Permissions and Ownership for CommCell Console Users
The CommCell Console is available only to authorized CommCell users. End users of virtual machines cannot perform restores through the CommCell Console unless they are also authorized as CommCell users.
Members of the CommCell master group have superadmin access to all objects in the CommCell Console, and can perform all necessary operations in the CommCell Console without any further configuration.
For the CommCell Console, administrative users or user groups must be assigned as owners for the following entities:
- Virtualization clients that contain subclients identifying VMs to be backed up. A virtualization client is shown in the CommCell Browser at Client Computers > client.
- Proxies that perform protection operations. A proxy is shown in the CommCell Browser at Client Computers > client.
  Proxies for virtualization clients are identified on the Proxies tab of the Virtual Server Instance Properties dialog box; the Virtual Server instance is shown in the CommCell Browser at Client Computers > client > Virtual Server > instance. A proxy or client computer group can be assigned on this tab.
  - If a proxy belongs to a client computer group that has the required permissions, an administrator does not need to have ownership of the proxy.
  - Associate proxies or a client computer group that contains proxies to a user group with the required permissions.
- Virtual machines (source VM and destination client) for which the CommCell user needs to be able to restore guest files and folders. Ownership of the virtual machine is not required to perform restores of full VMs or VMDKs.
  Note: When restoring files or folders to a new destination (not the source VM), the destination client must have a File System agent installed.
Ownership and Permissions Required for the CommCell Console
|Attach disks to existing VM||
|Browse VMs and files||
|Restore full VMs in place||
|Restore full VMs out of place||
|Restore files and folders in place||
|Restore files and folders out of place||
Best Practices for CommCell Console User Configuration
The best practice for configuring ownership and permissions for the CommCell Console is as follows:
- Define roles for CommCell users or groups and assign permissions for each role.
- Define user groups for CommCell users and add users to the group. For each group of users, add associations for roles, virtualization clients, and proxies (or a client computer group that includes the clients and proxies). As needed, you can define additional groups for specific scopes (for example, Microsoft Exchange administrators).
- Define client computer groups for different classes of proxies (for example, proxy groups managing backups for Microsoft Exchange VMs or for SQL Server VMs). Add proxy clients and associated user groups to each proxy group. The proxy groups inherit permissions from the user group. Virtual machines can be added to client computer groups automatically.
- On virtualization clients, assign administrative users or user groups as owners, and add associated user groups. Users inherit permissions from their associated user groups.
- For each virtualization client, go to Client Computers > client > Virtual Server > instance. On the Virtual Server Instance Properties dialog, add the appropriate proxy group. The proxies in the proxy group inherit permissions defined for the user group associated with the proxy group.
- On virtual machines, assign administrators or user groups who need to be able to perform file-level restores as owners of the virtual machines. Administrators inherit permissions from their user groups.
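The ownership rules above can be checked against an exported inventory before granting access. The following is an added example, not Commvault code or its API: a simplified model in which the class names, field names, the `group_assoc` mapping and the sample inventory are all assumptions made for illustration. It reports why a guest file restore would be blocked and which proxies still lack an owner or a client computer group association.

```python
# Simplified model of the ownership rules described on this page. Class names,
# fields and the sample inventory are constructed; this is not Commvault's API.
from dataclasses import dataclass, field

MASTER_GROUP = "master"  # members have superadmin access to all objects

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)

@dataclass
class Client:  # a VM, a proxy, or a restore destination
    name: str
    owners: set = field(default_factory=set)   # user names or user group names
    has_fs_agent: bool = False
    client_groups: set = field(default_factory=set)

def is_owner(user, client):
    """True if the user owns the client directly or through a user group."""
    if MASTER_GROUP in user.groups:
        return True
    return bool(({user.name} | user.groups) & client.owners)

def file_restore_blockers(user, source_vm, dest):
    """Reasons a guest file/folder restore is not possible (empty list = OK)."""
    blockers = [f"{user.name} is not an owner of {c.name}"
                for c in {source_vm.name: source_vm, dest.name: dest}.values()
                if not is_owner(user, c)]
    # Restoring to a destination other than the source VM needs a File System agent.
    if dest.name != source_vm.name and not dest.has_fs_agent:
        blockers.append(f"{dest.name} has no File System agent installed")
    return blockers

def proxies_needing_owner(user, proxies, group_assoc):
    """Proxies the user neither owns nor reaches through a client computer group.
    group_assoc maps client computer group -> associated user groups (assumed shape)."""
    return [p.name for p in proxies
            if not is_owner(user, p)
            and not any(user.groups & group_assoc.get(g, set()) for g in p.client_groups)]

# Constructed sample inventory.
alice = User("alice", {"vm-admins"})
bob = User("bob", {"exchange-admins"})
vm1 = Client("vm1", owners={"vm-admins"})
vm2 = Client("vm2", owners={"alice"}, has_fs_agent=False)
vm3 = Client("vm3", owners={"vm-admins"}, has_fs_agent=True)
proxy_a = Client("proxy-a", client_groups={"exchange-proxies"})
proxy_b = Client("proxy-b", owners={"bob"})
proxy_c = Client("proxy-c")
ASSOC = {"exchange-proxies": {"exchange-admins"}}
```

Full VM and VMDK restores are deliberately not modeled, since the page states that VM ownership is not required for them.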