Commvault
Role Based Security - CommCell® Console
- Carl Brault
- tdopko@commvault.com
Credits:
Great thanks to Mike Byrne for his hard work with the screen captures.
Commvault® software has a security management capability in Version 11 that transcends limitations of traditional user and group security models. This functionality separates the permissions required to perform CommCell® actions from the user or group through the implementation of roles. Roles allow users or user groups to have different security settings for various CommCell® entities.
In Version 11, Commvault security is configured using two methods:
Role-based Security – used for administrators who need permissions on multiple entities. To use role-based security, you must create a security association between users or user groups, a role, and entities.
Owner Security – used for end-users who need permissions on very few client entities. For example, a user needs permission to restore files to a laptop.
Security has evolved significantly in Commvault® software. The following sections describe the differences in security management between Version 10 and Version 11.
V10 Security
In CommCell® V10, security works by assigning local users and domain user groups to CommCell user groups. These CommCell groups are then associated with entities in the CommCell® browser to grant access to specific areas within the CommCell® console.
Each CommCell® user has their own login with a full or restricted set of capabilities to view entities and/or perform tasks.
CommCell Users – defined internally within the CommCell® software or enabled externally through Microsoft's Active Directory or IBM's Domino Directory Server. A user's ability to view entities and perform tasks within the CommCell is managed exclusively through membership in CommCell User Groups.
CommCell User Group(s) – associated with CommCell entities (e.g., clients, libraries, storage policies) allowing the member users to perform authorized tasks on those entities only.
A CommCell user can be a member of any number of CommCell User Groups. The user's ability to perform tasks on a CommCell entity is determined by the combined capabilities of the CommCell User Groups that are associated with that entity.
A list of tasks and their required capabilities is found in the Commvault Online Documentation.
External Users/Groups – Microsoft's Active Directory or IBM's Domino Directory Service groups can be associated with CommCell User Groups. Members of associated external groups log in to the CommCell® console using their external credentials. Single Sign-on can be enabled to allow external users who are already logged into the domain to access the CommCell console without re-entering their password.
V10 security overview
V11 Role-Based Security
Role-based security in Commvault® Version 11 uses roles to grant access to CommCell® resources and tasks, such as performing backup, restore, and administrative operations on entities. It's a granular mechanism that clearly defines what resources are displayed to a user and the available tasks provided to him or her. For instance, role-based security can be implemented to display only SQL servers to database administrators and only the backup and restore tasks that are assigned to them.
To use role-based security, you must create a 'security association' between users or user groups, a role, and entities:
User(s) – defined by using a CommCell user, an external domain user, a CommCell user group, or an external domain user group.
Role – A collection of permissions that defines the level of access granted to a user or a user group.
Entity – A CommCell® resource, such as a client computer, client computer group, library, storage policy, schedule policy, MediaAgent, etc.
In other words, the separation of user/user group (who), role (permissions), and entity (what) allows a user or user group to have different permissions depending on what their role is for a specific entity.
Example: A user requires backup and recovery permissions for a file server. The same user requires restore only permissions for a mail server. The user is associated with the file server entity and assigned the backup and recovery role. The same user is assigned to the mail server entity with the recovery role.
V11 role-based security overview
Upgrading Roles from Previous Versions
Prior to Commvault® Version 11, all permissions (formerly called capabilities) were associated with a CommCell® user group. When upgrading Commvault software, a role is created for each user group, and the permissions assigned to the role are based on the capabilities of the old user group. The role automatically created for each user group is prefixed with <SystemCreatedRole>_Role. These roles are automatically assigned to entities along with the user groups.
Role after upgrading a CommCell®
1 - Descriptions of roles inherited from a previous version of Commvault® software start with System Created.
Manage Users
Two sets of users can be used to define security associations in Commvault® software: CommCell® users and external domain users. You can create CommCell and external domain users and control the features they have access to by making security associations between the user(s), a role, and entities. CommCell and domain users can also be combined in the same security association. Once CommCell users are created and external users are added, both are available in the CommCell® console.
To use domain accounts, a connection to the directory services must be configured prior to configuring the security association.
Create a CommCell® User
CommCell® users are created to grant access to the CommCell console and CommCell resources. During initial installation, a built-in administrative account, called 'Admin,' is created. This account has all privileges to all CommCell resources.
Tip: CommCell users for DR purposes
Commvault recommends that you create at least one other account with all permissions. This can be used by the main backup administrator to ensure that in case of a disaster (e.g., directory services are unavailable), the administrator can still use his or her account to execute restores.
To create a new CommCell® user
1 - Expand Security | Right-click CommCell Users | New User.
2 - Enter a login name for the user.
3 - Type and confirm the password for the user.
4 - Type the Full Name of the user.
5 - Type the Email ID of the user.
6 - Check the Age Password box and set a number of days to force the user to change his password.
Add an External Domain
External domain users are used to define security associations in Commvault® software. This allows a user to use his or her regular domain account, thus preventing the need to remember an additional login and password. Single Sign-On can be used to automatically populate the username and password field on the Admin Console or CommCell® console login screen.
To use external domain users, a connection to the directory services must first be created in the CommCell console. More than one domain connection can be added if users from multiple domains are required to log in to Commvault software.
The following directory services are supported as of Service Pack 18:
Microsoft® Active Directory
IBM® Domino Directory Services
JumpCloud® Directory
Apple® Open Directory
RADIUS Servers
Oracle Directory Services
Open LDAP
For JumpCloud directory and Apple Open Directory, an additional setting must first be configured to allow the creation of connections.
To connect to an Active Directory domain
1 - Right-click Domains and Organizations | Add new domain | Active Directory.
2 - Provide the NetBIOS domain name.
3 - Provide the fully qualified domain name.
4 - Provide a domain service account that can query Active Directory.
5 - Enable Single Sign On (SSO) if needed.
6 - If the CommServe® server is not on the same network as the domain controller, a client on the domain controller's network can be defined and used as a proxy for communication.
Disable/Enable a User Account
You can control user access by disabling or enabling a CommCell® user or an external domain user. When disabled, the user can no longer connect to Commvault® software, but all security associations stay in place in case the user is re-enabled at a later time. If the user is disabled, objects that were created previously, such as schedules, monitoring policies, alerts, etc., can be re-associated to another user account.
Tip: Working with a consultant
Scenario: A consultant periodically requires connecting to your CommCell® console. You are concerned about security and do not want to put your environment at risk.
Solution: Instead of giving out the 'Admin' account password or your own account password, create a CommCell account for the consultant. When the consultant has completed his work, disable the account until his next visit.
To disable/enable a user account
1 - Expand the domain | Right-click the desired user account | Disable/Enable.
2 - Confirm to disable the user account.
3 - Choose whether the objects created by this user should be associated to another user account.
Delete a User Account
A CommCell® user account or an external domain account can be deleted from the console. User deletions are effective immediately; the deleted user can no longer perform any functions within the console.
To delete a user account
1 - Expand the domain | Right-click the desired user account | Delete.
2 - Click to confirm the deletion.
3 - Type the phrase to confirm deletion.
4 - Choose the user account to transfer objects, and check to transfer computer groups.
Roles
A role is a consolidated set of permissions that is used when creating a security association. A role can be part of as many security associations as needed, which makes managing permissions much easier, but each security association can only have one role. A wide variety of permissions is available to define user tasks, such as 'in-place recovery,' 'out-of-place recovery,' 'tape media operation,' 'scheduling,' 'VM operations,' and 'Content Search.'
Example: If User01 requires backup and restore permissions on server A and User02 requires backup and restore permissions on server B, you can create a single role called 'Backup and Restore' with the appropriate permissions set. This role can then be used on two different security associations, one for User01 and one for User02.
For a complete list of permissions, refer to Commvault® Online Documentation.
Create a Role
During the role creation process, you can create a security association with it. All of the users and user groups that are a part of the security association inherit the permissions in the role.
To add a new role
1 - Security | Roles | Right-click | New Role.
2 - Type a name for the role.
3 - Select permissions for the role.
Edit an Existing Role
You can edit a role, such as adding or removing permissions. When a role is modified, permission changes are applied to all users assigned to that role. When editing a role, the default view displays only the assigned permissions. To view and to select unassigned permissions, you can uncheck the 'Show only selected' checkbox.
To edit an existing role
1 - Click Roles | Right-click the desired role | Properties.
2 - Uncheck to view unassigned permissions.
3 - Add or remove permissions as desired.
Delete a Role
A role that is no longer required can be deleted. When you delete a role, all of the security associations supported by that role are deleted as well.
Deleting a role must be carefully planned. Always ensure that the role is not required for any other security associations.
To delete a role
1 - Click Roles | Right-click the desired role | Delete.
2 - Click to confirm that any security association using the role will be deleted.
Security Associations
To use role-based security you must create a security association between users or user groups, a role, and CommCell® entities. The entity defines the object or group of objects on which the defined user or users can execute the tasks defined by the role. For instance, if a user needs to perform tasks on a single server, create the security association on the desired client computer entity. If the user needs to execute tasks on several servers, a client computer group can be used as the entity on which the security association is defined.
Security association overview
Create a Security Association
You can associate entities and roles to CommCell users and user groups. This controls the operations that the user or user groups can perform on the entity.
To configure a security association
1 - Right-click on the CommCell® entity | Properties.
2 - From the Security tab | Add button.
3 - Select the desired domain from the drop-down list.
4 - Select a user group or user | Add.
5 - Select a role from the drop-down box.
Cascading Security Associations
When creating a security association on a parent CommCell® entity, it cascades down to all child objects. Cascaded security associations appear as grayed out in the Security tab of a child object.
To view security rules
1 - Right-click on the CommCell® entity | Properties.
2 - Existing associations are displayed in the Security tab.
3 - Check to see associations inherited from parent objects.
4 - Associations cascading from a parent object are grayed out.
5 - The 'Defined in' column displays the parent object on which the association is defined.
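The following is an added example (not Commvault code) that models the security association described above: a user or group, a role, and an entity, with an association on a parent entity cascading to its children and the 'Defined in' entity reported for each match. The entity names, role names and permission names are constructed for illustration.

```python
from dataclasses import dataclass, field

# A role is a named set of permissions (constructed examples, not the full list).
ROLES = {
    "Backup and Restore": {"Backup", "In-place Recovery", "Out-of-place Recovery"},
    "Recovery": {"In-place Recovery"},
}


@dataclass
class Entity:
    name: str
    parent: "Entity | None" = None
    # Associations defined directly on this entity: (user or group, role name).
    associations: list = field(default_factory=list)

    def effective_associations(self):
        """Own associations plus those cascading down from every parent.
        Each tuple carries the entity the association was 'Defined in'."""
        node, result = self, []
        while node is not None:
            result += [(who, role, node.name) for who, role in node.associations]
            node = node.parent
        return result


def permitted(user, groups, entity, permission):
    """Return the 'Defined in' entity whose association grants `permission`
    to `user` (directly or through one of `groups`), or None if nothing does."""
    principals = {user, *groups}
    for who, role, defined_in in entity.effective_associations():
        if who in principals and permission in ROLES[role]:
            return defined_in
    return None


# Constructed entities: a client computer group with one member client,
# plus a stand-alone mail server client.
file_servers = Entity("File Servers")
fs01 = Entity("FS01", parent=file_servers)
mail01 = Entity("MAIL01")

# User01: backup and restore on the whole file server group (cascades to FS01),
# recovery only on the mail server; the 'DBAs' group gets recovery on FS01.
file_servers.associations.append(("User01", "Backup and Restore"))
mail01.associations.append(("User01", "Recovery"))
fs01.associations.append(("DBAs", "Recovery"))
```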
Owner Security
Owner security is used to define permission for end-users who own a device—typically a laptop or a desktop. Owner security works differently than role-based security:
Owner permissions are assigned universally at the CommCell® level.
The owner of the computer is defined for the entity.
Permissions defined globally are inherited for the owner of the entity.
Permissions control tasks that the owner can achieve in the CommCell® console and in the Web console.
Owner security overview
Define Global Owner Permissions
Global owner permissions are defined in the Owner Permissions applet from the Control Panel. Owner permissions can also be set at the client computer group level or at the client computer level. Permissions set at the client computer group level are automatically assigned to the owners of the laptops or desktops that are members of that group.
To define global owner permissions
1 - From the Home menu | Control Panel.
2 - Click to open the applet and define owner permissions.
3 - Select the desired permissions.
Assign Entity Owner
Entity owners are defined from the entity Security tab, Owner sub-tab. A single user or a user group can be selected as owners of a system.
To assign an owner to an entity
1 - Expand Client Computers | Right-click the desired client | Properties.
2 - Click to browse for users.
3 - Choose the user's domain from the list.
4 - Select the desired user from the list and click Add.
Quotas
In backup environments, even if protected storage is less expensive than production storage, there is still a cost per terabyte that must be considered to control storage usage. In a CommCell® environment which is licensed by capacity, the application size of protected systems also has a cost per terabyte and might need to be controlled as well.
User quotas have the capability to control backup size of end-user laptops and desktops efficiently:
For servers, quotas can be applied to client computer groups.
End-users and backup administrators can be notified when the quota is about to be reached.
User Data Protection Quotas
Domain users can have data protection quotas enforced for file-based backups. Quotas can be set at the group or user level. If quotas are set at the group level, they can be overridden at the user level.
How user quotas work:
When a user reaches 90% of their defined quotas, a warning email is sent to the user.
When a user reaches 110% of quota, backups will not run for systems owned by the user.
To fall below these thresholds, the user either must delete data or the administrator must increase the user's quota.
To configure user backup quotas
1 - User group quota: Right-click the user group | Properties. Existing user: Right-click the user | Properties.
Group Quotas
2 - Check to enforce user quotas in the user group properties and define the size limit.
User Quota
3 - Override group level settings and set quotas for individual domain users.
Commvault® Edge Drive Quotas
Commvault Edge Drive is a cloud-based storage solution that enables users to access files from any location. When using the Commvault® Edge Drive feature, size quotas can be applied to the end-user's Edge Drive—limiting storage use in Commvault software.
Quotas are set at these levels:
An individual user can be assigned a quota.
Membership in external user groups allows the user to inherit a quota from those groups (if the user has been configured to inherit them).
The formula for calculating an effective quota is as follows:
By default, each user inherits a quota from an external group or CommCell® group.
If a user is a member of only one external group or CommCell group and that group has a quota, that is the quota for the user.
If a user is a member of more than one external group or CommCell group for which a quota is set, the effective quota is the highest quota across all those groups. Groups for which no quota is set are ignored.
If the 'Inherit User Group Edge Drive Quota Settings' option is cleared for a user, the calculation ignores any quotas set for groups of which the user is a member.
If a quota is set for a user name using the 'Enforce Edge Drive Quota' option, the user has that quota regardless of any quotas set for groups the user is a member.
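The following added example (not Commvault code) carries the Edge Drive quota formula above through in code, together with the user-overrides-group rule and the 90% / 110% thresholds from the User Data Protection Quotas section. Group names and sizes are constructed; quota values are in GB.

```python
# Thresholds stated on this page for user data protection quotas.
WARN_PCT, BLOCK_PCT = 90, 110


def effective_edge_drive_quota(user_quota, inherit_from_groups, group_quotas):
    """Edge Drive formula:
    - an explicit user quota ('Enforce Edge Drive Quota') always wins;
    - otherwise, if 'Inherit User Group Edge Drive Quota Settings' is set,
      the highest quota across the user's groups applies, ignoring groups
      with no quota (None);
    - with inheritance cleared and no user quota, no quota applies."""
    if user_quota is not None:
        return user_quota
    if not inherit_from_groups:
        return None
    set_quotas = [q for q in group_quotas.values() if q is not None]
    return max(set_quotas) if set_quotas else None


def effective_data_protection_quota(user_quota, group_quota):
    """Data protection quota: a user-level setting overrides the group-level one."""
    return user_quota if user_quota is not None else group_quota


def quota_state(used_gb, quota_gb):
    """'ok' below 90%; 'warn' (warning email to the user) from 90%;
    'blocked' (backups do not run for the user's systems) from 110%."""
    if quota_gb is None:
        return "ok"
    pct = used_gb * 100 / quota_gb
    if pct >= BLOCK_PCT:
        return "blocked"
    if pct >= WARN_PCT:
        return "warn"
    return "ok"


# Constructed group quotas: 'All Staff' has none set and is ignored.
GROUPS = {"Sales": 10, "Engineering": 25, "All Staff": None}
```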
To configure user Edge Drive quotas
1 - User group quota: Right-click the user group | Properties. Existing user: Right-click the user | Properties.
Group Edge Drive Quotas
2 - Check to enforce user Edge Drive quotas in the user group properties and define the size limit.
User Edge Drive Quota
3 - Override group level settings and set quotas for individual domain users.
Client Computer Group Quotas
Data protection quotas can be applied to client computer groups. The quota is set at the client computer group level and adds up the size of each client that is a member of the group. This option is frequently used by Managed Service Providers (MSP) or in chargeback scenarios when limited resources are shared amongst different business units or entities.
When the limit is exceeded, backup jobs are placed in a waiting state and are tagged with an error code and the following error description: Client group capacity limit is exceeded.
To configure client computer group quotas
1 - From the Home menu | Control Panel.
2 - Select the System tool.
3 - Enable the use of client computer group quota.
4 - Right-click the desired computer group | Properties.
5 - Set the desired quota for the group.
Copyright © 2021 Commvault | All Rights Reserved.