Commvault

Role Based Security - Commvault Command Center


V11 Role-Based Security

Role-based security in Commvault® Version 11 uses roles to grant access to CommCell® resources and tasks, such as performing backup, restore, and administrative operations on entities. It is a granular mechanism that defines which resources are displayed to a user and which tasks are available on them. For instance, role-based security can be implemented to display only SQL servers to database administrators, together with only the backup and restore tasks that are assigned to them.

To use role-based security, you must create a 'security association' between users or user groups, a role, and entities:

  • User(s) – A CommCell user, an external domain user, a CommCell user group, or an external domain user group.

  • Role – A collection of permissions that defines the level of access granted to a user or a user group.

  • Entity – A CommCell® resource, such as a server, server group, plan, etc.

This separation of user/user group (who), role (permissions), and entity (what) allows a user or user group to have different permissions depending on what their role is for a specific entity.

Example: A user requires backup and recovery permissions for a file server. The same user requires restore-only permissions for a mail server. The user is associated with the file server entity and assigned the backup and recovery role. The same user is assigned to the mail server entity with the recovery role.

V11 role-based security overview






Users

Create a CommCell® User

CommCell® users are created to grant access to the Commvault Command Center™ and CommCell resources. During initial installation, a built-in administrative account, called 'Admin,' is created. This account has all privileges to all CommCell resources.

During the creation of a user, the password can be generated by the system. The user receives an email prompting them to connect for the first time with the generated password. At that point, the system prompts the user to change it.

Tip: CommCell users for DR purposes
Commvault recommends that you create at least one additional account with all permissions. The main backup administrator can use this account to ensure that in case of a disaster (e.g., directory services are unavailable), the administrator can still log in to execute restores.




To create a new CommCell® user

1 - Expand Manage.

2 - Click Security.

3 - Click to manage CommCell® users.



4 - Click Add user.



5 - Define if it is a local (CommCell®) or external (e.g., Active Directory) user.

6 - Type the Full Name of the user.

7 - Enter a login name for the user.

8 - Type the Email ID of the user.

9 - Optionally, associate the user with a user group by selecting it from the list.

10 - Type and confirm the password for the user.

11 - Click to create the user.



Disable a User Account

A user account can be disabled or enabled. When disabled, the user can no longer connect to any of the CommCell® consoles (Commvault Command Center™, CommCell® Console, Web Console), nor execute any tasks in the Commvault environment.

Tip! When working with contractors, create accounts that they can use to work in the environment, and once they leave, disable the accounts.




To disable/enable a user account

1 - Expand Manage | Click Security | Click Users.

2 - Click the desired username.



3 - Click the toggle switch to enable/disable the account.




Delete a User

At any time, a user account can be deleted. This removes the user account, preventing any future connection to the Commvault® environment. However, deleting the user does not delete entities or configurations created by the user (e.g., plans, storage targets, servers, etc.).




To delete a user account

1 - Expand Manage | Click Security | Click Users.

2 - Click the Actions menu next to the username and select Delete.

3 - Confirm the Delete.



Add an External Domain

External domain users are used to define security associations in Commvault® software. This allows a user to use his or her regular domain account, thus preventing the need to remember an additional login and password. Several LDAP vendors are supported. They are as follows:

  • Active Directory
  • Apple Directory Services
  • Oracle Directory
  • Open LDAP
  • LDAP Server

Note that SAML authentication is also supported.




To add an external domain

1 - Expand Manage.

2 - Click on Security.

3 - Click on Identity Servers.



4 - Click Add.



5 - Define if AD (LDAP) or SAML authentication is used.

6 - Select the LDAP technology to use.

7 - Provide the NETBIOS name of the domain.

8 - Provide the Fully Qualified Domain Name (FQDN).

9 - Provide the service account credentials used to query the domain controller.

10 - Enable or disable Single Sign-on, which allows users to connect without having to type in a username or password.

11 - Click to create the connection to the domain.


Roles

A role is a consolidated set of permissions that is used when creating a security association. A role can be part of as many security associations as needed, which makes managing permissions much easier, but each security association can only have one role. A wide variety of permissions are available to define user tasks, such as: ‘in-place recovery,’ ‘out-of-place recovery,’ ‘tape media operation,’ ‘scheduling,’ ‘VM operations,’ and ‘Content Search.’

Example: If User01 requires backup and restore permissions on server A and User02 requires backup and restore permissions on server B, you can create a single role called ‘Backup and Restore’ with the appropriate permissions set. This role can then be used on two different security associations, one for User01 and one for User02.

For a complete list of permissions, refer to Commvault® Online Documentation.


Create a Role

During the role creation process, you can create a security association with it. All of the users and user groups that are a part of the security association inherit the permissions in the role.







To create a new role

1 - Expand Manage.

2 - Click on Security.

3 - Click to manage roles.



4 - Click to add a role.



5 - Provide a name for the role. Existing roles are displayed in the main window.

6 - Select the required permissions.

7 - Check/uncheck to enable/disable the role.

8 - Click to create the role.



Editing a role




To edit an existing role

1 - Expand Manage.

2 - Click on Security.

3 - Click to manage roles.




4 - Click the name of the desired role.




5 - Uncheck to display all permissions.

6 - Select the required permissions.

7 - Click to save modifications.



Deleting a security role




To delete a role

1 - Expand Manage.

2 - Click on Security.

3 - Click to manage roles.



4 - Click to delete the role.

5 - Click to confirm the deletion of the role.



Security Associations

To use role-based security, you must create a security association between users or user groups, a role, and CommCell® entities. The entity defines the object or group of objects on which the defined user or users can execute the tasks defined by the role. For instance, if a user needs to perform tasks on a server, create the security association on that server entity. If the user needs to execute tasks on several servers, define the security association on a server group instead; the servers in the group inherit it.
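To make the who/role/what model concrete, the following is an added illustrative model written for this page; it is not Commvault code and does not call the Commvault API. It represents users, user groups, roles (permission sets), entities that may belong to a parent server group, and security associations (one principal, one role, one entity), and then answers "may this user perform this task on this entity?" the way the text describes: permissions arrive only through associations, a role is reused across associations, an association on a server group is inherited by its members, a disabled account is denied everything, and an entity is visible to a user only when some association grants them a permission on it. All user, group, role, permission and entity names below are constructed sample values.

```python
"""Illustrative role-based security model (added example, not Commvault code)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Optional, Set


@dataclass
class Entity:
    name: str
    parent: Optional[str] = None  # e.g. the server group a server belongs to


@dataclass
class User:
    name: str
    groups: Set[str] = field(default_factory=set)  # CommCell or domain user groups
    enabled: bool = True  # a disabled account is denied everything


@dataclass(frozen=True)
class Association:
    principal: str  # user name or user group name (the "who")
    role: str       # exactly one role per association (the permissions)
    entity: str     # entity name (the "what")


class SecurityModel:
    """In-memory model of roles, principals, entities and security associations."""

    def __init__(self) -> None:
        self.roles: Dict[str, FrozenSet[str]] = {}
        self.users: Dict[str, User] = {}
        self.entities: Dict[str, Entity] = {}
        self.associations: Set[Association] = set()

    def add_role(self, name: str, permissions: Iterable[str]) -> None:
        self.roles[name] = frozenset(permissions)

    def add_user(self, name: str, groups: Iterable[str] = (), enabled: bool = True) -> None:
        self.users[name] = User(name, set(groups), enabled)

    def add_entity(self, name: str, parent: Optional[str] = None) -> None:
        if parent is not None and parent not in self.entities:
            raise KeyError(f"unknown parent entity {parent!r}")
        self.entities[name] = Entity(name, parent)

    def associate(self, principal: str, role: str, entity: str) -> None:
        # A security association binds one principal, one role and one entity.
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        if entity not in self.entities:
            raise KeyError(f"unknown entity {entity!r}")
        self.associations.add(Association(principal, role, entity))

    def effective_permissions(self, user_name: str, entity_name: str) -> FrozenSet[str]:
        user = self.users[user_name]
        if not user.enabled:
            return frozenset()
        principals = {user.name} | user.groups  # the user and every group they belong to
        perms: Set[str] = set()
        current: Optional[str] = entity_name
        # Walk from the entity up through its parents (server -> server group),
        # so an association defined on the group is inherited by its members.
        while current is not None:
            for assoc in self.associations:
                if assoc.entity == current and assoc.principal in principals:
                    perms |= self.roles[assoc.role]
            current = self.entities[current].parent
        return frozenset(perms)

    def can(self, user_name: str, permission: str, entity_name: str) -> bool:
        return permission in self.effective_permissions(user_name, entity_name)

    def visible_entities(self, user_name: str) -> List[str]:
        # An entity is displayed to a user only if some association grants
        # them at least one permission on it.
        return sorted(e for e in self.entities if self.effective_permissions(user_name, e))


def build_sample_model() -> SecurityModel:
    """Constructed sample mirroring the page's examples (hypothetical names)."""
    m = SecurityModel()
    m.add_role("Backup and Restore", ["Backup", "In-place recovery", "Out-of-place recovery"])
    m.add_role("Recovery", ["In-place recovery"])
    m.add_entity("file-server-01")
    m.add_entity("mail-server-01")
    m.add_entity("db-group")                      # a server group
    m.add_entity("sql-server-01", parent="db-group")
    m.add_user("User01")
    m.add_user("User02")
    m.add_user("dba01", groups={"DBAs"})
    m.add_user("contractor01", enabled=False)     # account disabled after contract ended
    m.associate("User01", "Backup and Restore", "file-server-01")
    m.associate("User01", "Recovery", "mail-server-01")   # same user, different role per entity
    m.associate("User02", "Backup and Restore", "mail-server-01")  # same role reused
    m.associate("DBAs", "Backup and Restore", "db-group")  # inherited by sql-server-01
    m.associate("contractor01", "Backup and Restore", "file-server-01")
    return m


if __name__ == "__main__":
    model = build_sample_model()
    for who, perm, what in [("User01", "Backup", "file-server-01"),
                            ("User01", "Backup", "mail-server-01"),
                            ("dba01", "Backup", "sql-server-01"),
                            ("contractor01", "Backup", "file-server-01")]:
        print(f"{who:13} {perm:7} on {what:15} -> {model.can(who, perm, what)}")
    print("dba01 sees:", model.visible_entities("dba01"))
```

Running the script shows User01 allowed to back up the file server but not the mail server, dba01 backing up sql-server-01 purely through the DBAs association on db-group, and the disabled contractor account denied despite having an association.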




To configure a security association

1 - Expand Manage | Click Servers.

2 - Click the CommCell® entity for which you want to create a security association.



3 - Click the Configuration tab.

4 - From the Security section on the Configuration tab, click Edit to add a security association.



5 - Search for the desired CommCell® user, CommCell® user group, domain user or domain user group.

6 - Select the desired role from the list.

7 - Click to add the security association.

8 - Click to create the security association.



Viewing security associations




To view object security associations

1 - Click the desired view.

2 - Click the name of the desired entity.



3 - Locate the Security section and click to display inherited associations.

4 - Security associations are displayed; scroll down if needed.



Owners

Define Global Owner Permissions

Global owner permissions are defined in the Owner Permissions section of the Access Control applet. Owner permissions can also be set at the client computer group level or at the client computer level. Permissions set at the client group level are automatically assigned to the owner of any laptop or desktop that belongs to that group.




To define global owner permissions

1 - Expand Manage | Click System.

2 - Click Access control.



3 - Click to edit global owner permissions.



4 - Select the desired owner permissions.

5 - Click to save the changes.



Assign Entity Owner

Entity owners are defined from the Security section of a Commvault Command Center™ entity. A single user or a user group can be selected as owners of a system.




To configure a device owner

1 - Expand Manage | Click Servers.

2 - Click the device for which you want to define the owner.



3 - Click the Configuration tab.

4 - Click to display the current owner of the device.

5 - Click to define owner of the device.



6 - Click the Owners tab.

7 - Type to search and add a CommCell® user, CommCell® user group, domain user or a domain user group.

8 - Select the role to apply for the association.

9 - Click Add to assign the owner.

10 - Click to save the changes.



Multi-Tenant Security

Commvault® software provides capabilities to create logically isolated environments for tenants. This feature is useful for managed service providers (MSPs) offering Backup-as-a-Service (BaaS) who want to ensure that each tenant is secured and other tenants cannot access its data and resources. This is implemented by creating Companies.

Create a Company

During the creation of a new company, the tenant administrator's information is required, such as name and email address. Upon creation of the company, the administrator receives a confirmation email stating that his or her company was created. It also includes information on how to log in to the Commvault Command Center™. On first login, the administrator configures the following from the Getting Started section:

  • Set the default protection plan.
  • Add a domain server to leverage domain user accounts and user groups.
  • Add users to user groups.
  • Brand the Commvault Command Center™ with the tenant colors.




To create a company

1 - Expand Manage | Click Companies.

2 - Click Add company.



3 - Provide the tenant company name.

4 - Provide the tenant administrator’s information.

5 - Select the default protection plan for the tenant.

6 - Provide the domain NetBIOS name for the company.

7 - Provide the SMTP server to use.

8 - If required, slide and provide the tenant’s domain name.

9 - Click to create the company.



10 - Once added, the company is listed in the view.


Connect as the Tenant Administrator

The company creation process includes a notification that is sent to the tenant administrator. This email provides connection information for the administrator, as well as a temporary password that must be changed on the first login. Changing the temporary password is achieved by clicking the embedded link in the notification.




To connect for the first time

1 - Open the email that was sent to the tenant administrator.

2 - Take note of the connection information.

3 - Click the provided link to open the Commvault Command Center™.



4 - The password must be changed on first connection.

5 - Type the temporary password and the desired password.


Create Tenant Users

The tenant administrator executes company tasks such as creating users. These tenant users are responsible for:

  • An end-user device, such as a laptop or desktop
  • One or many servers
  • One or many virtual machines

Only tenant administrators can create additional administrators or users.




To create a tenant user

1 - Expand Manage | Click Security.

2 - Click Users.



3 - Click Add user to add a tenant user.



4 - Provide the tenant user information.

5 - Assign the user to the appropriate company.

6 - From the list, assign the user to the tenant user group.


Copyright © 2021 Commvault | All Rights Reserved.