What are administrator roles
Role Based Access Control (RBAC) enables organizations to limit privileged user access to a predefined set of administrator roles and data assets to create ethical walls and enforce privacy and control. RBAC also enables the implementation of a delegated administration structure to meet customers’ organizational, compliance, and security requirements. Thus, organizations can achieve their goals efficiently with a seamless, granular, extensible administrator role management of their entities.
Druva provides a set of predefined administrator roles for creating administrators to manage the Management Console. Druva also lets cloud administrators create custom administrator roles from the existing base roles. The predefined and custom administrator roles enable administrators to access and manage entities efficiently on the Management Console.
A role defines a set of tasks that administrators perform based on the rights assigned to them. Each role contains a set of rights, and each right contains a set of granular permissions that enable administrators to perform the tasks. The Roles tab on the Administrators page lists the predefined roles and custom roles created on the Management Console. Roles are assigned to the administrators at the time of their creation.
The following table depicts the relationship between the predefined, base, and custom roles that Druva offers:
What are predefined administrator roles
By default, Druva defines the combinations of rights for the predefined administrator roles. The administrators cannot edit the rights of such predefined role assignments. The predefined roles are listed on the Roles tab.
By default, Druva provides the following seven predefined roles on the Roles tab:
Cloud administrator
Cloud administrator (View-only)
Organization administrator
Organization administrator (View-only)
Group administrator
Group administrator (View-only)
Data Protection Officer (DPO)
📝 Note
Administrators cannot delete any of the predefined roles.
The following table lists the predefined administrator roles that Druva provides:
Predefined administrator role | Description |
Cloud administrator | With this role, the administrators manage the activities of all the organizations.
The role is associated with the following rights:
For more details, see Role rights. |
Cloud administrator (View-only) | With this role, the administrators have read-only access to all configurations within the organizations. They cannot perform any administration action on any entities of the Management Console. However, they can change their own profile-related settings, such as the name and time zone, and can view, download, and send reports and audit trails. |
Organization administrator | With this role, the administrators manage the activities of one or more organizations assigned to them.
The role is associated with the following rights:
For more details, see Role rights. |
Organization administrator (View-only) | With this role, the administrators have read-only access to all configurations within the organization(s) they have access to. They cannot perform any administration action on the entities on the Management Console. However, they can change their own profile-related settings, such as name and time zone, and can view, download, and send reports. |
Group administrator | With this role, the administrators manage the activities of one or more administrative groups that they are associated with.
The role is associated with the following rights:
For more details, see Role rights. |
Group administrator (View-only) | With this role, the administrators have read-only access to the administrative groups that they are associated with. However, they cannot manage any administrative group. They can also view, download, and send reports. |
Data Protection Officer (DPO) | The DPO role is associated with the following rights:
However, a DPO cannot access any configurations, create administrators, register servers and virtual machines, set up policies, or manage CloudCache. |
Custom administrator roles
Druva also lets cloud administrators create custom administrator roles and assign selective access rights to each role based on the organization’s needs. Custom administrator roles are derived from the three base roles: the cloud administrator role, the organization administrator role, and the group administrator role. The custom roles give administrators distinct capabilities for managing entities on the Management Console. For example, you can create a custom cloud administrator role to back up and restore devices, and delete recovery points. You can create another custom cloud administrator role only to restore devices.
Only cloud and organization administrators can create administrators with custom administrator roles. An organization administrator can only create group administrators and group-derived administrators. For information about how you can create a custom administrator role, see Create custom administrator roles.
📝 Note
You can delete a custom administrator role if no administrator is associated with the role on the Management Console.
Important considerations
Before you create roles, review the following considerations:
Only the Druva Cloud Administrators, the Cloud Administrator for Enterprise workloads, and the Druva cloud-derived administrators have access to the Administrators page on the Management Console. This page is not visible to the other administrators.
When you configure the Management Console, seven predefined roles appear on the Roles tab of the Administrators page.
You can assign only one role to an administrator. However, you can assign multiple administrators to one role.
You cannot edit or delete any predefined administrator roles from the Management Console. However, you can edit or delete all other custom administrator roles.
All the administrators can cancel the jobs on the Management Console except the administrators with the view-only rights.
The administrators with the custom administrator roles cannot create, edit, or delete the administrators and the administrator roles.
The group administrators and the group-derived administrators cannot perform any disaster recovery operations on the Management Console.
The administrators who do not have the right to restore databases and virtual machines to the original location but are configured with the right to restore to an alternate location can restore databases and virtual machines to the original location.
The administrators who have the rights to restore virtual machines can perform all actions related to the Instant Restore.
The administrators with the custom administrator roles with Restore to Original and Restore to Alternate rights can perform Instant Restore of virtual machines.
Migrate to production is governed based on whether the Instant Restore is on an original or alternate location. If you want to migrate the instantly restored VM to an alternate location, make sure you meet the prerequisites for vMotion before migrating to production because the virtual machines are migrated by using vMotion.
Migrate to production job for a VM cannot reuse the staging datastore used for the instant restore job of that VM. If you want to migrate a virtual machine to production, ensure you have another datastore on the same or different ESXi host, depending on whether you are migrating to the same or alternate host.
The administrators with the custom administrator roles for whom the delete rights are disabled will not be able to delete instantly restored virtual machines.
The administrators with the custom administrator roles for whom the restore rights are disabled will not be able to perform instant restore or migration of instantly restored virtual machines to production. However, they can delete instantly restored virtual machines.
Only a Druva Cloud Administrator can set a password policy for all the administrator accounts. For more information, see Create a password policy.
Role rights
Rights are the permissions that define the capabilities of an administrator role. An administrator role is created by assigning a combination of rights to the role. For example, the cloud administrator role is characterized by the combination of the following rights:
Backup and restore management
Server management
Admin management
Cache management
Reporting and alert management
Policy management
Disaster recovery management
You can create custom roles for administrators using the combination of the rights. Druva provides a set of customizable and non-customizable rights. By default, the non-customizable rights are granted to the administrator role and you cannot detach these rights from the role. However, you can clear the check boxes corresponding to the customizable rights assigned to the role to limit the capability of the role.
Druva provides the following access-control rights to manage the entities on the Management Console.
Rights | Description | Customizable/Non-customizable Right |
Backup and restore management | | |
Configure backup | Permission to create and edit the backup sets of the File server, MS-SQL server, backup store, and NAS share. It also allows attaching a new backup set to the CloudCache or detaching an existing one, and configuring and reconfiguring the VMware and HyperV workloads. | Customizable |
Perform backup | Permission to enable and disable the backups, and trigger backups for the workloads. | Customizable |
Manage restore | | |
Restore to original | Permission to restore virtual machines, files and folders, databases, and NAS shares to the original location. | Customizable |
Restore to alternate | Permission to restore virtual machines, files and folders, databases, and NAS shares to an alternate location. | Customizable |
Delete recovery points | Permission to delete recovery points of servers, databases, and virtual machines. | Customizable |
Server Management | | |
Delete Devices | Permission to delete backup sets, proxies, servers, backup stores, virtual machines, ESXi servers, HyperV hosts, and NAS devices. | Customizable |
Update client or proxy | Permission to upgrade the Hybrid Workloads agents, backup proxies, and backup stores on the servers, virtual machines, and databases. | Non-customizable |
Register and Re-register server or proxy | Permission to register or re-register a server.
If the right is disabled, the Administrator will not be able to generate the activation token. Also, the Manage > Activation Token page will not be accessible. | Customizable |
Change administrative group of server | Permission to change the administrative group associated with a server or a backup store. | Non-customizable |
Admin management | | |
Create, modify, or delete administrative groups | Permission to create, edit, and delete the administrative groups associated with the servers, virtual machines, and backup stores. | Non-customizable |
Create, modify, or delete organizations | Permission to create, modify, and delete the organizations associated with the servers, virtual machines, and backup stores. | Non-customizable |
Cache management | | |
Manage Cloudcache servers | Permission to configure and upgrade the CloudCache, view the configuration and log files, and decommission the CloudCache. | Non-customizable |
Reporting and alert management | | |
View reports and alerts | Permission to view and download various Druva reports and view the alerts generated on the Management Console. | Customizable |
Manage email schedules and subscriptions | You must have the View reports and alerts permission to enable this permission.
Permission to subscribe admin and non-admin users to emails related to reports and alerts.
Permission to update the email schedule. | Customizable |
Policy management | | |
Create, edit, or delete backup policy and retention policy | Permission to create, edit, and delete the backup and retention policy for the servers and virtual machines. | Non-customizable |
Create, edit, or delete content rule | Permission to create, edit, and delete the content rule of the servers and virtual machines. | Non-customizable |
Disaster recovery management | | |
Add AWS account | Permission to create an AWS account to maintain the AMI for the virtual machine. | Non-customizable |
Delete AWS Proxies | Permission to delete AWS Proxies. | Customizable |
Create, edit, or delete disaster recovery plan | Permission to create, edit, or delete the disaster recovery plan to recover the virtual machine in the AWS account in the event of a disaster. | Non-customizable |
Perform DR failover | Permission to failover virtual machines and perform disaster recovery. | Non-customizable |
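The model below is an added example, not Druva code or a Druva API. It encodes the rights table above for a custom role built on the cloud administrator base, refuses to clear a non-customizable right, and lists what a least-privilege review of the resulting role should note. The function names, and the assumption that the cloud administrator base carries every right in the table, are illustrative.

```python
# Added example: a local model of the Role rights table, not Druva code or a Druva API.
CUSTOMIZABLE = {
    "Configure backup", "Perform backup", "Restore to original",
    "Restore to alternate", "Delete recovery points", "Delete Devices",
    "Register and Re-register server or proxy", "View reports and alerts",
    "Manage email schedules and subscriptions", "Delete AWS Proxies",
}
NON_CUSTOMIZABLE = {
    "Update client or proxy", "Change administrative group of server",
    "Create, modify, or delete administrative groups",
    "Create, modify, or delete organizations", "Manage Cloudcache servers",
    "Create, edit, or delete backup policy and retention policy",
    "Create, edit, or delete content rule", "Add AWS account",
    "Create, edit, or delete disaster recovery plan", "Perform DR failover",
}
BASE_ROLE = "Cloud Administrator"  # assumed to carry every right in the table

def custom_role(name, cleared):
    """Return (role name, granted rights) for a custom cloud administrator role."""
    cleared = set(cleared)
    unknown = cleared - CUSTOMIZABLE - NON_CUSTOMIZABLE
    if unknown:
        raise ValueError(f"not in the rights table: {sorted(unknown)}")
    fixed = cleared & NON_CUSTOMIZABLE
    if fixed:
        raise ValueError(f"non-customizable, cannot be cleared: {sorted(fixed)}")
    granted = (CUSTOMIZABLE | NON_CUSTOMIZABLE) - cleared
    # The email-schedule right requires "View reports and alerts".
    if ("Manage email schedules and subscriptions" in granted
            and "View reports and alerts" not in granted):
        raise ValueError("email schedules need 'View reports and alerts'")
    return f"{BASE_ROLE}_{name}", granted

def review(granted):
    """Least-privilege findings for a custom role, per the considerations above."""
    findings = []
    if "Restore to alternate" in granted and "Restore to original" not in granted:
        findings.append("Restore to alternate still allows restoring databases "
                        "and virtual machines to the original location")
    kept = sorted(granted & NON_CUSTOMIZABLE)
    if kept:
        findings.append(f"{len(kept)} non-customizable rights remain, including: "
                        + ", ".join(kept[:3]))
    return findings

if __name__ == "__main__":
    role, rights = custom_role("Restore_Alternate_Only",
                               {"Restore to original", "Delete recovery points"})
    print(role)
    for finding in review(rights):
        print(" -", finding)
```

The first finding reflects the consideration that an administrator with only the alternate-location restore right can still restore databases and virtual machines to the original location, so both restore rights must be cleared to block that path.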
Create a custom administrator role
Only a cloud administrator can create the cloud and the other administrator roles using the global Administrators menu on the Management Console.
Procedure
Log in to the Management Console.
On the menu bar, click Settings > Manage Administrators. Note that if organization is enabled, then click All Organizations and then click Settings > Manage Administrators.
On the Administrators page, click the Roles tab.
Click New Role.
The New Role window appears with the General tab opened, by default. On the General tab, provide the appropriate information in the following fields:
Base Role: Select the role to create the custom role from. For example, if you want to create a custom cloud administrator, select the Cloud Administrator option from the list.
New Role Name: The name of the custom role that you want to create. Druva appends the name that you had specified in this box to the role selected from the Base Role list and creates a custom role with the name as <base role>_<name>. For example, if you create a custom cloud administrator role with the name Delete_Recovery point_Not_Allowed, Druva creates a custom role with the following name: Cloud Administrator_Delete_Recovery point_Not_Allowed.
Description: A short description of the custom role that you want to create.
Click Next.
The Role Customization tab displays a combination of rights specific to the base role selected on the General tab. On the Role Customization tab, select or clear the check boxes corresponding to the rights under the various categories to create the custom role. For information about the rights, see Role rights.
📝 Note
When you create a custom role using a base role, the default role has all the associated rights enabled for that role. You can clear the check boxes corresponding to the rights assigned to the role to remove a few granted rights. For example, when you create a custom cloud administrator role with no privilege to delete any recovery points, the created default custom role has all the rights from the base cloud administrator role. You can clear the Delete Recovery point check box to limit the right to delete the recovery points.
Click Finish.
Delete a custom role
Only the cloud administrator can delete the custom administrator roles on the Management Console. Before deleting a role, ensure that the role is not assigned to an administrator.
📝 Note
You cannot delete the predefined roles that Druva provides.
Procedure
Log in to the Management Console.
On the menu bar, click Settings > Manage Administrators. Note that if organization is enabled, then click All Organizations and then click Settings > Manage Administrators.
On the Administrators page, click the Roles tab.
The Roles tab displays all the predefined and custom roles created by the cloud administrator. Select the check box corresponding to the custom role that you want to delete.
Click Delete.
View the role details page
The role details page provides details of the Druva predefined and custom administrator roles.
Procedure
Log in to the Management Console.
On the menu bar, click Settings > Manage Administrators. Note that if organization is enabled, then click All Organizations and then click Settings > Manage Administrators.
On the Administrators page, click the Roles tab.
The Roles tab displays all the predefined and custom roles created by the cloud administrator. Click the role for which you want to view details.
The role details page appears. The Summary tab displays the following fields for the predefined roles:
The Administrators tab displays the list of administrators associated with the role, along with their email addresses and details of the organizations they belong to. For predefined roles, click on the administrator name to view the administrator details.
📝 Note
The Organizations column is displayed only if organization is enabled.
Edit the custom role description
When you edit the rights assigned to a custom administrator role, you may want to update the corresponding description of the role. Using the Edit button on the role details page, you can update the description of the custom administrator role.
Procedure
Log in to the Management Console.
On the menu bar, click Settings > Manage Administrators. Note that if organization is enabled, then click All Organizations and then click Settings > Manage Administrators.
On the Administrators page, click the Roles tab.
The Roles tab displays all the predefined and custom roles created by the cloud administrator. Click the role for which you want to update the description.
On the role details page, click Edit.
The Edit Role Details window appears. In the Description box, edit the description of the role.
Click Save.
The Roles tab now displays the edited description of the role.
Edit rights of a custom role
You can change the combination of rights assigned to a custom administrator role by using the role details page. The changed rights for the administrator’s role apply from your next login to the Management Console.
📝 Note
You can edit rights assigned only to a custom administrator role.
Procedure
Log in to the Management Console.
On the menu bar, click Settings > Manage Administrators. Note that if organization is enabled, then click All Organizations and then click Settings > Manage Administrators.
On the Administrators page, click the Roles tab.
The Roles tab displays all the predefined and custom roles created by the cloud administrator. Click the custom role for which you want to edit the rights.
The role details page appears. In the Rights section, click Edit.
The Edit Rights window appears with the check boxes selected for the rights assigned to the role. Select and clear the check boxes corresponding to the rights to assign the role a new combination. For more information about the rights, see Role rights.
Click Save.
The Rights section on the role details page now lists the new combination of rights selected for the custom role.