Solved

Permissions to see the "Unusual file activity" page


Userlevel 4
Badge +15

I want to grant two staff from the internal security at my employer access to see the “Unusual file activity” information (under “Monitoring” within the Command Center) and have added them with the “View All” privilege. They can access the page but don’t see any information there. They should see:

 

But they actually see:

 

Is there a way to grant them view access without granting total root / superuser / god-like access?

Ken


Best answer by Ken_H 14 October 2022, 17:20


18 replies

Userlevel 6
Badge +12

@DMCVault    

Userlevel 7
Badge +23

@Ken_H , following up on this one.  Were you able to get an answer on this one?

If not, let me know and I can reach out to some internal folks.

Userlevel 4
Badge +15

Apologies, this kind of fell off my radar.  To answer your question:  No, I never did figure out a solution for this.

Userlevel 7
Badge +23

Ok, I’ll reach out to @MFasulo and @DMCVault .

Userlevel 7
Badge +23

I was able to speak to both of them a few minutes ago.  @DMCVault mentioned that Agent Management role is needed, but they both (at the same time) asked what the overall goal is.

Their concern is that giving people access to a report (when they can’t act upon the events) sounds more like an awareness need.

If that is the case, perhaps alerts or using webhooks to connect to a Security information and event management system is best?

Userlevel 4
Badge +15

Sorry to be such a pain about this but when I run the java GUI and navigate to Security > CommCell Users > right-click on a select user > Properties > Associated Entities > Roles, I do not see “Agent Management” as an option.  Can you provide directions on how to grant this role?

Ken

 

Userlevel 7
Badge +23

Not a pain at all, @Ken_H !!

Where are you trying to apply this (i.e. what entity)? This might be under Client Admins.

Here’s the role details (first one in the list):

https://documentation.commvault.com/2022e/expert/8298_client_permissions.html

Userlevel 4
Badge +15

I must have COVID-brain today because it seems you were suggesting that I grant the Agent Management role to the clients from my security team that need view-only access to the Unusual File Activity page (found under Monitoring within the Command Center browser interface).  However no Agent Management role exists either in the java GUI or the Command Center interface (Command Center > Manage > Security > Roles) (screen capture below).  The link you provided seems to talk about all the permissions associated with the Agent Management role but I don’t seem to be able to find it.  Is this something I have to download?

Ken

 

Userlevel 7
Badge +23

I just realized you are looking at existing Roles.  You want to look for Permissions (called Agent Management).

Roles are collections of permissions (which might include Agent Management, along with others):

https://documentation.commvault.com/2022e/expert/8176_roles_overview.html

Client Admins might have Agent Management built-in, though I’d have to dig in a bit.

Userlevel 4
Badge +15

Update:  I created a new role to contain the Agent Management permission:  Using the Java GUI, I navigated to Security > Roles > right-click > New Role “Agent Management Role”.  Right-click on “Agent Management Role” > Properties > Permissions (tab) > expand the tree under Client > Add a checkmark to “Agent Management” > OK.

I then went to the “View All” user group and added the new role.  Java GUI > Security > CommCell User Groups > View All > right-click on View All in the tree view > Properties > Associated Entities > Add > expand tree under Roles > add check to Agent Management Role > OK > OK.

Confirmed that the Security staff have the View All group and had them test.  Unfortunately, they still can’t see the Unusual File Activity page.

So… looks like more than just the Agent Management permission is needed.

Ken

Userlevel 7
Badge +23

Did you associate that to an entity?  The role has the Agent Management capability, so you just need to add that to an entity (maybe the CommCell itself if that’s the level you want).

Userlevel 4
Badge +15

One more thing:  I’ve confirmed that the bEnableSecurityOnRoles additional setting is set to True.

 

Userlevel 4
Badge +15

I created the Agent Management Role and granted it the Agent Management permission.  I then assigned the new role to the View All group so the association tab on the role shows the group.

 

Userlevel 7
Badge +23

To confirm, did you add this to any entities, like the CommCell itself?

You have the role created, 

Role-based security is typically used for administrators who need permissions on multiple entities. To use role-based security, you must create a security association between users or user groups, a role, and entities:

  • User or user group: The CommCell user or external user (for example, an Active Directory user) who is given access.

  • Role: A collection of permissions that defines the level of access granted to a user or a user group. Permissions allow users to perform tasks such as performing backup, restore, and administrative operations (for example, license administration) on entities.

  • Entity: A logical or physical component, for example, a client or a storage policy, that a user can access based on the user's role.

If you did, or even can’t, I’d open a support case.  Once you have the users in the role, you add in the client entities and it should work.  If it doesn’t, that’s definitely something we should get support to look at.

I’ve unchecked the Best Answer until you have this working as expected!

Userlevel 4
Badge +15

I’ll have to open a ticket.  I don’t see anything that allows me to link either the View All group or the Agent Management Role with an entity.

 

Userlevel 4
Badge +15

221006-660 created.

Userlevel 7
Badge +23

Thanks, @Ken_H !

Definitely very curious about what is going on here 🤓

Userlevel 4
Badge +15

Update:  Working with CommVault support, we managed to get this working.  Here’s what we did:

Step 1: Create the View Only Role

CommCell java Console > CommCell Browser > Security > Roles > right-click > New Role > “View Only Role” or other meaningful name > Permissions (tab) > expand Client > add check to Agent Management > OK.

 

Step 2: Create the View Only user group

CommCell Browser > Security > CommCell User Groups > right-click > New User Group > “View Only Group” or other meaningful name > Associated Entities (tab) > Add > select CommCell root item in treeview on the left > in “Please select Role” on the right, select the view created in step 1 > OK > OK.

 

Step 3: Add members to the new “View Only Group”

CommCell Browser > Security > CommCell User Groups > “View Only Group” from Step 1 > right-click > Properties > Members (tab) > add members as appropriate > OK.

 

Users have tested and now see information on the Unusual File Activity page within the Command Center.

Ken
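An added illustration, not part of the thread and not Commvault code: a small Python model of the user group / role / entity association discussed above, showing why a role handed to a group with no entity grants nothing while the same role associated at the CommCell root does. The client and user names, and the assumption that an association on the CommCell root applies to the clients beneath it, are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed entity tree (child -> parent); "CommCell" is the root entity.
PARENT = {"CommCell": None, "client-a": "CommCell", "client-b": "CommCell"}
# Role -> permissions, as created in Step 1.
ROLES = {"View Only Role": {"Agent Management"}}
# Constructed user -> group membership (Step 3).
MEMBERS = {"sec_analyst": {"View Only Group"}, "helpdesk": set()}

@dataclass(frozen=True)
class Association:
    principal: str            # user or user group
    role: str
    entity: Optional[str]     # None models a role given to a group with no entity

def scope_chain(entity):
    """Yield the entity and every ancestor up to the root."""
    while entity is not None:
        yield entity
        entity = PARENT[entity]

def effective_permissions(user, entity, associations):
    """Permissions the user holds on entity; all three parts must line up."""
    principals = {user} | MEMBERS.get(user, set())
    chain = set(scope_chain(entity))
    perms = set()
    for a in associations:
        if a.principal in principals and a.entity in chain:
            perms |= ROLES[a.role]
    return perms

def incomplete(associations):
    """Associations that name no entity and therefore grant nothing."""
    return [a for a in associations if a.entity is None]

# Shape of the first attempt: role given to the group, no entity chosen.
FIRST_TRY = [Association("View Only Group", "View Only Role", None)]
# Working setup (Step 2): same role, associated at the CommCell root.
WORKING = [Association("View Only Group", "View Only Role", "CommCell")]

if __name__ == "__main__":
    for name, assoc in (("first try", FIRST_TRY), ("working", WORKING)):
        print(name, effective_permissions("sec_analyst", "client-a", assoc),
              "incomplete:", len(incomplete(assoc)))
```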
