User Administration and Security



Overview

Enable Users to Perform CommCell Functions

Enable Users to View All Objects in the CommCell Console

Restrict Visibility in the CommCell Console

Users Logged In

Single Sign On

Authentication for Agent Installs

Capabilities and Permitted Actions

Audit Trail

Related Reports


Overview

Users have access to the resources and features of the CommCell based on the user accounts, user groups, name servers, and capability and CommCell object associations described in the sections that follow.

Using this approach, a CommCell administrator can give users exactly the capabilities they require, which vary with the tasks each user needs to perform. A CommCell administrator can also restrict the CommCell objects that a user can view by restricting the objects that the user's user groups are associated with.

CommCell User Accounts

All users who perform functions within the CommCell must have a CommCell user account, which holds that user's information. A user can have a dedicated account or use a shared one.

By default, a CommCell administrator user is established during the installation of the software. The user defined as the CommCell administrator user is permanent and cannot be deleted.

CommCell User Groups

User Groups are named logical entities; containers to which capabilities, CommCell objects, and users are assigned. Users that are assigned to a group are granted the group's privileges as well as access to the group's object associations. The following user groups are automatically created by the installation of the software:

Master User Group

By default, the Master user group is automatically created during the installation of the software. This user group is assigned all available capabilities and is associated with all CommCell objects. The user you created during the installation of the software is automatically assigned to this user group. Users that are members of this user group have all available rights within the CommCell.

View All User Group

The View All user group allows a user to see all CommCell entities, regardless of the associations of the user groups to which that user belongs.

Name Servers

Name Servers comprise the external domains and external user groups to which CommServe user groups can be associated in order to use the Single Sign On feature and/or to log in with external domain user account credentials. For more information, see Single Sign On.

Capabilities and CommCell Objects

Each user group must be assigned capabilities and objects so that its member users can perform functions within the CommCell. A user group can be assigned all capabilities and/or all associations, or individual associations and capabilities.

Capabilities are privileges that allow users to perform a variety of functions within a CommCell. These functions include performing data protection, data recovery, and administration operations, such as license administration and administering user accounts.

CommCell Objects are levels in the CommCell that a user group can be associated with. User groups must be given permissions to these objects.

If a user is not a member of the View All user group, that user will not see CommCell objects that none of the user's user groups are associated with, nor the Job Controller or Event Viewer details for those objects. Restrictions take effect the next time the user logs on to the CommCell Console after they are set.

  • The CommCell Console allows you to restrict user access for performing various operations; the CLI interface does not enforce such restrictions, so access to the CLI itself should be limited to trusted administrators.
  • An alert can be configured to notify users of multiple failed login attempts, which may indicate that someone is trying to gain unauthorized access to the CommCell. This alert can assist in securing your CommCell environment. To configure this alert, see CommCell alert.

Enable Users to Perform CommCell Functions

A user will be able to perform functions within the CommCell after the following steps are completed:

  1. Create a user account. See Create a User Account.
  2. Create a user group. See Create a User Group.
  3. Assign that user group with a particular capability. See Assign Capabilities to a User Group.
  4. Make the user a member of the user group you created. See Assign A User To a User Group.
  5. Associate the group with a CommCell object. See Associate CommCell Objects to a User Group.

Once the above steps are completed, the user assigned to the created user group will be able to perform the functions available from the capabilities and objects the user group is associated with. See Capabilities and Permitted Actions for a list of the specific functions a user group can perform based on capabilities and associated objects.

Create a User Account

User accounts are created for users who need to access the system. When you create a user account, you can immediately assign the account to the available user groups or leave the account unassigned.

In the sample image, the user Technician was created from the General tab of the New User Properties dialog box. This user was given a password, user name, description and e-mail address.

Create a User Group

User groups must be created for users who require access to the system. Each user group represents a distinct set of users, capabilities, and CommCell objects. You can create any number of user groups, each having any combination of assigned capabilities.

When planning your user group strategy, decide:

  • Who needs access to the system?
  • What tasks will each CommCell user need to perform?
  • As an administrator, what are your security needs?

In the sample image, the user group Tech_Support was created from the General tab of the New User Group Properties dialog box. This user group was given a name and description.

Assign Capabilities to a User Group

When assigning capabilities to a user group, the capabilities you assign should match the functions you want the users of that user group to perform within the CommCell. For a complete list of capabilities, see Capabilities and Permitted Actions.

In the sample image, the user group Tech_Support was assigned capabilities from the Capabilities tab of the New User Group Properties dialog box.

Assign A User To a User Group

A user can obtain the functionality of a user group by being assigned to that group. You can assign individual users or groups of users to user groups. A user can be a member of more than one group (and have all of the capabilities from each of those groups).

In the sample image that follows, the user Technician was assigned to the Tech_Support user group from the Users tab of the New User Group Properties dialog box.

Associate CommCell Objects to a User Group

CommCell object associations enable members of a group to perform operations on a specific object. The nature of those operations depends on the capabilities assigned to the group.

If an object, such as a client computer or higher level object, is not associated with a given user group, then the users of that group cannot perform any operations involving that client computer. The following objects can be associated with a user group:

  • The CommServe
  • Client Computer Group
  • Client Computer
  • Agent
  • Backup set
  • Subclient
  • MediaAgent
  • Library
  • Storage policy

Each of these objects supports specific functions within the CommCell. For a summary of these functions, see Capabilities and Permitted Actions.

In the sample image, the Tech_Support user group was associated at the Client level from the Security tab of the Client Computer Properties dialog box.

Once the Tech_Support user group is given association at the client level, the client level is displayed in the Associated Objects tab of the User Group Properties dialog box.

Enable Users to View All Objects in the CommCell Console

The View All user group allows members of that group to see all entities in the CommCell Console, regardless of the associations of their member user groups. By default, the Automatically Add New Users to the View All Group option on the Security tab at the CommCell level is enabled, so every newly created user becomes a member of this group. Disable this option before creating users who should see only the objects their user groups are associated with.

Users can also be added to this group individually.


Restrict Visibility in the CommCell Console

If a user is not part of the View All user group, the user can only see objects in the CommCell Console that their member user group(s) have an association with.

For example, if a user is not a member of the View All user group, and user Technician of the Tech_Support user group is associated at a particular client, this user will only be able to see that client upon logging on to the CommCell Console.

If this user then wants to change the storage policy of a subclient, then Tech_Support must have association at both the subclient and storage policy levels.

In the sample image that follows, Tech_Support does not have association at the storage policy level. User Technician of that user group cannot select a storage policy, as the storage policies are not visible.

Another way of restricting visibility to users is to enable the nRestrictedViewEnabled registry key on the CommServe. Doing this will display the special user group, CV_Restricted_Visibility. Members of this user group will only be permitted to complete browse and restore operations.

When a user belongs to a user group with restricted access, the restrictions extend to the Job Controller and the Event Viewer: the user will only see Job Controller and Event Viewer details for the clients or objects their user groups are associated with and have permissions on. The restrictions take effect the next time the user logs in to the CommCell Console after being added to the restricted user group.

Users Logged In

You can view the users currently logged on to the CommCell Console via the CommCell Console or Command Line Interface. Through the Users Logged In dialog box, you can obtain the log on name of the user that is currently logged on, the host name the user logged on from, the date and time the user logged on to the CommCell Console, and the amount of time the CommCell Console has been inactive. For more information, see View Users Logged In.

If you want the CommCell Console to disconnect after being inactive for a certain amount of time, you can enable the Allow GUI connections to timeout option on the System dialog box. You can define the timeout in minutes for the inactive CommCell Console to disconnect.


Single Sign On

The Single Sign On feature enables users to log in to the CommServe with their Active Directory user account credentials. They inherit capabilities on the CommServe from the mapping of their Active Directory group membership to CommServe user groups, which must include the Browse capability. The CommServe must be a member of an Active Directory domain to support Single Sign On logins; SSO logins are not supported if the CommServe is part of a workgroup.

If the Single Sign On feature is enabled for the Active Directory domain, the login/password entry screen is bypassed and the user is authenticated without entering any login/password information. Users can also launch the CommCell Console and select Cancel before the application initiates the Single Sign On login, in which case the login screen is shown. If the user is connecting to a CommServe on which the Active Directory domain they are currently logged into has been configured, the username field is pre-populated. Users can overwrite this username with other Active Directory user account credentials; the username must be entered in the format <domain name>\<user name>. When a username is entered with a domain name, the CommServe Server automatically recognizes that the password must be authenticated by the external domain server.

LDAP

Single Sign On also supports Active Directory configured with secure Lightweight Directory Access Protocol (LDAP), which provides additional network security. If Active Directory (the external domain) is configured with secure LDAP, you can configure the external domain controller from the Add/Edit New Domain Controller dialog box to use secure LDAP for communication with the external domain. This can only be enabled when the external domain itself has been configured to use secure LDAP: if the protocol is selected in the Add/Edit New Domain Controller dialog box but not configured on the external domain, the option has no effect and the feature is not enabled.

Note that in order for Single Sign On to function, the CommServe must have LDAP, DNS and Kerberos connectivity to each domain that you wish to register for Single Sign On. If firewalls exist between the CommServe and domain controllers, these services must be able to traverse the firewall in order for Single Sign On to function.
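A quick way to verify the connectivity requirement above before registering a domain is to probe each domain controller for the three services from the CommServe. The following Python script is an added example written for this page, not Commvault code; the hostname dc01.example.test is an assumption, the port numbers are the standard ones for DNS, Kerberos and LDAP/LDAPS, and the TLS handshake check reflects the caveat above that selecting secure LDAP on the CommServe does nothing if the domain is not actually configured for it.

```python
"""Reachability check for the services the CommServe needs on each domain
controller registered for Single Sign On. Added example for this page; not
Commvault code. Run it on the CommServe so the probes cross the same firewalls."""
import socket
import ssl
import sys

# Standard TCP ports for the services the page lists (DNS, Kerberos, LDAP).
# DNS is normally UDP; this probe uses TCP/53, which a domain controller also serves.
REQUIRED = {"DNS": 53, "Kerberos": 88, "LDAP": 389}
LDAPS_PORT = 636  # only needed when secure LDAP is selected in Add/Edit New Domain Controller


def tcp_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def ldaps_handshake(host, port=LDAPS_PORT, timeout=3.0):
    """True only if a TLS session negotiates on the LDAPS port and the server
    certificate validates against the local trust store. An open port alone
    does not show that the domain is actually configured for secure LDAP."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except OSError:  # ssl.SSLError is a subclass of OSError
        return False


def check_domain_controller(host, secure_ldap=False, tcp_probe=tcp_open, tls_probe=ldaps_handshake):
    """Probe one domain controller and return {service: reachable}. The probe
    functions are parameters so the logic can be exercised without a network."""
    results = {name: tcp_probe(host, port) for name, port in REQUIRED.items()}
    if secure_ldap:
        # Both the port and a validated TLS handshake are required for secure LDAP.
        results["LDAPS"] = tcp_probe(host, LDAPS_PORT) and tls_probe(host)
    return results


def sso_ready(results):
    """Every probed service must be reachable through any intervening firewall."""
    return all(results.values())


if __name__ == "__main__":
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.test"  # assumed hostname
    report = check_domain_controller(dc, secure_ldap="--ldaps" in sys.argv)
    for service, ok in report.items():
        print(f"{service:<9} {'reachable' if ok else 'BLOCKED'}")
    sys.exit(0 if sso_ready(report) else 1)
```

Run it as `python sso_check.py dc01.example.test --ldaps` once per domain controller you intend to register; a non-zero exit code means at least one required service is blocked. A failed LDAPS handshake with the LDAP port open is the signature of a domain that has not been set up for secure LDAP.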

Configuration

Before the Single Sign On feature can be used, you must provide the information required to communicate with the Active Directory service provider (domain name, hostname of the directory server, directory service type, username and password) so that it is maintained in the CommServe database for authentication purposes. To do this, Add a New Domain Controller, which registers the external domain with the CommServe Server. Then you, or a CommServe administrator, must associate external domain user groups (domain name\user group) with user groups defined in the CommServe; this gives the external domain users access to the CommCell entities. For more information, see Add a New External User Group. The CommServe user group must have the Browse capability for the Single Sign On feature to work properly.

Once configured, if necessary, users can temporarily disable the feature or change user credentials. For more information, see Disable Single Sign On/Change the Target CommCell from a Specific Console.

Alerts

An alert can be configured to send e-mail notifications to user groups created from within the CommCell Console as well as external domain user groups. However, individual external domain users will not receive the alert notification e-mail if they have not previously logged on to the CommCell Console. Users (from the user groups created from within the CommCell Console) will receive the alert e-mail notification regardless of their login status.

Reports

A scheduled report can be configured to be sent via e-mail to user groups created from within the CommCell Console as well as external domain user groups. However, individual external domain users will not receive the report via e-mail if they have not previously logged on to the CommCell Console. Users (from the user groups created from within the CommCell Console) will receive the report e-mail regardless of their login status.

License Requirement

This feature requires a Feature License to be available in the CommServe® Server.

Review general license requirements included in License Administration. Also, View All Licenses provides step-by-step instructions on how to view the license information.

Additional Features supported by Single Sign On

Single Sign On configuration can also be used for the following:

External Active Directory users cannot log in to the CommServe from the command line.

Authentication for Agent Installs

CommCell environments can be secured by limiting agent installations to users belonging to a user group that has Administrative Management capabilities for the CommCell or for an existing client computer within the CommCell. This feature is disabled by default and can be enabled in the CommCell Properties (Security) dialog. When it is enabled, the installation of an Agent prompts you with the Account Information for Agents Authentication dialog, where you must enter the username and password of an external domain user account or a CommCell user account; this authorizes the installation of the agent in the CommCell. If you attempt to install an agent without the proper credentials, the installation aborts.

To enable this feature, see Require Authentication for Agent Installation.

  • If Single Sign On is enabled together with this feature, then during the installation of an Agent, the user's credentials will be verified automatically, and if they are assigned with Administrative Management capabilities, the Agent Authentication dialog will not be displayed during install.
  • If this feature is enabled, and you are installing the first Agent on the client computer, you must have Administrative Management capabilities for the entire CommCell to add a new client machine. However, if executing a decoupled install where the client computer is registered in the CommServe database prior to the installation and you are assigned Administrative Management capabilities for that client, you can still install this first Agent on the CommCell.

  • If this feature is enabled, uninstalling an agent will also require you to have Administrative Management capabilities.

  • This feature is not available for Express versions of the software.
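The rules in Enable Users to Perform CommCell Functions, Restrict Visibility in the CommCell Console and this section all come down to the same evaluation: which user groups a user belongs to, which capabilities each group holds, and which CommCell objects each group is associated with. The following Python model is an added example written for this page, not Commvault code. Everything beyond the page's own Technician/Tech_Support scenario is an assumption made for illustration: the sample object tree and group names, the capability name "Agent Management" for editing a subclient, the rule that an association at a higher-level object covers the objects beneath it, and the rule that the capability and the matching association must come from the same user group.

```python
"""Toy model of CommCell users, user groups, capabilities and object associations.
Added example for this page; not Commvault code. Names and rules marked
"assumed" are illustration choices, not documented product behaviour."""
from dataclasses import dataclass, field

# Assumed CommCell object tree (constructed sample). An association at a
# higher-level object is assumed to cover every object beneath it.
PARENT = {
    "commserve": None,
    "clientgroup:branch": "commserve",
    "client:fs01": "clientgroup:branch",
    "agent:fs01/filesystem": "client:fs01",
    "backupset:fs01/default": "agent:fs01/filesystem",
    "subclient:fs01/default/default": "backupset:fs01/default",
    "storagepolicy:sp-daily": "commserve",
    "mediaagent:ma01": "commserve",
}

ADMIN_MGMT = "Administrative Management"  # capability named on this page
AGENT_MGMT = "Agent Management"           # assumed name for the subclient-edit capability


def ancestors(obj):
    """Yield obj and every object above it, up to and including the CommServe."""
    while obj is not None:
        yield obj
        obj = PARENT[obj]


@dataclass
class UserGroup:
    name: str
    capabilities: set = field(default_factory=set)  # "*" stands for all capabilities (Master)
    associations: set = field(default_factory=set)  # CommCell objects the group is associated with


@dataclass
class CommCell:
    groups: dict   # group name -> UserGroup
    members: dict  # user name -> set of group names

    def _groups_of(self, user):
        return [self.groups[g] for g in self.members.get(user, ())]

    def associated(self, user, obj):
        """True if any of the user's groups is associated with obj or an object above it."""
        return any(a in g.associations
                   for g in self._groups_of(user) for a in ancestors(obj))

    def visible(self, user, obj):
        """View All members see every object; everyone else sees only associated objects."""
        return "View All" in self.members.get(user, ()) or self.associated(user, obj)

    def can(self, user, capability, obj):
        """An operation needs a group that holds the capability AND an association
        covering obj (assumed: both from the same group). Objects not registered
        in the CommCell fail closed."""
        if obj not in PARENT:
            return False
        for g in self._groups_of(user):
            has_cap = capability in g.capabilities or "*" in g.capabilities
            if has_cap and any(a in g.associations for a in ancestors(obj)):
                return True
        return False

    def can_change_storage_policy(self, user, subclient, policy):
        """Changing a subclient's storage policy needs the capability on the
        subclient plus an association at the storage policy level."""
        return self.can(user, AGENT_MGMT, subclient) and self.associated(user, policy)

    def authorize_agent_install(self, user, client):
        """Agent install authentication (uninstall takes the same path): a client
        already registered in the CommServe database (decoupled install, extra
        agent) needs Administrative Management on that client; adding a brand-new
        client needs Administrative Management for the entire CommCell."""
        target = client if client in PARENT else "commserve"
        return self.can(user, ADMIN_MGMT, target)


def sample_commcell():
    """Constructed sample reproducing the page's scenario: Tech_Support is
    associated at the client level only, and Technician is not in View All."""
    return CommCell(
        groups={
            "master": UserGroup("master", {"*"}, {"commserve"}),
            "View All": UserGroup("View All"),
            "Tech_Support": UserGroup("Tech_Support", {ADMIN_MGMT, AGENT_MGMT}, {"client:fs01"}),
        },
        members={"admin": {"master"}, "Technician": {"Tech_Support"}, "auditor": {"View All"}},
    )


if __name__ == "__main__":
    cc = sample_commcell()
    sub, sp = "subclient:fs01/default/default", "storagepolicy:sp-daily"
    print("Technician sees client:fs01:", cc.visible("Technician", "client:fs01"))              # True
    print("Technician sees storage policy:", cc.visible("Technician", sp))                       # False
    print("Technician can change policy:", cc.can_change_storage_policy("Technician", sub, sp))  # False
    print("Technician may install on fs01:", cc.authorize_agent_install("Technician", "client:fs01"))  # True
    print("Technician may add new02:", cc.authorize_agent_install("Technician", "client:new02"))  # False
```

The auditor user shows the distinction the page draws between visibility and permission: View All membership makes every object visible, but without a capability and an association in the same group the user can perform no operation on any of them. The unregistered client in the last line falls through to the CommCell-level check, which is the decoupled-install edge case described above.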

Capabilities and Permitted Actions

Any operation performed by a user in the CommCell Console requires the user to have the appropriate security rights: the user must belong to a user group that has the required capability and that is associated with the CommCell object at the relevant level.

  • The following types of operations do not require any capability or object association:
    • Modifying the default display of the CommCell Console.
    • Setting the maximum number of events to be retained in the Event Viewer.
    • Displaying the parameters available in the Control Panel.
  • For information about User Capabilities required for Recovery Director, see Overview - Recovery Director - User Capability Requirements.

Audit Trail

Operations performed with this feature are recorded in the Audit Trail. See Audit Trail for more information.


Related Reports

User Capability Report

The User Capability Report displays the user groups and users within a CommCell.

