Enable Users to Perform CommCell Functions
Enable Users to View All Objects in the CommCell Console
Restrict Visibility in the CommCell Console
Authentication for Agent Installs
Capabilities and Permitted Actions
Users have access to the resources and features of the CommCell based on the following:
Using this approach, a CommCell administrator can provide users with the exact capabilities they require. These requirements can vary, depending on the tasks each user needs to perform. A CommCell administrator can also restrict the CommCell objects that a user can view, by restricting the CommCell objects with which the user's member user group has an association.
All users that perform functions within the CommCell must have a CommCell user account. This user account contains information about each user. A user can have a unique account, or use another account.
By default, a CommCell administrator user is established during the installation of the software. The user defined as the CommCell administrator user is permanent and cannot be deleted.
User Groups are named logical entities; containers to which capabilities, CommCell objects, and users are assigned. Users that are assigned to a group are granted the group's privileges as well as access to the group's object associations. The following user groups are automatically created by the installation of the software:
By default, the Master user group is automatically created during the installation of the software. This user group is assigned all available capabilities as system resources. The user you created during the installation of the software is automatically assigned to this user group. Users that are members of this user group have all available rights within the CommCell.
The View All user group allows a user to see all CommCell entities, despite the associations of the user groups to which that user has an association.
Name Servers comprise external domains and external user groups to which CommServe user groups can be associated in order to utilize the Single Sign On feature and/or to use external domain user account credentials for logging in. For more information, see Single Sign On.
Each user group must be assigned capabilities and objects so that its member users can perform functions within the CommCell. A user group can be assigned all capabilities and/or all associations, or individual associations and capabilities.
Capabilities are privileges that allow users to perform a variety of functions within a CommCell. These functions include performing data protection, data recovery, and administration operations, such as license administration and administering user accounts.
CommCell Objects are levels in the CommCell that a user group can be associated with. User groups must be given permissions to these objects.
If a user is not part of the View All user group, then that user will not see CommCell objects for which the user's member user group(s) does not have associations. Furthermore, users will not be able to view the Job Controller or Event Viewer details associated with the CommCell objects for which they do not have permissions. Note that a user will not be able to view these CommCell objects upon logging onto the CommCell Console after the restrictions have been set.
A user will be able to perform functions within the CommCell after the following steps are completed:
Once the above steps are completed, the user assigned to the created user group will be able to perform the functions available from the capabilities and objects the user group is associated with. See Capabilities and Permitted Actions for a list of the specific functions a user group can perform based on capabilities and associated objects.
Create a User Account
User accounts are created for users who need to access the system. When you create a user account, you can immediately assign the account to the available user groups or leave the account unassigned. In the sample image, the user Technician was created from the General tab of the New User Properties dialog box. This user was given a password, user name, description and e-mail address.
Create a User Group
User groups must be created for users who require access to the system. Each user group represents a distinct set of users, capabilities, and CommCell objects. You can create any number of user groups, each having any combination of assigned capabilities. When planning your user group strategy, decide:
In the sample image, the user group Tech_Support was created from the General tab of the New User Group Properties dialog box. This user group was given a name and description.
Assign Capabilities to a User Group
When assigning capabilities to a user group, the capabilities you assign should match the functions you want the users of that user group to perform within the CommCell. For a complete list of capabilities, see Capabilities and Permitted Actions. In the sample image, the user group Tech_Support was assigned capabilities from the Capabilities tab of the New User Group Properties dialog box.
Assign A User To a User Group
A user can obtain the functionality of a user group by being assigned to that group. You can assign individual users or groups of users to user groups. A user can be a member of more than one group (and have all of the capabilities from each of those groups). In the sample image that follows, the user Technician was assigned to the Tech_Support user group from the Users tab of the New User Group Properties dialog box.
Associate CommCell Objects to a User Group
CommCell object associations enable members of a group to perform operations on a specific object. The nature of those operations depends on the capabilities assigned to the group. If an object, such as a client computer or higher level object, is not associated with a given user group, then the users of that group cannot perform any operations involving that client computer. The following objects can be associated with a user group:
Each of these objects supports specific functions within the CommCell. For a summary of these functions, see Capabilities and Permitted Actions.
In the sample image, the Tech_Support user group was associated at the Client level from the Security tab of the Client Computer Properties dialog box.
Once the Tech_Support user group is given association at the client level, the client level is displayed in the Associated Objects tab of the User Group Properties dialog box.
If a user is not part of the View All user group, the user can only see objects in the CommCell Console with which their member user group(s) have an association. For example, if a user is not a member of the View All user group, and user Technician of the Tech_Support user group is associated at a particular client, this user will only be able to see that client upon logging on to the CommCell Console. If this user then wants to change the storage policy of a subclient, then Tech_Support must have association at both the subclient and storage policy levels. In the sample image that follows, Tech_Support does not have association at the storage policy level. User Technician of that user group cannot select a storage policy, as the storage policies are not visible.
Another way of restricting visibility to users is to enable the nRestrictedViewEnabled registry key on the CommServe. Doing this will display the special user group, CV_Restricted_Visibility. Members of this user group will only be permitted to complete browse and restore operations.
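The Technician and Tech_Support visibility example above, worked through as a small Python model. This is an added example, not Commvault code or a product API. It assumes flat associations (no inheritance between object levels) and that a single group must hold both the capability and every object association involved; the object names and the capability label are constructed for illustration.

```python
from dataclasses import dataclass, field

VIEW_ALL = "View All"  # built-in user group named on this page

@dataclass
class UserGroup:
    name: str
    members: set = field(default_factory=set)
    capabilities: set = field(default_factory=set)
    associations: set = field(default_factory=set)  # (level, object name) pairs

def groups_of(user, groups):
    return [g for g in groups if user in g.members]

def visible_objects(user, groups, all_objects):
    """Objects the user sees in the console under this model."""
    mine = groups_of(user, groups)
    if any(g.name == VIEW_ALL for g in mine):
        return set(all_objects)  # View All overrides association limits
    seen = set()
    for g in mine:
        seen |= g.associations
    return seen & set(all_objects)

def can_perform(user, capability, needed_objects, groups):
    """Assumption: one group must carry the capability AND every object involved."""
    return any(
        capability in g.capabilities and set(needed_objects) <= g.associations
        for g in groups_of(user, groups)
    )

def missing_associations(user, capability, needed_objects, groups):
    """For each group holding the capability, the object associations it lacks."""
    return {
        g.name: set(needed_objects) - g.associations
        for g in groups_of(user, groups)
        if capability in g.capabilities
    }

# Constructed sample data mirroring the page's Technician / Tech_Support example.
CLIENT = ("client", "client01")
SUBCLIENT = ("subclient", "client01/default")
POLICY = ("storage policy", "SP_Main")
ALL_OBJECTS = {CLIENT, SUBCLIENT, POLICY}
CAP = "change-storage-policy"  # hypothetical capability label, not a product name
tech = UserGroup("Tech_Support", {"Technician"}, {CAP}, {CLIENT, SUBCLIENT})
GROUPS = [tech, UserGroup(VIEW_ALL, {"Auditor"})]
```

With this data, `missing_associations("Technician", CAP, [SUBCLIENT, POLICY], GROUPS)` reports the storage policy as the gap, which is the same situation the sample image describes.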
If you want the CommCell Console to disconnect after being inactive for a certain amount of time, you can enable the Allow GUI connections to timeout option on the System dialog box. You can define the timeout in minutes for the inactive CommCell Console to disconnect.
The Single Sign On feature enables users to log in to the CommServe using their user-account credentials from the Active Directory service provider. Users inherit capabilities on the CommServe based on how their Active Directory group membership is mapped to the CommServe user groups, which must include the Browse capabilities. The CommServe must be a member of an Active Directory domain in order to support Single Sign On logins. SSO logins are not supported if the CommServe is part of a workgroup.
If the Single Sign On feature is enabled for this Active Directory domain, the login/password entry screen is bypassed, and the user is authenticated without them having to enter any login/password information. Users can also launch the CommCell Console and select Cancel before the application initiates the login process. The username field is pre-populated if the user is connecting to the CommServe, and the Active Directory domain they are currently logged into has been configured on the CommServe. Users also have the option to overwrite this username with other Active Directory user account credentials; the username must be entered in the following format: <domain name>\<user name>. When a username is entered with a domain name, the CommServe Server automatically recognizes that the password information must be authenticated by the external domain server.
Single Sign On also supports Active Directory configured with secure Lightweight Directory Access Protocol (LDAP), which provides additional network security. If Active Directory (the external domain) is configured with secure LDAP, you can configure the external domain controller from the Add/Edit New Domain Controller dialog box to use secure LDAP for additional network security with the external domain. Remember that this can only be enabled when the external domain has been configured to use secure LDAP. If this protocol is enabled from the Add/Edit New Domain Controller dialog box, but not configured on the external domain, the feature is not enabled.
Note that in order for Single Sign On to function, the CommServe must have LDAP, DNS and Kerberos connectivity to each domain that you wish to register for Single Sign On. If firewalls exist between the CommServe and domain controllers, these services must be able to traverse the firewall in order for Single Sign On to function.
Before the Single Sign On feature can be used, users must provide the information required to communicate with the Active Directory service provider (such as domain name, hostname of directory server, directory service type, username and password) so that it will be maintained in the CommServe database for authentication purposes. To do this, you must Add a New Domain Controller, which registers the external domain with the CommServe Server. Once you enter this information, you, or a CommServe administrator, must associate certain external domain user groups (domain name\user group) with a user group defined in the CommServe. This will provide the external domain users access to the CommCell entities. For more information, see Add a New External User Group. Note that the CommServe user group must have Browse capabilities in order for the Single Sign On feature to work properly.
Once configured, if necessary, users can temporarily disable the feature or change user credentials. For more information, see Disable Single Sign On/Change the Target CommCell from a Specific Console.
An alert can be configured to send e-mail notifications to user groups created from within the CommCell Console as well as external domain user groups. However, individual external domain users will not receive the alert notification e-mail if they have not previously logged on to the CommCell Console. Users (from the user groups created from within the CommCell Console) will receive the alert e-mail notification regardless of their login status.
A scheduled report can be configured to be sent via e-mail to user groups created from within the CommCell Console as well as external domain user groups. However, individual external domain users will not receive the report via e-mail if they have not previously logged on to the CommCell Console. Users (from the user groups created from within the CommCell Console) will receive the report e-mail regardless of their login status.
This feature requires a Feature License to be available in the CommServe® Server.
Review general license requirements included in License Administration. Also, View All Licenses provides step-by-step instructions on how to view the license information.
Single Sign On configuration can also be used for the following:
External Active Directory users cannot log in to the CommServe from the command line.
CommCell environments can be secured by limiting agent installations to only those users belonging to a user group assigned with Administrative Management capabilities for the CommCell or an existing Client computer within the CommCell. This feature, disabled by default, can be enabled in the CommCell Properties (Security) dialog. When enabled, during the installation of an Agent, you will be prompted with the Account Information for Agents Authentication dialog where you must enter the username and password credentials for an external domain user account or a CommCell user account. This authorizes the installation of the agent on the CommCell. If you attempt to install an agent without the proper credentials, the installation process will abort.
To enable this feature, see Require Authentication for Agent Installation.
Any operation performed by a user in the CommCell Console requires the user to have the appropriate security. A user who belongs to a user group that has a particular capability must also be given an association at a particular level in the CommCell Console.
Operations performed with this feature are recorded in the Audit Trail. See Audit Trail for more information.
The User Capability Report displays the user groups and users within a CommCell.