Does anyone else find the User Permissions overly complicated/not intuitive?
Using the built-in “View” role applied to a user group at the CommCell level, it seems as though it doesn't actually give “View” on everything.
Example: “View” only shows Command Center dashboards Overview and Activate. No virtualization or Hyperscale?
Are there any best practices from a ransomware perspective (without the obvious least permission statement) to give a user access to the whole environment for monitoring purposes, allow them to back up/restore, but prevent the ability to delete any data?
Thanks
Best answer by Christian Negron
Hello Tom,
We do not have a best practice guide for this. I did some checking on what should be removed to prevent deleting backup/archive jobs:
>Main permission to remove would be the “Configure and perform Delete Backup or Archive Data Using the CommCell Console.”
>Based on this documentation, it appears that for “Virtualization Dashboard”, the minimum “User Type” is MSP Administrator. I assume this needs the Admin Management at the Commcell level.
>I added “Admin Management” to all “entities” individually and not at the Commcell level, this behavior remained.
Entities view for reference:
===
This may be a valid CMR (to allow viewing of all dashboards without “Administrative Management” at the Commcell level).
You can submit this via Cloud.Commvault.com or by raising a case with Support.
I was about to state the same as @Tom Evans and ask for almost the same.
I wish to give my management and some other teammates (but not backup/restore operators at all) a view of the Commcell activity (jobs/history), and the possibility to simply check what kind of backup we have from a server we’re asked to check for. I’m losing time receiving such requests and answering them. It would be so much better if they could look it up by themselves.
A server could have an FS agent only, a DB agent, and could also be backed up using VSA.
So far, I never managed to create the right role with proper permissions that would allow them to have a read-only access to the web console/adminconsole to look for, like, backup type and history.
I will soon onboard a new teammate that does not master our environment at all, so in the first days, I would like to grant him access to my whole Commcell, but again with read-only rights, so he could look everywhere and see how it’s done, but not create/change anything or start a backup or restore.
Let’s forget the Java console, and focus on the Commcell console. Is such a role in the pipe?
Hi @Laurent ! What I’m seeing here shows that you need to have permissions to the items themselves within the report to actually see them in the CommCell Console, though you might be able to give them access to Metrics report: