Access Control
Access Control Concepts
This section describes Ops Center Protector's access control features.
About Role Based Access Control (RBAC)
Role Based Access Control (RBAC) is a framework for defining what a user can see and do within Protector. Users are only allowed to perform activities that are contained within the roles they are assigned. Furthermore, they can only perform those activities on the resources to which they have access.
When setting up access control, the following must be defined:
- How a user's credentials will be verified (Authentication).
- What rights of access a user will be granted (Authorisation).
About Access Permissions
Data flows, policies, schedules and notifications are created in Protector to configure its behaviour. Access to these configuration objects is controlled by granting Permissions. Permissions determine if a particular user or group has Read Only Access or Read Write Access to a configuration object.
Permissions are a secondary access check within Protector.
Taking policies as an example:
The system first checks whether the user has the RBAC activity View Policies. If they don't, they can see no policies at all. If they do, the system then checks the Permission on each policy that exists. For example:
- Policy1 was created by Paul@Contoso.com, who therefore has READ/WRITE access to it (he can see and edit Policy1).
- Policy2 was created by Ian@Contoso.com, who has READ/WRITE access (Ian can see Policy2; Paul cannot).
- Policy3 was created by Ian@Contoso.com (READ/WRITE) and shared with Paul@Contoso.com with READ access. Paul can see Policy3 but cannot edit it.
- Policy4 was created by Ian@Contoso.com (READ/WRITE) and shared with the Contoso.com\Managers group with READ access. Paul is not in the Managers group, so he cannot see Policy4. Simon@Contoso.com is, so he can see Policy4 but cannot change it.
About Ops Center Protector's implementation of RBAC

An Activity is an operation (typically of the type: create, read, update or delete) that is performed on a resource, backup or other object within Protector. For example:
- a node may be created and have its properties viewed or modified.
- a data flow may be created, viewed, edited or deleted.
- a snapshot may be created, browsed, restored or retired.
Activities are arranged into Activity Groups that represent a cohesive set of activities relating to features such as Nodes, Data Flows and Logs. Activity groups make it easier to organise, locate and assign activities.
Roles contain a set of activities. For example, the role Backup Administrator is assigned to a user tasked with managing nodes, creating backup policies and restoring backups, whereas the role Security Administrator is assigned to a user responsible for authentication and authorisation of other users.
Resource Groups define a collection of physical and logical computing or storage resources that a user is permitted to access (such as groups of servers, storage devices, repositories etc.). The visibility of any given Resource within the Protector system is determined by whether that resource appears in the ACPs assigned to the user at authorization time.
Access Control Profiles combine Roles and Resource Groups to define the activities that can be carried out on groups of resources.
Authentication Spaces specify which authentication service to use for a specific user or group of users. Authentication services supported include Active Directory, LDAP, RADIUS and Local system logon. Protector enables you to simultaneously configure multiple authentication services. Protector also supports OpenID Connect to enable integration with Hitachi Ops Center's single sign-on functionality.
ACP Associations link individual users and groups of users to one or more Access Control Profiles so as to grant them the required level of authority. Authentication is performed when a user attempts to log on, by passing the user's credentials to the authentication service specified by the Authentication Space.
Backup data sets (such as the volumes and files included in a snapshot or a replicated file system) are created, archived, restored and retired by Protector as the result of executing backup policies. These backup objects store information about the resource from which the backup data originated. The visibility of the backup object (in some storage location such as a repository) is then generally governed by whether the user has access to the node from which the data originated.
To enable RBAC to be configured quickly and easily, Protector is shipped with a number of predefined Activity Groups, Roles, a default Resource Group, Access Control Profiles and an administrator level ACP Association (refer to How to configure basic role based access control). These predefined RBAC objects can, if required, be tailored to suit each customer’s specific environment, as described in How to configure advanced role based access control.
Selecting an Authentication Service
Protector can be configured to authenticate users and groups against the following:
- Local accounts on a Protector node running any supported OS.
- Accounts in Active Directory via a Protector proxy node running Windows.
- Accounts on an LDAP Server via a Protector proxy node running Linux.
- Accounts on a RADIUS server via a Protector proxy node running any supported OS.
- Accounts in Hitachi Ops Center via OpenID Connect to support single sign-on.
When a user logs in via the Protector web UI they must provide either their:
- Username – to identify themselves to Protector.
- Authentication Space - to tell Protector which authentication service to use.
- Password – to authenticate themselves.
or, if integrated with Hitachi Ops Center, be redirected to the single sign-on page to provide their Ops Center credentials.
Authentication spaces
Protector uses the concept of Authentication Spaces when authenticating users. The Authentication Space tells the Protector master node which authentication service is able to validate a specific user's login credentials. Authentication requests are routed, by the master, to the proxy node responsible for communicating with the authentication service in question.
Although it is possible to nominate the master node as the proxy, it is often the case that the master node is either not in the required space or is of the wrong OS type. Consider the following scenario:

Here the Protector master node is responsible for nodes in three separate spaces, so a separate proxy is required to communicate with each authentication service. It is possible to have different authentication service types for each space.
Each Authentication Space requires configuration within Protector. The name of the authentication space forms part of the user's login. For example:
- An Active Directory authentication space could be configured to point to the AD server ContosoDC.HV.local and could be named Contoso. Users in this AD domain must authenticate with Protector using <username>@Contoso. Here Contoso is used as an alias for ContosoDC.HV.local. If you want to use the full domain name then the authentication space must also be named using the full domain name.
- A Local Machine Accounts authentication space is configured to point to the computer TBell-Win7PC and could be named TBW7. Users with local accounts on the machine TBell-Win7PC must authenticate with Protector using <username>@TBW7. Here TBW7 is used as an alias for TBell-Win7PC. If you want to use the full computer name then the authentication space must also be named using the full computer name.
About Single Sign-On with Hitachi Ops Center
Protector can be integrated with Hitachi Ops Center and supports Ops Center's OpenID Connect based single-sign-on mechanism.
When Protector is installed with Ops Center, it is registered with Ops Center's OpenID Connect Provider. A corresponding OpenID Connect authentication space is automatically added to Protector during the registration process.
When registered with Ops Center, Protector displays a button on its login page that redirects users to Ops Center's authentication page. Once authenticated by Ops Center's authorization server, users are redirected back to the Protector UI and granted access as normal.
The OpenID Connect authentication space added to Protector can be used, in the same way as any other type of authentication space, to create the required ACP Associations that grant the required permissions.
Authorising users and restricting access
Authorisation is granted to a user, group or entire authentication space by associating it with one or more ACPs. Each ACP defines a role that the user is assigned and one or more resource groups:
- The role defines what activities the user is allowed to perform.
- The resource groups define which resources the user is able to interact with.
In practice, an ACP is constructed by considering the following:
- What responsibilities will the users be given?
- What should the users be allowed to do?
- Which nodes should be visible to the users?
Bear in mind that if a resource is not included in a user's resource group then it will not appear in any Protector view for that user, be it node lists, data flow diagrams, monitor views, reports, storage inventories, logs etc. So consider whether users should be prevented from seeing resources at all, or simply restricted in what they can do with those resources.
Default access control configuration
Access control is configured to a default setting immediately after the Protector master is installed for the first time. The Protector administrator must log on via the web UI using the <username> credentials specified during the Master installation. This user is granted full access to everything within Protector, allowing them to configure access control and any other aspect of Protector. The following access control objects are automatically defined at installation:
- The Master authentication space is used to direct authentication to the OS on the master node.
- The <Username>@Master ACP association grants the <username>@master user the built-in Default Administrator ACP.
- The Default Administrator ACP is given the role Protector Admin which allows all activities to be performed. This ACP also grants access to all nodes and all backups on any storage location.
- The default resource group includes all Protector nodes that identify themselves to the master node, be they authorised or unauthorised.
Planning roles
Roles tend to follow reasonably consistent patterns across organisations, so in a multi-tenant environment for example, it is worth considering how roles can be defined so as to be reusable across each tenant’s environment. When roles are defined at a general level they can be reused in ACPs for defining specific privileges. Thus a role such as Backup Administrator could be reused by multiple ACPs such as Accounts Backup Admin, Legal Backup Admin and Production Backup Admin. What differs between these ACPs are the accessible resources, not the activities that will be performed on them.
Protector ships with a number of pre-defined roles that can be cloned and modified or used as-is.
Planning resource groups
Resource groups are the mechanism for restricting the visibility of nodes in Protector. When a user is associated with an ACP, they will be restricted to viewing only those nodes listed in the resource groups included in that ACP.
Resource groups are typically defined based on tenancy, organisational, divisional and departmental hierarchies. These hierarchies are likely to exist already in the IT infrastructure and can thus be reused as a basis for creating resource groups.
Applying access levels
An Access Level is attached to each resource group in an ACP. The access level controls which backups (including any logs or reports relating to that backup) are visible, and can be set to one of the following:
- FULL – All backups in a given storage location (e.g. a repository) are visible to the user irrespective of where the data originated from.
- LIMITED – Backups are visible if they originated from any of the nodes contained in the ACPs assigned to the user.
For LIMITED to work, the storage node must be in the same resource group as the source nodes. For example, if a resource group contains only a storage node and a user has FULL access to it, they can see all of the backups on that node; with LIMITED access they see no backups on it, even if they have access to the source nodes through other resource groups.
A user given LIMITED access to a storage destination in their resource group only sees log messages for that destination that pertain to their own backups. A user given FULL access sees all log messages for that destination.
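The two-stage check described under About Access Permissions, the ACP model described under About Ops Center Protector's implementation of RBAC, and the FULL/LIMITED rules above can be expressed as one small decision function. The Python below is an added example written for this page; it is not Protector's code and does not use its REST API. It assumes, as noted in the comments, that Override Ownership Permissions grants visibility but not editing rights, that editing a policy additionally requires the Manage Policies activity, and that under LIMITED a backup's source node must be in the same resource group as its storage node. The users, nodes, policies and backups are constructed to reproduce the Policy1..Policy4 example.

```python
from dataclasses import dataclass, field

FULL, LIMITED = "FULL", "LIMITED"         # Access Level of a resource group within an ACP
READ, READ_WRITE = "READ", "READ_WRITE"   # Permission on a configuration object (e.g. a policy)

@dataclass(frozen=True)
class Role:
    name: str
    activities: frozenset                 # e.g. {"View Policies", "Manage Policies"}

@dataclass(frozen=True)
class ResourceGroup:
    name: str
    nodes: frozenset                      # source and storage node names alike

@dataclass
class ACP:
    name: str
    role: Role
    resource_groups: dict                 # ResourceGroup -> FULL | LIMITED

@dataclass
class Policy:
    name: str
    owner: str                            # the creator implicitly holds READ_WRITE
    shares: dict = field(default_factory=dict)   # user or group -> READ | READ_WRITE

@dataclass
class Backup:
    id: str
    storage_node: str
    source_node: str

def principals(user, groups):
    """Everything an ACP Association may be bound to for this user: the user itself,
    the groups it belongs to, and its whole authentication space (written "@Space")."""
    return {user, *groups.get(user, ()), "@" + user.split("@", 1)[1]}

def acps_for(user, groups, associations):
    return [acp for p in principals(user, groups) for acp in associations.get(p, [])]

def activities_for(user, groups, associations):
    return set().union(*(acp.role.activities for acp in acps_for(user, groups, associations)))

def visible_backups(user, groups, associations, backups):
    """FULL: every backup on a storage node in the group is visible. LIMITED: only backups
    whose source node is in the same resource group as the storage node (assumption)."""
    seen = set()
    for acp in acps_for(user, groups, associations):
        for rg, level in acp.resource_groups.items():
            for b in backups:
                if b.storage_node in rg.nodes and (level == FULL or b.source_node in rg.nodes):
                    seen.add(b.id)
    return seen

def policy_access(user, groups, associations, policy):
    """Stage 1: the RBAC activity. Stage 2: the object's Permissions.
    Returns None (not visible), READ or READ_WRITE."""
    acts = activities_for(user, groups, associations)
    if "View Policies" not in acts:
        return None
    if policy.owner == user:
        level = READ_WRITE
    else:
        shared = {policy.shares.get(p) for p in principals(user, groups)}
        level = READ_WRITE if READ_WRITE in shared else READ if READ in shared else None
    if level is None and "Override Ownership Permissions" in acts:
        level = READ                      # assumption: override grants visibility, not editing
    if level == READ_WRITE and "Manage Policies" not in acts:
        level = READ                      # assumption: editing also needs the Manage activity
    return level

def demo():
    """Constructed data reproducing the Policy1..Policy4 example from the page."""
    backup_admin = Role("Backup Administrator",
                        frozenset({"View Policies", "Manage Policies", "View Storage Nodes"}))
    viewer = Role("Viewer", frozenset({"View Policies"}))
    prod = ResourceGroup("Production", frozenset({"web01", "db01", "repo01"}))
    repo_only = ResourceGroup("Repository only", frozenset({"repo02"}))
    admin_acp = ACP("Production Backup Admin", backup_admin, {prod: LIMITED, repo_only: LIMITED})
    auditor_acp = ACP("Auditor", viewer, {repo_only: FULL})
    groups = {"Simon@Contoso": {"Contoso\\Managers"}}
    associations = {"Paul@Contoso": [admin_acp], "Ian@Contoso": [admin_acp],
                    "Contoso\\Managers": [auditor_acp]}
    policies = [Policy("Policy1", owner="Paul@Contoso"),
                Policy("Policy2", owner="Ian@Contoso"),
                Policy("Policy3", owner="Ian@Contoso", shares={"Paul@Contoso": READ}),
                Policy("Policy4", owner="Ian@Contoso", shares={"Contoso\\Managers": READ})]
    backups = [Backup("b1", storage_node="repo01", source_node="db01"),
               Backup("b2", storage_node="repo01", source_node="legacy01"),
               Backup("b3", storage_node="repo02", source_node="db01")]
    return {
        "paul": {p.name: policy_access("Paul@Contoso", groups, associations, p) for p in policies},
        "simon": {p.name: policy_access("Simon@Contoso", groups, associations, p) for p in policies},
        "paul_backups": visible_backups("Paul@Contoso", groups, associations, backups),
        "simon_backups": visible_backups("Simon@Contoso", groups, associations, backups),
    }
```

In demo(), Paul holds LIMITED on a resource group that contains only repo02, so backup b3 stays invisible to him even though its source node db01 is in his other resource group; that is the caveat stated above. Simon, whose group has FULL on the same resource group, sees b3 without any access to db01.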
Access Control UI Reference
This section describes the Access Control UI, accessed via the Navigation Sidebar.
Login Page
The user enters their credentials on this page in order to gain access to the web based user interface.

Control | Description |
Username@AuthenticationSpace | Enter the username and Authentication Space in the format Username@AuthenticationSpace. Authentication Spaces are configured via the Access Control Authentication Spaces Inventory. |
Password | Enter the password for the given username |
![]() | Click to login. If authentication succeeds, the Default Dashboard will be displayed. If authentication fails for any reason, a message will be displayed just below the Username and Password fields. |
Login with | When Protector is integrated with Hitachi Ops Center, this button is displayed to enable users to log in using SSO (Single Sign-On). The name of the OpenID Connect authentication space is displayed on the button. In this case the Username@AuthenticationSpace and Password fields should be left empty; the user is redirected to the appropriate SSO authentication page. |
Access Control Dashboard
This dashboard enables the configuration of role based access control (RBAC) for users and groups who interact with Protector.

Control | Description |
![]() | Opens the Access Control Profile Associations Inventory |
![]() | Opens the Access Control Authentication Spaces Inventory |
![]() | Opens the Access Control Profiles Inventory |
![]() | Opens the Access Control Roles Inventory |
![]() | Opens the Access Control Resource Groups Inventory |
Access Control Profile Associations Inventory
This inventory details all defined ACP Associations. ACP Associations link individual users, groups of users, or all users in an entire authentication space to one or more Access Control Profiles. This in turn governs what activities users are able to perform within Protector, and on which resources.

Control | Description |
![]() | Select the Summary option from the drop down menu in the Navigation Breadcrumbs to view the Access Control Summary. |
![]() | Edits an existing ACP Association in the inventory. The Access Control Profile Association Wizard is launched to enable the ACP Association's attributes to be changed. |
![]() | Enabled only when one or more ACP Associations are selected. Deletes the selected items from the inventory. The associated Authentication Space and ACP are not deleted. |
![]() | Creates a new ACP Association. The Access Control Profile Association Wizard is launched to guide you through the process. |
System generated ACP Association(s) | At least one system generated ACP Association is available when the product is installed. It associates an account chosen at installation time with a built-in ACP that provides the Protector Administrator role. This association cannot be deleted since it is necessary for initial login and configuration of access control by the application installer. System generated ACP Associations are marked with a ![]() |
User defined ACP Association(s) | Any number of user defined ACP Associations can be created. These are displayed in the inventory and are marked with an Authentication Space, Group or User icon depending on whether the ACP is associated with an entire Authentication Space, a group or an individual user. ACP Associations must be defined in order to grant users access to the web and command line interfaces. Click on an association to display the Access Control Profile Association Details, where it can be viewed and edited. |
Filter on ACP Association Name | Filters the displayed results based on the name. |
Filter on Type | Filters the displayed results based on the association type (Authentication Space, Group or User). |
Access Control Profile Association Wizard

Control | Description |
Name | Enter the name of the ACP association. |
Description | Optional. Enter a short description of the ACP association. |

Control | Description |
User Name | The name of the user to associate with the ACP. |

Control | Description |
Authentication Space | The name of the Authentication Space from which the group is to be selected. Enter or select an Authentication Space from the drop down list, then click Browse to view a list of Groups for an Authentication Space. The selected Group will be automatically entered in the Group Name field below. |
Group Name | The name of the group to associate with the ACP. |
Path to Group | Provide the path to the required OU, using '/' as the path delimiter. For example, the following AD structure defines a Managers group within three different OUs:
Here Path to Group must be set to one of the following, depending on which Managers group is required:
|

Control | Description |
Authentication Space | The name of the Authentication Space to associate with the ACPs. Note: All users and groups within the Authentication Space will be associated with the chosen ACPs. |

Control | Description |
Available Profiles | Lists the available Access Control Profiles. Click on one or more of them to add them to the ACP Association. |
Selected Profiles | Lists the selected Access Control Profiles. Click on one or more of them to remove them from the ACP Association. |
Access Control Profile Association Details

Control | Description |
![]() | Launches the Access Control Profile Association Wizard to enable the association to be edited. |
![]() | Click on the link on the ACP tile to open the Access Control Profile Details to enable the ACPs to be viewed and edited. |
![]() | Click on the Role link on the ACP tile to open the Access Control Role Details to enable the Role to be viewed and edited. |
Filter on Access Control Profile Name | Filters the displayed ACPs based on the name. |
Access Control Authentication Spaces Inventory
This inventory lists all defined Authentication Spaces. These specify the authentication services that Protector uses to authenticate users when they log in.

Control | Description |
![]() | Select the Summary option from the drop down menu in the Navigation Breadcrumbs to view the Access Control Summary. |
![]() | Edits an existing Authentication Space in the inventory. The Access Control Authentication Space Wizard is launched to enable the Authentication Space's attributes to be changed. |
![]() | Enabled only when one or more Authentication Spaces are selected. Deletes the selected items from the inventory. |
![]() | Creates a new Authentication Space. The Access Control Authentication Space Wizard is launched to guide you through the process. |
System generated Authentication Space | A system generated Authentication Space is available when the product is installed. It defines where the local administrator account(s) on the master machine are authenticated. This Authentication Space cannot be deleted since it is necessary for initial login and configuration of access control by the application installer. The system generated Authentication Space is marked with a ![]() |
OpenID Connect Authentication Space(s) | When Protector is integrated with Hitachi Ops Center, an OpenID Connect Authentication Space is automatically created to support single sign-on. Click on the name of the Authentication Space to open the Access Control Authentication Space Details. Note: OpenID Connect Authentication Spaces cannot be created via the UI. |
User defined Authentication Space(s) | Any number of user defined Authentication Spaces can be created. These are displayed in the inventory and can be based on Active Directory, Local Machine, RADIUS or Stand-alone LDAP authentication servers. Click on the name of the Authentication Space to open the Access Control Authentication Space Details. |
![]() | Filters the displayed results based on the Authentication Space name. |
Filter on Type | Filters the displayed results based on the Authentication Space server type. |
Access Control Authentication Space Wizard
This wizard is launched when a new Authentication Space is added to the Authentication Spaces Inventory.

Control | Description |
Name | Enter a name for the Authentication Space. |
Description | Optional. Enter a short description of the Authentication Space. |

Control | Description |
Proxy | Type or select a Protector node that has a connection to the required Active Directory service. Note: The AD Proxy must be a Windows node. Tip: To avoid the proxy becoming a single point of failure for authentication, select a clustered node where possible. |
Active Directory Domain Name | Enter the AD domain name, e.g. Contoso.com |

Control | Description |
Authentication Node | Type or select a Protector node that will provide local authentication using the OS's authentication service. |

Control | Description |
Proxy | Type or select a Protector node that has a connection to the required RADIUS server. |
Host Name / IP Address | Specify the IP address or DNS resolvable name of the required RADIUS server. |
Port | Specify the IP port number or use the default port number (1812). |
Secret Key | Specify the Secret Key for the RADIUS server. |
Timeout | Specify the timeout period in seconds. |
Retry Count | Specify the number of times a retry should be performed. |

Control | Description |
Proxy | Type or select a Protector node that has a connection to the required LDAP server. Note: The LDAP proxy must be a Linux node (see Selecting an Authentication Service). |
Server URI | Enter the URI of the required LDAP server in the format ldap://domain or ldaps://domain |
Server Port | Enter the LDAP server port number if different from the default value. The default is 636 when connecting over SSL, otherwise it is 389. |
Base DN | Enter the base Distinguished Name from which searches for users and groups are performed, in LDAP DN format (e.g. dc=mydomain, dc=com). |
Bind Using | Select how to bind to the server: anonymously, or with a specified account (Bind using specified account). |
Bind Account DN | Enabled only if Bind using specified account is selected. Enter the DN of the account used to perform the initial searches, in LDAP DN format (e.g. cn=Admin, ou=Users, dc=mydomain, dc=com). This account is needed to look up a user's DN from their UID: users log into Protector with a UID (e.g. bmortimer@mydomain.com), but the LDAP bind requires the user's DN, which is found by searching with this account. If no account is supplied, the LDAP server must support anonymous bind. |
Bind Account Password | Enabled only if Bind using specified account is selected. The password of the bind account. It is stored in encrypted form within Protector until needed. If not set, the server must support anonymous bind. |
TLS Configuration | Click to specify TLS configuration options. See below. |
Advanced Configuration | Click to specify advanced configuration options. See below. |

Control | Description |
TLS Request Certificate Check | Determines how the Protector LDAP client treats the server certificate when connecting over TLS. |
TLS CA Certificate Directory | Specifies path to the directory containing CA certificate files for the server. |
TLS CA Certificate File | Specifies the CA certificate file for the server. |

Control | Description |
Person Filter | Enter a search filter, in RFC 2254 (now RFC 4515) format, used to look up users. |
Group Filter | Enter a search filter, in RFC 2254 (now RFC 4515) format, used to look up groups. |
Group Strategy | Specifies the strategy used to look up a user's groups on the LDAP server. |
Group Member attribute | Used to look for a group’s users or a user’s groups. |
Group Member Type | Specifies the type of value stored in the Group Member attribute. |
CN Attribute | Name of the attribute holding Common Name (CN). |
DN Attribute | Name of the attribute holding Distinguished Name (DN). |
UID Attribute | Name of the attribute holding the user ID; the default is uid. |
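The Base DN, Bind Account, Person Filter and Group Member settings above describe a lookup sequence: bind with the bind account, search under the Base DN with the Person Filter to turn the login UID into a DN, bind as that DN with the user's password, then find the user's groups through the Group Member attribute. The Python below is an added example of that sequence run against an in-memory stand-in for the directory; it is not Protector's code and uses no LDAP library. The `{uid}` placeholder in the filter template, the DN-or-UID values for Group Member Type and the directory contents are this example's own assumptions. Its point is the practitioner caveat: the UID comes from the login form, so it must be escaped per RFC 4515 before it is substituted into the filter, and the lookup should insist on exactly one match.

```python
import re

# RFC 4515 (which obsoletes RFC 2254) requires these characters in an
# assertion value to be escaped as a backslash followed by two hex digits.
_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    """Escape a user-supplied value before substituting it into a filter."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)

def _unescape(value):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(text):
    """Parse the RFC 4515 subset used here: (&...), (|...) and (attr=value)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|":
            op, items = text[pos], []
            pos += 1
            while text[pos] == "(":
                items.append(node())
            pos += 1                      # the closing ')' of the &/| group
            return (op, items)
        end = text.index(")", pos)        # an escaped ')' is \29, so this is the real close
        attr, _, val = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.lower(), val)

    tree = node()
    if pos != len(text):
        raise ValueError(f"trailing data after filter: {text[pos:]!r}")
    return tree

def _value_matches(pattern, actual):
    # An unescaped '*' is a wildcard; everything else (escapes included) is literal.
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), actual, re.IGNORECASE) is not None

def matches(tree, entry):
    if tree[0] == "&":
        return all(matches(t, entry) for t in tree[1])
    if tree[0] == "|":
        return any(matches(t, entry) for t in tree[1])
    _, attr, val = tree
    return any(_value_matches(val, a) for a in entry.get(attr, []))

def search(directory, base_dn, filter_text):
    """Return the DNs under base_dn whose attributes satisfy the filter."""
    tree = parse_filter(filter_text)
    return [dn for dn, attrs in directory.items()
            if dn.lower().endswith(base_dn.lower()) and matches(tree, attrs)]

def resolve_user_dn(directory, base_dn, person_filter, uid, escape=True):
    """The UID -> DN lookup performed with the bind account before binding as the user.
    '{uid}' as the placeholder in person_filter is this example's convention."""
    value = escape_filter_value(uid) if escape else uid
    hits = search(directory, base_dn, person_filter.replace("{uid}", value))
    if len(hits) != 1:
        raise LookupError(f"expected exactly one entry for uid {uid!r}, got {len(hits)}")
    return hits[0]

def groups_of(directory, base_dn, group_filter, member_attr, member_type, user_dn, uid):
    """Groups whose member_attr lists the user, by DN or by UID (assumed member types)."""
    key = user_dn if member_type == "DN" else uid
    return [dn for dn in search(directory, base_dn, group_filter)
            if any(v.lower() == key.lower() for v in directory[dn].get(member_attr.lower(), []))]

# Constructed stand-in for the directory; attribute names are lower-cased.
DIRECTORY = {
    "uid=bmortimer,ou=Users,dc=mydomain,dc=com": {"objectclass": ["person"], "uid": ["bmortimer"]},
    "uid=asmith,ou=Users,dc=mydomain,dc=com": {"objectclass": ["person"], "uid": ["asmith"]},
    "cn=Managers,ou=Groups,dc=mydomain,dc=com": {
        "objectclass": ["groupOfNames"],
        "member": ["uid=bmortimer,ou=Users,dc=mydomain,dc=com"]},
}
BASE_DN = "dc=mydomain,dc=com"
PERSON_FILTER = "(&(objectClass=person)(uid={uid}))"
GROUP_FILTER = "(objectClass=groupOfNames)"
```

With escaping, a login name of `*` becomes `\2a` and matches nothing; without escaping the same filter matches every person under the Base DN, and only the exactly-one-hit check in resolve_user_dn stops the lookup from silently returning the first user's DN for someone else's password attempt.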
Access Control Authentication Space Details
This page displays the details of an Access Control Authentication Space and enables you to launch the wizard to edit them.

Control | Details |
![]() | Launches the appropriate Access Control Authentication Space Wizard to enable the Authentication Space to be edited |
Access Control Profiles Inventory
This inventory lists all defined Access Control Profiles (ACPs). These associate Roles with Resource Groups, thus controlling what activities are allowed on each resource.

Control | Description |
![]() | Select the Summary option from the drop down menu in the Navigation Breadcrumbs to view the Access Control Summary. |
![]() | Edits an existing ACP in the inventory. The Access Control Profile Wizard is launched to enable the ACP's attributes to be changed. |
![]() | Enabled only when one or more ACPs are selected. Creates a clone of the selected item which can then be modified. The clone is a shallow copy, in that it references the same Role and Resource Groups as the original. |
![]() | Enabled only when one or more ACPs are selected. Deletes the selected item from the inventory. The associated Role and Resource Groups are not deleted. |
![]() | Creates a new ACP. The Access Control Profile Wizard is launched to guide you through the process. |
![]() | At least one system generated ACP is available when the product is installed. It associates the system generated role Protector Administrator with the default resource group. System generated ACPs cannot be deleted since they provide a basic level of access control, and are marked with a ![]() |
![]() | Any number of user defined ACPs can be created. These are displayed in the inventory. ACPs should be defined in order to grant the required level of access to groups of resources as appropriate to the users' responsibilities. The Access Control Profile Details is displayed to enable the permissions to be viewed and edited. |
Filter on Access Control Profile Name | Filters the displayed results based on the Access Control Profile Name. |
Access Control Profile Wizard
This wizard is launched when a new ACP is added to the Access Control Profiles Inventory.

Control | Description |
Name | The name of the Access Control Profile. |
Description | Optional. A short description of the ACP. |

Control | Description |
Role | Select the role from the drop down list. The chosen role determines what activities users associated with this ACP will be able to perform. |

Control | Description |
Available Resource Groups | List of available Resources Groups. Click on one or more of the available Resource Groups to add them to the ACP. |
Selected Resource Groups | List of selected Resources Groups. The role chosen in the previous page of the wizard can be performed on these resources. Click on one or more of the Resource Groups to remove them from the ACP. |
Access Level | Select the required Access Level from the dropdown list to the right of the Selected Resource Groups entry. The access level controls the visibility of backups (including any logs or reports relating to those backups) on storage nodes within the resource group: FULL makes all backups on those storage nodes visible, whereas LIMITED makes only backups that originated from nodes in the resource group visible (see Applying access levels). Note: The access level only controls visibility. What a user can do with visible backups depends on the activities they are allowed to perform on them. A user given LIMITED access to a storage destination in their resource group only sees log messages for that destination that pertain to their own backups; a user given FULL access sees all log messages for that destination. |
Access Control Profile Details
This page displays the details of an Access Control Profile and enables you to launch the wizard to edit them.

Control | Description |
![]() | Launches the Access Control Profile Wizard to enable the ACP to be edited. |
Role | Click on the role name link to open the Access Control Role Details. |
![]() | Click on View Resource Group link on a tile to open the Access Control Resource Group Details. |
Filter on Resource Name | Filters the displayed resources groups. |
Access Control Roles Inventory
This inventory lists all defined Roles. These roles define what activities are allowed to be performed.

Control | Description |
![]() | Select the Summary option from the drop down menu in the Navigation Breadcrumbs to view the Access Control Summary. |
![]() | Edits an existing Role in the inventory. The Access Control Role Wizard is launched to enable the Role's attributes to be changed. |
![]() | Enabled only when one Role is selected. Creates a clone of the selected item which can then be modified. |
![]() | Enabled only when one or more Roles are selected. Deletes the selected item from the inventory. |
![]() | Creates a new Role. The Access Control Role Wizard is launched to guide you through the process. |
![]() | At least three system generated Roles are available when the product is installed. They define default administrator, security manager and user roles. These roles cannot be deleted since they provide a basic level of access control. System generated roles are marked with a ![]() |
![]() | Any number of user defined Roles can be created. These are displayed in the inventory. Roles should be defined in order to grant the required level of functionality appropriate to the users' responsibilities. The Access Control Role Details is displayed to enable the permissions to be viewed and edited. |
Filter on Role Name | Filters the displayed results based on the Role Name. |
Access Control Role Wizard
This wizard is launched when a new Role is added to the Roles Inventory.

Control | Description |
Name | The name of the Role. |
Description | Optional. A short description of the Role. |

Control | Description |
Activity Groups | Activity Groups contain a set of functionally cohesive Activities that are typically applied to a Role en masse. Click the + button to the left of an Activity Group to expand it and view the Activities within the group. Click the checkbox to the left of an Activity Group to apply or remove all Activities within that group for the Role. Click the checkbox to the left of an Activity to apply or remove that Activity for the Role. The checkbox to the left of an Activity Group displays a '-' instead of a tick if only some of the Activities in the group have been applied. Refer to Controlling access to UI features with Activities and Activity Groups for details on how each activity affects access to the UI. Note: The Override Ownership Permissions activity in the Permissions activity group lets users view Policies, Dataflows, Destination Templates and Schedules regardless of who created them or who they are shared with, bypassing the per-object Permissions described in About Access Permissions. Enable this activity with care. |
Activities | Activities define what a user can do within Protector via the UI and via the REST API. Click the checkbox to the left of an Activity to apply or remove the activity for the Role. |
Access Control Role Details
This page displays the details of a Role and enables you to launch the wizard to edit them.

Control | Description |
![]() | Launches the Access Control Role Wizard to enable the role to be edited. |
Controlling access to UI features with Activities and Activity Groups
Access to Protector features is controlled by the Activity Groups and Activities assigned to the user. Access to a feature can be:
- Denied completely by disabling all activities
- Set to read-only by enabling only View activities (e.g. View Policies)
- Set to full control by enabling Manage activities (e.g. Manage Policies)
- Set to enable specific functionality within some features (e.g. Trigger Operations enables policies to be triggered from the Monitor page)
The following table lists the features available in Protector, along with the Activity Groups that control general access to those features. Fine grain access control to specific functions within a feature can be achieved by enabling or disabling specific Activities.
User Interface Page | Activity Group | Activity |
Pages accessible from the Main Banner: | ||
Dashboard | Refer to Logs, Jobs, Nodes, Monitor, Policies, Data Flows and Licenses below. | |
Jobs | Monitoring | View Jobs |
Manage Jobs | ||
Logs | Logs | View Logs |
Manage Logs | ||
Purge Audit Logs | ||
Verify Audit Logs | ||
Notifications | View Log Notifications | |
Manage Log Notifications | ||
Monitor | Monitoring | View Node Statistics |
Triggering | Trigger Operations | |
Storage | Hardware Storage | Manage Hardware. Note: Enabling this option will automatically enable all other activities in this activity group regardless of their current state. |
Manage Hardware Snapshots and Clones | ||
Mount Hardware Snapshots and Clones | ||
Pause Hardware Replications | ||
Revert Hardware Snapshots | ||
Swap Hardware Replications | ||
View Hardware | ||
Repositories | View Repositories | |
Use Repositories | ||
Manage Repositories | ||
Reports | Reports | View Reports |
Manage Reports | ||
Pages accessible from the Sidebar: | ||
Nodes | Nodes | View Source Nodes |
Manage Source Nodes | ||
View Storage Nodes | ||
Manage Storage Nodes | ||
Software Updates | View Software Updates | |
Manage Software Updates | ||
Node Groups | Nodes | View Source Nodes |
Manage Source Nodes | ||
View Storage Nodes | ||
Manage Storage Nodes | ||
Policies | Policies | View Policies |
Manage Policies | ||
Data Flows | Dataflows | View Dataflows |
Manage Dataflows | ||
View Destination Templates | ||
Manage Destination Templates | ||
Rules | Manage Rules | |
Schedules | Schedules | View Schedules |
Manage Schedules | ||
Notifications | Notifications | View Notification Settings |
Manage Notification Settings | ||
Restore | Restore | Perform Restores |
Access Control | Authentication | View Authentication Spaces |
Manage Authentication Spaces | ||
Authorization | View RBAC Configuration | |
Manage RBAC Configuration | ||
Licences | Licences | View Licenses |
Manage Licenses | ||
<Item> Permissions | Permissions | Override Ownership Permissions |
If a user does not have the required Activity Group or Activity assigned to them via a Role then the user interface will prevent the user performing the activity or viewing information in one or more of the following ways:
- Suppressing display of the associated controls.
- Overlaying a warning triangle icon within the associated controls.
- Displaying an Access Denied hover hint when the user moves the cursor over the associated controls.
- Displaying an Access Denied message where the associated information would normally appear on a page, wizard or dialog.
- Displaying an Access Denied pop-up Session Notification when the request is denied by the back-end handler code.
Access Control Resource Groups Inventory
This inventory lists all defined Resource Groups. Resource Group are created to define logical groups of computing resources in the context of access control. They are distinct from Node Groups which are created to help define policies.

Controls | Description |
![]() | Select the Summary option from the drop down menu in the Navigation Breadcrumbs to view the Access Control Summary. |
![]() | Edits an existing Resource Group in the inventory. The Access Control Resource Group Wizard is launched to enable the Resource Group's attributes to be changed. |
![]() | Enabled only when one Resource Group is selected. Creates a clone of the selected item which can then be modified. |
![]() | Enabled only when one or more Resource Groups is selected. Deletes the selected item from the inventory. The associated Nodes are not deleted. |
![]() | Creates a new Resource Group. The Access Control Resource Group Wizard is launched to guide you through the process. |
![]() | One system generated Resource Group is available when the product is installed. All nodes that are listed in the Nodes Inventory are automatically added to this default resource group. This resource cannot be deleted since it provides a basic level of access control. System generated Resource Groups are marked with a ![]() |
![]() | Any number of user defined Resource Groups can be created. These are displayed in the inventory. Resource Groups should be defined in order to restrict access to nodes. The Access Control Resource Group Details is displayed to enable the permissions to be viewed and edited. |
Filter on Resource Group Name | Filters the displayed results based on the name. |
Access Control Resource Group Wizard
This wizard is launched when a new Resource Group is added to the Resource Groups Inventory.

Control | Description |
Name | Enter the name of the resource group. |
Description | Optional. Enter a short description of the resource group. |

Control | Description |
Resource Name | Searches for the resource by name. |
Available Resources | Lists the available resources. Click on the name of a resource to add it to the selected resource list. Note: If the Master node is included in a resource group then users with access to that group will also have access to administrative log messages. Access to the Master node should only be granted to administrative users. |
Selected Resources | Lists the selected resources. Click on the name of the resource to remove it from the selected resource list. |
Access Control Resource Group Details
This page displays the details of a Resource Group and enables you to launch the wizard to edit them.

Control | Description |
Edit | Launches the Access Control Resource Group Wizard to enable the group to be edited. |
Filter on Resource Name | Filters the displayed results based on name. |
Access Control Summary
This page displays Access Control settings for each user or group configured within Protector.

Tree Node | Description |
ACP Association Name | Each ACP Association defined within Protector is listed by name. Click [+] to view the related ACPs. |
ACP Name | Shows the related ACPs below the ACP Association. Click [+] to view the related Role and Resource Groups. |
Role Name | Shows the related Role below the ACP. Click [+] to view the related Activity Groups and Activities |
Activity Group Name | Shows the related Activity Groups below the Role. Click [+] to view the related Activities. |
Activity Name | Shows the related Activities below the Activity Group. |
Resource Group Name | Shows the related Resource Groups below the ACP. Click [+] to view the related Resources. |
Resource | Shows the related Resources below the Resource Group. |
Access Control Permissions Inventory
The Permissions Inventory is accessed via the Edit Permissions button on various items within the Web UI including policies, data flows and schedules. It enables read/write access for those items to be granted to specific users and groups.

Control | Description |
![]() | Edits an existing permission in the inventory. The Access Control Permissions Wizard is launched to enable the policy's attributes to be changed. |
![]() | Enabled only when one or more permissions is selected. Deletes the selected item from the inventory. |
![]() | Adds a new permission. The Access Control Permissions Wizard is launched to guide you through the process. |
![]() | By default the system adds the administrator@master user permission to controlled items and grants READ/WRITE access. The default permission provides a basic level of access control. The Access Control Permissions Wizard is launched to enable the permissions to be edited. |
![]() | Any number of user defined permission(s) can be added. These are displayed in the inventory. Permissions should be defined in order to grant the required level of access to Policies, Data Flows and other items as appropriate to the users' responsibilities. The Access Control Permissions Wizard is launched to enable the permissions to be edited. |
Access Control Permissions Wizard
This wizard is launched when a new user or group is added to the Permissions Inventory.

Control | Description |
User Name | Enter the user name and Authentication Space (username@AuthenticationSpace) or click Browse to lookup the Authentication Space and user. |
Read Access | Grants Read access to the item. |
Write Access | Grants Create, Read, Update and Delete access to the item. |

Control | Description |
Authentication Space | Select the Authentication Space from the dropdown list or click Browse to lookup the Authentication Space and group. |
Name | Enter the group name. This will be populated automatically if you click Browse. |
Path of Group | If the group name is not unique between different organisational units (OUs) in the same Authentication Space, then enter the path to the group you are referring to using '\' as delimiter. |
Read Access | Grants the group READ access to the item. |
Write Access | Grants the group CREATE, READ, UPDATE and DELETE access to the item. |
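The following is an added example, not Protector's own code: a small model of how the item permissions granted through this wizard combine with the RBAC activity check. Policies, users and the group principal are constructed; the rule that editing also requires the Manage activity, and that Override Ownership Permissions grants visibility but not write access, are this model's assumptions.

```python
"""Added example (not Protector's code): illustrative model of the two-stage
access check on configuration items such as Policies. Stage 1 is the RBAC
Activity gate (View/Manage <item type>); stage 2 is the item's permission
list. All names and items below are constructed."""
from dataclasses import dataclass, field
from typing import Optional

VIEW_ACTIVITY = {"Policy": "View Policies", "Dataflow": "View Dataflows",
                 "Destination Template": "View Destination Templates",
                 "Schedule": "View Schedules"}
MANAGE_ACTIVITY = {"Policy": "Manage Policies", "Dataflow": "Manage Dataflows",
                   "Destination Template": "Manage Destination Templates",
                   "Schedule": "Manage Schedules"}
OVERRIDE = "Override Ownership Permissions"
DEFAULT_ADMIN = "administrator@master"


@dataclass(frozen=True)
class Permission:
    principal: str        # "user@AuthenticationSpace" or "group@AuthenticationSpace"
    read: bool = False
    write: bool = False   # Write = Create, Read, Update and Delete


@dataclass
class Item:
    name: str
    kind: str             # key into VIEW_ACTIVITY / MANAGE_ACTIVITY
    owner: str            # the creator, who implicitly has READ/WRITE
    permissions: list = field(default_factory=list)

    def __post_init__(self):
        # The system adds administrator@master with READ/WRITE to every controlled item.
        self.permissions.insert(0, Permission(DEFAULT_ADMIN, read=True, write=True))


def effective_access(item: Item, user: str, groups, activities) -> Optional[str]:
    """Return 'WRITE', 'READ' or None for user on item.

    groups: the user's group principals (e.g. 'Managers@Contoso.com').
    activities: the Activities the user's Role grants.
    """
    # Stage 1: without the View activity the item is invisible whatever the permissions say.
    if VIEW_ACTIVITY[item.kind] not in activities:
        return None
    can_manage = MANAGE_ACTIVITY[item.kind] in activities

    # Stage 2: item permissions. The owner is implicitly READ/WRITE.
    read = write = False
    if item.owner == user:
        read = write = True
    principals = {user, *groups}
    for perm in item.permissions:
        if perm.principal in principals:
            read = read or perm.read or perm.write
            write = write or perm.write

    # Override Ownership Permissions makes the item visible regardless of owner or
    # permissions. Assumption of this model: it grants visibility only.
    if OVERRIDE in activities:
        read = True

    # Assumption of this model: editing needs both a write permission and the Manage activity.
    if write and can_manage:
        return "WRITE"
    return "READ" if read else None


# Constructed sample items mirroring the Policy1..Policy4 illustration.
POLICIES = {
    "Policy1": Item("Policy1", "Policy", "Paul@Contoso.com"),
    "Policy2": Item("Policy2", "Policy", "Ian@Contoso.com"),
    "Policy3": Item("Policy3", "Policy", "Ian@Contoso.com",
                    [Permission("Paul@Contoso.com", read=True)]),
    "Policy4": Item("Policy4", "Policy", "Ian@Contoso.com",
                    [Permission("Managers@Contoso.com", read=True)]),
}


def visible_policies(user, groups, activities):
    """Policies the user can see at all, with the access level for each."""
    return {name: level for name, item in POLICIES.items()
            if (level := effective_access(item, user, groups, activities)) is not None}
```

A user whose Role carries only View Policies sees their own policy as read-only, which is the intended effect of enabling View activities without the matching Manage activity.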
Access Control Transfer Permissions Dialog
This dialog is displayed when the permissions for a resource are being transferred from the current owner to a new owner.

Control | Description |
Node | Select the node that will become the owner of this resource. |
Access Control Tasks
For further information, refer to:
How to configure basic role based access control
Before you begin
You will need to have:
- A Protector account with Default Administrator ACP authority. You will already have a <Username>@Master login with this authority if you installed Protector on the Master node. If you do not have an account with this authority then you will need to request one from your Protector administrator.
- Knowledge of users and user groups who require access to Protector and their data protection roles and responsibilities.
- The details of any authentication services that you intend to use to authenticate Protector users (e.g. Active Directory, LDAP, RADIUS etc.)
Refer to Access Control Concepts and Access Control UI Reference for further information.
Protector implements RBAC to control what actions users can perform on which resources. The RBAC implementation is extremely flexible and can be configured to be as open or restrictive as an organization demands.
This procedure will allow you to get up and running quickly; however, to fully utilize RBAC's features you will need to set up a more advanced RBAC implementation. Refer to How to configure advanced role based access control for details on how to do this.
Protector includes the following built-in access control objects:
- The 'default' Resource Group that all Protector nodes are a member of by default.
- The Roles:
- Protector Admin that can perform all activities.
- Protector Security Manager that can perform all access control activities.
- Protector Operator that can view all resources and perform restore activities.
- The Access Control Profile:
- Default Administrator that can perform all activities on all (default) resources.
- The 'Master' Authentication Space that represents the local authentication service on the Master node's OS.
- The following Access Control Profile Association (depending on the UserName of the account on the Master node specified when Protector was installed):
- <UserName>@Master that represents a user that has Default Administrator privileges.
This topic explains how to implement a basic RBAC policy:
Procedure
Use a web browser to log on to the Protector user interface at: https://<Master>, where <Master> is the IP address or DNS name of the Master node.
The Login Page will be displayed.
Enter the username <UserName>@master and the associated password to log in with Default Administrator privileges.
Click the Access Control link on the Navigation Sidebar to open the Access Control Dashboard.
Create an Authentication Space that represents your organization's existing authentication service (see How to create an Authentication Space).
Create ACP Associations for each user, group or entire authentication space that requires access to Protector, using one of the built-in Access Control Profiles (see How to create an Access Control Profile Association).
You can create your own ACPs or clone an existing ACP and make changes to the clone (see How to create an access control profile and How to clone an access control profile).
It is recommended that the default ACP Association <UserName>@master is replaced with your own ACP associations, using dedicated usernames created in your organization's domain.
The default ACP Association cannot be deleted, but can be rendered unusable when the corresponding local Windows account is disabled. In the event that administrators are locked out from Protector due to access control configuration issues, this ACP Association is available as a way back in, by re-enabling the local Windows account.
Caution:
- The default ACP Association is generated automatically when Protector is installed, to enable initial configuration of access control features. This is based on the local Windows account specified during installation.
- The default <Username>@Master ACP association should be assigned to a user with the specific responsibility as the primary Protector administrator, to ensure security is not compromised.
- Access to the Master node should be strictly controlled to prevent malicious access to the Protector executables and associated configuration data.
How to configure advanced role based access control
Before you begin
You will need to have:
- A Protector account with Default Administrator authority. You will already have a <Username>@master login with this authority if you installed Protector on the Master node. If you do not have an account with this authority then you will need to request one from your Protector administrator.
- A good understanding of your organization's computing resources and the way they are managed and grouped into departments.
- Knowledge of where computing resource will be backed up to (i.e. the storage devices to be used).
- Knowledge of users and user groups who require access to Protector and their data protection roles and responsibilities.
- The details of any authentication services that you intend to use to authenticate Protector users (e.g. Active Directory, LDAP, RADIUS etc.)
Refer to Access Control Concepts and Access Control UI Reference for further information.
Protector implements Role Based Access Control (RBAC) to ensure that only those users with sufficient privileges can view or modify resources. The RBAC implementation is extremely flexible and can be configured to be as open or restrictive as an organization demands.
If you require only a basic RBAC implementation then refer to How to configure basic role based access control
Alternatively, custom roles and resource groups can be created that precisely control the nodes that are visible and the operations that can be performed on them. This topic explains how to plan and implement a custom RBAC policy:
Procedure
Identify the computing resources within your organisation, based on geographical, divisional, departmental, functional and project groupings.
These resources may be managed locally and/or centrally, and this will also dictate how they are grouped together for the purposes of access control when:
- Designing data protection policies and data flows
- Monitoring and reporting Protector performance
- Allocating and monitoring backup storage resources
- Auditing for compliance
- Administrating security and access controls
- Repurposing data for test and development
- Executing restore and disaster recovery procedures
For example, you might need to create the following resource groups in addition to the built-in default group:
(The names in this example are designed only to help illustrate how the RBAC objects are assembled into hierarchies).
- groupAccountsGlobal
- groupLegalGlobal
- groupHumanResourcesUS
- groupHumanResourcesUK
- groupDevelopmentUK
- groupProductionPrimaryUS
- groupProductionSecondaryUS
For guidance, refer to How to create a resource group.
Identify the generic roles (not the individuals) required within your organisation for administering computing resources and the associated data protection processes.
For example, you might need to create the following roles based on, or in addition to, the built-in roles:
- roleBackupAdmin
- roleComplianceAuditor
- roleSecurityAdmin
- roleDevelopmentLead
- roleProtectorUser
Define precisely what activities each role should and should not be able to perform.
Protector defines numerous Activity Groups that are cohesive collections of Activities. Normally a role would be assigned all activities in a group; however, individual activities can be assigned if fine grain control is required. For example, the Logs Activity Group contains the following Activities, which can be granted to a role en masse or individually:
- View Logs
- Manage Logs
- Purge Audit Logs
- Verify Audit Logs
For guidance on configuring Roles and their associated Activities, refer to How to create a role.
Create Access Control Profiles based on the Resource Groups and Roles identified above. These ACPs combine a Role with one or more Resource Groups.
For example, it might be necessary to create the following ACPs, in addition to the built-in Default Administrator ACP:
- acpAccountsBackupAdmin
- to allow roleBackupAdmin access to groupAccountsGlobal
- acpLegalBackupAdmin
- to allow roleBackupAdmin access to groupLegalGlobal
- acpDevelopmentBackupAdmin
- to allow roleBackupAdmin access to groupDevelopmentUK
- acpProductionBackupAdmin
- to allow roleBackupAdmin access to groupProductionPrimaryUS and groupProductionSecondaryUS
- acpDevelopmentUser
- to allow roleProtectorUser access to groupDevelopmentUK
For guidance on associating Roles with Resource Groups, refer to How to create an access control profile.
Identify how users will be authenticated by Protector.
Protector supports a number of authentication protocols. If your organization has an established AD, LDAP or RADIUS authentication service or uses local accounts, then these can be used.
For example, it might be necessary to create the following user and group accounts:
- Donald McPhee has a UID (User ID) of donald.mcphee in the Active Directory authentication service global.widgetdev.com.
An Authentication Space is created named widgetdev that refers to that AD service. He logs into Protector with the UPN (User Principal Name) donald.mcphee@widgetdev.
- Pete Traynor has a UID of traynorp in the local OS Account on the Protector node WIN7-PCEA45.
An Authentication Space is created named WIN7-PCEA45 that refers to that node. He logs in with the UPN traynorp@WIN7-PCEA45.
- Sarah Dean has a UID of svpdean in the RADIUS service uk.widgetdev.com.
An Authentication Space is created named uk.widgetdev that refers to that RADIUS service. She logs into Protector with the UPN svpdean@uk.widgetdev.
- The contract development team members are in a user group that has a UID of devteam in the LDAP authentication service datadevs.biz.
An Authentication Space is created named datadevs that refers to that LDAP service. They log in using the UPN devteam@datadevs
For guidance, refer to How to create an Authentication Space.
Associate authenticated users and user groups with Access Control Profiles (i.e. Roles and Resource Groups) so that those users are able to log on to Protector, access the resources they need and carry out the activities their roles allow.
An individual user can be associated with more than one ACP, and an ACP can be assumed by more than one user.
For example, the following ACP Associations are required:
- donald.mcphee@widgetdev and svpdean@uk.widgetdev are authorized to perform the activities defined by acpDevelopmentBackupAdmin on its associated resources.
- svpdean@uk.widgetdev is, in addition, authorized to perform the activities defined by acpProductionBackupAdmin on its associated resources.
- The entire database development team devteam@datadevs are authorized to perform the activities defined by acpDevelopmentUser on its associated resources.
- traynorp@WIN7-PCEA45 is authorized to perform the activities defined by acpAccountsBackupAdmin and acpLegalBackupAdmin on its associated resources.
For guidance on authorizing users with their respective Roles and Resource Groups, refer to How to create an Access Control Profile Association.
It is recommended that the default ACP Association <username>@master is replaced with your own ACP associations, using dedicated usernames created in your organization's domain.
Caution:
- The default ACP Association is generated automatically when Protector is installed, to enable initial configuration of access control features. This is based on the local Windows account specified during installation. Best practice states that local accounts should be disabled on the Master to reduce security vulnerabilities.
- The default <Username>@Master ACP association should be assigned to a user with the specific responsibility as primary Protector administrator, to ensure security is not compromised.
- Access to the Master node should be strictly controlled to prevent malicious access to the Protector executables and associated configuration data.
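The following is an added example, not Protector's own implementation: a small model that assembles the Resource Groups, Roles, ACPs and ACP Associations from the planning example above and answers "may this principal perform this Activity on this node?". The node names, the Activities placed in each Role and the group membership of alice@datadevs are constructed; the Activity Group contents are taken from the UI reference table.

```python
"""Added example (not Protector's code): how Resource Groups, Roles, Access
Control Profiles (ACPs) and ACP Associations combine into an authorization
decision. Object names follow the planning example; nodes and role contents
are constructed."""
from dataclasses import dataclass, field

# Activity Groups -> Activities (a subset of the UI reference table).
ACTIVITY_GROUPS = {
    "Policies": ["View Policies", "Manage Policies"],
    "Dataflows": ["View Dataflows", "Manage Dataflows"],
    "Restore": ["Perform Restores"],
    "Logs": ["View Logs", "Manage Logs", "Purge Audit Logs", "Verify Audit Logs"],
}


@dataclass
class Role:
    name: str
    activity_groups: list = field(default_factory=list)  # applied en masse
    activities: list = field(default_factory=list)       # applied individually

    def granted(self):
        acts = set(self.activities)
        for group in self.activity_groups:
            acts.update(ACTIVITY_GROUPS[group])
        return acts


@dataclass
class ACP:
    name: str
    role: str
    resource_groups: list


@dataclass
class Association:
    kind: str      # "User", "Group" or "Authentication Space"
    subject: str   # "user@Space", "group@Space" or the Space name
    acps: list


@dataclass(frozen=True)
class Principal:
    upn: str                          # user@AuthenticationSpace
    groups: frozenset = frozenset()   # group@AuthenticationSpace memberships

    @property
    def auth_space(self):
        return self.upn.split("@", 1)[1]


def matches(assoc: Association, principal: Principal) -> bool:
    """Does this ACP Association cover the principal?"""
    if assoc.kind == "User":
        return assoc.subject == principal.upn
    if assoc.kind == "Group":
        return assoc.subject in principal.groups
    if assoc.kind == "Authentication Space":
        return assoc.subject == principal.auth_space
    raise ValueError(assoc.kind)


# Constructed nodes; the built-in 'default' group contains every node.
RESOURCE_GROUPS = {
    "groupAccountsGlobal": {"acct-db-01", "acct-fs-01"},
    "groupLegalGlobal": {"legal-fs-01"},
    "groupDevelopmentUK": {"dev-build-uk", "dev-db-uk"},
    "groupProductionPrimaryUS": {"prod-us-1"},
    "groupProductionSecondaryUS": {"prod-us-2"},
}
RESOURCE_GROUPS["default"] = set().union(*RESOURCE_GROUPS.values())

ROLES = {
    "roleBackupAdmin": Role("roleBackupAdmin", ["Policies", "Dataflows", "Restore"]),
    # Fine-grained role: only View activities, selected individually.
    "roleProtectorUser": Role("roleProtectorUser",
                              activities=["View Policies", "View Dataflows"]),
}
ACPS = {a.name: a for a in [
    ACP("acpAccountsBackupAdmin", "roleBackupAdmin", ["groupAccountsGlobal"]),
    ACP("acpLegalBackupAdmin", "roleBackupAdmin", ["groupLegalGlobal"]),
    ACP("acpDevelopmentBackupAdmin", "roleBackupAdmin", ["groupDevelopmentUK"]),
    ACP("acpProductionBackupAdmin", "roleBackupAdmin",
        ["groupProductionPrimaryUS", "groupProductionSecondaryUS"]),
    ACP("acpDevelopmentUser", "roleProtectorUser", ["groupDevelopmentUK"]),
]}
ASSOCIATIONS = [
    Association("User", "donald.mcphee@widgetdev", ["acpDevelopmentBackupAdmin"]),
    Association("User", "svpdean@uk.widgetdev",
                ["acpDevelopmentBackupAdmin", "acpProductionBackupAdmin"]),
    Association("Group", "devteam@datadevs", ["acpDevelopmentUser"]),
    Association("User", "traynorp@WIN7-PCEA45",
                ["acpAccountsBackupAdmin", "acpLegalBackupAdmin"]),
]


def granting_acps(principal, activity, node):
    """Names of the ACPs that allow principal to perform activity on node.

    A grant needs an Association covering the principal, a Role in the ACP that
    includes the Activity, and a Resource Group in the same ACP containing the node.
    """
    found = []
    for assoc in ASSOCIATIONS:
        if not matches(assoc, principal):
            continue
        for acp_name in assoc.acps:
            acp = ACPS[acp_name]
            if activity not in ROLES[acp.role].granted():
                continue
            if any(node in RESOURCE_GROUPS[g] for g in acp.resource_groups):
                found.append(acp_name)
    return found


def authorized(principal, activity, node) -> bool:
    return bool(granting_acps(principal, activity, node))


def visible_nodes(principal, activity="View Policies"):
    """Nodes on which the principal holds the given Activity through any ACP."""
    return {n for n in RESOURCE_GROUPS["default"] if authorized(principal, activity, n)}
```

Because the Role and the Resource Groups are bound together inside one ACP, svpdean@uk.widgetdev can manage policies on both the UK development nodes and the US production nodes, while donald.mcphee@widgetdev, who shares only acpDevelopmentBackupAdmin, is refused on prod-us-1; the devteam group receives view-only access through roleProtectorUser.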
How to create a resource group
Before you begin
Refer to How to configure advanced role based access control which describes how resource groups are used in configuring access control.
To create a resource group:
Procedure
From the Access Control Dashboard click Manage Resource Groups to open the Access Control Resource Groups Inventory.
Click the Create new item tile to open the Access Control Resource Group Wizard.
Enter a Name for the resource group and a Description, then click Next.
Select the resources to be included in the resource group from the left-hand list by clicking on each resource.
Each resource selected is added to the right-hand list. Resources can be removed from the right-hand list by selecting them there.
Click Finish to close the wizard and return to the inventory.
How to create a role
Before you begin
Refer to How to configure advanced role based access control which describes how roles are used in configuring access control.
To create a role:
Procedure
From the Access Control Dashboard click Manage Roles to open the Access Control Roles Inventory.
Click the Create new item tile to open the Access Control Role Wizard.
Enter a Name and Description for the role, then click Next.
Select the activity groups to apply to the role by clicking the checkbox to the left of the activity group names.
To apply individual activities, click the + to the left of the activity group name to expand the group, then select the required activities by clicking the checkbox to the left of the activity names.
Click Finish to close the wizard and return to the inventory.
How to create an access control profile
Before you begin
Refer to How to configure advanced role based access control which describes how access control profiles are used in configuring access control.
Ensure that the necessary resource groups and roles have been created (see How to create a resource group and How to create a role).
To create an access control profile:
Procedure
From the Access Control Dashboard click Manage ACPs to open the Access Control Profiles Inventory.
Click the Create new item tile to open the Access Control Profile Wizard.
Enter a Name and Description for the access control profile, then click Next.
Select the required Role from the menu, then click Next.
Select the resource groups to be included in the access control profile from the left hand list by clicking on each resource group.
Each resource group selected is added to the right-hand list. Resource groups can be removed from the right-hand list by selecting them there.
For each resource group included in the ACP, set the Access Level in the dropdown control to the right of the resource group in the right-hand list.
The access level controls the visibility of backups of nodes in the resource group.
Click Finish to close the wizard and return to the inventory.
How to clone an access control profile
Before you begin
Refer to How to configure advanced role based access control which describes how access control profiles are used in configuring access control.
Cloning is a way of creating a new ACP, based on an existing ACP. To clone an access control profile:
Procedure
From the Access Control Dashboard click Manage ACPs to open the Access Control Profiles Inventory.
Select the tile for the ACP you want to clone, then click Clone in the menu above.
A clone of the ACP will be added to the inventory having the same name but with (clone) appended.
To rename the clone refer to How to edit an access control profile.
How to edit an access control profile
You can make changes to an existing access control profile as follows:
Procedure
From the Access Control Dashboard click Manage ACPs to open the Access Control Profiles Inventory.
Click on the name of the ACP you want to edit.
The Access Control Profile Details opens, showing the associated role and resource groups.
Click on the Edit button in the top right corner of the page.
The Access Control Profile Wizard opens.
Edit the parameters as required, clicking Next and Previous to locate the items to edit.
When you have finished editing, go to the final page of the wizard and click Finish.
The wizard is closed and the details page is displayed showing the updated parameters.
How to create an Authentication Space
Before you begin
Refer to How to configure basic role based access control or How to configure advanced role based access control, which describe how Authentication Spaces are used in configuring access control.
Protector communicates with an authentication server via a single proxy node, which is specified when the access control Authentication Space is created. Ensure that the following prerequisites are met before you configure an AD, RADIUS or LDAP Authentication Space in Protector:
- The Protector proxy (which can be a Client or Master node) connecting to the authentication server is registered with it and any prerequisites listed in the authentication server documentation are met.
- The authentication server is not blocked by any firewalls.
- The configuration parameters for the type of authentication server selected are known. See Access Control Authentication Space Wizard for what is required for each server type.
To create an Authentication Space:
Procedure
From the Access Control Dashboard click Manage Authentication Spaces to open the Access Control Authentication Spaces Inventory.
Click the Create new item tile to open the Access Control Authentication Space Wizard.
Enter a Name and Description for the Authentication Space, then click Next.
Note: For Active Directory, the Name must be the AD Domain Name.
Select the type of Authentication Space you require from the list on the left of the wizard.
The parameters appropriate to the selected Authentication Space type are displayed on the right of the wizard. All Authentication Space types require a Proxy to be selected, except OS Accounts, which instead require the Authentication Node that actually holds the account information.
Enter the parameters required for the selected Authentication Space type, then click Finish.
How to configure an LDAP authentication space
Before you begin
Ensure the LDAPv3 server is correctly configured as per the instructions supplied with the LDAP software.
Configure a Linux based Protector (Master or Client) node with a connection to the LDAP server to act as a proxy. If you have a Windows Master, then you must select a Linux Client as a proxy. In this example the node Client5RHEL will be nominated as the proxy.
If using LDAP over TLS, place the TLS CA certificate file on the Protector proxy node.
This is an illustrative example only. LDAP configurations vary considerably between organisations so the output for your environment may be quite different to that shown here. It is assumed that the person performing this configuration is well versed in LDAP and the way it is configured in your organization:
Procedure
Examine the configuration of the LDAP server, using one of the following methods to ensure you can log into the LDAP server (preferably via the Protector proxy node to confirm the connection is working). Make a note of the Base DN and User/Group DNs listed in the output:
Either connect to the LDAP server via a web based interface.
Or connect via a command shell using the following Linux command. Consult the Linux man page for full syntax:
ldapsearch -D "uid=admin,dc=mydomain,dc=com" -w pa55w0rd -H ldap://mydomain.com -b "dc=mydomain,dc=com" -s sub "(objectClass=*)"
Where the mydomain.com LDAP server's administrator UID is admin and the password is pa55w0rd. Note that -w places the password on the command line, where it is visible to other users of the proxy node in the process list and may be kept in the shell history; the -W option of ldapsearch prompts for the password instead.
- The Base DN:
# mydomain.com
dn: dc=mydomain,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: mydomain.com
dc: mydomain
- The Administrator's DN (used as the Bind DN):
# admin, mydomain.com
dn: cn=admin,dc=mydomain,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
- User DNs and UIDs:
# Joe Bloggs, mydomain.com
dn: cn=Joe Bloggs,dc=mydomain,dc=com
givenName: Joe
sn: Bloggs
cn: Joe Bloggs
uid: jbloggs
uidNumber: 1000
gidNumber: 500
homeDirectory: /home/users/jbloggs
loginShell: /bin/bash
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
- Group DNs and memberUids:
# Managers, Groups, mydomain.com
dn: cn=Managers,ou=Groups,dc=mydomain,dc=com
gidNumber: 501
objectClass: posixGroup
objectClass: top
cn: Managers
memberUid: jbloggs
memberUid: tsmith
memberUid: mjones
...
Configure the parameters in the Access Control Authentication Space Wizard as follows:
Note: The values entered are dependent on the particular LDAP configuration. Be sure to check the output generated by ldapsearch for your configuration to obtain the correct values.
On the Configure authentication type page, select LDAP authentication, then enter the following parameters:
- Proxy: Client5RHEL
- Server URI: ldaps://mydomain.com
- Server Port: If not using the default value, enter a port number.
- Base DN: dc=mydomain,dc=com from the ldapsearch output:
# mydomain.com
...
dn: dc=mydomain,dc=com
...
- Select Bind using specified account
- Bind Account DN: cn=admin,dc=mydomain,dc=com from the ldapsearch output:
# admin, mydomain.com
...
dn: cn=admin,dc=mydomain,dc=com
...
- Bind Account Password: pa55w0rd
If using the LDAPS protocol, click TLS Configuration and configure the TLS Request Certificate Check method, TLS CA Certificate Directory and TLS CA Certificate File to use.
Click Advanced Configuration and enter the following parameters based on the given ldapsearch output:
- Person Filter: (objectClass=inetOrgPerson)
# Joe Bloggs, mydomain.com
...
objectClass: inetOrgPerson
...
- Group Filter: (objectClass=posixGroup)
# Managers, Groups, mydomain.com
...
objectClass: posixGroup
...
- Group Strategy: select Groups know users
# Managers, Groups, mydomain.com
...
memberUid: jbloggs
memberUid: tsmith
memberUid: mjones
...
- Group Member Attribute: memberUid
# Managers, Groups, mydomain.com
...
memberUid: jbloggs
...
- Group Member Type: select Member value contains a UID
# Managers, Groups, mydomain.com
...
memberUid: jbloggs
...
# Joe Bloggs, mydomain.com
...
uid: jbloggs
...
- The following attribute values are evident from the output:
- CN Attribute: cn
- DN Attribute: dn
- UID Attribute: uid
- Person Filter: (objectClass=inetOrgPerson)
Click Finish to close the wizard.
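As an added example (not part of this documentation and not Protector's own code), the following Python resolves group membership the way the settings above describe: entries are selected with the Group Filter, membership is taken from the memberUid attribute under the Groups know users strategy, and member values are treated as UIDs of entries passing the Person Filter. The LDIF is constructed to mirror the searchldap excerpts; parse_ldif, matches, person_uids and groups_for_uid are hypothetical helper names.

```python
import re

# Constructed LDIF modelled on the searchldap output above (not real directory data)
SAMPLE_LDIF = """\
dn: uid=jbloggs,ou=People,dc=mydomain,dc=com
objectClass: inetOrgPerson
cn: Joe Bloggs
uid: jbloggs

dn: cn=Managers,ou=Groups,dc=mydomain,dc=com
objectClass: posixGroup
cn: Managers
memberUid: jbloggs
memberUid: tsmith
memberUid: mjones
"""

def parse_ldif(text):
    """Parse a minimal LDIF dump (blank-line separated) into {attr: [values]} entries."""
    entries, entry = [], {}
    for line in text.splitlines():
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = {}
            continue
        attr, _, value = line.partition(": ")
        entry.setdefault(attr, []).append(value)
    if entry:
        entries.append(entry)
    return entries

def matches(entry, ldap_filter):
    """Evaluate a single equality filter such as (objectClass=posixGroup)."""
    m = re.fullmatch(r"\((\w+)=([^)]+)\)", ldap_filter)
    if not m:
        raise ValueError("only simple equality filters are handled here")
    attr, value = m.groups()
    return value in entry.get(attr, [])

def person_uids(entries, person_filter="(objectClass=inetOrgPerson)"):
    """UID values of all person entries; every memberUid should name one of these."""
    return {e["uid"][0] for e in entries if matches(e, person_filter)}

def groups_for_uid(entries, uid, group_filter="(objectClass=posixGroup)",
                   member_attr="memberUid"):
    """'Groups know users': keep the groups whose member attribute lists this uid."""
    return sorted(e["cn"][0] for e in entries
                  if matches(e, group_filter) and uid in e.get(member_attr, []))
```

Running this over your own searchldap dump is a quick way to confirm that the member attribute values really are UIDs of person entries before committing the settings in the wizard.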
How to create an Access Control Profile Association
Before you begin
Refer to How to configure basic role based access control which describes how access control profile associations are used in configuring access control.
Ensure that the necessary Access Control Profiles and Authentication Spaces have been created (see How to create an access control profile and How to create an Authentication Space).
To create an access control profile association:
Procedure
From the Access Control Dashboard click Manage ACP Associations to open the Access Control Profile Associations Inventory.
Click the Create new item tile to open the Access Control Profile Association Wizard.
Enter a Name and Description for the ACP Association.
Select the type of association you require from the list on the left of the wizard:
- User - associates the specified user with the selected ACPs.
- Group - associates all users in the specified group with the selected ACPs.
- Authentication Space - associates all users in the specified Authentication Space with the selected ACPs.
Enter the parameters required for the selected ACP association type, then click Next.
Select the ACPs to be included in the ACP association from the left-hand list by clicking on each ACP.
Each ACP selected is added to the right-hand list. ACPs can be removed from the right-hand list by selecting them there.
Click Finish to close the wizard and return to the inventory.
How to view the access control settings summary
Before you begin
Refer to How to configure basic role based access control.
Ensure that the necessary access control profile associations have been created (see How to create an Access Control Profile Association).
To view a summary of the current access control settings for each Protector user or group:
Procedure
From the Access Control Dashboard click Manage ACP Associations to open the Access Control Profile Associations Inventory.
You can also access the summary information from the Access Control Authentication Spaces Inventory, Access Control Profiles Inventory, Access Control Roles Inventory or Access Control Resource Groups Inventory.
Open the drop-down menu in the Navigation Breadcrumbs by clicking the drop-down button and select Summary from the menu.
The Access Control Summary is displayed.
Click on the [>] to the left of the User or Group of interest to view its related ACPs, Role, Activity Groups, Activities, Resource Groups and Resources.
How to edit object permissions
Permissions control whether an object (e.g. a data flow, schedule etc.) is visible to, or modifiable by, specific users.
For normal creation of objects (e.g. policies, dataflows, schedules and store templates), the creating user is given Read/Write access, allowing that user to see and change the object. Users having the RBAC Override Ownership Permissions privilege can also see and edit the object. Nobody else will be able to view the object unless granted access.
Normal users (i.e. those without the RBAC Override Ownership Permissions privilege) are prevented from removing all permissions, although they can still remove their own access rights. Only users with the RBAC Override Ownership Permissions privilege can remove all permissions.
To edit the permissions for an object:
Procedure
Go to the Details or Inventory page of the object for which you want to edit the permissions.
Click Edit Permissions in the top right of the page.
The Access Control Permissions Inventory will be displayed, showing the users and groups that have read and write access to the object.
You can then do one of the following:
- Add a new user or group permission by clicking the Create New Item tile.
- Edit an existing permission by clicking the user or group name on a tile.
- Remove an existing permission by selecting a tile and clicking Remove.
For new permissions, select the type of permission you require from the list on the left of the wizard:
- User - to grant a single user permission
- Group - to grant a group of users permission
Check Write Access if you want the user or group to be able to modify the object. Read access is automatically granted to any user or group added to the permissions inventory for that object.
Click Finish to close the wizard and return to the inventory.
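The permission rules described in this section (creator gets Read/Write, read is implicit for any listed principal, Write Access is opt-in, the RBAC Override Ownership Permissions privilege sees and edits everything, and a normal user cannot strip the last permission from an object) as an added Python model; this is written for this page, not Protector's code, and User, ProtectedObject, grant and remove are hypothetical names.

```python
from dataclasses import dataclass, field

# Added model of the rules above (not Protector's code); privilege name as on the page
OVERRIDE = "RBAC Override Ownership Permissions"

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    privileges: set = field(default_factory=set)

@dataclass
class ProtectedObject:
    """A configuration object (policy, data flow, ...) and its permission tiles.
    perms maps a user or group name to True (read/write) or False (read only)."""
    name: str
    perms: dict = field(default_factory=dict)

def create_object(owner, name):
    """Normal creation: the creating user gets Read/Write; nobody else is listed."""
    return ProtectedObject(name, {owner.name: True})

def _principals(user):
    return {user.name} | user.groups

def can_view(user, obj):
    """Visible to anyone listed (read is implicit) or holding the override privilege."""
    return OVERRIDE in user.privileges or any(p in obj.perms for p in _principals(user))

def can_edit(user, obj):
    """Editable only with Write Access on a listed principal, or the override privilege."""
    return OVERRIDE in user.privileges or any(obj.perms.get(p) for p in _principals(user))

def grant(actor, obj, principal, write=False):
    """Add or edit a permission tile. Read is implicit; write is the Write Access box."""
    if not can_edit(actor, obj):
        raise PermissionError(f"{actor.name} cannot edit permissions on {obj.name}")
    obj.perms[principal] = write

def remove(actor, obj, principal):
    """Remove a tile. A normal user may drop tiles (including their own) but not
    the last remaining one; only the override privilege may remove all permissions."""
    if not can_edit(actor, obj):
        raise PermissionError(f"{actor.name} cannot edit permissions on {obj.name}")
    last = len(obj.perms) == 1 and principal in obj.perms
    if last and OVERRIDE not in actor.privileges:
        raise PermissionError("normal users cannot remove all permissions")
    del obj.perms[principal]
```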