The following sections provide additional configurations for end-users who have access to client computers from the Web Console.
Assigning Permissions to Client Owners
As a security method to control CommCell operations, you can assign specific permissions to client owners. This is useful for laptop clients because each client has a different owner. By assigning specific permissions to client owners, you can enable or disable specific options in the Web Console. The client owner permissions are in addition to any CommCell Console permissions a user may have. For a list of all Web Console permissions, see User Security Permissions and Permitted Actions by Feature: Web Console.
Note
By default, client owners must log off of the Web Console and then log on again for security changes to take effect. You can configure the software to refresh the security for users who are logged on. For instructions, see Refreshing Security for Users Logged On to the Web Console.
You can assign permissions for all client owners in the CommCell environment or for only the client owners of a particular client. For instructions on assigning permissions to client owners, see the following topics:
Configuring Privacy
For the Privacy setting in the Web Console to be functional, the Prevent admin access to user data check box must be selected.
-
See Enable Privacy at the CommCell Level for information on selecting the Prevent admin access to user data check box.
-
See My Computers - Privacy for information on turning on privacy once the Prevent admin access to user data check box is selected.
Configuring Alerts for End-Users
You can configure Job Management Data Protection and Data Recovery alerts to be sent to laptop clients. When configuring subscription-based alerts, a CommCell administrator can select the laptop clients or client groups that will receive alert notifications. Client owners of the selected clients are automatically subscribed to the configured alert notifications.
Note
Subscription-based alerts are only available to laptop clients and client groups.
By default, the following subscription-based alerts are available to client owners in the Web Console:
-
No backup for last 4 days
This is a Job Management - Data Protection alert which sends an individual email notification to client owners when no backup occurs in the last 4 days.
-
Recovery Job failed Alert
This is a Job Management - Data Recovery alert which sends an individual email notification to client owners when a restore operation fails.
About This Task
All client owners can subscribe to or unsubscribe from subscription-based alerts via the Web Console. For information on how client owners subscribe or unsubscribe, see Setting Up Data Management Alerts.
If you want to control which client owners can see the subscription-based alerts in the Command Center, see the instructions in the "Controlling the Client Owners Who Can See Alerts in the Command Center" section on this page.
Procedure
-
From the CommCell Console ribbon, on the Home tab, click Alerts.
-
In the Alerts dialog box, click Add.
-
On the General Information page, enter a name for the alert in the Display Name box.
-
To create an alert to monitor backup operations, select Job Management and Data Protection from the Category and Alert Type panes, respectively.
-
Select the Subscription based alert check box and then click Next.
-
Select the laptop clients or client groups that you want to associate with this alert and click Next.
-
Select the notification criteria to be used and click Next.
For example to monitor failed backup jobs, click Job Failed.
-
Select the way in which the alert is to be sent to its intended recipient:
-
To send the alert as an email, on the Email tab, select Select [Email] for notification.
-
To display the alert on the console, on the Console Alert tab, select Select [Console Alert] for notification.
Note: Only email and console alert notifications are supported for subscription-based alerts.
-
-
Click Next.
-
Review your selections on the Summary page and then click Finish.
Controlling the Client Owners Who Can See Alerts in the Web Console
You can control which client owners can see the subscription-based alerts in the Web Console. This prevents restricted client owners to subscribe or unsubscribe the subscription-based alerts created by the administrator. For information on creating subscription-based alerts, see Setting Up Subscription-Based Alerts.
Procedure
-
On the CommServe computer, add the bEnableSecurityForSubscriptionAlerts additional setting:
Property
Value
Name
bEnableSecurityForSubscriptionAlerts
Category
CommServDB.GxGlobalParam
Type
Boolean
Value
True
For instructions on adding the additional setting from the CommCell Console, see Adding or Modifying Additional Settings from the CommCell Console.
-
Set the security for the client owners:
-
For client owners who should not see subscription-based alerts in the Web Console, no configuration is required after the additional setting is added and set to true.
-
For client owners who should see subscription-based alerts in the Web Console, create a security association for the client owner that includes the following:
-
A role that includes the Edit Alert Associations permission.
-
The subscription-based alerts the client owner should see.
For instructions on creating a security association for a client owner, see Administering the Security Associations of a User.
-
-
Disabling Ability to Track a Client Computer
By default, end-users can track the location of a client computer from a map in the Web Console. The client location is fetched every 24 hours whenever the client is online. In addition, if the client is behind a firewall, another attempt to fetch the location takes place every time the client connects through the firewall.
You can disable the ability to track the location of laptop clients at the following levels:
At the CommCell Level
Use the following steps to disable the ability of laptop clients to fetch their geographical location.
-
From the CommCell Browser, right-click the <CommServe> and then click Properties.
-
On the Additional Settings tab, click Add.
-
In the Name box, type DisableGeoLocation.
-
In the Category list, select CommServDB.GxGlobalParam.
-
In the Type list, select INTEGER.
-
In the Value box, type 1.
-
Click OK to save the global parameter.
-
Click OK from the CommCell Properties dialog box.
-
Restart the Commvault services.
The laptop clients can no longer fetch their geographical location. If you only want to disable one or more clients from fetching their location, continue to the next section to configure the bDisableGeoLocation additional setting.
At the Client or Client Group Level
Use the following steps to disable the ability to track the location for a client group or for a specific client.
-
From the CommCell Browser:
For a Client Group
Navigate to the Client Computer Groups node, right-click the <Client Group> and then click Properties.
For a Specific Client
-
For a specific client, navigate to the Client Computers node, right-click the <Client> and then click Properties.
-
On the Client Computer Properties dialog box, click Advanced.
-
-
On the Additional Settings tab, click Add.
-
In the Name box, type bDisableGeoLocation.
-
In the Category list, select Cvd.
-
In the Type list, select BOOLEAN.
-
In the Value box, select true.
-
Click OK to save the additional setting configuration.
-
Click OK from the CommCell Properties dialog box.
The client map displayed in the Web Console stops showing the latest location of the client.
Configuring the Display Mode of All Geographical Maps
By default, the Web Console displays the maps that show the geographical location of each client. If you do not wish to display these maps, you can configure a global parameter at the CommServe level to do the following:
-
Hide all maps
-
Substitute each map with a link to Google Maps
Use the following steps to change the display mode of all geographical maps:
-
From the CommCell Browser, right-click the <CommServe>, and then click Properties.
-
Click the Additional Settings tab.
-
Click Add.
-
In the Name box, type Geo Location Display Mode.
-
Select CommServDB.GxGlobalParam from the Category list.
-
Select INTEGER from the Type list.
-
In the Value box, type:
-
0, if you want to hide all maps and any other client location information.
-
1, if you want to replace each map with a link to Google Maps which will show the client location.
Note
If you have already hidden the maps, but you want to display them again in the Web Console, type 2.
-
-
Click OK to save the global parameter.
-
Click OK from the CommCell Properties dialog box.
Browse or Search Based on End-User Access Control
During backups, the metadata information associated with the files is collected, stored in the backup index and is available for search/browse. By default, end-users can browse and search all the data backed up from a common resource like a shared laptop or file server. You can control the end-user access on such common resources by enabling access control on the client data.
When you enable access control on client data, the access control lists (ACLs) for the data are also included in the backup, which in turn, allow users to access only the files and folders for which they have access permissions. Other files and folders for which the user does not have permissions will be filtered and hidden during Find, Browse, Restore, and Delete Data operations.
To enable ACL based end-user browse for Security Assertion Markup Language (SAML) users, see Enabling ACL Based End-User Browse for SAML Users.
Remember: This option is only available for users who log in with their Active Directory credentials.
Before You Begin
-
To view the user data, assign End User Access permission to the client owners of the particular client computer. For instructions, see Configuring End-User Operations on Client Computers.
Assigning the End User Access permission helps maintain multiple user profiles on the same laptop (or desktop) and ensures that each user has the ability to access only the data for which the user has access permissions.
Also, remove any existing Browse permissions for the client owners.
-
By default, you can access data backed up by the defaultBackupSet on the Web Console. To browse user data backed up only by the default subclient on the Web Console, you must disable browse for non-default subclients. For instructions, see Disabling Data Browse from Non-Default Subclients.
Procedure
To enable browse or search based on end-user access control, complete the following steps:
-
From the CommCell Browser, expand Client Computers >Client > File System > Backup Set.
-
Right-click the subclient and click Properties.
-
In the Subclient Properties dialog box, click Advanced.
-
In the Advanced Subclient Properties dialog box, click the Advanced Options tab, and select Catalog ACL (end user access control list).
-
Click OK.
-
Click OK.
After enabling access control, run a full backup on the subclient to include the ACLs in the backup data. Conversely, if you run a differential or incremental backup, only the newer data will include the ACLs.