Does anyone else find the User Permissions overly complicated/not intuitive?
Using the built-in “View” role applied to a user group at the CommCell level, it seems as though it doesn't actually give “View” on everything.
Example: “View” only shows Command Center dashboards Overview and Activate. No virtualization or Hyperscale?
Are there any best practices from a Ransomware perspective (without the obvious least permission statement) to give a user access to the whole environment for monitoring purposes, allow them to back up/restore, but prevent the ability to delete any data?
Best answer by Christian - Support
We do not have a best practice guide for this. I did some checking on what should be removed to prevent deleting backup/archive jobs:
>Main permission to remove would be the “Configure and perform Delete Backup or Archive Data Using the CommCell Console.”
>However, the “Administrative Management” permission at the CommCell level is to be removed, which prevents the user from seeing the Virtualization dashboard.
>In my testing, to see the Virtualization Dashboard this permission is needed.
Documentation shows that access is given based on “User Types” (submitting doc feedback for clarity on provided information):
(All dashboards are not visible by default: https://documentation.commvault.com/11.23/expert/103702_dashboards_on_command_center.html)
>Based on this documentation, it appears that for the “Virtualization Dashboard”, the minimum “User Type” is MSP Administrator. I assume this needs the Admin Management at the CommCell level.
>I added “Admin Management” to all “entities” individually and not at the CommCell level; this behavior remained.
Entities view for reference:
This may be a valid CMR (to allow viewing of all dashboards without “Administrative Management” at the CommCell level).
You can submit this via Cloud.Commvault.com or by raising a case with Support.
Dashboard (Modification requests): https://documentation.commvault.com/commvault/v11/article?p=38302.htm