Restricting User Access with Access Control Lists (ACLs)

Applies to: Windows and Macintosh.

During backups, the metadata associated with the files is collected and stored in the backup index, where it is available for search or browse. By default, end users can browse and search all the data backed up from a common resource like a shared laptop or file server. You can restrict end-user access on such common resources by enabling access control on the client data.

When you enable access control on client data, the access control lists (ACLs) for the data are also included in the backup, which allows users to access only the files and folders for which they have access permissions. Files and folders for which the user does not have permissions are filtered out and hidden during Find, Browse, Restore, and Delete Data operations.

Restriction: This option is available only for users who log on with their Active Directory credentials.

Before You Begin

Review the following requirements:

  • To view the user data, ensure that End User Access permission is configured on the client computer. For instructions, see Configuring End-User Operations on Client Computers.

    Assigning the End User Access permission helps maintain multiple user profiles on the same laptop (or desktop) and ensures that each user has the ability to access only the data for which the user has access permissions.

  • By default, you can access data backed up by the Default subclient on the Web Console. To browse user data backed up by non-default subclients on the Web Console, enable browse for non-default subclients. For instructions, see Enabling Data Browse from Non-Default Subclients.


To enable browse or search based on end-user access control, complete the following steps:

  1. From the CommCell Browser, expand Client Computers > client > File System > Backup Set.
  2. Right-click the appropriate subclient and click Properties.
  3. Click the Advanced Options tab and select Catalog ACL (end user access control list).
  4. Click Recursive Scan, and then select the Check archive bit during backups check box.
  5. Click OK.

The subclient is now configured to include ACLs in its backups. Users with end-user access permissions will be able to view and access only the files and folders in the backed-up data for which they have permissions.

What to Do Next

After enabling access control, run a full backup on the subclient to include the ACLs in the backup data. If you run a differential or incremental backup instead, only the newer data will include the ACLs. For instructions, see Performing Backups for the Windows File System Subclients.

Last modified: 10/24/2018 9:58:25 PM