Solved

User Permissions

  • 10 June 2021
  • 1 reply
  • 34 views

Userlevel 1
Badge +6

Does anyone else find the User Permissions overly complicated/not intuitive? 

Using the built-in “View” role applied to a user group at the Comcell level seems as though doesn't actually give “View” on everything.

Example: “View”  only shows Command Center dashboards Overview and Activate. No virtualization or Hyperscale?

Are there any best practices from a Ransomware perspective (without the obvious least permission statement) to give a user access to the whole environment for monitoring purposes, allow to backup/restore but prevent the ability to delete any data?

Thanks

 

icon

Best answer by Christian - Support 10 June 2021, 19:54

Hello Tom,

We do not have a best practice guide for this. I did some checking on what should be removed to prevent deleting backup/archive jobs; 

 

>Main permission to remove would be the “Configure and perform  Delete Backup or Archive Data Using the CommCell Console.” 

https://documentation.commvault.com/11.23/expert/8407_user_security_permissions_by_feature.html#delete-backup-and-archive-data

>However, “Administrative management” permission at the Commcell level to be removed which prevents from seeing the Virtualization dashboard. 

>In my testing, to see the Virtualization Dashboard this permission is needed.

==

Documentation shows that access is given based on “User Types” (submitting doc feedback for clarity on provided information):

https://documentation.commvault.com/11.23/expert/108405_dashboard_visibility_by_user.html

(All dashboards are not visible by default: https://documentation.commvault.com/11.23/expert/103702_dashboards_on_command_center.html)

>Based on this documentation, it appears for “Virtualization Dashboard, the minimum “User Type” is MSP Administrator. I assume this needs the Admin Management at the Commcell level. 

>I added “Admin Management” to all “entities” individually and not at the Commcell level, this behavior remained. 

 

 

Entities view for reference: 

 

===

 

This may be a valid CMR (to allow viewing of all dashboard without “Administrative Management” at the Commcell level. 

You can submit this via Cloud.Commvault.com or Raising a case with Support.

Dashbaord (Modification requests) : https://documentation.commvault.com/commvault/v11/article?p=38302.htm

View original

1 reply

Userlevel 1
Badge +3

Hello Tom,

We do not have a best practice guide for this. I did some checking on what should be removed to prevent deleting backup/archive jobs; 

 

>Main permission to remove would be the “Configure and perform  Delete Backup or Archive Data Using the CommCell Console.” 

https://documentation.commvault.com/11.23/expert/8407_user_security_permissions_by_feature.html#delete-backup-and-archive-data

>However, “Administrative management” permission at the Commcell level to be removed which prevents from seeing the Virtualization dashboard. 

>In my testing, to see the Virtualization Dashboard this permission is needed.

==

Documentation shows that access is given based on “User Types” (submitting doc feedback for clarity on provided information):

https://documentation.commvault.com/11.23/expert/108405_dashboard_visibility_by_user.html

(All dashboards are not visible by default: https://documentation.commvault.com/11.23/expert/103702_dashboards_on_command_center.html)

>Based on this documentation, it appears for “Virtualization Dashboard, the minimum “User Type” is MSP Administrator. I assume this needs the Admin Management at the Commcell level. 

>I added “Admin Management” to all “entities” individually and not at the Commcell level, this behavior remained. 

 

 

Entities view for reference: 

 

===

 

This may be a valid CMR (to allow viewing of all dashboard without “Administrative Management” at the Commcell level. 

You can submit this via Cloud.Commvault.com or Raising a case with Support.

Dashbaord (Modification requests) : https://documentation.commvault.com/commvault/v11/article?p=38302.htm

Reply