Ownership and Permissions for Hyper-V Virtual Machine Recovery

Users can be assigned permissions and ownership that enable them to browse and restore backed up data for virtual machines. These permissions and ownership apply to the CommCell Console and Web Console.

  • Permissions can be assigned to a user through an association with a role, client computer group, or user group. Depending on the operations a user needs to perform, the user must have some or all of the following permissions:

    • Browse

    • Download

    • In Place Recover (files and folders)

    • Out of Place Recover (files and folders)

    • In Place Full Machine Recovery (full VMs)

    • Out of Place Full Machine Recovery (full VMs)

    Note: To assign permissions for specific entities, configure a role and associate the role with the entity. Permissions can be assigned for all CommCell users at the CommCell level (Control Panel > User > Owner Permissions).

  • Ownership can be assigned for a client computer or a virtual machine. You must assign users or user groups as owners, including users and groups defined in Active Directory or directly in the CommCell.

CommCell Console

Permissions and Ownership for CommCell Console Users

The CommCell Console is available only to authorized CommCell users. End users of virtual machines cannot perform restores through the CommCell Console unless they are also authorized as CommCell users.

Members of the CommCell master group have superadmin access to all objects in the CommCell Console, and can perform all necessary operations in the CommCell Console without any further configuration.

For the CommCell Console, administrative users or user groups must be assigned as owners for the following entities:

  • Virtualization clients that contain subclients identifying VMs to be backed up. A virtualization client is shown in the CommCell Browser at Client Computers > client.

  • Proxies that perform protection operations. A proxy is shown in the CommCell Browser at Client Computers > client.

    Proxies for virtualization clients are identified on the Proxies tab of the Virtual Server Instance Properties dialog; the Virtual Server instance is shown in the CommCell Browser at Client Computers > client > Virtual Server > instance. A proxy or client computer group can be assigned on this tab.

    NOTES

    If a proxy belongs to a client computer group that has the required permissions, an administrator does not need to have ownership of the proxy.

    Associate proxies or a client computer group that contains proxies to a user group with the required permissions.

  • Virtual machines (source VM and destination client) for which the CommCell user needs to be able to restore guest files and folders. Ownership of the virtual machine is not required to perform restores of full VMs or VMDKs.

    NOTE

    When restoring files or folders to a new destination (not the source VM), the destination client must have a File System agent installed.

Ownership and Permissions Required for the CommCell Console

Operation: Browse VMs and files

  • Ownership:

    • Virtualization client

  • Client Permissions:

    • Browse

Operation: Restore full VMs in place

  • Ownership:

    • Virtualization client

    • All proxies or proxy groups for the virtualization client

  • Client Permissions:

    • Browse on virtualization client

    • In Place Full Machine Recovery on virtualization client

Operation: Restore full VMs out of place

  • Ownership:

    • Virtualization client

    • All proxies or proxy groups for the virtualization client

  • Client Permissions:

    • Browse on virtualization client

    • Out of Place Full Machine Recovery on virtualization client

Operation: Restore files and folders in place

  • Ownership:

    • Virtualization client

  • Client Permissions:

    • Browse on virtualization client

    • In Place Recover and Out of Place Recover on all proxies or proxy groups for the virtualization client

    • Out of Place Recover on the virtualization client

Operation: Restore files and folders out of place

  • Ownership:

    • Virtualization client

    • Destination File System client (if restoring to File System client)

  • Client Permissions:

    • Browse on virtualization client

    • In Place Recover and Out of Place Recover on destination File System client

    • Out of Place Recover on virtualization client

Best Practice for CommCell Console User Configuration

The best practice for configuring ownership and permissions for the CommCell Console is:

  1. Define roles for CommCell users or groups and assign permissions for each role.

  2. Define user groups for CommCell users and add users to the group. For each group of users, add associations for roles, virtualization clients, and proxies (or a client computer group that includes the clients and proxies). As needed, you can define additional groups for specific scopes (for example, Microsoft Exchange administrators).

  3. Define client computer groups for different classes of proxies (for example, proxy groups managing backups for Microsoft Exchange VMs or for SQL Server VMs). Add proxy clients and associated user groups to each proxy group. The proxy groups inherit permissions from the user group. Virtual machines can be added to client computer groups automatically.

  4. On virtualization clients, assign administrative users or user groups as owners, and add associated user groups. Users inherit permissions from their associated user groups.

  5. For each virtualization client, go to Client Computers > client > Virtual Server > instance. On the Virtual Server Instance Properties dialog, add the appropriate proxy group. The proxies in the proxy group inherit permissions defined for the user group associated with the proxy group.

  6. On virtual machines, assign vSphere administrators or user groups who need to be able to perform file-level restores as owners of the virtual machines. Administrators inherit permissions from their user groups.

Web Console

Permissions and Ownership for Web Console Users

The Web Console is available to end users of virtual machines.

End users of virtual machines must have ownership of all VMs they are restoring (source and destination), and the required permissions needed for the operation. You can assign users or user groups as owners, including users and groups defined in Active Directory or directly in the CommCell. Assign permissions on the Security > Associations tab for the VM or destination client.

Permissions and Ownership for Web Console

Operation: Browse VMs and files

  • Ownership:

    • Source VM

  • Client Permissions:

    • Browse

Operation: Restore full VMs in place

  • Ownership:

    • Source VM

  • Client Permissions:

    • Browse on source VM

    • In Place Full Machine Recovery on source VM

Operation: Restore full VMs out of place

  • Ownership:

    • Source VM

  • Client Permissions:

    • Browse on source VM

    • Out of Place Full Machine Recovery on source VM

Operation: Restore files and folders in place

  • Ownership:

    • Source VM

  • Client Permissions:

    • Browse on source VM

    • In Place Recover on source VM

    • Out of Place Recover on source VM (when restoring to a different location on the VM)

Operation: Restore files and folders out of place

  • Ownership:

    • Source VM

    • Destination client with Windows File System agent

  • Client Permissions:

    • Browse on source VM

    • In Place Recover and Out of Place Recover on destination client with Windows File System agent

    • Out of Place Recover on source VM

Operation: Download files and folders

  • Ownership:

    • Source VM

  • Client Permissions:

    • Browse on source VM

    • Download on source VM

    • In Place Recover on source VM

    • Out of Place Recover on source VM

Best Practices for Web Console Configuration

The best practice for configuring ownership and permissions for the Web Console is:

  1. For each virtual machine the user needs to access, or for destination clients with Windows File System agent, assign the user or a user group that contains each user as an owner.

  2. Assign permissions for the virtual machine or client.

For more information, see Configuring Ownership and Permissions for a Client or Virtual Machine.
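
The Web Console requirements above can be checked before access is handed out. The following is an added example, not Commvault code: a Python model of the Web Console table that reports which ownership or permission a user still lacks for an operation, and which permissions go beyond the operations the user is meant to perform. All user, group, VM and client names are hypothetical, and the model assumes that membership in a user group confers that group's ownership and permissions.

```python
# Added example: models the Web Console table; it calls no Commvault API.
# Permissions per operation by entity; ownership is required on each listed entity.
WEB_CONSOLE = {
    "browse": {"source": {"Browse"}},
    "restore_vm_in_place": {"source": {"Browse", "In Place Full Machine Recovery"}},
    "restore_vm_out_of_place": {"source": {"Browse", "Out of Place Full Machine Recovery"}},
    # Out of Place Recover applies when restoring to a different location on the VM.
    "restore_files_in_place": {"source": {"Browse", "In Place Recover", "Out of Place Recover"}},
    "restore_files_out_of_place": {"source": {"Browse", "Out of Place Recover"},
                                   "dest": {"In Place Recover", "Out of Place Recover"}},
    "download": {"source": {"Browse", "Download", "In Place Recover", "Out of Place Recover"}},
}

def principals(user, groups):
    """The user plus every user group that lists them as a member."""
    return {user} | {g for g, members in groups.items() if user in members}

def held_on(who, entity, assoc):
    """Union of the permissions any of the principals holds on the entity."""
    return set().union(*(assoc.get(entity, {}).get(p, set()) for p in who))

def missing_grants(user, op, entities, groups, owners, assoc):
    """Return (entity, missing item) pairs that block `op`; empty means allowed."""
    who, gaps = principals(user, groups), []
    for role, needed in WEB_CONSOLE[op].items():
        entity = entities[role]
        if not who & owners.get(entity, set()):
            gaps.append((entity, "ownership"))
        gaps += [(entity, p) for p in sorted(needed - held_on(who, entity, assoc))]
    return gaps

def excess_grants(user, ops, entities, groups, assoc):
    """Permissions held on each entity that none of the intended operations need."""
    who, extra = principals(user, groups), {}
    for role, entity in entities.items():
        needed = set().union(*(WEB_CONSOLE[o].get(role, set()) for o in ops))
        unused = held_on(who, entity, assoc) - needed
        if unused:
            extra[entity] = sorted(unused)
    return extra

# Constructed sample data: all user, group, VM and client names are hypothetical.
GROUPS = {"hr-vm-users": {"alice", "bob"}}
OWNERS = {"vm-hr-01": {"hr-vm-users"}, "fs-restore-01": {"bob"}}
ASSOC = {"vm-hr-01": {"hr-vm-users": {"Browse", "Out of Place Recover"},
                      "alice": {"In Place Full Machine Recovery"}},
         "fs-restore-01": {"bob": {"In Place Recover", "Out of Place Recover"}}}
TARGETS = {"source": "vm-hr-01", "dest": "fs-restore-01"}
print(missing_grants("alice", "restore_files_out_of_place", TARGETS, GROUPS, OWNERS, ASSOC))
```

An empty result from `missing_grants` means the model finds every ownership and permission the table lists for that operation; `excess_grants` is the least-privilege counterpart for reviewing existing assignments.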