There are three user roles defined in CloudAdvisor: Super User, Administrator, and Audit User. Each role has different privileges and access rights, and the roles assigned to your user account govern what you can see and do when you log into CloudAdvisor.
Locally-created accounts are always Super User accounts. Accounts that are verified through the Active Directory (AD) can be assigned one or more of the available user roles.
To assign user roles to an AD account, you first set up three different groups in the Active Directory (AD): Super User Access Group, Administrator Access Group, and Audit User Access Group. Using the AD, you can then assign an individual CloudAdvisor user account to one or more of those three groups. If a user account is a member of multiple groups, CloudAdvisor uses the role with the most privileges when that user logs in. For more information on setting up the AD, see Active Directory Tab.
Super User
The Super User role has full administrative privileges in CloudAdvisor. Super Users can access any part of CloudAdvisor, can perform any task, and can access any file.
Super Users are either locally-created accounts or AD accounts that are members of the Super User Access Group.
Administrator
The Administrator role allows you to perform CloudAdvisor administrative services such as adding and removing VMs and creating DiscoveryPoints on existing VMs. An Administrator can perform file operations only on the files to which he or she has access.
For example, if Jeff logs in as an Administrator and searches for "chocolate", he will find all of the files to which he has read access rights. If Sally logs in as a Super User and searches for "chocolate", she will find all files containing "chocolate", regardless of her access rights for any of the individual files.
Administrators are AD accounts that are members of the Administrator Access Group.
Audit User
The Audit User role allows you to perform a very limited set of actions in CloudAdvisor. Audit Users can view tags, Insight Profiles and Insight Policies, but they cannot change them. They cannot add or remove VMs or create DiscoveryPoints.
Audit Users can only perform file operations (view file details, download, or restore) on files to which they have read access.
Audit Users are AD accounts that are members of the Audit Users Access Group.
The following table provides a partial list of CloudAdvisor actions allowed or disallowed by role:
Action | | Super User | Administrator | Audit User
---|---|---|---|---
Manage CloudAdvisor Users (for example, add, delete, change passwords, or add AD groups for user access) | | | |
Manage System Services (for example, DNS, NTP, SMTP, AD, or event notification policies) | | | |
Manage CloudAdvisor VMs, DiscoveryPoints, or network interfaces | | | |
Perform Discovery Searches | Results include all files regardless of the user's ACL access rights | | |
Perform Discovery Searches | Results limited to the files for which the user has ACL access rights | | |
View File Details | All files in CloudAdvisor | | |
View File Details | Files for which the user has access (via ACLs) | | |
Download Files | All files in CloudAdvisor | | |
Download Files | Files for which the user has access (via ACLs) | | |
Restore Files | All files in CloudAdvisor | | |
Restore Files | Files for which the user has access (via ACLs) | | |
Some CloudAdvisor capabilities allow the user to access file content. These are: Content Summary (displays extracted text in plain-text format), file download, and file restore. To prevent unauthorized access to file content, CloudAdvisor checks whether the logged-in user has read access to the file when the user is logged in as an Administrator or Audit User. Super Users are always allowed access to all files.
If a snapshot or backup containing the file is available, CloudAdvisor uses that as the basis for these checks. Otherwise, CloudAdvisor uses stored ACLs from its database of Insights (obtained during DiscoveryPoint processing).
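The following added example (not CloudAdvisor code) models the rules described above: the most-privileged role wins when an AD account is in several access groups, and content access for Administrators and Audit Users depends on read ACLs taken from a snapshot or backup when one holds the file, otherwise from stored ACLs. The privilege ordering, data structures, function names, and the account "dana" are assumptions made for illustration; the helper `escalated_accounts` shows how a group-membership review can surface accounts that log in with a higher role than their lowest group suggests.

```python
from enum import IntEnum

class Role(IntEnum):  # ordering by privilege is an assumption drawn from the role descriptions
    AUDIT_USER = 1
    ADMINISTRATOR = 2
    SUPER_USER = 3

# AD group names as written on this page; this mapping is a hypothetical model.
GROUP_ROLES = {
    "Super User Access Group": Role.SUPER_USER,
    "Administrator Access Group": Role.ADMINISTRATOR,
    "Audit User Access Group": Role.AUDIT_USER,
}

def effective_role(groups, local_account=False):
    """Role applied at login; None when no access group matches."""
    if local_account:  # locally created accounts are always Super Users
        return Role.SUPER_USER
    roles = [GROUP_ROLES[g] for g in groups if g in GROUP_ROLES]
    return max(roles, default=None)  # the role with the most privileges wins

def may_read_content(role, user, path, snapshot_acls, stored_acls):
    """Gate for Content Summary, download and restore."""
    if role is None:
        return False
    if role == Role.SUPER_USER:  # Super Users skip the per-file read check
        return True
    # Prefer ACLs from a snapshot or backup holding the file, else the stored ACLs.
    readers = snapshot_acls.get(path)
    if readers is None:
        readers = stored_acls.get(path, set())  # unknown file: deny
    return user in readers

def escalated_accounts(memberships):
    """Accounts in several access groups whose effective role exceeds their lowest one."""
    flagged = []
    for user, groups in sorted(memberships.items()):
        roles = {GROUP_ROLES[g] for g in groups if g in GROUP_ROLES}
        if len(roles) > 1:
            flagged.append((user, min(roles).name, max(roles).name))
    return flagged

# Constructed sample data (not from a real directory).
MEMBERSHIPS = {
    "jeff": ["Administrator Access Group"],
    "sally": ["Super User Access Group"],
    "dana": ["Audit User Access Group", "Super User Access Group"],
}

if __name__ == "__main__":
    for user, low, high in escalated_accounts(MEMBERSHIPS):
        print(f"{user}: lowest role {low}, logs in as {high}")
```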
The following checks must pass before access to a file is granted: