Does anyone else find the User Permissions overly complicated/not intuitive?
Using the built-in “View” role applied to a user group at the CommCell level, it seems as though it doesn't actually give “View” on everything.
Example: “View” only shows Command Center dashboards Overview and Activate. No virtualization or Hyperscale?
Are there any best practices from a Ransomware perspective (without the obvious least permission statement) to give a user access to the whole environment for monitoring purposes, allow to backup/restore but prevent the ability to delete any data?
Best answer by Christian Negron
We do not have a best practice guide for this. I did some checking on what should be removed to prevent deleting backup/archive jobs:
>Main permission to remove would be the “Configure and perform Delete Backup or Archive Data Using the CommCell Console.”
>However, the “Administrative management” permission at the Commcell level is to be removed, which prevents seeing the Virtualization dashboard.
>In my testing, to see the Virtualization Dashboard this permission is needed.
Documentation shows that access is given based on “User Types” (submitting doc feedback for clarity on provided information):
(All dashboards are not visible by default: https://documentation.commvault.com/11.23/expert/103702_dashboards_on_command_center.html)
>Based on this documentation, it appears that for the “Virtualization Dashboard”, the minimum “User Type” is MSP Administrator. I assume this needs the Admin Management at the Commcell level.
>I added “Admin Management” to all “entities” individually and not at the Commcell level, this behavior remained.
Entities view for reference:
This may be a valid CMR (to allow viewing of all dashboards without “Administrative Management” at the Commcell level).
You can submit this via Cloud.Commvault.com or by raising a case with Support.
Dashboard (Modification requests): https://documentation.commvault.com/commvault/v11/article?p=38302.htm
Hi, sorry for the excavation.
I was about to state the same as @Tom Evans and ask for almost the same.
I wish to give my management and some other teammates (but not backup/restore operators at all) a view of the Commcell activity (jobs/history), and the possibility to simply check what kind of backup we have from a server we’re asked to check for. I’m losing time receiving such requests and answering them. It would be so much better if they could look it up by themselves.
Server could have FS agent only, DB agent, and could also be backed up using VSA.
So far, I never managed to create the right role with proper permissions that would allow them to have a read-only access to the web console/adminconsole to look for, like, backup type and history.
I will soon onboard a new teammate that does not master our environment at all, so in the first days, I would like to grant him access to my whole Commcell, but again with read-only rights, so he could look everywhere and see how it’s done, but not create/change anything or start a backup or restore.
Let’s forget the java console, and focus on the Commcell console. Is such a role in the pipe?
@Laurent! What I’m seeing here shows that you need to have permissions to the items themselves within the report to actually see them in the CommCell Console, though you might be able to give them access to Metrics report:
Let me know if this is an option.
View and run reports on CommCell Console.
Any entity that you want to view in reports such as clients, storage policies, libraries, and any other available entity in the CommCell Console.
View Metrics reports on WebConsole.
Pseudo CommCell Client/CommCell Group level or higher