V11 SP8
Loading...

User Security Permissions and Permitted Actions by Feature

Table of Contents

The following table lists the features with their required permission and their required entity association in the CommCell Console. The Associated CommCell Entities column lists the minimum level of entity association a user or user group needs to perform the function. To see this information sorted by permission and associated CommCell entity, see the Permissions and Permitted Actions.

1-Touch

Task Permission Associated CommCell Entities
1-Touch operations Administrative management

Browse

End User Access

Out-of-place

Recover

In Place Recover

Install Package/Update or Install Client

Agent Management

Overwrite on Restore

Clients and Client Computer Groups where you installed the Windows File System Agent.

Advanced File System iDataAgent Options

On-Demand Data Protection

Task Permission Associated CommCell Entities
Run on-demand data protection jobs Data Protection/Management Operations Backup set
Create a new on-demand backup set Agent Management

Restore Data Using a Map File and Restore by Jobs

Task Permission Associated CommCell Entities
If data is being recovered to the same destination as the original data protection operation In Place Recovery At least subclient level association at the source client
If data is being recovered to a different destination than the original data protection operation: Source Client Out of Place Recovery At least backup set/instance association
If data is being recovered to a different destination than the original data protection operation: Destination Client (same platform as the source Client) In Place Recovery At least Agent level association
If data is being recovered to a different destination than the original data protection operation: Destination Client (different platform from the source Client) In Place Recovery At least Client level association

Agents

Task Permission Associated CommCell Entities
Modify and perform operations specific to an agent. Agent Management Agent
Install an agent on the CommCell.

Note: This operation requires this permission only when the Authentication for Agent Installs feature is enabled.

Install Package/Update, Install Client Client

Alerts

Task Permission Associated CommCell Entities
Create an alert.

Note: The user who creates the alert is automatically assigned the Alert Owner role on the new alert. The Alert Owner role includes the following permissions:

  • Edit Alert Associations
  • Add/Remove Recipients
  • Delete Alert
  • Edit Alert
  • Change security settings
  • View

Note: For the permissions and the entities needed to add security associations to an alert, see Security Associations.

Create Alert CommCell
Add entities to a new alert.

Note: Not all alerts require entities.

Alert Management You must have the Alert Management permission on the entities you are adding to the alert.
Add entities to an existing alert.

Note: Not all alerts require entities.

  • Edit Alert Associations or Edit Alert
  • Alert Management
Alert for Edit Alert Associations or Edit Alert

You must have the Alert Management permission on the entities you are adding to the alert.

Add notification recipients to a new alert. Create Alert CommCell
Add notification recipients to an existing alert. Add/Remove Recipients or Edit Alert Alert
Modify an alert.

Note: For the permissions and the entities needed to modify the security associations on an alert, see Security Associations.

Edit Alert Alert
View an alert. Any of the alert permissions Alert
Delete an alert. Delete Alert Alert
Modify or delete an alert on a schedule or schedule policy. See the Scheduling and Schedule Policy tables.
Create alert rules.
  • Administrative Management
  • Report Management
CommCell
Use alert rules to create alerts.

Alternate Data Paths (GridStor)

Task Permission Associated CommCell Entities
Configure a storage policy copy for alternate data paths, and delete data paths from the copy. Storage Policy Management Storage Policy

Application-Free Restore

This operation includes the following.

Task Permission Associated CommCell Entities
Restore databases directly to a disk from the CommCell Console without the use of the database application.

Out of Place Recover (Source Client)

Browse (Destination Client)

In Place Recover (Destination Client)

The Out of Place Recover permission at the backup set or instance at the source client

and

The Browse and In Place Recover permissions at the agent level of the destination client

Archive

Task Permission Associated CommCell Entities
Configure and perform archive operations. Data Protection/Management Operations Archive Set, Instance, Subclient
Configure offline archive options in Outlook Add-In. Local administrative privileges are required by users logged into the Outlook Add-In client. N/A

Audit Trail

Task Permission Associated CommCell Entities
Track the operations of users who have access to the CommCell and set or modify the Audit Trail settings. Administrative Management CommCell

Automatic Updates/Upgrade

Task Permission Associated CommCell Entities
Configure, download, and install software upgrades. Administrative Management CommCell
Install Package/Update Client
Install Client CommCell

Auxiliary Copy

Task Permission Associated CommCell Entities
Run an auxiliary copy operation. Administrative Management CommCell
Run an auxiliary copy operation for a storage policy. Storage Policy Management Storage Policy

Backup Copy

Task Permission Associated CommCell Entities
  • Copy the snapshots of the data to any media.
  • Create additional standby copies of data.
Data Protection/Management Operations

Storage Policy Management

Client/Subclient

Storage Policy

Backup Set

Task Permission Associated CommCell Entities
Create a backup set. Agent Management Agent
Modify and delete a backup set. Backup Set

Browse

Perform a browse operation at the following CommCell levels.

Task Permission Associated CommCell Entities
Client Browse

Note: Users with the Browse permission can browse all of the data.

Client
Agent Agent
Backup Set Backup Set
Instance/Partition Instance/Partition
Replication Set Replication Set
Subclient Subclient

Browse Recoveries and Find Recoveries from Windows File System

Description Permission Associated CommCell Entities
You can perform ACL-based browse and restore for the Windows File System. End User Access

Note: Users with End User permissions can browse data owned by them. Assigning End User Access permission helps to maintain multiple user profiles on the same laptop (or desktop) and ensures that users have the ability to browse and restore only the data to which they have access.

CommCell

Content Indexing and Search

Task Permission Associated CommCell Entities
  • Configure and perform Offline Content Indexing
  • Delete Content Indexing server
Administrative Management CommCell
Search data that has been content indexed on the associated entities that are owned by the user. End User Access CommCell/Client group/Client/Agent/Backup Set
Search all of the data that has been content indexed on the associated entities, regardless of ownership. Compliance Search CommCell/Client group/Client/Agent/Backup Set
Add/Modify Annotations to discovered items Annotation Management CommCell/Client group/Client/Agent/Backup Set
  • Create/Modify/Delete Legal Holds
  • Add search items to Legal Hold
  • Retrieve data from Legal Hold
Legal Hold Management CommCell/Client group/Client/Agent/Backup Set
  • Create/Modify/Delete Tags
  • Associate/Dissociate Tags to discovered items
Tag Management CommCell/Client group/Client/Agent/Backup Set

Client

Perform the following functions for a client.

Task Permission Associated CommCell Entities
Register a client from the client level Install Client CommCell
  • Modify
  • Enable privacy
  • Set the job priority
  • Create an Oracle RAC client
  • Create a DB2 MultiNode pseudo-client
  • Release License
  • Delete
Agent Management

The Storage Policy Management permission is also required for the following tasks:

  • Create an Oracle RAC client
  • Create a DB2 MultiNode pseudo-client
Client, Client Computer Group

Client Computer Group

Task Permission Associated CommCell Entities
Create a client computer group.

Note: The user who creates the client computer group is automatically assigned the Client Group Creator role on the new client computer group. The Client Group Creator role includes the following permissions:

  • Agent Management
  • Change Client Associations
  • Delete Client Group
  • Administrative Management
Create Client Group CommCell
Modify client computer group properties Agent Management Client Computer Group
Set Activity Control from the client computer group level Agent Management Client Computer Group
Delete client groups Delete Client Group, Administrative Management, and Agent Management Client Computer Group
Add clients to or remove clients from a client computer group when associations are listed on the Security tab in the Client Group dialog box
  • Change Client Associations, Administrative Management, and Agent Management
  • Change security settings and Agent Management
  • Client Computer Group
  • Any entity on which you want to perform the task.
Add clients to or remove clients from a client computer group when no associations are listed on the Security tab in the Client Group dialog box
  • Change Client Associations, Administrative Management, and Agent Management
  • Agent Management
  • Client Computer Group
  • Any entity on which you want to perform the task.
Modify smart client computer group rules (automatic associations) Change Client Associations, Administrative Management and Agent Management Client Computer Group

Control Panel

Add or modify the parameters available in the Control Panel.

Task Permission Associated CommCell Entities
License Administration License Management CommCell
All parameters Administrative Management CommCell

CommCell Migration

Task Permission Associated CommCell Entities
Migrate clients from one CommCell to another Administrative Management CommCell

CommServe

Task Permission Associated CommCell Entities
Modify CommServe properties. Administrative Management CommCell

Custom Calendar

Task Permission Associated CommCell Entities
Define custom calendars to suit the needs of your organization Administrative Management CommCell

Data Aging

Task Permission Associated CommCell Entities
Run a data aging operation Administrative Management CommCell

Data Collection

Perform Data Collection operations at the following CommCell Levels.

Task Permission Associated CommCell Entities
Agent Agent Management Agent
Subclient Agent Scheduling Subclient

Data Compression

Task Permission Associated CommCell Entities
Enable software compression for the Agent Agent Management Agent
Enable hardware compression for a data path from a storage policy copy to which the data path is associated Storage Policy Management Storage Policy

Data Encryption

Set Data Encryption at the following CommCell Levels.

Task Permission Associated CommCell Entities
Client Agent Management Client
Subclient Agent

Data Interface Pairs

Task Permission Associated CommCell Entities
Configure data interface pairs Administrative Management CommCell

Data Multiplexing

Task Permission Associated CommCell Entities
Configure a copy for Data Multiplexing Storage Policy Management Storage Policy

Data Protection

Note: The associated object is the object from which the data protection operation is being initiated.

Task Permission Associated CommCell Entities
Configure and perform the following data protection operations:
  • Backups including synthetic full backups
  • Compliance Archiving
  • Migration Archiving
Data Protection/Management Operations Backup Set/Archive Set, Instance/Partition, Subclient

Data Verification

Perform the following data verification functions.

Task Permission Associated CommCell Entities
  • Perform a data verification operation
  • Configure a storage policy copy for data verification
Storage Policy Management Storage Policy

Database Space Check Interval

Task Permission Associated CommCell Entities
Set the Database Space Check Interval Administrative Management CommCell

Deconfigure

De-configure the following CommCell Objects.

Task Permission Associated CommCell Entities
MediaAgent MediaAgent Management CommCell
Client Agent Management Client
Agent Agent

Deployment

Task Permission Associated CommCell Entities
Install new client

Interactive Install when the CommServe Authentication is available

Remote Install / Silent Install

Install Package/Update, Install Client

Note: Administrative Management permission is required when installing, registering, and uninstalling DB packages.

 

Client, CommCell
Install Agent on existing client
Register a Client
Uninstall and repair software using the CommCell Console

Disaster Recovery Backup

Task Permission Associated CommCell Entities
Configure and perform Disaster Recovery Backups Administrative Management CommCell

Erase Backup/Archived Data

Task Permission Associated CommCell Entities
Configure and perform an Erase Data by Browsing or Erase Stubs operation. Administrative Management CommCell

Erase Backup/Archived Data from the DataArchiver Outlook Add-In

Task Permission Associated CommCell Entities
Perform the following Erase Data operations from the DataArchiver Outlook Add-In:
  • Browse and Erase Data
  • Find and Erase Data
End User Access, Administrative Management CommCell

Event Viewer

Task Permission Associated CommCell Entities
Set the maximum number of events to be retained in the Event Viewer. No rights are required. No rights are required.

Filters

Perform the following filters functions.

Task Permission Associated CommCell Entities
Create Global Filters. Administrative Management CommCell
  • Enable global filters for a subclient.
  • Create data protection filters for a subclient.
Agent Management Subclient
Enable CSVDE filtering for discovery operations. Agent Management Agent

Hardware Maintenance

Modify the following hardware maintenance settings.

Task Permission Associated CommCell Entities
  • Library Maintenance
  • Drive Maintenance
  • Media Expiration
  • Drive Cleaning Thresholds
Administrative Management CommCell

In Place Recover

Browse and recover to the same place as the original data protection operation. These operations include the following.

Task Permission Associated CommCell Entities
  • Copyback
  • Restore
  • Recovery
  • Retrieve
In Place Recover

Note for File System Agents: To overwrite files during a restore to the same location, the Overwrite on Restore permission is required.

Client/Agent/Backup Set/Instance/Partition/Replication Set

Index Cache

See MediaAgent.

Instance/Partition

Task Permission Associated CommCell Entities
Create, modify, and delete an instance/partition. Agent Management Instance/Partition

Job Management

Note: When performing an action on multiple jobs in the Job Controller, the correct permission and object association for all of the selected jobs are necessary. If a user is missing the correct permission, the group action cannot be performed on any of the jobs. The user who initiated a job can perform Job Controller functions for that job regardless of permission or object association.

Task Permission Associated CommCell Entities
Perform the following Job Management configuration functions:
  • Set the job priority of an Agent.
  • Queue jobs.
  • Set the job update interval.
  • Determine if a job should be preemptible or restartable.
Administrative Management CommCell
Perform the following Job Controller functions:
  • Suspend, resume, and kill selected jobs and groups of jobs.
  • Change the job priority of a scheduled job, running jobs, or groups of running jobs from the Job Controller.
Job Management CommCell
Suspend, resume, and kill selected jobs and groups of jobs. Job Management Entity the job is associated with

Expert Storage Configuration

Task Permission Associated CommCell Entities
Configure and de-configure libraries and drives. Administrative Management MediaAgent
  • Configure and de-configure libraries and drives associated with a MediaAgent.
  • Automatically add the user group (the user belongs) to the newly-configured libraries.
MediaAgent Management

To enable these tasks or operations, set the value of the Media Management configuration parameter Provide user with MediaAgent management rights additional capabilities for libraries, data paths, and storage policies to 1.

MediaAgent
  • Create/delete or modify scratch pools.
  • Move media between scratch pools.
  • Reset library, library controller.
  • Full scan.
  • Mark library fixed.
  • Properties of library, master drive pool, drive pool, drive, and media.
  • Validate drive.
  • Mark a drive cleaned.
  • Mark a drive replaced.
  • Mark a drive fixed.
  • Clean drive.
  • Reset drive.
  • Unload drive.
  • Import media, cleaning media.
  • Load media.
  • Mark media full, bad, and appendable.
  • Mark media exported, prevent media export, export media.
  • Verify media.
  • Move media.
  • Delete media.
  • Update barcode.
  • Unload media.
  • Export media or schedule export media.

    Note: Users who are not a member of the View All user group would not be able to view/browse the export locations. However, they can manually enter the export location and successfully complete the export operation.

  • Recall media
  • View contents.
  • Inventory, Scheduled Inventory for Blind Library.
  • Stamp media in stand alone libraries.
Library Administration Library / Client Computer Group
  • Erase spare media.
  • Delete contents.
  • Overwrite Media options.
  • Create/delete or modify scratch pools.
  • Move media between scratch pools.
  • Reset library, library controller.
  • Full scan.
  • Mark library fixed.
  • Properties of library, master drive pool, drive pool, drive, and media.
  • Validate drive.
  • Mark a drive cleaned.
  • Mark a drive replaced.
  • Mark a drive fixed.
  • Clean drive.
  • Reset drive.
  • Unload drive.
  • Import media, cleaning media.
  • Load media.
  • Mark media full, bad, and appendable.
  • Mark media exported, prevent media export, export media.
  • Verify media.
  • Move media.
  • Delete media.
  • Update barcode.
  • Unload media.
  • Export media or schedule export media.

    Note: Users who are not a member of the View All user group would not be able to view/browse the export locations. However, they can manually enter the export location and successfully complete the export operation.

  • Recall media
  • View contents.
  • Inventory, Scheduled Inventory for Blind Library.
  • Stamp media in stand alone libraries.
Library Management

Library Management is a superior permission with critical library management rights, in addition to all the rights in Library Administration permission.

Library / Client Computer Group

License

Task Permission Associated CommCell Entities
Add and update a license. License Management and Administrative Management CommCell

List Media

View the list of media required for browse/data recovery operations.

Task Permission Associated CommCell Entities
Client Browse Client
Agent Agent
Backup Set Backup Set
Instance/Partition Instance/Partition
Subclient Subclient

Log Files

Note: The function of viewing log files does not require security.

Task Permission Associated CommCell Entities
Send and view log files. No rights are required. No rights are required.

MediaAgent

Task Permission Associated CommCell Entities
Modify MediaAgent properties including the Index Cache, and perform MediaAgent operations. MediaAgent Management MediaAgent / Client Computer Group

Monitoring Policy

The permissions apply to log monitoring and system monitoring policies unless otherwise noted.

Task Permission Associated CommCell Entities
Create a monitoring policy. No rights are required.

Note: The user creating the monitoring policy must have the Administrative Management or Agent Management permission on the client or client group that contains the logs to be monitored.

N/A
  • Delete a monitoring policy.
  • Log Monitoring: Erase search results from the Analytics Engine
Delete Monitoring Policy Monitoring Policy
Execute or run a monitoring policy. Execute Monitoring Policy Monitoring Policy
Edit a monitoring policy. Edit Monitoring Policy

Note: The user creating the monitoring policy must have the Administrative Management or Agent Management permission on the client or client group that contains the logs to be monitored.

Monitoring Policy
View a monitoring policy. View Monitoring Policy

Name Change

Task Permission Associated CommCell Entities
CommServe name change Administrative Management CommCell
Client name change Administrative Management CommCell
MediaAgent name change Media Management MediaAgent / Client Computer Group

NAS Client Configuration

Task Permission Associated CommCell Entities
Create NAS clients Install Client CommCell

Operation Window

Operation Rules can be defined at the following CommCell levels.

Task Permission Associated CommCell Entities
CommCell Administrative Management CommCell
Client Computer Group Administrative Management Client Computer Group
Client Agent Management Client
Agent Agent Management Agent
Subclient Agent Management Subclient

Out of Place Recover

Browse and recover to a different place than the original data protection operation. These operations include the following.

Task Permission Associated CommCell Entities
  • Copyback
  • Restore
  • Recovery
  • Retrieve
Out of Place Recover (Source Client)

In Place Recover (Destination Client)

At least Backup Set or Instance/Partition at the source client/Replication Set

and

The In Place Recovery permission at the agent level of the destination client. If the destination client is on a different platform than the source client (for example, a Unix File System client and a Windows File System client), then In Place Recovery with at least client level association at the destination client is needed.

Plans

Plans are used in the Admin Console to define the information to back up and how often to perform the backup.

Task Permission Associated CommCell Entities
Create a plan. Create Plan The entity using the plan.
Edit a plan. Edit Plan The entity using the plan.
Delete a plan. Delete Plan The entity using the plan.
Add a plan to or remove a plan from an entity. Edit Plan Associations The entity using the plan.

Pre/Post Processes

Task Permission Associated CommCell Entities
Configure Agent Management Agent
Add pre/post processes for data recovery operations Agent Management and the In Place or Out of Place Recover permission Agent
Remove a pre/post process for data protection/archive operations Agent Management and Data Protection/Management Operations Agent
Configure pre/post processes for Disaster Recovery Backup operations Administrative Management CommCell
Run subclient pre/post commands using a local system account. Run Command with System Account Subclient
Run subclient pre/post commands using an impersonated user. Run Command with User Account Subclient

Recovery Point

Task Permission Associated CommCell Entities
Schedule the creation and back up of a Recovery Point. Agent Scheduling Replication Set
  • Create Recovery Point.
  • Back up Recovery Point.
Data Protection/Management Operations

Records Management

Task Permission Associated CommCell Entities
Create custom properties for records. Create Custom Property Client
Update custom properties for records. Update Custom Property
Delete custom properties for records. Delete Custom Property

Reports

Task Permission Associated CommCell Entities
Add a data source for reports that were downloaded from the Commvault Store or built with Build Your Own Reports. Add Datasource CommCell
Delete data sources used in reports that were downloaded from the Commvault Store or built with Build Your Own Reports. Delete Datasource CommCell
Edit data sources for reports that were downloaded from the Commvault Store or built with Build Your Own Reports. Edit Datasource CommCell
Query data sources for reports that were downloaded from the Commvault Store or built with Build Your Own Reports. Query Datasource CommCell
Create a new report using Build Your Own Reports. Add Report CommCell
Delete reports that were downloaded from the Commvault Store or built with Build Your Own Reports. Delete Report CommCell
Edit reports that were downloaded from the Commvault Store or built with Build Your Own Reports. Edit Report CommCell
View reports that were downloaded from the Commvault Store or built with Build Your Own Reports. Execute Report CommCell
Publish reports to the Download Center.
  • Add Report
  • Edit Report
  • Install Package/Update
  • Download Center Management
CommCell

Web Server Client

Client Group with Web Server

Download reports from the Commvault Store. Add Report CommCell
View and run reports on CommCell Console. Report Management Any entity that you want to view in reports such as clients, storage policies, libraries, and any other available entity in the CommCell Console.
View Metrics reports on Web Console. Report Management Pseudo CommCell Client/CommCell Group level or higher
View the SLA Report and the Backup Job Summary Report on the Web Console. Report Management Client level or higher

Replication Pair

Task Permission Associated CommCell Entities
Delete a Replication Pair. Agent Management Replication Set
Start/suspend/resume/abort Replication Pairs. Job Management

Replication Set

Task Permission Associated CommCell Entities
  • Modify and delete a Replication Set.
  • Create, modify, and delete a Replication Pair.
Agent Management Replication Set
Start/suspend/resume/abort Replication Sets. Job Management

Schedule Policy

Note: Only a user who created the schedule policy or a user who is associated with all of the objects associated with the schedule policy can change the schedule pattern.

Task Permission Associated CommCell Entities
Delete a schedule policy. Delete Schedule Policy Schedule Policy
Modify an alert on a schedule or schedule policy. Alert Management

Note:

  • If the alert is on a data protection schedule policy, the Data Protection/Management Operations permission is needed.
  • If the alert is on a backup copy schedule policy, the Data Protection/Management Operations and Storage Policy Management permissions are needed.
CommCell
Delete an alert from a schedule or schedule policy. Administrative Management

Note:

  • If the alert is on a data protection schedule or schedule policy, the Data Protection/Management Operations permission is needed.
  • If the alert is on a backup copy schedule or schedule policy, the Data Protection/Management Operations and Storage Policy Management permissions are needed.
Client Computer Group, Client, Agent, Backup Set, Instance/Partition, Subclient, Library, MediaAgent, Storage Policy, Tracking Policy

Note: The necessary associated object depends on the entity for which the alert is created.

Data Protection Schedule Policy

Task Permission Associated CommCell Entities
Create and clone a Data Protection schedule policy. Create Schedule Policy CommCell
  • Agent Scheduling
  • Data Protection/Management Operations
Client
Modify a Data Protection schedule policy. Edit Schedule Policy Schedule Policy
Add entities to or remove entities from a Data Protection schedule policy. Edit Schedule Policy Associations Schedule Policy
Run the schedules of a Data Protection schedule policy immediately.
  • Agent Scheduling
  • Data Protection/Management Operations at the level for which the schedules were created.
Agent, Backup Set, Instance/Partition/Subclient
Decouple a scheduled job from a Data Protection schedule policy.
  • Edit Schedule Policy
  • Agent Scheduling
  • Data Protection/Management Operations at the level for which the schedules were created.
Schedule Policy

Auxiliary Copy Schedule Policy

Task Permission Associated CommCell Entities
Create and clone an auxiliary copy schedule policy. Create Schedule Policy CommCell
  • Storage Policy Management
  • Data Protection/Management Operations
  • Agent Scheduling
Storage Policy
Modify an auxiliary copy schedule policy. Edit Schedule Policy Schedule Policy
Add entities to or remove entities from an auxiliary copy schedule policy. Edit Schedule Policy Associations Schedule Policy
  • Disable an auxiliary copy schedule policy.
  • Run the schedules of the auxiliary copy schedule policy immediately.
  • View the storage policies and storage policy copies associated with the Auxiliary Copy schedule policy.
Storage Policy Management Storage Policy

Scheduling

Note: The user who created the schedule can also view it without any permission or object association.

Task Permission Associated CommCell Entities
Add, modify, disable, delete, and view data protection operation schedules.
  • Agent Scheduling
  • Data Protection/Management Operations

Note: This operation also requires the Data Protection/Management Operations, In Place Recover, and Out of Place Recover permissions respectively for Data Protection and Data Recovery Schedule.

Agent, Backup Set, Instance/Partition/Subclient
Add, modify, disable, delete, and view data recovery operation schedules.
  • Agent Scheduling
  • In Place Recover and/or Out of Place Recover

Note: This operation also requires the Data Protection/Management Operations, In Place Recover, and Out of Place Recover permissions respectively for Data Protection and Data Recovery Schedule.

  • Schedule administration operations such as Data Aging, Auxiliary Copy, Disaster Recovery backup, Data Verification, Automatic Update, Erase Data by Browsing/Erase Stubs, Drive Cleaning, and Report.
  • View, delete, disable, or modify the above schedules.
  • Run a scheduled task immediately.
  • Set Holidays.
Administrative Management CommCell
Delete an alert from a schedule or schedule policy. Administrative Management

Note:

  • If the alert is on a data protection schedule or schedule policy, the Data Protection/Management Operations permission is needed.
  • If the alert is on a backup copy schedule or schedule policy, the Data Protection/Management Operations and Storage Policy Management permissions are needed.
Client Computer Group, Client, Agent, Backup Set, Instance/Partition, Subclient, Library, MediaAgent, Storage Policy, Tracking Policy

Note: The necessary associated object depends on the entity for which the alert is created.

Modify an alert on a schedule or schedule policy. Alert Management CommCell
Create schedules for the Vault Tracker Policy.

Note: The user who creates a schedule can view, delete, disable, or modify the schedules without any capability or object association.

Vault Tracker Operations Entities other than CommCell

Security Associations

To create a security association, you must have all of the following permissions on the entities listed:

Task Permission Entity
Create a security association: a three-way mapping of a role, users, and entities. View

This permission is required if security was enabled for roles. For information on enabling security for roles, see Enabling Security on Roles.

Role
Add, delete and modify a user

Add, delete and modify a user group

Add, delete and modify a domain

The users, user groups, or domains that are included in the security association
Change security settings The entities that are included in the security association
A role that includes all of the same permissions as the role included in the security association The entities that are included in the security association
Example

User A wants to assign Role1 to User Group1 on Client001 and MediaAgent001.

Role1 has the Administrative Management and Agent Management permissions.

User A must have the following:

  • Add, delete and modify a user group on User Group1
  • Change security settings on Client001 and MediaAgent001
  • Administrative Management and Agent Management permissions on Client001 and MediaAgent001

For information on the permissions needed for user management, see User Administration and Security.

Single Sign On

Task Permission Associated CommCell Entities
Enable Single Sign On to use Active Directory credentials to access the CommServe Add, delete and modify a domain Domain

Snapshots

Task Permission Associated CommCell Entities
Configure, activate, and deactivate snapshots. Agent Management Agent

Storage Policy and Storage Policy Copy

Task Permission Associated CommCell Entities
  • Create and delete storage policies and storage policy copies.
  • Create and delete storage policy copies including inline copies.
  • Migrate media.
Storage Policy Management MediaAgent / Client Computer Group
  • Modify a storage policy or storage policy copy.
  • Enable an Incremental Storage Policy.
  • Prune, disable, and manually retain a data protection operation on a copy.
  • Set Inline Copy.
Storage Policy Management Storage Policy / Client Computer Group
Create, modify, and delete storage policies and storage policy copies associated with a MediaAgent. MediaAgent Management

To enable these tasks or operations, set the value of the Media Management configuration parameter Provide user with MediaAgent management rights additional capabilities for libraries, data paths, and storage policies to 1.

MediaAgent / Client Computer Group

Streams

Task Permission Associated CommCell Entities
Combine the data streams of a storage policy copy. Storage Policy Management Storage Policy / Client Computer Group

Subclient Policy

Note: The associated object is the object from which the data protection operation is being initiated.

Task Permission Associated CommCell Entities
Create a subclient policy.
  • Create Subclient Policy: on CommCell
  • Agent Management: on backup sets that are associated with the subclient policy.
  • CommCell
  • Backup Set
  • Edit subclient policy name and description.
  • Create, modify, or delete a subclient under a subclient policy.
Edit Subclient Policy Subclient Policy
Edit subclient policy associations.
  • Edit Subclient Policy Associations
  • Agent Management: on backup sets that are being associated or disassociated.
  • Subclient Policy
  • Backup Set
Clone a subclient policy.
  • View: on subclient policy
  • Create Subclient Policy: on CommCell
  • Subclient Policy
  • CommCell
Delete a subclient policy. Delete Subclient Policy Subclient Policy
Change security settings for subclient policy. Change Security Settings Subclient Policy

Subclient

Task Permission Associated CommCell Entities
Create and delete a subclient. Agent Management Backup set
Modify a subclient. Agent Management Subclient

Synthetic Full

See Data Protection.

User Accounts and Passwords

Task Permission Associated CommCell Entities
  • Control Panel > System > Change Passwords: Change the media and network passwords.
  • Control Panel > User Account Management: Change user accounts.
Administrative Management CommCell

User Administration - Search Console

Task Permission Associated CommCell Entities
Configure disk space utilization and search result display for each user. Administrative Management CommCell

User Administration and Security

Task Permission Associated CommCell Entities
Create, edit, and delete a role. Change security settings Any entity on which you want to perform the task.
Create a user. Add, delete and modify a user CommCell
Edit and delete a user. Add, delete and modify a user User
Create a user group. Add, delete and modify a user group CommCell
Edit and delete a user group and an external group. Add, delete and modify a user group User Group
Add a domain. Add, delete and modify a domain CommCell
Edit and delete a domain. Add, delete and modify a domain Domain
Add an external user. Add, delete and modify a user Domain
Add an external group. Add, delete and modify a user group Domain

For information on the permissions needed to create a security association, see Security Associations.

Vault Tracker Feature

Task Permission Associated CommCell Entities
Add, delete, and modify any of the following objects or operations:
  • Actions
  • Containers
  • Export Media from Backup/Auxiliary Copy Operations
  • Export Media using the Export Media Wizard
  • Iron Mountain ID
  • Library
  • Location
  • Media Repository
  • Recall Media
  • Vault Tracker Policy
  • Vault Tracker Alerts
  • Vault Tracker Reports

    Note: This operation also requires the Report Management permission. Only information about objects available with the user's current Vault Tracker Operations permission level are displayed in the report.

Vault Tracker Operations CommCell
  • Actions: details, set container, abort, picked up, reached destination
  • Containers: modify, delete, move all media, remove all media
  • Library: view and modify at the Vault tracker policy
  • Location: modify, delete
  • Media Repository: modify, delete, update barcode, add media
  • Tracking Policy: run, modify, delete, view media, view schedules, create schedules, set holidays
Vault Tracker Operations Entities other than CommCell

Virtual Machine Restore

Task Permission Associated CommCell Entities
Recover guest files and folders to their original location. In Place Recover Client/Agent
Recover full virtual machines to their original location. In Place Full Machine Recovery

End users performing the restore must own the virtual machines being recovered.

CommCell Console users performing the restore must own or have an association with the virtualization client protecting the virtual machine.

Client/Agent
Recover guest files and folders to a different destination client. Out of Place Recover

and

In Place Recover

Client/Agent
Recover full virtual machines to a location other than the original location. Out of Place Full Machine Recovery

End users performing the restore must own the virtual machines being recovered.

CommCell Console users performing the restore must own or have an association with the virtualization client protecting the virtual machine.

Client/Agent

Virtualize Me

Task Permission Associated CommCell Entities
Perform a Virtualize Me operation Administrative management

Browse

End User Access

Out-of-place

Recover

In Place Recover

Install Package/Update or Install Client

Agent Management

Overwrite on Restore

Clients and Client Computer Groups where you installed the Windows File System Agent.

Web Console

My Data Application

Task Permission Associated CommCell Entities
Run the incremental backup jobs, but not cancel or suspend the backup job. Data Protection Operations Clients managed using Web Console.
Pause, resume, or kill the backup job. Job Management Clients managed using Web Console.
Perform the following in the Web Console:
  • Restore the backed up data to the same place/different place as the original data protection operation
  • Restore backed up data from a specific date or time range
Users can have either of these groups of permissions:
  • Browse, In Place Recover, and Out of Place Recover
  • End User Access

(For end user access, you must enable the end user access control list option for the client computer)

Clients managed using Web Console.
Perform the following in the Web Console:
  • Add a new content path
  • Modify/Delete the existing content path created by another user
  • Exclude specific content
Agent Management Clients managed using Web Console.
Perform the following in the Web Console:
  • Restore the backed up data to the same place/different place as the original data protection operation
  • Restore backed up data from a specific date or time range
Users can have either of these groups of permissions:
  • Browse, In Place Recover, and Out of Place Recover
  • End User Access

(For end user access, you must enable the end user access control list option for the client computer)

Clients managed using Web Console.
Download one or more backed up files and folders to a specific location in the computer used for accessing the Web Console. Users can have either of these groups of permissions:
  • Browse, Compliance Search, and Download
  • End User Access and Download

(For end user access, you must enable the end user access control list option for the client computer)

Clients managed using Web Console.
Upload one or more files and folders to a specific location in the client computer from the Web Console. Users can have either of these groups of permissions:
  • Browse and Upload
  • End User Access and Upload

(For end user access, you must enable the end user access control list option for the client computer)

Clients managed using Web Console.
Share files and folders with other users. Sharing Clients managed using Web Console.
User can browse backed up data and live (not backed up) data on the client computer.

User can also browse data on network share location.

Applies To: File System agents

Users can have either of these groups of permissions:
  • Browse and Live Browse
  • End User Access and Live Browse

(For end user access, you must enable the end user access control list option for the client computer)

Clients managed using Web Console.
Search the data backed up from the client computer.

The search capability provided in the Web Console also allows users to search through the contents of the backup data.

Users can have either of these groups of permissions:
  • Browse and Compliance Search
  • End User Access

(For end user access, you must enable the end user access control list option for the client computer)

Clients managed using Web Console.
Erase the data backed up from the client computer. Users can have either of these permissions:
  • Browse
  • End User Access

(For end user access, you must enable the end user access control list option for the client computer)

Clients managed using Web Console.
Open the Restore Files page. For CommCell users: Browse

For domain users: Browse or End User Access

(For end user access, you must enable the end user access control list option for the client computer)

Clients managed using Web Console.
Synchronize a set of files and folders with up to three computers at once. Users can have either of these groups of permissions:
  • Browse, In Place Recover, and Out of Place Recover
  • End User Access, In Place Recover, and Out of Place Recover

(For end user access, you must enable the end user access control list option for the client computer)

Clients managed using Web Console.

Virtual Machines Application

Task Permission Associated CommCell Entities
Make a copy of a virtual machine. Clone VM Virtual machines created using Web Console.
Create a snapshot backup of a virtual machine. Create VM Snapshot Virtual machines created using Web Console.
Delete a virtual machine. Delete VM Virtual machines created using Web Console.
Delete snapshot backups of a virtual machine. Delete VM Snapshot Virtual machines created using Web Console.
Edit the settings for a virtual machine. Edit VM Virtual machines created using Web Console.
Power off a virtual machine. Power OFF VM Virtual machines created using Web Console.
Power on a virtual machine. Power ON VM Virtual machines created using Web Console.
Refresh the connection to the hardware. Refresh VM Virtual machines created using Web Console.
Extend the life of a virtual machine to a specified date. Renew VM Virtual machines created using Web Console.
Revert a virtual machine to a previous snapshot backup. Revert VM Snapshot Virtual machines created using Web Console.

Workflow Feature

Task Permission Associated CommCell Entities
Create a workflow Create Workflow Any entity
Deploy a workflow Agent Management Client where the Workflow Engine is installed
Execute or run a workflow Execute Workflow Workflow
Edit a workflow Edit Workflow Workflow
Delete a workflow Delete Workflow Workflow