In Secure Multitenancy (SMT), permission to perform a task depends on the role that is assigned to a user. DDMC uses role-based access control (RBAC) to control these permissions.
All DDMC users can:
View all tenants
Create, read, update, or delete tenant units belonging to any tenant if the user is an administrator on the protection system hosting the tenant unit
Assign and unassign tenant units to and from a tenant if the user is an administrator on the system hosting the tenant unit
View tenant units belonging to any tenant if the user has any assigned role on the system hosting the tenant unit
The ability to perform more advanced tasks depends on the role of the user, as follows:
admin role
A user with an admin role can perform all administrative operations on a protection system. An admin can also perform all SMT administrative operations on the system, including setting up SMT, assigning SMT user roles, enabling tenant self-service mode, creating a tenant, and so on. In the context of SMT, the admin is typically referred to as the landlord. In DDOS, the role is known as the sysadmin.
To have permission to edit or delete a tenant, you must be both a DDMC admin and a DDOS sysadmin on all systems that are associated with the tenant units of that tenant. If the tenant does not have any tenant units, you need only to be a DDMC admin to edit or delete that tenant.
limited-admin role
A user with a limited-admin role can perform all administrative operations on a system as the admin. However, users with the limited-admin role cannot delete or destroy MTrees. In DDOS, there is an equivalent limited-admin role.
tenant-admin role
A user with a tenant-admin role can perform certain tasks only when tenant self-service mode is enabled for a specific tenant unit. Responsibilities include scheduling and running a backup application for the tenant and monitoring resources and statistics within the assigned tenant unit. The tenant-admin can view audit logs, but RBAC ensures that only audit logs from the tenant units belonging to the tenant-admin are accessible. In addition, tenant-admins ensure administrative separation when tenant self-service mode is enabled. In the context of SMT, the tenant-admin is referred to as the backup admin.
tenant-user role
A user with a tenant-user role can monitor the performance and usage of SMT components only on tenant unit(s) assigned to them and only when tenant self-service is enabled. A user with this role cannot view audit logs for their assigned tenant units. Also, tenant-users may run the show and list commands.
none role
A user with a role of none is not allowed to perform any operations on a system other than changing their password and accessing data using DD Boost. However, after SMT is enabled, the admin can select a user with a none role from the system and assign them an SMT-specific role of tenant-admin or tenant-user. Then, that user can perform operations on SMT management objects.
management groups
BSPs (backup service providers) can use management groups defined in a single, external AD (Active Directory) or NIS (Network Information Service) to simplify managing user roles on tenant units. Each BSP tenant may be a separate, external company and may use a name service such as AD or NIS.
With SMT management groups, the AD and NIS servers are set up and configured by the admin in the same way as SMT local users. The admin can ask their AD or NIS administrator to create and populate the group. The admin then assigns an SMT role to the entire group. Any user within the group who logs in to the system is logged in with the role that is assigned to the group.
When users leave or join a tenant company, they can be removed or added to the group by the AD or NIS administrator. It is not necessary to modify the RBAC configuration on a system when users who are part of the group are added or removed.
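The role rules above can be checked against an exported set of role assignments when reviewing who holds destructive rights over a tenant. The following is an added example, not DDMC or DDOS code: the classes, function names, system names, and user names are all hypothetical, and it models only the tenant edit/delete rule and the tenant-admin and tenant-user restrictions described on this page.

```python
from dataclasses import dataclass, field

# Constructed model of the rules on this page; every name is hypothetical, not a DDMC API.
@dataclass
class TenantUnit:
    name: str
    system: str                 # protection system hosting the tenant unit
    self_service: bool = False  # tenant self-service mode

@dataclass
class User:
    name: str
    ddmc_admin: bool = False
    ddos_roles: dict = field(default_factory=dict)  # system -> DDOS role
    smt_roles: dict = field(default_factory=dict)   # tenant unit name -> SMT role

def can_edit_or_delete_tenant(user, tenant_units):
    """DDMC admin and DDOS sysadmin on every system hosting the tenant's units."""
    if not user.ddmc_admin:
        return False
    # all() of an empty sequence is True: with no tenant units, DDMC admin suffices.
    return all(user.ddos_roles.get(tu.system) == "sysadmin" for tu in tenant_units)

def smt_role_allows(user, tu, action):
    """Tenant roles act only on assigned tenant units with self-service enabled."""
    role = user.smt_roles.get(tu.name)
    if role is None or not tu.self_service:
        return False
    if action == "view_audit_log":
        return role == "tenant-admin"  # tenant-user cannot view audit logs
    if action == "monitor":
        return role in ("tenant-admin", "tenant-user")
    return False  # deny anything not modelled here

def tenant_deleters(users, tenant_units):
    """Review helper: names of users who could edit or delete the tenant."""
    return sorted(u.name for u in users if can_edit_or_delete_tenant(u, tenant_units))

# Constructed sample data.
TU1 = TenantUnit("tu1", "dd-a", self_service=True)
TU2 = TenantUnit("tu2", "dd-b")
USERS = [
    User("alice", True, {"dd-a": "sysadmin", "dd-b": "sysadmin"}),
    User("bob", True, {"dd-a": "sysadmin", "dd-b": "limited-admin"}),
    User("carol", smt_roles={"tu1": "tenant-admin", "tu2": "tenant-admin"}),
    User("dave", smt_roles={"tu1": "tenant-user"}),
]
```

In the sample data, bob loses edit/delete rights over a tenant as soon as one of its tenant units lives on a system where he is not sysadmin, and carol's tenant-admin role on tu2 grants nothing while self-service mode is off there.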