Skip to main content
Manage administrator roles for Enterprise Workloads
Updated over 5 months ago

What are administrator roles

Role Based Access Control (RBAC) enables organizations to limit privileged user access to a predefined set of administrator roles and data assets to create ethical walls and enforce privacy and control. RBAC also enables the implementation of a delegated administration structure to meet customers’ organizational, compliance, and security requirements. Thus, organizations can achieve their goals efficiently with a seamless, granular, extensible administrator role management of their entities.

Druva provides a set of predefined administrator roles for creating administrators to manage the Management Console. Druva also provides a flexibility to the cloud administrators to create custom administrator roles using the existing base roles. The predefined and custom administrator roles enable administrators to access and manage entities efficiently on the Management Console.

A role defines a set of tasks that administrators perform based on the rights assigned to them. Each role contains a set of rights, and each right contains a set of granular permissions that enable administrators to perform the tasks. The Roles tab on the Administrators page lists the predefined roles and custom roles created on the Management Console. Roles are assigned to the administrators at the time of their creation.

The following table depicts the relationship between the predefined, base, and custom roles that Druva offers:

RBAC_workflow.png

What are predefined administrator roles

By default, Druva defines the combinations of rights for the predefined administrator roles. The administrators cannot edit the rights of such predefined role assignments. The predefined roles are listed on the Roles tab.

By default, Druva provides the following seven predefined roles on the Roles tab:

  • Cloud administrator

  • Cloud administrator (View-only)

  • Organization administrator

  • Organization administrator (View-only)

  • Group administrator

  • Group administrator (View-only)

  • Data Protection Officer (DPO)


📝 Note


Administrators cannot delete any of the predefined roles.


The following table lists the predefined administrator roles that Druva provide:

Predefined administrator role

Description

Cloud administrator

With this role, the administrators manage the activities of all the organizations.

The role is associated with the following rights:

  • Backup and restore management

  • Server management

  • Admin management

  • Cache management

  • Reporting and alert management

  • Policy management

  • Disaster recovery management

For more details, see Role rights.

Cloud administrator (View-only)

With this role, the administrators have read-only access to all configurations within the organizations. They cannot perform any administration action on any entities of the Management Console. However, they can change their own profile-related settings, such as the name and time zone, and can view, download, and send reports and audit trails.

Organization administrator

With this role, the administrators manage the activities of one or more organizations assigned to them.

The role is associated with the following rights:

  • Backup and restore management

  • Server management

  • Admin management

  • Cache management

  • Reporting and alert management

  • Policy management

  • Disaster recovery management

For more details, see Role rights.

Organization administrator (View-only)

With this role, The administrators have read-only access to all configurations within the organization(s) they have access to. They cannot perform any administration action on the entities on the Management Console. However, they can change their own profile-related settings, such as name and time zone, and can view, download, and send reports.

Group administrator

With this role, the administrators manage the activities of one or more administrative groups that they are associated with.

The role is associated with the following rights:

  • Backup and restore management

  • Server management

  • Cache management

  • Reporting and alert management

  • Policy management

For more details, see Role rights.

Group administrator (View-only)

With this role, the administrators have read-only access to the administrative groups that they are associated with. However, they cannot manage any administrative group. They can also view, download, and send reports.

Data Protection Officer (DPO)

The DPO role is associated with the following rights:

  • Reporting and alert management

    • Configure the audit trail and reports

  • Backup and restore management

    • Enable and disable backup

    • Trigger backup

    • Restore data to the original or alternate location

    • Delete the warm and hot recovery points

  • Disaster recovery management

    • Launch failover

    • Disaster recovery restore

However, a DPO cannot access any configurations, create administrators, register servers and virtual machines, set up policies, or manage CloudCache.

Custom administrator roles

Druva also provides the flexibility to the cloud administrators to create custom administrator roles and assign selective access rights to the role based on the organization’s needs. The custom administrator roles are derived from the three base roles, such as the cloud administrator role, the organization administrator role, and the group administrator role. The custom roles impart distinct capabilities to the administrators to help them to manage entities on the Management Console. For example, you can create a custom cloud administrator role to back up and restore devices, and delete recovery points. You can create another custom cloud administrator role only to restore devices.

Only cloud and organization administrators can create administrators with custom administrator roles. An organization administrator can only create group administrators and group-derived administrators. For information about how you can create a custom administrator role, see Create custom administrator roles.


📝 Note


You can delete a custom administrator role if no administrator is associated with the role on the Management Console.


Important considerations

Before you create roles, review the following considerations:

  • Only the Druva Cloud Administrators, the Cloud Administrator for Enterprise workloadss, and the Druva cloud-derived administrators have access to the Administrators page on the Management Console. This page is not visible to the other administrators.

  • When you configure the Management Console, seven predefined roles appear on the Roles tab of the Administrators page.

  • You can assign only one role to an administrator. However, you can assign multiple administrators to one role.

  • You cannot edit or delete any predefined administrator roles from the Management Console. However, you can edit or delete all other custom administrator roles.

  • All the administrators can cancel the jobs on the Management Console except the administrators with the view-only rights.

  • The administrators with the custom administrator roles cannot create, edit, or delete the administrators and the administrator roles.

  • The group administrators and the group-derived administrators cannot perform any disaster recovery operations on the Management Console.

  • The administrators who do not have the right to restore databases and virtual machines to the original location but are configured with the right to restore to an alternate location can restore databases and virtual machines to the original location.

  • The administrators who have the rights to restore virtual machines can perform all actions related to the Instant Restore.

  • The administrators with the custom administrator roles with Restore to Original and Restore to Alternate rights can perform Instant Restore of virtual machines.

  • Migrate to production is governed based on whether the Instant Restore is on an original or alternate location. If you want to migrate the instantly restored VM to an alternate location, make sure you meet the prerequisites for vMotion before migrating to production because the virtual machines are migrated by using vMotion.

  • Migrate to production job for a VM cannot reuse the staging datastore used for the instant restore job of that VM. If you want to migrate a virtual machine to production, ensure you have another datastore on the same or different ESXi host, depending on whether you are migrating to the same or alternate host.

  • The administrators with the custom administrator roles for whom the delete rights are disabled will not be able to delete instantly restored virtual machines.

  • The administrators with the custom administrator roles for whom the restore rights are disabled will not be able to perform instant restore or migration of instantly restored virtual machines to production. However, they can delete instantly restored virtual machines.

  • Only a Druva Cloud Administrator can set a password policy for all the administrator accounts. For more information, see Create a password policy.

Role rights

Rights are the permissions that define the capabilities of an administrator role. An administrator role is created by assigning a combination of rights to the role. For example, the cloud administrator role is characterized by the combination of the following rights:

  • Backup and restore management

  • Server management

  • Admin management

  • Cache management

  • Reporting and alert management

  • Policy management

  • Disaster recovery management

You can create custom roles for administrators using the combination of the rights. Druva provides a set of customizable and non-customizable rights. By default, the non-customizable rights are granted to the administrator role and you cannot detach these rights from the role. However, you can clear the check boxes corresponding to the customizable rights assigned to the role to limit the capability of the role.

Druva provides the following access-control rights to manage the entities on the Management Console.

Rights

Description

Customizable/Non-customizable Right

Backup and restore management

Configure backup

Permission to create and edit the backup sets of the File server, MS-SQL server, backup store, and NAS share. It enables to attach a new backup set or detach an existing backup set from the CloudCache. It also enables to configure and reconfigure the VMwareand HyperV workloads.

Customizable

Perform backup

Permission to enable and disable the backups, and trigger backups for the workloads.

Customizable

Manage restore

Restore to original

Permission to restore virtual machines, files and folders, databases, and NAS shares to the original location.

Customizable

Restore to alternate

Permission to restore virtual machines, files and folders, databases, and NAS shares to an alternate location

Customizable

Delete recovery points

Permission to delete recovery points of servers, databases, and virtual machines.

Customizable

Server Management

Delete Devices

Permission to delete backup sets, proxies, servers, backup stores, virtual machines, ESXi servers, HyperV hosts, and NAS devices.

Customizable

Update client or proxy

Permission to upgrade the Hybrid Workloads agents, backup proxies, and backup stores on the servers, virtual machines, and databases.

Non-customizable

Register and Re-register server or proxy

Permission to register or re-register a server.

If the right is disabled, the Administrator will not be able to generate the activation token. Also, the Manage > Activation Token page will not be accessible.

Customizable

Change administrative group of server

Permission to change the administrative group associated with a server or a backup store.

Non-customizable

Admin management

Create, modify, or delete administrative groups

Permission to create, edit, and delete the administrative groups associated with the servers, virtual machines, and backup stores.

Non-customizable

Create, modify, or delete organizations

Permission to create, modify, and delete the organizations associated with the servers, virtual machines, and backup stores.

Non-customizable

Cache management

Manage Cloudcache servers

Permission to configure and upgrade the CloudCache, view the configuration and log files, and decommission the CloudCache.

Non-customizable

Reporting and alert management

View reports and alerts

Permission to view and download various Druva reports and view the alerts generated on the Management Console.

Customizable

Manage email schedules and subscriptions

You must have the View reports and alerts permission to enable this permission.

Permission to subscribe to the admin and non-admin users to emails related to reports and alerts.

Permission to update the email schedule.

Customizable

Policy management

Create, edit, or delete backup policy and retention policy

Permission to create, edit, and delete the backup and retention policy for the servers and virtual machines.

Non-customizable

Create, edit, or delete content rule

Permission to create, edit, and delete the content rule of the servers and virtual machines.

Non-customizable

Disaster recovery management

Add AWS account

Permission to create AWS account to maintain the AMI for the virtual machine.

Non-customizable

Delete AWS Proxies

Permission to delete AWS Proxies.

Customizable

Create, edit, or delete disaster recovery plan

Permission to create, edit, or delete the disaster recovery plan to recover the virtual machine in the AWS account in the event of a disaster.

Non-customizable

Perform DR failover

Permission to failover virtual machines and perform disaster recovery.

Non-customizable

Create a custom administrator role

Only a cloud administrator can create the cloud and the other administrator roles using the global Administrators menu on the Management Console.

Procedure

  1. Log in to the Management Console.

  2. On the menu bar click Settings > ManageAdministrators. Note that if organization is enabled, then click All Organizations and then click Settings > ManageAdministrators.

  3. On the Administrators page, click the Roles tab.

  4. Click New Role.
    The New Role window appears with the General tab opened, by default.

  5. On the General tab, provide the appropriate information in the following fields:

    • Base Role: Select the role to create the custom role from. For example, if you want to create a custom cloud administrator, select the Cloud Administrator option from the list.

    • New Role Name: The name of the custom role that you want to create. Druva appends the name that you had specified in this box to the role selected from the Base Role list and creates a custom role with the name as <base role>_<name>. For example, if you create a custom cloud administrator role with the name Delete_Recovery point_Not_Allowed, Druva creates a custom role with the following name: Cloud Administrator_Delete_Recovery point_Not_Allowed.

    • Description: A short description of the custom role that you want to create.

      NewRoleGeneral.PNG
  6. Click Next.
    The Role Customization tab displays a combination of rights specific to the base role selected on the G eneral tab.

  7. On the Role Customization tab, select or clear the check boxes corresponding to the rights under the various categories to create the custom role. For information about the rights, see Role rights.

    NewRoleCustomization.PNG

📝 Note


When you create a custom role using a base role, the default role has all the associated rights enabled for that role. You can clear the check boxes corresponding to the rights assigned to the role to remove a few granted rights. For example, when you create a custom cloud administrator role with no privilege to delete any recovery points, the created default custom role has all the rights from the base cloud administrator role. You can clear the Delete Recovery point check box to limit the right to delete the recovery points.


Click Finish.

Delete a custom role

Only the cloud administrator can delete the custom administrator roles on the Management Console. Before deleting a role, ensure that the role is not assigned to an administrator.


📝 Note


You cannot delete the predefined roles that Druva provides.


Procedure

  1. Log in to the Management Console.

  2. On the menu bar click Settings > ManageAdministrators. Note that if organization is enabled, then click All Organizations and then click Settings > ManageAdministrators.

  3. On the Administrators page, click the Roles tab.
    The Roles tab displays all the predefined and custom roles created by the cloud administrator.

  4. Select the check box corresponding to the custom role that you want to delete.

  5. Click Delete.

View the role details page

The role details page provides details of the Druva predefined and custom administrator roles.

Procedure

  1. Log in to the Management Console.

  2. On the menu bar click Settings > ManageAdministrators. Note that if organization is enabled, then click All Organizations and then click Settings > ManageAdministrators.

  3. On the Administrators page, click the Roles tab.
    The Roles tab displays all the predefined and custom roles created by the cloud administrator.

  4. Click the role for which you want to view details.
    The role details page appears.

  5. The Summary tab displays the following fields for the predefined roles:

    • Description: The short description of the role that gives an idea of the capabilities of the role.

    • #Mapped Administrators: The number of administrators on the Management Console associated with the role.

    • Rights: The various rights assigned to the role.

      RoleDetailsPage.PNG
  6. The Administrators tab displays the list of administrators associated with the role, along with their email addresses and details of the organizations they belong to. For predefined roles, click on the administrator name to view the administrator details.

    RoleDetailsPageAdministrators.PNG

📝 Note


The Organizations column is displayed only if organization is enabled.


Edit the custom role description

When you edit the rights assigned to a custom administrator role, you may want to update the corresponding description of the role. Using the Edit button on the role details page, you can update the description of the custom administrator role.

Procedure

  1. Log in to the Management Console.

  2. On the menu bar click Settings > ManageAdministrators. Note that if organization is enabled, then click All Organizations and then click Settings > ManageAdministrators.

  3. On the Administrators page, click the Roles tab.
    The Roles tab displays all the predefined and custom roles created by the cloud administrator.

  4. Click the role for which you want to update the description.

  5. On the role details page, click Edit.
    The Edit RoleDetails window appears.

    EditRoleDetails.PNG
  6. In the Description box, edit the description of the role.

  7. Click Save.

The Roles tab now displays the edited description of the role.

Edit rights of a custom role

You can change the combination of rights assigned to a custom administrator role by using the role details page. The changed rights for the administrator’s role apply from your next login to the Management Console.


📝 Note


You can edit rights assigned only to a custom administrator role.


Procedure

  1. Log in to the Management Console.

  2. On the menu bar click Settings > ManageAdministrators. Note that if organization is enabled, then click All Organizations and then click Settings > ManageAdministrators.

  3. On the Administrators page, click the Roles tab.
    The Roles tab displays all the predefined and custom roles created by the cloud administrator.

  4. Click the role for which you want to edit the rights assigned to a custom role.
    The role details page appears.

  5. In the Rights section, click Edit.
    The Edit Rights window appears with the check boxes selected for the rights assigned to the role.

    EditRoleRights.PNG
  6. Select and clear the check boxes corresponding to the rights to assign the role with a new combination. For more information about the rights, see Role rights.

  7. Click Save.

The Rights section on the role details page now lists the new combination of rights selected for the custom role.

Did this answer your question?