commvault.com commvault.com
Question

Security Permissions for AD User (Restricted Consoles)

  • 8 April 2024
  • 4 replies
  • 50 views
dude
Rank
Badge +15

So I`m working on permissions and making sure users only have access to the appropriate entities and interfaces.

We are AD Integrated and so all users have access to the “My data” via webconsole which is intended and works fine - Our administrators have access to everything and perform multiple backup operations throughout the day.

Since all users (admins and non-admins) are AD integrated, when I go to Command Center and select Domain Users and Restricted Consoles, add CommandCenter, CommCell Console, API etc, and hit ok - our Admins even though they are part of another group without the regular restrictions applied to regular users, they too lose access to the mentioned consoles. It kind makes sense, it applies the most restrictive permission to all Domain Users.

Any alternative here to exclude those admins from getting restricted by that Console Restriction within the domain users group?

We do not want to create local admin accounts.

https://documentation.commvault.com/2023e/essential/restricting_access_to_commvault_cloud_applications.html

4 replies

B
Rank
Userlevel 5
Badge +12

Hi @dude,

 

You are correct, when it comes to the Console restrictions we are going to apply those restrictions to all accounts that are contained in that group, even if that user exists in a different group which does not have the restriction.

 

Rather than creating local admin accounts, would it be feasible for you to add another AD group that contains all of the non-admin users?  This would allow you continue restricting the consoles at an AD group level (so that any new users get restricted upon creation without manual intervention) without negatively impacting the administrators.

 

-Brian Bruno

dude
Rank
Badge +15

Hi @dude,

Rather than creating local admin accounts, would it be feasible for you to add another AD group that contains all of the non-admin users?

Not really. Active Directory already has a group where any new users land on called “Domain Users” and this group is the one used in CV for Webconsole access. However the same group has all the admins that should have all the elevated permissions to consoles and webconsoles but being blocked even though I have a local group in CV where they are part of granting them access.

It is interesting that I even tested my account being part of the “masters” groups in CV, it will get restricted because it is part of Domain Users. Any way to prevent inheritance group permissions for a particular local group in CV?

 

J
Rank
Userlevel 4
Badge +10

As far as I am aware the only option will be to configure the restriction at another AD Group which the Administrators are not part of, that way they will not be affected by the restriction.

dude
Rank
Badge +15

Is there a way to block permissions inheritance for specific users? OR to have an exception option within the group permissions where we can add users to be excluded from the rules?

Reply


Terms & ConditionsCookie settings