
Hi, I'm wondering if anyone has a multi-customer environment setup where some Commvault admins don’t have access to certain customers. That could be something like restoring data from a specific customer.

As much as possible the admins need to be full-blown admins with regard to handling infrastructure-specific tasks like restarting services on a media agent.

Is there perhaps some good approach to this way of working without it being too complicated and difficult to maintain?

I’m hoping that Commvault permissions and restrictions options work in a similar way to Microsoft access control lists on e.g. folders. Meaning that even if a person has read/write access to a folder based on AD group membership, this can be overridden by adding the person explicitly to the folder and denying the read/write option.

Also I would like to know how people differentiate or group the customers with regard to separating admins. We have customer groups which are used for e.g. network settings but I’m not sure if this will be enough. It would require some strict approach to make sure all servers are in the proper groups. Also we have seen that if a full VM is restored the restored client is not part of any group.

Hoping someone can guide me in what would be a good approach in handling the multiple customers with admin restrictions.

Thanks for the post and welcome!!

This is a good resource for each action and the required role:

https://documentation.commvault.com/2022e/expert/8407_user_security_permissions_by_feature.html

You should easily be able to apply the right roles to the correct entity and omit the ones you DON’T want them having access to.


You may want to review setting up tenants as well.

https://documentation.commvault.com/11.24/essential/43066_getting_started_with_shared_services_platform_for_multi_tenants.html


@JQEI make sure to organize your tenants into companies. There is also the possibility to move clients into an organization, which is the preferred way of setting it up in case multi-tenancy is required. Implementing this results in the ability to switch between companies within Command Center and allows access to a company to be organized via local Commvault groups. We have hooked our environment up to SAML (OKTA) and configured it such that the access to a tenant is handled through OKTA group memberships. This works absolutely great!


Hi @JQEI 

I have multiple multi-tenant environments, each with different security requirements.

I wish I could tell you that there is a simple solution when working with local groups and roles, but this is not an out-of-the-box setting if you want to completely prevent admins' access to certain companies or specific activities for companies.

The default out-of-the-box configured RBAC solution supplies either a commcell master admin or a company admin/user.
When you have master rights, even if it is blocked on company level as a user/operator you can still reset the company selection to Commcell high over and then you can still perform the activities.

In order to truly accomplish a single account with access to and ability to switch between specific tenants, but without for instance restore rights, you will need to create a custom RBAC.

Where the user is allocated in the Commcell and not at company level.
Do not assign commcell top-level rights, but place the users in a company-specific user group created specifically for this type of admin user.

Associate the correct group and role combination to the to-be-managed plans, companies general and operator ACLs. This way you can switch between companies, but still be limited according to your role specifications at every level.

In order to still have them perform activities on infrastructure level you need to assign their user group with the master or a specific admin role on specific infrastructure sections, because if you assign a role on commcell level you will get the rights on all levels due to inheritance.

This will take some designing, documenting and tweaking.
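
The inheritance effect described in the reply above, as an added example that is not part of the original thread and not Commvault code. It assumes a simplified model in which permissions are additive and flow down an entity tree; every entity, group, role and permission name is constructed. It also flags a restored client that sits outside any company, the situation raised in the original question.

```python
# Simplified model (assumption): permissions are additive and inherited down
# the entity tree. This is not Commvault's API or its evaluation engine.
# name -> (kind, parent); all names are constructed for illustration.
ENTITIES = {
    "commcell":       ("root", None),
    "infrastructure": ("infra", "commcell"),
    "media-agent-01": ("infra", "infrastructure"),
    "company-A":      ("company", "commcell"),
    "company-B":      ("company", "commcell"),
    "client-a1":      ("client", "company-A"),
    "client-b1":      ("client", "company-B"),
    "restored-vm-b1": ("client", "commcell"),  # full-VM restore, no company
}

ROLES = {  # hypothetical roles and permission names
    "master":          {"restore", "restart_services", "view"},
    "infra_admin":     {"restart_services", "view"},
    "tenant_operator": {"view"},
}

def effective(assignments, group, entity):
    """Union of permissions granted to group on entity or any ancestor."""
    perms, node = set(), entity
    while node is not None:
        for role in assignments.get((group, node), ()):
            perms |= ROLES[role]
        node = ENTITIES[node][1]
    return perms

def restorable(assignments, group):
    """Entities on which group ends up holding the restore permission."""
    return sorted(e for e in ENTITIES
                  if "restore" in effective(assignments, group, e))

def unowned_clients():
    """Clients whose parent is not a company, so company-scoped ACLs miss them."""
    return sorted(name for name, (kind, parent) in ENTITIES.items()
                  if kind == "client" and ENTITIES[parent][0] != "company")

# Design 1: master role at commcell level, meant only for infrastructure work.
TOP_LEVEL = {("ops", "commcell"): ["master"]}
# Design 2: no commcell-level role; roles scoped per entity.
SCOPED = {
    ("ops", "infrastructure"): ["infra_admin"],
    ("ops", "company-A"): ["tenant_operator"],
    ("ops", "company-B"): ["tenant_operator"],
}

if __name__ == "__main__":
    print("restore via top-level role:", restorable(TOP_LEVEL, "ops"))
    print("restore via scoped roles:  ", restorable(SCOPED, "ops"))
    print("clients outside a company: ", unowned_clients())
```
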


Thanks for all the great information. Much appreciated.

