V11 SP8
Loading...

Permissions and Ownership for CommCell Console Users

The CommCell Console is available only to authorized CommCell users. End users of virtual machines cannot perform restores through the CommCell Console unless they are also authorized as CommCell users.

Members of the CommCell master group have superadmin access to all objects in the CommCell Console, and can perform all necessary operations in the CommCell Console without any further configuration.

For the CommCell Console, administrative users or user groups must be assigned as owners for the following entities:

  • Virtualization clients that contain subclients identifying VMs to be backed up. A virtualization client is shown in the CommCell Browser at Client Computers > client.
  • Proxies that perform protection operations. A proxy is shown in the CommCell Browser at Client Computers > client.

    Proxies for virtualization clients are identified on the Proxies tab of the Virtual Server Instance Properties dialog box; the Virtual Server instance is shown in the CommCell Browser at Client Computers > client > Virtual Server > instance. A proxy or client computer group can be assigned on this tab.

    Notes:

    • If a proxy belongs to a client computer group that has the required permissions, an administrator does not need to have ownership of the proxy.
    • Associate proxies or a client computer group that contains proxies to a user group with the required permissions.
  • Virtual machines (source VM and destination client) for which the CommCell user needs to be able to restore guest files and folders. Ownership of the virtual machine is not required to perform restores of full VMs or VMDKs.

    Note: When restoring files or folders to a new destination (not the source VM), the destination client must have a File System agent installed.

Ownership and Permissions Required for the CommCell Console

Operation Ownership Client Permissions
Attach disks to existing VM
  • Virtualization client
  • Browse on virtualization client
  • In Place Recover on VSA proxy
  • Out of Place Recover on virtualization client
Browse VMs and files
  • Virtualization client
  • Browse
Restore full VMs in place
  • Virtualization client
  • All proxies or proxy groups for the virtualization client
  • Browse on virtualization client
  • In Place Full Machine Recovery on virtualization client
Restore full VMs out of place
  • Virtualization client
  • All proxies or proxy groups for the virtualization client
  • Browse on virtualization client
  • Out of Place Full Machine Recovery on virtualization client
Restore files and folders in place
  • Virtualization client
  • Browse on virtualization client
  • In Place Recover and Out of Place Recover on all proxies or proxy groups for the virtualization client
  • Out of Place Recover on the virtualization client
Restore files and folders out of place
  • Virtualization client
  • Destination File System client (if restoring to File System client)
  • Browse on virtualization client
  • In Place Recover and Out of Place Recover on destination File System client
  • Out of Place Recover on virtualization client

Best Practices for CommCell Console User Configuration

The best practice for configuring ownership and permissions for the CommCell Console is as follows:

  1. Define roles for CommCell users or groups and assign permissions for each role.
  2. Define user groups for CommCell users and add users to the group. For each group of users, add associations for roles, virtualization clients, and proxies (or a client computer group that includes the clients and proxies). As needed, you can define additional groups for specific scopes (for example, Microsoft Exchange administrators).
  3. Define client computer groups for different classes of proxies (for example, proxy groups managing backups for Microsoft Exchange VMs or for SQL Server VMs). Add proxy clients and associated user groups to each proxy group. The proxy groups inherit permissions from the user group.  Virtual machines can be added to client computer groups automatically.
  4. On virtualization clients, assign administrative users or user groups as owners, and add associated user groups. Users inherit permissions from their associated user groups. 
  5. For each virtualization client, go to Client Computers > client > Virtual Server > instance. On the Virtual Server Instance Properties dialog, add the appropriate proxy group. The proxies in the proxy group inherit permissions defined for the user group associated with the proxy group.
  6. On virtual machines, assign administrators or user groups who need to be able to perform file-level restores as owners of the virtual machines. Administrators inherit permissions from their user groups.