users can also launch the CommCell Console and select Cancel before the application initiates the login process. The username field is pre-populated if the user is connecting to the CommServe, and the Active Directory domain they are currently logged into has been configured on the CommServe. Users also have the option to overwrite this username with other Active Directory user account credentials; the username must be entered in the following format: <domain name>\<user name>. When a username is entered with a domain name, the CommServe Server automatically recognizes that the password information must be authenticated by the external domain server.
Prior to enabling Single Sign On on a Name Server, note the following:
In order to enable Single Sign On, you need to first add the external domain with the CommServe for authentication purposes. When adding the domain controller, you will provide the required information to communicate with the Active Directory service provider (such as domain name, hostname of directory server, directory service type, username and password).
Note the following when adding domain controllers:
Use the following steps to add a domain controller:
1. Obtain the domain name and fully qualified domain name of the Active Directory server.
2. Ensure that LDAP is configured on the AD server:
3. From the CommCell Browser, expand the Security node, right-click Name Servers | Add New Domain and click Active Directory.
4.
5.
6.
7. Once you have registered the Domain Controller, restart the IIS services on the Web Search Server.
Once you have added the domain controller, associate certain external domain user groups (domain name\user group) with a user group defined in the CommServe. This will provide the external domain users access to the CommCell entities. Note that the CommServe user group must have Browse capabilities in order for the Single Sign On feature to work properly.
1. Ensure that the specific external user group to which the user belongs has Group Scope defined as Global on the Active Directory Domain:
2. From the CommCell Browser, navigate to Security | Name Server | <Domain Name>, right-click External Groups and select Add New Group.
3.
4.
Use the following steps to enable Single Sign On:
Once you have enabled Single Sign On on the Name Server, do the following:
Here the userName must match the Name Server registration done in the CommCell GUI.
Once configured, if necessary, users can temporarily disable the Single Sign On feature or change user credentials. For more information, see Disable Single Sign On/Change the Target CommCell from a Specific Console.
You can also register Active Directory Admin domains and Resource domains with the CommServe. The Admin domain contains the user credentials of all the users. The Resource domain includes the resources or applications that can be accessed by each user in the Admin domain. In order to enable the users in the Admin domain to access the resources in the Resource domain, you need to associate the Admin domain with the Resource domain when adding a new domain controller.
For step-by-step instructions on mapping an admin domain with the resource domain, see Associate Admin Domain with Resource Domain.
An alert can be configured to send e-mail notifications to user groups created from within the CommCell Console as well as external domain user groups. However, individual external domain users will not receive the alert notification e-mail if they have not previously logged on to the CommCell Console. Users (from the user groups created from within the CommCell Console) will receive the alert e-mail notification regardless of their login status.
A scheduled report can be configured to be sent via e-mail to user groups created from within the CommCell Console as well as external domain user groups. However, individual external domain users will not receive the report via e-mail if they have not previously logged on to the CommCell Console. Users (from the user groups created from within the CommCell Console) will receive the report e-mail regardless of their login status.
This feature requires a Feature License to be available in the CommServe® Server.
Review general license requirements included in License Administration. Also, View All Licenses provides step-by-step instructions on how to view the license information.
Single Sign On configuration can also be used for the following:
CommCell environments can be secured by limiting agent installations to those users belonging to the following user group:
This feature, disabled by default, can be enabled in the CommCell Properties (Security) dialog. When enabled, during the installation of an Agent, you will be prompted with the Account Information for Agents Authentication dialog where you must enter the username and password credentials for an external domain user account or a CommCell user account. This authorizes the installation of the agent on the CommCell. If you attempt to install an agent without the proper credentials, the installation process will abort.
To enable this feature, see Require Authentication for Agent Installation.
Any operation performed by a user in the CommCell Console requires the user to have the appropriate security.
A user group given association to the CommCell level will be able to perform all actions on the CommCell. In this case all functions in the Control Panel will be available to them.
User groups who do not have association to the CommCell level but instead have associations to entities at lower levels will be able to perform all actions limited to the associated entities. These users will be able to perform functions in the Control Panel that do not affect the CommCell globally. This non-global permission model can be useful for Multi Tenancy CommServe.
See Control Panel for detailed information on the available Dialogs for each user group association.
The restricted view of the Control Panel will be available to users if the allowAdminUserCapabilities parameter is set up in the Global Parameters. Use the steps below to set up this global parameter:
qoperation execscript -sn SetKeyIntoGlobalParamTbl.sql -si allowAdminUserCapabilities -si y -si 1
A user who belongs to a user group that has a particular capability must also be given an association at a particular level in the CommCell Console.
See Capabilities and Permitted Actions to view a list of operations that are available to a user who belongs to a user group that has a particular capability.
See the Capabilities and Permitted Actions (by Feature) to view a list of features with their required capability and the required association in the CommCell Console.
Operations performed with this feature are recorded in the Audit Trail. See Audit Trail for more information.
The User Capability Report displays the user groups and users within a CommCell.