Users can be assigned permissions and ownership that enable them to browse and restore backed up data for virtual machines. These permissions and ownership apply to the CommCell Console and Web Console.
- Permissions can be assigned to a user through an association with a role, client computer group, or user group. Depending on the operations a user needs to perform, the user must have some or all of the following permissions:
  - Browse
  - Download
  - In Place Recover (files and folders)
  - Out of Place Recover (files and folders)
  - In Place Full Machine Recovery (full VMs)
  - Out of Place Full Machine Recovery (full VMs)

  Note: To assign permissions for specific entities, configure a role and associate the role with the entity. Permissions can be assigned for all CommCell users at the CommCell level (Control Panel > User > Owner Permissions).
- Ownership can be assigned for a client computer or a virtual machine. You must assign users or user groups as owners, including users and groups defined in Active Directory or directly in the CommCell.
CommCell Console
Permissions and Ownership for CommCell Console Users
The CommCell Console is available only to authorized CommCell users. End users of virtual machines cannot perform restores through the CommCell Console unless they are also authorized as CommCell users.
Members of the CommCell master group have superadmin access to all objects in the CommCell Console, and can perform all necessary operations in the CommCell Console without any further configuration.
For the CommCell Console, administrative users or user groups must be assigned as owners for the following entities:
- Virtualization clients that contain subclients identifying VMs to be backed up. A virtualization client is shown in the CommCell Browser at Client Computers > client.
- Proxies that perform protection operations. A proxy is shown in the CommCell Browser at Client Computers > client.
  Proxies for virtualization clients are identified on the Proxies tab of the Virtual Server Instance Properties dialog; the Virtual Server instance is shown in the CommCell Browser at Client Computers > client > Virtual Server > instance. A proxy or client computer group can be assigned on this tab.
  NOTES
  - If a proxy belongs to a client computer group that has the required permissions, an administrator does not need to have ownership of the proxy.
  - Associate proxies or a client computer group that contains proxies to a user group with the required permissions.
- Virtual machines (source VM and destination client) for which the CommCell user needs to be able to restore guest files and folders. Ownership of the virtual machine is not required to perform restores of full VMs or VMDKs.
  NOTE
  When restoring files or folders to a new destination (not the source VM), the destination client must have a File System agent installed.
Ownership and Permissions Required for the CommCell Console
Operation | Ownership | Client Permissions |
---|---|---|
Browse VMs and files | | |
Restore full VMs in place | | |
Restore full VMs out of place | | |
Restore files and folders in place | | |
Restore files and folders out of place | | |
Best Practice for CommCell Console User Configuration
The best practice for configuring ownership and permissions for the CommCell Console is:
- Define roles for CommCell users or groups and assign permissions for each role.
- Define user groups for CommCell users and add users to the group. For each group of users, add associations for roles, virtualization clients, and proxies (or a client computer group that includes the clients and proxies). As needed, you can define additional groups for specific scopes (for example, Microsoft Exchange administrators).
- Define client computer groups for different classes of proxies (for example, proxy groups managing backups for Microsoft Exchange VMs or for SQL Server VMs). Add proxy clients and associated user groups to each proxy group. The proxy groups inherit permissions from the user group. Virtual machines can be added to client computer groups automatically.
- On virtualization clients, assign administrative users or user groups as owners, and add associated user groups. Users inherit permissions from their associated user groups.
- For each virtualization client, go to Client Computers > client > Virtual Server > instance. On the Virtual Server Instance Properties dialog, add the appropriate proxy group. The proxies in the proxy group inherit permissions defined for the user group associated with the proxy group.
- On virtual machines, assign vSphere administrators or user groups who need to be able to perform file-level restores as owners of the virtual machines. Administrators inherit permissions from their user groups.
Web Console
Permissions and Ownership for Web Console Users
The Web Console is available to end users of virtual machines.
End users of virtual machines must have ownership of all VMs they are restoring (source and destination), and the required permissions needed for the operation. You can assign users or user groups as owners, including users and groups defined in Active Directory or directly in the CommCell. Assign permissions on the Security > Associations tab for the VM or destination client.
Permissions and Ownership for Web Console
Operation | Ownership | Client Permissions |
---|---|---|
Browse VMs and files | | |
Restore full VMs in place | | |
Restore full VMs out of place | | |
Restore files and folders in place | | |
Restore files and folders out of place | | |
Download files and folders | | |
Best Practices for Web Console Configuration
The best practice for configuring ownership and permissions for the Web Console is:
- For each virtual machine the user needs to access, or for destination clients with Windows File System agent, assign the user or a user group that contains each user as an owner.
- Assign permissions for the virtual machine or client.
For more information, see Configuring Ownership and Permissions for a Client or Virtual Machine.