Question

Security Permissions for AD User (Restricted Consoles)


dude
Byte

So I'm working on permissions and making sure users only have access to the appropriate entities and interfaces.

We are AD Integrated and so all users have access to the “My data” via webconsole which is intended and works fine - Our administrators have access to everything and perform multiple backup operations throughout the day.

Since all users (admins and non-admins) are AD integrated, when I go to Command Center and select Domain Users and Restricted Consoles, add CommandCenter, CommCell Console, API etc., and hit OK, our admins, even though they are part of another group without the regular restrictions applied to regular users, lose access to the mentioned consoles too. It kind of makes sense: it applies the most restrictive permission to all Domain Users.

Any alternative here to exclude those admins from getting restricted by that Console Restriction within the domain users group?

We do not want to create local admin accounts.

https://documentation.commvault.com/2023e/essential/restricting_access_to_commvault_cloud_applications.html

4 replies

  • Vaulter
  • 166 replies
  • April 8, 2024

Hi @dude,

 

You are correct, when it comes to the Console restrictions we are going to apply those restrictions to all accounts that are contained in that group, even if that user exists in a different group which does not have the restriction.

 

Rather than creating local admin accounts, would it be feasible for you to add another AD group that contains all of the non-admin users? This would allow you to continue restricting the consoles at an AD group level (so that any new users get restricted upon creation without manual intervention) without negatively impacting the administrators.

 

-Brian Bruno


dude
Byte
  • Author
  • Byte
  • 316 replies
  • April 8, 2024
Brian Bruno wrote:

Hi @dude,

Rather than creating local admin accounts, would it be feasible for you to add another AD group that contains all of the non-admin users?

Not really. Active Directory already has a group called “Domain Users” where any new users land, and this group is the one used in CV for Webconsole access. However, the same group has all the admins that should have all the elevated permissions to consoles and webconsoles, but they are being blocked even though I have a local group in CV that they are part of, granting them access.

It is interesting that I even tested my account being part of the “masters” groups in CV, it will get restricted because it is part of Domain Users. Any way to prevent inheritance group permissions for a particular local group in CV?

 


  • Vaulter
  • 241 replies
  • April 9, 2024

As far as I am aware the only option will be to configure the restriction at another AD Group which the Administrators are not part of, that way they will not be affected by the restriction.
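
The behaviour described in the replies above (a console restriction on any group a user belongs to applies, regardless of their other groups) can be modelled to audit a planned restriction before applying it. This is an added example, not Commvault code or part of the original posts; the user names, the group names "Backup Admins" and "CV Restricted Users", and the "Web Console" entry are constructed assumptions.

```python
# Constructed sample data: group and user names are hypothetical.
AD_GROUPS = {
    "Domain Users": {"alice", "bob", "carol", "dave"},
    "Backup Admins": {"carol", "dave"},
}
ALL_CONSOLES = {"Command Center", "CommCell Console", "API", "Web Console"}


def effective_consoles(user, groups, restrictions):
    """Consoles a user can still reach. A restriction on ANY group the user
    belongs to applies, even if another group carries no restriction."""
    blocked = set()
    for group, members in groups.items():
        if user in members:
            blocked |= restrictions.get(group, set())
    return ALL_CONSOLES - blocked


def locked_out_admins(groups, restrictions, admin_group):
    """Pre-change audit: admins who would lose at least one console."""
    return sorted(
        u for u in groups[admin_group]
        if effective_consoles(u, groups, restrictions) != ALL_CONSOLES
    )


def with_non_admin_group(groups, base_group, admin_group, new_group):
    """Return a copy of groups plus new_group = base_group minus admins."""
    updated = dict(groups)
    updated[new_group] = groups[base_group] - groups[admin_group]
    return updated


RESTRICT = {"Command Center", "CommCell Console", "API"}

# Plan A (the thread's starting point): restrict Domain Users directly.
plan_a = {"Domain Users": RESTRICT}
# Plan B (suggested in the replies): restrict a dedicated non-admin group.
groups_b = with_non_admin_group(AD_GROUPS, "Domain Users", "Backup Admins",
                                "CV Restricted Users")
plan_b = {"CV Restricted Users": RESTRICT}

if __name__ == "__main__":
    print("Plan A locks out:", locked_out_admins(AD_GROUPS, plan_a, "Backup Admins"))
    print("Plan B locks out:", locked_out_admins(groups_b, plan_b, "Backup Admins"))
    print("alice under plan B:", sorted(effective_consoles("alice", groups_b, plan_b)))
```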


dude
Byte
  • Author
  • Byte
  • 316 replies
  • April 11, 2024

Is there a way to block permissions inheritance for specific users? OR to have an exception option within the group permissions where we can add users to be excluded from the rules?

