Permissions to see the "Unusual file activity" page

@DMCVault    

@Ken_H , following up on this one.  Were you able to get an answer on this one?

If not, let me know and I can reach out to some internal folks.

Apologies, this kind of fell off my radar.  To answer your question:  No, I never did figure out a solution for this.

Ok, I’ll reach out to @MFasulo and @DMCVault .

I was able to speak to both of them a few minutes ago.  @DMCVault mentioned that Agent Management role is needed, but they both (at the same time) asked what the overall goal is.

their concern is that giving people access to a report (when they can’t act upon the events) sounds more like an awareness need.

If that is the case, perhaps alerts or using webhooks to connect to a Security information and event management system is best?

Sorry to be such a pain about this but when I run the java GUI and navigate to Security > CommCell Users > right-click on a select user > Properties > Associated Entities > Roles, I do not see “Agent Management” as an option.  Can you provide directions on how to grant this role?

Ken

Not a pain at all, @Ken_H !!

Where are you trying to apply this (i.e. what entity?).  this might be under Client Admins.

Here’s the role details (first one in the list):

https://documentation.commvault.com/2022e/expert/8298_client_permissions.html

I must have COVID-brain today because it seems you were suggesting that I grant the Agent Management role to the clients from my security team that need view-only access to the Unusual File Activity page (found under Monitoring within the Command Center browser interface).  However no Agent Management role exists either in the java GUI or the Command Center interface (Command Center > Manage > Security > Roles) (screen capture below).  The link you provided seems to talk about all the permissions associated with the Agent Management role but I don’t seem to be able to find it.  Is this something I have to download?

Ken

I just realized you are looking at existing Roles.  You want to look for Permissions (called Agent Management).

Roles are collections of permissions (which might include Agent Management, along with others):

https://documentation.commvault.com/2022e/expert/8176_roles_overview.html

Client Admins might have Agent Management built-in, though I’d have to dig in a bit.

Update:  I created a new role to contain the Agent Management permission:  Using the Java GUI, I navigated to Security > Roles > right-click > New Role “Agent Management Role”.  Right-click on “Agent Management Role” > Properties > Permissions (tab) > expand the tree under Client > Add a checkmark to “Agent Management” > OK.

I then went to the “View All” user group and added the new role.  Java GUI > Security > ComMCell User Groups > View All > right-click on View All in the tree view > Properties > Associated Entrities > Add > expand tree under Roles > add check to Agent Management Role > OK > OK.

Confirmed that the Security staff have the View All group and have them test.  Unfortunately, they still can’t see the Unusual File Activity page.

So… looks like more than just the Agent Management permission is needed.

Ken

Did you associate that to an entity?  The role has the Agent Management capability, so you just need to add that to an entity (maybe the CommCell itself if that’s the level you want).

One more thing:  I’ve confirmed that the bEnableSecurityOnRoles additional setting is set to True.

I created the Agent Management Role and granted it the Agent Management permission.  i then assigned the new role to the View All group so the association tab on the role shows the group.

To confirm, did you add this to any entities, like the CommCell itself?

You have the role created, 

Role-based security is typically used for administrators who need permissions on multiple entities. To use role-based security, you must create a security association between users or user groups, a role, and entities:

• User or user group: The CommCell user or external user (for example, an Active Directory user) who is given access.

• Role: A collection of permissions that defines the level of access granted to a user or a user group. Permissions allow users to perform tasks such as performing backup, restore, and administrative operations (for example, license administration) on entities.

• Entity: A logical or physical component, for example, a client or a storage policy, that a user can access based on the user's role.

If you did, or even can’t, I’d open a support case.  Once you have the user’s in the role, you add in the client entities and it should work.  If it doesn’t, that’s definitely something we should get support to look at.

I’ve unchecked the Best Answer until you have this working as expected!

I’ll have to open a ticket.  I don’t see anything that allows me to link either the View All group of the Agent Management Role with an entity.

221006-660 created.

Thanks, @Ken_H !

Definitely very curious about what is going on here 🤓