User Security Permissions by Feature

1-Touch operations

Administrative management

Browse

End User Access

Out-of-place Recover

In Place Recover

Install Package/Update

Install Client

Agent Management

Overwrite on Restore

Clients and Client Computer Groups where you installed the Windows File System Agent or the Linux File System Agent.

Case Manager User

• Agent Management

• Browse

• Compliance Search

• Data Protection/Management Operations

• View

Exchange user mailbox, Journal mailbox, or SMTP clients where the custodian data is backed up

Case Manager Reviewer

• Agent Management

• Browse

• Compliance Search

• View

Exchange user mailbox, Journal mailbox, or SMTP clients where the custodian data is backed up

Compliance Officers

• To perform basic operations such as performing a search:

  • Download

  • Out-of-Place Recover

  • Compliance Search

• Additional permissions needed to add search results to a case:

  • Agent Management

  • Data Protection/Management Operations

• Additional permissions needed to tag all items in a review set:

  • Administrative Management

Servers or server groups

• Data Controller

• Infrastructure Administrator

• Data Connectors

• Agent Management

• Download

• Data Protection/Management Operations

• Browse

• In Place Recover

• Out-of-Place Recover

• End User Access

• Compliance Search

• Live Browse

• Install Client

• Add Datasource

• Delete Datasource

• Edit Datasource

• Query Datasource

• Administrative Management

• View

• Change security settings

• Create Plan

• Edit Plan

• Delete Plan

• Use Plan

• Create Schedule Policy

• Delete Schedule Policy

• Edit Schedule Policy

• Edit Schedule Policy Associations

• Operations on Storage Policy\Copy

• Add, delete and modify a user

CommCell

Data Processor (reviewer)

No permissions are needed

Run on-demand data protection jobs

Data Protection/Management Operations

Backup set

Create a new on-demand backup set

Agent Management

If data is being recovered to the same destination as the original data protection operation

In Place Recovery

At least subclient level association at the source client

If data is being recovered to a different destination than the original data protection operation: Source Client

Out of Place Recovery

At least backup set/instance association

If data is being recovered to a different destination than the original data protection operation: Destination Client (same platform as the source Client)

In Place Recovery

At least Agent level association

If data is being recovered to a different destination than the original data protection operation: Destination Client (different platform from the source Client)

In Place Recovery

At least Client level association

Modify and perform operations specific to an agent.

Agent Management

Agent

Install an agent on the CommCell. Note: This operation requires this permission only when the Authentication for Agent Installs feature is enabled.

Install Package/Update, Install Client

Client

Create an alert.

Note: The user who creates the alert is automatically assigned the Alert Owner role on the new alert. The Alert Owner role includes the following permissions:

• Edit Alert Associations

• Add/Remove Recipients

• Delete Alert

• Edit Alert

• Change security settings

• View

  Note: For the permissions and the entities needed to add security associations to an alert, see the "Security Associations" section on this page.

Create Alert

CommCell

To view custom alerts, you must have Execute permission under custom rules at the CommCell level.

Add entities to a new alert.

Note: Not all alerts require entities.

Alert Management

You must have the Alert Management permission on the entities you are adding to the alert.

Add entities to an existing alert.

Note: Not all alerts require entities.

• Edit Alert Associations or Edit Alert

• Alert Management

Alert for Edit Alert Associations or Edit Alert

You must have the Alert Management permission on the entities you are adding to the alert.

Add notification recipients to a new alert.

Create Alert

CommCell

Add notification recipients to an existing alert.

Add/Remove Recipients or Edit Alert

Alert

Modify an alert.

Note: For the permissions and the entities needed to modify the security associations on an alert, see the "Security Associations" section on this page.

Edit Alert

Alert

View an alert.

Any of the alert permissions

Alert

Delete an alert.

Delete Alert

Alert

Modify or delete an alert on a schedule or schedule policy.

See the "Scheduling" and "Schedule Policy" sections on this page.

Create alert rules.

• Administrative Management

• Report Management

CommCell

Use alert rules to create alerts.

Configure a storage policy copy for alternate data paths, and delete data paths from the copy.

Storage Policy Management

Storage Policy

Access an application that was created in the App Studio.

Access Application

Any Custom Application

Change the schema of an application that was created in the App Studio.

Change Application Schema

Any Custom Application

Create a custom application in the App Studio.

Create Application

Any Custom Application

Access records in a table that is in an application in the App Studio.

Access Records

Table in a custom application

Change the schema for a table in an application in the App Studio.

Change Table Schema

Table in a custom application

Create a table in an application in the App Studio.

Create Table

Table in a custom application

Restore databases directly to a disk from the CommCell Console without the use of the database application.

Out of Place Recover (Source Client)

Browse (Destination Client)

In Place Recover (Destination Client)

The Out of Place Recover permission at the backup set or instance at the source client

and

The Browse and In Place Recover permissions at the agent level of the destination client

Configure and perform archive operations.

Data Protection/Management Operations

Archive Set, Instance, Subclient

Configure offline archive options in Outlook Add-In.

Local administrative privileges are required by users logged into the Outlook Add-In client.

N/A

Track the operations of users who have access to the CommCell and set or modify the Audit Trail settings.

Administrative Management

CommCell

Configure, download, and install software upgrades.

Administrative Management

CommCell

Install Package/Update

Client

Install Client

CommCell

Run an auxiliary copy operation.

Administrative Management

CommCell

Run an auxiliary copy operation for a storage policy.

Storage Policy Management

Storage Policy

• Copy the snapshots of the data to any media.

• Create additional standby copies of data.

Data Protection/Management Operations

Storage Policy Management

Client/Subclient

Storage Policy

Create a backup set.

Agent Management

Agent

Modify and delete a backup set.

Backup Set

CommCell

Administrative Management

CommCell

Client Computer Group

Administrative Management

Client Computer Group

Client

Agent Management

Client

Agent

Agent Management

Agent

Subclient

Agent Management

Subclient

Client

Browse Note: Users with the Browse permission can browse all of the data.

Client

Agent

Agent

Backup Set

Backup Set

Instance/Partition

Instance/Partition

Replication Set

Replication Set

Subclient

Subclient

You can perform ACL-based browse and restore for the Windows File System.

End User Access

Note: Users with End User permissions can browse data owned by them. Assigning End User Access permission helps to maintain multiple user profiles on the same laptop (or desktop) and ensures that users have the ability to browse and restore only the data to which they have access.

CommCell

Case Manager users or user groups

• Browse

• Compliance Search

• View

• Agent Management

• Data Protection/Management Operations

Client group with the following entities:

• MediaAgents used in the server plan

• Exchange Virtual server

• Web Server

• Index Server

Register a client from the client level

Install Client

CommCell

• Modify

• Enable privacy

• Set the job priority

• Create an Oracle RAC client

• Create a DB2 MultiNode pseudo-client

• Release License

• Delete

Agent Management

The Storage Policy Management permission is also required for the following tasks:

• Create an Oracle RAC client

• Create a DB2 MultiNode pseudo-client

Client, Client Computer Group

Retire a client

Delete client

CommCell, Client Computer Group, Client

Create a client computer group.

Note: The user who creates the client computer group is automatically assigned the Client Group Creator role on the new client computer group. The Client Group Creator role includes the following permissions:

• Agent Management

• Change Client Associations

• Delete Client Group

• Administrative Management

Create Client Group

CommCell

Modify client computer group properties

Agent Management

Client Computer Group

Set Activity Control from the client computer group level

Agent Management (CommCell Console),

Agent Management or Job Management (Command Center)

Client Computer Group

Delete client groups

Delete Client Group, Administrative Management, and Agent Management

Client Computer Group

Add clients to or remove clients from a client computer group when associations are listed on the Security tab in the Client Group dialog box

• Change Client Associations

• Change security settings and Agent Management

• Client Computer Group

• Any entity on which you want to perform the task.

Add clients to or remove clients from a client computer group when no associations are listed on the Security tab in the Client Group dialog box

• Change Client Associations

• Agent Management

• Client Computer Group

• Any entity on which you want to perform the task.

Modify smart client computer group rules (automatic associations)

Change Client Associations, Administrative Management and Agent Management

Client Computer Group

Modify owner of smart client group

Agent Management and Change Client Associations

Client Computer Group

• Configure and perform Offline Content Indexing

• Delete Content Indexing server

Administrative Management

CommCell

Access the Search Admin page

Administrative Management

Web Server Client

Add or modify comments to discovered items

Annotation Management

CommCell/Client group/Client/Agent/Backup Set

• Search all of the data that has been content indexed on the associated entities, regardless of ownership.

• Create review sets

Compliance Search

CommCell/Client group/Client/Agent/Backup Set

Search data that has been content indexed on the associated entities that are owned by the user.

End User Access

CommCell/Client group/Client/Agent/Backup Set

• Create/Modify/Delete Legal Holds

• Add search items to Legal Hold

• Retrieve data from Legal Hold

Legal Hold Management

CommCell/Client group/Client/Agent/Backup Set

• Create/Modify/Delete Tags

• Associate/Dissociate Tags to discovered items

Tag Management

CommCell/Client group/Client/Agent/Backup Set

Share a review set with a user in a different user group

View

The user group entity of the shared user

License Administration

License Management

CommCell

All parameters

Administrative Management

CommCell

Migrate clients from one CommCell to another

Administrative Management

CommCell

Modify CommServe properties.

Administrative Management

CommCell

Define custom calendars to suit the needs of your organization

Administrative Management

CommCell

Run a data aging operation

Administrative Management

CommCell

Agent

Agent Management

Agent

Subclient

Agent Scheduling

Subclient

Enable software compression for the Agent

Agent Management

Agent

Enable hardware compression for a data path from a storage policy copy to which the data path is associated

Storage Policy Management

Storage Policy

Add data sources in Data Cube using API.

Data Connector

Index Server pseudo-client (under Client Computer Groups > Index Server Group)

Applies To: File System Data Source

Paths on the access node used for the data source.

• Agent Management

• Data Protection/Management Operations

• View

Access node client

Applies To: File System Data Source

UNC paths and paths on the access node used for the data source.

• Agent Management

• Data Protection/Management Operations

• View

Access node client

Install Client

CommCell

View data sources that are shared with the user.

The user with whom the data source is shared must be able to access the Web Console. No additional permissions are required.

n/a

Create reports from data sources in Data Cube.

Add Report

CommCell

Client

Agent Management

Client

Subclient

Agent

Configure data interface pairs

Administrative Management

CommCell

Configure a copy for Data Multiplexing

Storage Policy Management

Storage Policy

Configure and perform the following data protection operations:

• Backups including synthetic full backups

• Compliance Archiving

• Migration Archiving

Data Protection/Management Operations

Backup Set/Archive Set, Instance/Partition, Subclient

• Perform a data verification operation

• Configure a storage policy copy for data verification

Storage Policy Management

Storage Policy

Set the Database Space Check Interval

Administrative Management

CommCell

MediaAgent

MediaAgent Management

CommCell

Client

Agent Management

Client

Agent

Agent

Install new client

Interactive Install when the CommServe Authentication is available

Remote Install / Silent Install

Install Package/Update, Install Client

Note: Administrative Management permission is required when installing, registering, and uninstalling DB packages.

Client, CommCell

Install Agent on existing client

Register a Client

Uninstall and repair software using the CommCell Console

Configure and perform Disaster Recovery Backups

Administrative Management

CommCell

Configure and perform a Delete Backup or Archive Data using the CommCell Console.

Administrative Management

CommCell

Perform the following Erase Data operations from the DataArchiver Outlook Add-In:

• Browse and Erase Data

• Find and Erase Data

End User Access, Administrative Management

CommCell

Set the maximum number of events to be retained in the Event Viewer.

No rights are required.

No rights are required.

Create Global Filters.

Administrative Management

CommCell

• Enable global filters for a subclient.

• Create data protection filters for a subclient.

Agent Management

Subclient

Enable CSVDE filtering for discovery operations.

Agent Management

Agent

• Library Maintenance

• Drive Maintenance

• Media Expiration

• Drive Cleaning Thresholds

Administrative Management

CommCell

Configure and manage HyperScale Storage Pool

Create Storage policy

MediaAgent Management

Associated HyperScale MediaAgents

• Copyback

• Restore

• Recovery

• Retrieve

In Place Recover

Note for File System Agents: To overwrite files during a restore to the same location, the Overwrite on Restore permission is required.

Client/Agent/Backup Set/Instance/Partition/Replication Set

Create, modify, and delete an instance/partition.

Agent Management

Instance/Partition

Perform the following Job Management configuration functions:

• Set the job priority of an Agent.

• Queue jobs.

• Set the job update interval.

• Determine if a job should be preemptible or restartable.

Administrative Management

CommCell

Perform the following Job Controller functions:

• Suspend, resume, and kill selected jobs and groups of jobs.

• Change the job priority of a scheduled job, running jobs, or groups of running jobs from the Job Controller.

Job Management

CommCell

Suspend, resume, and kill selected jobs and groups of jobs.

Job Management

Entity the job is associated with

Configure and de-configure libraries and drives.

Administrative Management

MediaAgent

• Configure and de-configure libraries and drives associated with a MediaAgent.

• Automatically add the user group (the user belongs) to the newly-configured libraries.

MediaAgent Management To enable these tasks or operations, go to Control Panel > Media Management, and on the Service Configuration tab, set Provide user with MediaAgent management rights additional capabilities for libraries, data paths, and storage policies to 1.

MediaAgent

• Create/delete or modify scratch pools.

• Move media between scratch pools.

• Reset library, library controller.

• Full scan.

• Mark library fixed.

• Properties of library, master drive pool, drive pool, drive, and media.

• Validate drive.

• Mark a drive cleaned.

• Mark a drive replaced.

• Mark a drive fixed.

• Clean drive.

• Reset drive.

• Unload drive.

• Import media, cleaning media.

• Load media.

• Mark media full, bad, and appendable.

• Mark media exported, prevent media export, export media.

• Verify media.

• Move media.

• Delete media.

• Update barcode.

• Unload media.

Export media or schedule export media. Note: Users who are not a member of the View All user group would not be able to view/browse the export locations. However, they can manually enter the export location and successfully complete the export operation.

• Recall media

• View contents.

• Inventory, Scheduled Inventory for Blind Library.

• Stamp media in stand alone libraries.

Library Administration

Library / Client Computer Group

• Erase spare media.

• Delete contents.

• Overwrite Media options.

• Create/delete or modify scratch pools.

• Move media between scratch pools.

• Reset library, library controller.

• Full scan.

• Mark library fixed.

• Properties of library, master drive pool, drive pool, drive, and media.

• Validate drive.

• Mark a drive cleaned.

• Mark a drive replaced.

• Mark a drive fixed.

• Clean drive.

• Reset drive.

• Unload drive.

• Import media, cleaning media.

• Load media.

• Mark media full, bad, and appendable.

• Mark media exported, prevent media export, export media.

• Verify media.

• Move media.

• Delete media.

• Update barcode.

• Unload media.

Export media or schedule export media. Note: Users who are not a member of the View All user group would not be able to view/browse the export locations. However, they can manually enter the export location and successfully complete the export operation.

• Recall media

• View contents.

• Inventory, Scheduled Inventory for Blind Library.

• Stamp media in stand alone libraries.

Library Management Library Management is a superior permission with critical library management rights, in addition to all the rights in Library Administration permission.

Library / Client Computer Group

Add and update a license.

License Management and Administrative Management

CommCell

Client

Browse

Client

Agent

Agent

Backup Set

Backup Set

Instance/Partition

Instance/Partition

Subclient

Subclient

Send and view log files.

Agent Management or Collect Diagnostics

Client

Modify MediaAgent properties including the Index Cache, and perform MediaAgent operations.

MediaAgent Management

MediaAgent / Client Computer Group

Create a monitoring policy.

No rights are required.

Note: The user creating the monitoring policy must have the Administrative Management or Agent Management permission on the client or client group that contains the logs to be monitored.

N/A

• Delete a monitoring policy.

• Log Monitoring: Erase search results from the Analytics Engine

Delete Monitoring Policy

Monitoring Policy

Execute or run a monitoring policy.

Execute Monitoring Policy

Monitoring Policy

Edit a monitoring policy.

Edit Monitoring Policy

Note: The user creating the monitoring policy must have the Administrative Management or Agent Management permission on the client or client group that contains the logs to be monitored.

Monitoring Policy

View a monitoring policy.

View

Monitoring Policy

CommServe name change

Administrative Management

CommCell

Client name change

Administrative Management

CommCell

MediaAgent name change

Media Management

MediaAgent / Client Computer Group

Create NAS clients

Install Client

CommCell

• Copyback

• Restore

• Recovery

• Retrieve

Out of Place Recover (Source Client)

In Place Recover (Destination Client)

At least Backup Set or Instance/Partition at the source client/Replication Set

and

The In Place Recovery permission at the agent level of the destination client. If the destination client is on a different platform than the source client (for example, a Unix File System client and a Windows File System client), then In Place Recovery with at least client level association at the destination client is needed.

Create a plan

Create Plan

CommCell

Edit a plan

Edit Plan

The entity that uses the plan

Delete a plan

Delete Plan

The entity that uses the plan

Add a plan to or remove a plan from an entity

Use Plan

The entity that uses the plan

Configure

Agent Management

Agent

Add pre-processes and post-processes for data recovery operations

Agent Management and the In Place or Out of Place Recover permission

Agent

Remove a pre-processes and post-processes for data protection/archive operations

Agent Management and Data Protection/Management Operations

Agent

Configure pre-processes and post-processes for Disaster Recovery Backup operations

Administrative Management

CommCell

Run subclient pre-process commands and post-process commands using a local system account.

Run Command with System Account

Subclient

Run subclient pre-process and post-commands using an impersonated user.

Run Command with User Account

Subclient

Schedule the creation and back up of a Recovery Point.

Agent Scheduling

Replication Set

• Create Recovery Point.

• Back up Recovery Point.

Data Protection/Management Operations

Add a data source for reports that were downloaded from the Commvault Store or built with Build Your Own Reports.

Add Datasource

CommCell

Delete data sources used in reports that were downloaded from the Commvault Store or built with Build Your Own Reports.

Delete Datasource

CommCell

Edit data sources for reports that were downloaded from the Commvault Store or built with Build Your Own Reports.

Edit Datasource

CommCell

Query data sources for reports that were downloaded from the Commvault Store or built with Build Your Own Reports.

Query Datasource

CommCell

Create a new report using Build Your Own Reports.

Add Report

CommCell

Delete reports that were downloaded from the Commvault Store or built with Build Your Own Reports.

Delete Report

CommCell

Edit reports that were downloaded from the Commvault Store or built with Build Your Own Reports.

Edit Report

CommCell

View reports that were downloaded from the Commvault Store or built with Build Your Own Reports.

Execute Report

CommCell

Publish reports to the Download Center.

• Add Report

• Edit Report

• Install Package/Update

• Download Center Management

• CommCell

• Web Server Client

• Client Group with Web Server

Download reports from the Commvault Store.

Create Report

CommCell

View and run reports on CommCell Console.

Report Management

Any entity that you want to view in reports such as clients, storage policies, libraries, and any other available entity in the CommCell Console.

View Metrics reports on WebConsole>.

Report Management

Pseudo CommCell Client/CommCell Group level or higher

View the SLA Report and the Job Summary Report on the Web Console.

Report Management

Client level or higher

Change the permissions for a report or a data set.

Change Security Settings

CommCell (for all reports)

Delete a Replication Pair.

Agent Management

Replication Set

Start/suspend/resume/abort Replication Pairs.

Job Management

• Modify and delete a Replication Set.

• Create, modify, and delete a Replication Pair.

Agent Management

Replication Set

Start/suspend/resume/abort Replication Sets.

Job Management

Delete a schedule policy.

Delete Schedule Policy

Schedule Policy

Modify an alert on a schedule or schedule policy.

Alert Management

Note:

• If the alert is on a data protection schedule policy, the Data Protection/Management Operations permission is needed.

• If the alert is on a backup copy schedule policy, the Data Protection/Management Operations and Storage Policy Management permissions are needed.

CommCell

Delete an alert from a schedule or schedule policy.

Administrative Management

Note:

• If the alert is on a data protection schedule or schedule policy, the Data Protection/Management Operations permission is needed.

• If the alert is on a backup copy schedule or schedule policy, the Data Protection/Management Operations and Storage Policy Management permissions are needed.

Client Computer Group, Client, Agent, Backup Set, Instance/Partition, Subclient, Library, MediaAgent, Storage Policy, Tracking Policy

Note: The necessary associated object depends on the entity for which the alert is created.

Create and clone a Data Protection schedule policy.

Create Schedule Policy

CommCell

• Agent Scheduling

• Data Protection/Management Operations

Client

Modify a Data Protection schedule policy.

Edit Schedule Policy

Schedule Policy

Add entities to or remove entities from a Data Protection schedule policy.

• Edit Schedule Policy Associations

• Data Protection/Management Operations

• Schedule Policy

• Entities associated with the schedule policy

Run the schedules of a Data Protection schedule policy immediately.

• Agent Scheduling

• Data Protection/Management Operations at the level for which the schedules were created.

Agent, Backup Set, Instance/Partition/Subclient

Decouple a scheduled job from a Data Protection schedule policy.

• Edit Schedule Policy

• Agent Scheduling

• Data Protection/Management Operations at the level for which the schedules were created.

Schedule Policy

Create and clone an auxiliary copy schedule policy.

Create Schedule Policy

CommCell

• Storage Policy Management

• Data Protection/Management Operations

• Agent Scheduling

Storage Policy

Modify an auxiliary copy schedule policy.

Edit Schedule Policy

Schedule Policy

Add entities to or remove entities from an auxiliary copy schedule policy.

Edit Schedule Policy Associations

Schedule Policy

• Disable an auxiliary copy schedule policy.

• View the storage policies and storage policy copies associated with the Auxiliary Copy schedule policy.

Storage Policy Management

Storage Policy

Run the schedules of the auxiliary copy schedule policy immediately.

Operations on Storage Policy \ Copy

Storage Policy

Add, modify, disable, delete, and view data protection operation schedules.

• Agent Scheduling

• Data Protection/Management Operations

Note: This operation also requires the Data Protection/Management Operations, In Place Recover, and Out of Place Recover permissions respectively for Data Protection and Data Recovery Schedule.

Agent, Backup Set, Instance/Partition/Subclient

Add, modify, disable, delete, and view data recovery operation schedules.

• Agent Scheduling

• In Place Recover and/or Out of Place Recover

Note: This operation also requires the Data Protection/Management Operations, In Place Recover, and Out of Place Recover permissions respectively for Data Protection and Data Recovery Schedule.

• Schedule administration operations such as Data Aging, Auxiliary Copy, Disaster Recovery backup, Data Verification, Automatic Update, Delete Data Using the CommCell Console, Drive Cleaning, and Report.

• View, delete, disable, or modify the above schedules.

• Run a scheduled task immediately.

• Set Holidays.

Administrative Management

CommCell

Delete an alert from a schedule or schedule policy.

Administrative Management

Note:

• If the alert is on a data protection schedule or schedule policy, the Data Protection/Management Operations permission is needed.

• If the alert is on a backup copy schedule or schedule policy, the Data Protection/Management Operations and Storage Policy Management permissions are needed.

Client Computer Group, Client, Agent, Backup Set, Instance/Partition, Subclient, Library, MediaAgent, Storage Policy, Tracking Policy

Note: The necessary associated object depends on the entity for which the alert is created.

Modify an alert on a schedule or schedule policy.

Alert Management

CommCell

Create schedules for the Vault Tracker Policy.

Note: The user who creates a schedule can view, delete, disable, or modify the schedules without any capability or object association.

Vault Tracker Operations

Entities other than CommCell

Task

Permission

Entity

Create a security association: a three-way mapping of a role, users, and entities.

View

This permission is required if security was enabled for roles. For information on enabling security for roles, see Enabling Security on Roles.

Role

Add, delete and modify a user

Add, delete and modify a user group

Add, delete and modify a domain

The users, user groups, or domains that are included in the security association

Change security settings

The entities that are included in the security association

A role that includes all of the same permissions as the role included in the security association

The entities that are included in the security association

Example

User A wants to assign Role1 to User Group1 on Client001 and MediaAgent001.

Role1 has the Administrative Management and Agent Management permissions.

User A must have the following:

• Add, delete and modify a user group on User Group1

• Change security settings on Client001 and MediaAgent001

• Administrative Management and Agent Management permissions on Client001 and MediaAgent001

Enable Single Sign On to use Active Directory credentials to access the CommServe

Add, delete and modify a domain

Domain

Configure, activate, and deactivate snapshots.

Agent Management

Agent

Add, delete, and configure a storage array in the Array Management application.

Administrative Management

CommCell

• Create and delete storage policies and storage policy copies.

• Create and delete storage policy copies including inline copies.

• Migrate media.

Storage Policy Management

MediaAgent / Client Computer Group

• Modify a storage policy or storage policy copy.

• Enable an Incremental Storage Policy.

• Prune, disable, and manually retain a data protection operation on a copy.

• Set Inline Copy.

Storage Policy Management

Storage Policy / Client Computer Group

Create, modify, and delete storage policies and storage policy copies associated with a MediaAgent.

MediaAgent Management

To enable these tasks or operations, go to Control Panel > Media Management, and on the Service Configuration tab, set Provide user with MediaAgent management rights additional capabilities for libraries, data paths, and storage policies to 1.

MediaAgent / Client Computer Group

Job operations. For example, marking a job bad, changing job retention.

Agent Management

Storage Policy / Client

Combine the data streams of a storage policy copy.

Storage Policy Management

Storage Policy / Client Computer Group

Create a subclient policy.

• Create Subclient Policy: on CommCell

• Agent Management: on backup sets that are associated with the subclient policy.

• CommCell

• Backup Set

• Edit subclient policy name and description.

• Create, modify, or delete a subclient under a subclient policy.

Edit Subclient Policy

Subclient Policy

Edit subclient policy associations.

• Edit Subclient Policy Associations

• Agent Management: on backup sets that are being associated or disassociated.

• Subclient Policy

• Backup Set

Clone a subclient policy.

• View: on subclient policy

• Create Subclient Policy: on CommCell

• Subclient Policy

• CommCell

Delete a subclient policy.

Delete Subclient Policy

Subclient Policy

Change security settings for subclient policy.

Change Security Settings

Subclient Policy

Create and delete a subclient.

Agent Management

Backup set

Modify a subclient.

Agent Management

Subclient

• Control Panel > System > Change Passwords: Change the media and network passwords.

• Control Panel > User Account Management: Change user accounts.

Administrative Management

CommCell

Configure disk space utilization and search result display for each user.

Administrative Management

CommCell

Create, edit, and delete a role.

Change security settings

Any entity on which you want to perform the task.

Create a user.

Add, delete and modify a user

CommCell

Edit and delete a user.

Add, delete and modify a user

User

Create a user group.

Add, delete and modify a user group

CommCell

Edit and delete a user group and an external group.

Add, delete and modify a user group

User Group

Add a domain.

Add, delete and modify a domain

CommCell

Edit and delete a domain.

Add, delete and modify a domain

Domain

Add an external user.

Add, delete and modify a user

Domain

Add an external group.

Add, delete and modify a user group

Domain

Transfer the ownership of entities.

• Change security settings

• CommCell

• If the new owner is a user (not a user group), Add, delete and modify a user

• new owner

• If the new owner is a user group, you must be the CommCell administrator or a member of the user group

• not applicable

Add, delete, and modify any of the following objects or operations:

• Actions

• Containers

• Export Media from Backup/Auxiliary Copy Operations

• Export Media using the Export Media Wizard

• Iron Mountain ID

• Library

• Location

• Media Repository

• Recall Media

• Vault Tracker Policy

• Vault Tracker Alerts

Vault Tracker Reports Note: This operation also requires the Report Management permission. Only information about objects available with the user's current Vault Tracker Operations permission level are displayed in the report.

Vault Tracker Operations

CommCell

• Actions: details, set container, abort, picked up, reached destination

• Containers: modify, delete, move all media, remove all media

• Library: view and modify at the Vault tracker policy

• Location: modify, delete

• Media Repository: modify, delete, update barcode, add media

• Tracking Policy: run, modify, delete, view media, view schedules, create schedules, set holidays

Vault Tracker Operations

Entities other than CommCell

Recover guest files and folders to their original location.

In Place Recover

Client/Agent

Recover full virtual machines to their original location.

In Place Full Machine Recovery

End users performing the restore must own the virtual machines being recovered.

CommCell Console users performing the restore must own or have an association with the virtualization client protecting the virtual machine.

Client/Agent

Recover guest files and folders to a different destination client.

Out of Place Recover

and

In Place Recover

Client/Agent

Recover full virtual machines to a location other than the original location.

Out of Place Full Machine Recovery

End users performing the restore must own the virtual machines being recovered.

CommCell Console users performing the restore must own or have an association with the virtualization client protecting the virtual machine.

Client/Agent

Attach virtual machine disks of a backed up virtual machine (source virtual machine) to an existing virtual machine (target virtual machine)

Out of Place Recover

Client/Agent

Perform a Virtualize Me operation

Administrative management

Browse

End User Access

Out-of-place

Recover

In Place Recover

Install Package/Update or Install Client

Agent Management

Overwrite on Restore

Clients and Client Computer Groups where you installed the Windows File System Agent.

• Configure remote access between Windows clients.

• Update the client computer or client computer group VPN Config tab.

VPN Management

CommCell

Run the incremental backup jobs, but not cancel or suspend the backup job.

Data Protection Operations

Clients managed using Web Console.

Pause, resume, or kill the backup job.

Job Management

Clients managed using Web Console.

Perform the following in the Web Console:

• Restore the backed up data to the same place/different place as the original data protection operation

• Restore backed up data from a specific date or time range

Users can have either of these groups of permissions:

• Browse, In Place Recover, and Out of Place Recover

• End User Access

  (For end user access, you must enable the end user access control list option for the client computer)

Clients managed using Web Console.

Perform the following in the Web Console:

• Add a new content path

• Modify/Delete the existing content path created by another user

• Exclude specific content

Agent Management

Clients managed using Web Console.

Perform the following in the Web Console:

• Restore the backed up data to the same place/different place as the original data protection operation

• Restore backed up data from a specific date or time range

Users can have either of these groups of permissions:

• Browse, In Place Recover, and Out of Place Recover

• End User Access

  (For end user access, you must enable the end user access control list option for the client computer)

Clients managed using Web Console.

Download one or more backed up files and folders to a specific location in the computer used for accessing the Web Console.

Users can have either of these groups of permissions:

• Browse, Compliance Search, and Download

• End User Access and Download

  (For end user access, you must enable the end user access control list option for the client computer)

Clients managed using Web Console.

Preview files on the Web Console

Users can have either of these groups of permissions:

• Compliance Search and Download

• End User Access and Download

  (For end user access, you must enable the end user access control list option for the client computer)

Clients managed using Web Console.

Upload one or more files and folders to a specific location in the client computer from the Web Console.

Users can have either of these groups of permissions:

• Browse and Upload

• End User Access and Upload

  (For end user access, you must enable the end user access control list option for the client computer)

Clients managed using Web Console.

Share files and folders with other users.

Sharing

Clients managed using Web Console.

User can browse backed up data and live (not backed up) data on the client computer.

User can also browse data on network share location.

Applies To: File System agents

Users can have either of these groups of permissions:

• Browse and Live Browse

• End User Access and Live Browse

  (For end user access, you must enable the end user access control list option for the client computer)

Clients managed using Web Console.

Search the data backed up from the client computer.

The search capability provided in the Web Console also allows users to search through the contents of the backup data.

Users can have either of these groups of permissions:

• Browse and Compliance Search

• End User Access

  (For end user access, you must enable the end user access control list option for the client computer)

Clients managed using Web Console.

Delete the data backed up from the client computer.

Users can have either of these permissions:

• Browse

• End User Access

  (For end user access, you must enable the end user access control list option for the client computer)

Clients managed using Web Console.

Open the Restore Files page.

For CommCell users: Browse

For domain users: Browse or End User Access

(For end user access, you must enable the end user access control list option for the client computer)

Clients managed using Web Console.

Synchronize a set of files and folders with up to three computers at once.

Users can have either of these groups of permissions:

• Browse, In Place Recover, and Out of Place Recover

• End User Access, In Place Recover, and Out of Place Recover

  (For end user access, you must enable the end user access control list option for the client computer)

Clients managed using Web Console.

Make a copy of a virtual machine.

Clone VM

Virtual machines created using Web Console.

Create a snapshot backup of a virtual machine.

Create VM Snapshot

Virtual machines created using Web Console.

Delete a virtual machine.

Delete VM

Virtual machines created using Web Console.

Delete snapshot backups of a virtual machine.

Delete VM Snapshot

Virtual machines created using Web Console.

Edit the settings for a virtual machine.

Edit VM

Virtual machines created using Web Console.

Power off a virtual machine.

Power OFF VM

Virtual machines created using Web Console.

Power on a virtual machine.

Power ON VM

Virtual machines created using Web Console.

Refresh the connection to the hardware.

Refresh VM

Virtual machines created using Web Console.

Extend the life of a virtual machine to a specified date.

Renew VM

Virtual machines created using Web Console.

Revert a virtual machine to a previous snapshot backup.

Revert VM Snapshot

Virtual machines created using Web Console.

Create a workflow

Create Workflow

Any entity

Deploy a workflow

Agent Management

Client where the Workflow Engine is installed

Deploy a business logic workflow

• Administrative Management

• Agent Management

• CommCell

• Client where the Workflow Engine is installed

Execute or run a workflow

Execute Workflow

Workflow

Edit a workflow

Edit Workflow

Workflow

Delete a workflow

Delete Workflow

Workflow