User Administration and Security - Capabilities and Permitted Actions

Table of Contents

Capabilities

The sections list the operations available to a user who belongs to a user group with a particular capability and who is given an association at a specific level in the CommCell Console. The Associated CommCell Entities column lists the minimal level of CommCell Console object association a user needs to perform the function. To see this information sorted by feature, see the Capabilities and Permitted Actions (by Feature) topic.

Administrative Management

Associated CommCell Entities Available Tasks/Operations
CommCell
  • Software:
    • Install, uninstall, and repair software from the CommCell Console.
    • Configure, download, and install software updates and automatic upgrades.
  • 1-touch Boot CD-ROM for Mass Storage Recognition.
  • Set Activity Control from the CommCell Level.
  • Track the operations of users who have access to the CommCell and set or modify the Audit Trail settings.
  • Run an auxiliary copy operation.
  • Add or modify the parameters available in the Control Panel.

    Note: The license administration operation also requires the License Management permission at the CommCell level.

  • Migrate clients from one CommCell to another.
  • Modify CommServe, Client Group and Client Computer properties.
  • Define custom calendars to suit the needs of your organization.
  • Run a Data Aging operation.
  • Configure Data Interface Pairs.
  • Perform a Data Verification operation.
  • Set the Database Space Check Interval.
  • Configure and perform Disaster Recovery Backups.
  • Configure and perform an Erase Data by Browsing operation or Erase Stubs operation.
  • Create Global Filters.
  • Perform the following Job Management configuration functions:
    • Set the job priority of an Agent.
    • Queue jobs.
    • Set the job update interval.
    • Determine if a job should be preemptible or restartable.

    Note: When performing an action on multiple jobs in the Job Controller, the correct capability and object association for all of the selected jobs are necessary. If a user is missing the correct capability, the group action cannot be performed on any of the jobs. The user who initiated a job can perform Job Controller functions for that job regardless of capability or object association.

  • Configure and de-configure libraries and drives.
  • Change the name of a client.
  • Configure NAS clients.
  • Define Operation Rules at the CommCell level.
  • Perform the following functions for an Auxiliary Copy Schedule Policy:
    • Create, clone, disable, and modify.
    • Run the schedules of the policy immediately.
    • View the storage policies and storage policy copies associated with the policy.

    Note: Only a user who created the schedule policy or a user who is associated with all of the objects associated with the schedule policy can change the schedule pattern.

  • Alerts:
    • Delete an alert from a schedule or schedule policy.
    • Create alert rules.
    • Use alert rules to create alerts.
  • Schedule administration operations such as Data Aging, Auxiliary Copy, Disaster Recovery backup, Data Verification, Automatic Update, Erase Data by Browsing/Erase Stubs, Drive Cleaning, and Report, run a scheduled task immediately, and be able to view, delete, disable, or modify the above schedules.

    Note: The user who created the schedule can also view it without any capability or object association.

  • Set Holidays.
  • Change media and network passwords, and also change user accounts.
  • Set the Automatically Add New Users to the View All group option.
  • Configure disk space utilization and search result display for each user.
  • Configure and perform Offline Content indexing
  • Delete Content Indexing Server.
  • Register Client from Client level.
  • Configure pre/post processes for Disaster Recovery Backup operations
  • Install an agent on the CommCell

    Note: This operation requires this capability only when the Authentication for Agent Installs feature is enabled. The Administrative Management capability is also required to add clients to a client computer group if Authentication for Agent Installs feature is enabled.

  • Modify the following hardware maintenance settings:
    • Library Maintenance
    • Drive Maintenance
    • Media Expiration
    • Drive Cleaning Thresholds
  • Create/Edit/Delete a Billable Entity.
  • Assign Billable Entities to Subclient.
  • Create/Edit/Delete Cost Category.
  • Assign/un-assign storage resources to Cost Categories.
  • Delete Report Snapshot.
  • Delete Legal Hold.
  • Manage Resources.
  • Set Thresholds.
  • View and configure reports on the CommCell Console.
  • View reports on the Web Console.
  • Build and download reports on the Web Console.
  • Import and export report templates on the Web Console.
  • Publish reports to Download Center.
Client
  • Modify Client Computer properties.
  • Install an agent on the client in the CommCell.

    Note: This operation requires this capability only when the Authentication for Agent Installs feature is enabled. The Administrative Management capability is also required to add clients to a client computer group if Authentication for Agent Installs feature is enabled.

  • Install or uninstall software using the CommCell Console.

    Note: This operation requires this capability only when the Authentication for Agent Installs feature is enabled. The Administrative Management capability is also required to add clients to a client computer group if Authentication for Agent Installs feature is enabled.

Client Computer Group
  • Set Activity Control from the Client Computer Group level.
  • Define Operational Window rules from the Client Computer Group level.
  • Modify/Delete client computer group properties.
  • Delete clients from a client group.

    Note: This operation also requires the Agent Management capability at the client level.

Agent Management

Associated CommCell Entities Available Tasks/Operations
Client
  • Add clients to a client group when there are no user groups in the Associated Groups list on the Security tab in the Client Group dialog box.
  • Add clients to a client group when there are user groups in the Associated Groups list on the Security tab in the Client Group dialog box.

    Note: This operation also requires the User Management capability at the client level.

  • Delete clients from a client group.

    Note: This operation also requires the Administrative Management capability at the client computer group level.

  • Set Activity Control from the Client level.
  • Define Operational Window rules from the Client level.
  • Modify and set the job priority for a client.
  • Set Data Encryption at the Client level.
  • De-configure a client.
  • Enable privacy.
  • Create an Oracle RAC client.
  • Create a DB2 MultiNode pseudo-client.
Agent
  • Set Activity Control from the Agent level.
  • Modify and perform operations specific to an agent.
  • Enable software compression for an Agent.
  • Set Data Encryption at the Subclient level.
  • De-configure an agent.
  • Define operation rules at the Agent level.
  • Configure a pre/post process.
  • Add a pre/post process for data recovery operations.
  • Remove a pre/post process for data protection/archive operations.
  • Configure, activate, and deactivate snapshots.
  • Create a subclient policy with subclient association.

    Note:

    • This operation also requires the View capability at the storage policy level.
    • Any user can create a subclient policy that does not have any subclient association.
  • Create a Replication Set.
Subclient
  • Set Activity Control from the Subclient level.
  • Enable global filters for a subclient.
  • Create data protection filters for a subclient.
Backup Set
  • Create a new on-demand backup set.
  • Create, modify, and delete a backup set.
  • Create, modify, and delete a subclient.
  • Clone a subclient policy that retains the subclient association of the original policy.

    Note: Any user can create a subclient policy that does not have any subclient association.

Instance/Partition Create, modify, and delete an instance/partition.
Replication Set
  • Modify and delete a Replication Set.
  • Create, modify, and delete a Replication Pair.
Replication Pair Delete a Replication Pair.

Agent Scheduling

Note: This operation also requires the Data Protection/Management Operations, In Place Recover, and Out of Place Recover capabilities respectively for Data Protection and Data Recovery Schedule.

Associated CommCell Entities Available Tasks/Operations
Agent, Backup Set, Instance/Partition/Subclient
  • Create, clone, and modify a Data Protection Schedule Policy.
  • Decouple a scheduled job from a schedule policy.
  • Delete an alert from a schedule or schedule policy.
  • Run the schedules of a schedule policy immediately.
  • Associate a data protection schedule policy with a subclient.

    Note: Only a user who created the schedule policy or a user who is associated with all of the objects associated with the schedule policy can change the schedule pattern.

  • Add, modify, disable, delete, and view data protection operation schedules.
  • Add, modify, disable, delete, and view data recovery operation schedules.

    Note: The user who created the schedule can also view it without any capability or object association.

  • Schedule Data Collection Jobs at Agent and Subclient level.
Replication Set Schedule the creation and back up of a Recovery Point.

Alert Management

Associated CommCell Entities Available Tasks/Operations
Client Computer Group, Client, Agent, Backup Set, Instance/Partition, Subclient, Library, MediaAgent, Storage Policy, Tracking Policy
  • Configure alerts for CommCell objects. The necessary associated object depends on the entity for which the alert is created.
  • Disable Advisories.
  • Add/Edit/Clone/Delete Thresholds.
CommCell Modify an alert on a schedule or schedule policy.

Annotation Management

Associated CommCell Entities Available Tasks/Operations
CommCell/Client group/Client/Agent/Backup Set Add/edit annotations to discovered files/emails

Application-Free Restore

This operation includes the following.

Associated CommCell Entities Available Tasks/Operation
The Out of Place Recover capability at the backup set or instance at the source client

and

The Browse and In Place Recover capabilities at the agent level of the destination client

Restore databases directly to a disk from the CommCell Console without the use of the database application.

Browse

Associated CommCell Entities Available Tasks/Operations
CommCell/Client group/Client/Agent/Backup Set/Instance/Partition/Subclient/Replication Set
  • Perform a browse operation at the appropriate levels.
  • View the list of media required for browse/data recovery operations.
  • Search CommCell domain for data related to any user on the associated object.
  • View backup job history/backup data.

Compliance Search

Associated CommCell Entities Available Tasks/Operations
CommCell/Client group/Client/Agent/Backup Set Search CommCell domain for data related to any user on the associated object.

Data Protection/Management Operations

Associated CommCell Entities Available Tasks/Operations
Backup set Run on demand data protection jobs.
Agent
  • File System Multi-Streaming
  • Remove a pre/post process for data protection/archive operations.
  • Run/Schedule Data Collection Jobs.
Backup Set, Instance/Partition, Subclient
  • Configure and perform archive operations.
  • Configure and perform the following data protection operations:
    • Backups including synthetic full backups
    • Archives
    • Migrations

    Note: The associated object is the object from which the data protection operation is being initiated.

Agent, Backup Set, Instance/Partition

/Subclient

  • Add, modify, disable, delete, and view data protection operation schedules.

    Note: The user who created the schedule can also view it without any capability or object association.

  • Run/Schedule Data Collection Jobs.

If this task/operation is performed at the level for which the schedules were created:

  • Create, clone, and modify a Data Protection Schedule Policy.
  • Decouple a scheduled job from a schedule policy.
  • Run the schedules of a schedule policy immediately

    Note: Only a user who created the schedule policy or a user who is associated with all of the objects associated with the schedule policy can change the schedule pattern.

Replication Set
  • Create Recovery Point.
  • Back up Recovery Point.
Client, Subclient Backup copy:
  • Copy the snapshots of the data to any media.
  • Create additional standby copies of data.

Note: The backup copy operations also require the Storage Policy Management capability at the storage policy level.

Download

Associated CommCell Entities Available Tasks/Operations
CommCell/Client Computer Groups/Client Download one or more files and folders from the web console to a specific location on the local machine.

Download Center Management

Associated CommCell Entities Available Tasks/Operations
None
  • View Download Center in the Web Console.
  • View and download packages in the Download Center.
  • Publish reports to the Download Center.
  • Upload packages to Download Center.
  • Edit package information.
  • Delete packages from Download Center.

End User Access

Associated CommCell Entities Available Tasks/Operations
CommCell/Client group/Client/Agent/Backup Set
  • Search CommCell domain for data related to the logged in user with permissions to the user on the associated object.
  • Perform Browse, Restore, and Erase Data operations with the Windows File System (ACLs based) and IBM Notes Add-In.
  • UNIX File System: Perform restores by impersonating users. For more information, see Restores Using End-User Capability.

In Place Full Machine Recovery

Associated CommCell Entities Available Tasks/Operations
Client/Agent (virtualization only) Recover full virtual machines to their original location. The user performing the restore must own the virtual machines being recovered.

In Place Recover

Associated CommCell Entities Available Tasks/Operations
Client/Agent/Backup Set/Instance/Partition/Replication Set
  • Restore Data Using a Map File and Restore by Jobs
    • If data is being recovered to the same destination as the original data protection operation.
    • If data is being recovered to a different destination than the original data protection operation.
  • Browse and recover to the same place as the original data protection operation. These operations include:
    • Copyback
    • Restore
    • Recovery
    • Retrieve
  • Virtual machine recovery: recover guest files and folders to their original location. To recover full virtual machines to their original location, use the In Place Full Machine Recovery capability.
  • Add a pre/post processes for data recovery operations.
  • Add, modify, disable, delete, and view data recovery operation schedules.

    Note: The user who created the schedule can also view it without any capability or object association.

  • Automatic and manual mount point creation for snapshots that comprise a Recovery Point for ContinuousDataReplicator.
  • Search CommCell domain for data related to any user on the associated object.

Installation

Associated CommCell Entities Available Tasks/Operations
CommCell/Agent
  • Install the agent (Remote Install).

    Note: This operation requires this capability only when the Authentication for Agent Installs feature is enabled. The Administrative Management capability is also required to add clients to a client computer group if Authentication for Agent Installs feature is enabled.

  • View Download Center in the Web Console.
  • Download reports from the Software Store.
  • View and download packages in the Download Center.

Job Management

Associated CommCell Entities Available Tasks/Operations
CommCell
  • Suspend, resume and kill selected jobs and groups of jobs.

    Note: When performing an action on multiple jobs in the Job Controller, the correct capability and object association for all of the selected jobs are necessary. If a user is missing the correct capability, the group action cannot be performed on any of the jobs. The user who initiated a job can perform Job Controller functions for that job regardless of capability or object association.

  • Change the job priority of a scheduled job, or running or groups of running jobs from the Job Controller.
  • Start a job in a suspended state.
  • Start/suspend/resume/abort Replication Sets.
  • Start/suspend/resume/abort Replication Pairs.

Legal Hold Management

Associated CommCell Entities Available Tasks/Operations
CommCell/Client group/Client/Agent/Backup Set
  • Create and Modify Legal Hold.
  • Add search items to Legal Hold.
  • Retrieve data from Legal Hold.

Library Administration

Associated CommCell Entities Available Tasks/Operations
Library Perform the following functions:
  • Create/delete or modify scratch pools.
  • Move media between scratch pools.
  • Reset library, library controller.
  • Full scan.
  • Mark library fixed.
  • Properties of library, master drive pool, drive pool, drive, and media.
  • Validate drive.
  • Mark a drive cleaned.
  • Mark a drive replaced.
  • Mark a drive fixed.
  • Clean drive.
  • Reset drive.
  • Unload drive.
  • Import media, cleaning media.
  • Load media.
  • Mark media full, bad, and appendable.
  • Mark media exported, prevent media export, export media.
  • Verify media.
  • Move media.
  • Delete media.
  • Update barcode.
  • Unload media.
  • Export media or schedule export media.

    Note: Users who are not a member of the View All user group would not be able to view/browse the export locations. However, they can manually enter the export location and successfully complete the export operation.

  • Recall media
  • View contents.
  • Migrate disk library.
  • Inventory, Scheduled Inventory for Blind Library.
  • Stamp media in stand alone libraries.

Library Management

Library Management is a superior capability with critical library management rights, in addition to all the rights in Library Administration capability.

Associated CommCell Entities Available Tasks/Operations
Library Perform the following functions:
  • Erase spare media.
  • Delete contents.
  • Overwrite Media options.
  • Create/delete or modify scratch pools.
  • Move media between scratch pools.
  • Reset library, library controller.
  • Full scan.
  • Mark library fixed.
  • Properties of library, master drive pool, drive pool, drive, and media.
  • Validate drive.
  • Mark a drive cleaned.
  • Mark a drive replaced.
  • Mark a drive fixed.
  • Clean drive.
  • Reset drive.
  • Unload drive.
  • Import media, cleaning media.
  • Load media.
  • Mark media full, bad, and appendable.
  • Mark media exported, prevent media export, export media.
  • Verify media.
  • Move media.
  • Delete media.
  • Update barcode.
  • Unload media.
  • Export media or schedule export media.

    Note: Users who are not a member of the View All user group would not be able to view/browse the export locations. However, they can manually enter the export location and successfully complete the export operation.

  • Recall media
  • View contents.
  • Migrate disk library.
  • Inventory, Scheduled Inventory for Blind Library.
  • Stamp media in stand alone libraries.

License Management

Associated CommCell Entities Available Tasks/Operations
CommCell Add or modify the License Administration parameters in the Control Panel.

Note: This operation also requires the Administrative Management permission at the CommCell level.

Live Browse

Associated CommCell Entities Available Tasks/Operations
CommCell/Client group/Client User can browse both backup and non-backed up (live) data on the client computer.

MediaAgent Management

Associated CommCell Entities Available Tasks/Operations
CommCell Deconfigure the MediaAgent CommCell object.
MediaAgent
  • Modify MediaAgent properties including the Index Cache, and perform MediaAgent operations.
  • Change the name of a MediaAgent.

To enable these tasks or operations, set the value of the Media Management configuration parameter Provide user with MediaAgent management rights additional capabilities for libraries, data paths, and storage policies to 1.

  • Access Library and Drive Configuration window to configure or deconfigure libraries and drives.
  • Create, modify, and delete storage policies and storage policy copies using libraries associated with a MediaAgent.
  • Add data paths to a MediaAgent.
  • Add the user group (the user belongs) to the newly-configured libraries.

Out of Place Full Machine Recovery

Associated CommCell Entities Available Tasks/Operations
Client/Agent (virtualization only) Recover full virtual machines to a location other than the original location. The user performing the restore must own the virtual machines being recovered.

Out of Place Recover

Associated CommCell Entities Available Tasks/Operations
Backup Set, Replication Set, or Instance/Partition at the source client

and

Browse and In Place Recovery capability at the agent level of the destination client.

If the destination client is on a different platform than the source client (for example, a Unix File System client and a Windows File System client), then Browse and In Place Recovery with at least client level association at the destination client is needed.

  • Restore Data Using a Map File and Restore by Jobs
    • Source Client
  • Browse and recover to a different place than the original data protection operation. These operations include:
    • Copyback
    • Restore
    • Recovery
    • Retrieve
  • Virtual machine recovery: recover guest files and folders to a different destination client. To recover full virtual machines to a location other than the original location, use the Out of Place Full Machine Recovery capability.
  • Add a pre/post processes for data recovery operations.
  • Add, modify, disable, delete, and view data recovery operation schedules.

    Note: The user who created the schedule can also view it without any capability or object association.

  • Automatic and manual mount point creation for snapshots that comprise a Recovery Point for ContinuousDataReplicator.
  • Search CommCell domain for data related to any user on the associated object.

Report Management

Associated CommCell Entities Available Tasks/Operations
CommCell
  • Run reports on the CommCell Console that contain CommCell information.
  • View reports on Web Console.
  • Build and download reports on the Web Console.
  • Import and export report templates on the Web Console.
  • Publish reports to Download Center.
  • View the SLA Report and the Backup Job Summary Report on the Web Console. A user must also be a member of the Master user group to view these reports.

Note: To generate the Job Schedule Report, a user must be a member of the Master user group or have Report Management capability, and have the capability to view schedules in the CommCell Console.

None Run a Job, Storage, or Vault tracker report and schedule all reports.

Sharing

Associated CommCell Entities Available Tasks/Operations
Any entity User can share files and folders with other users from the web console.

Storage Policy Management

Associated CommCell Entities Available Tasks/Operations
Storage Policy
  • Configure a storage policy copy for alternate data paths, and delete data paths from the copy.
  • Enable Hardware Compression for a data path from a storage policy copy to which the data path is associated.
  • Configure a storage policy copy for data multiplexing.
  • Configure a storage policy copy for data verification.
  • Modify a storage policy or storage policy copy.
  • Enable an Incremental Storage Policy.
  • Prune, disable, and manually retain a data protection operation on a copy.
  • Set Inline Copy.
  • Combine the data streams of a storage policy copy.
  • Backup copy:
    • Copy the snapshots of the data to any media.
    • Create additional standby copies of data.

    Note: The backup copy operations also require the Data Protection/Management Operations capability at the client or subclient level.

Storage Policy Run an auxiliary copy operation for a storage policy.
CommCell
  • Create and delete storage policies and storage policy copies.
  • Create and delete storage policy copies, including inline copies.
  • Migrate media.

Tag Management

Associated CommCell Entities Available Tasks/Operations
CommCell/Client group/Client/Agent/Backup Set
  • Create/Modify/Delete Tags.
  • Associate/Dissociate Tags to discovered items.

Upload

Associated CommCell Entities Available Tasks/Operations
CommCell/Client group/Client Upload one or more files and folders to a specific location in the client computer from the web console.

User Management

Associated CommCell Entities Available Tasks/Operations
CommCell
  • Add, delete, and modify a CommCell user.
  • Add, delete, and modify a user group.
  • Associate/disassociate a user group to any CommCell entity.
  • Configure Single Sign On.
  • Add clients to a client group.
Client Add clients to a client group when there are user groups in the Associated Groups list on the Security tab in the Client Group dialog box.

Note: This operation also requires the Agent Management capability at the client level.

Entities other than CommCell Associate/disassociate a user group that you are a member of to the entity.

Example

You are a member of user group UG001. UG001 has User Management as the capability and Client001 as the associated entity.
You are also a member of user groups UG005, UG009, and UG015. These groups do not have User Management as a capability.
You are not a member of UG022.

From the Security tab in the Client Computer Properties for Client001 dialog box, you can add groups UG005, UG009, and UG015 to the Associated Groups list.
You cannot add group UG022.

Vault Tracker Operations

Associated CommCell Entities Available Tasks/Operations
CommCell Add, delete, and modify any of the following objects or operations:
  • Actions
  • Containers
  • Export Media from Backup/Auxiliary Copy Operations
  • Export Media using the Export Media Wizard
  • Iron Mountain ID
  • Library
  • Location
  • Media Repository
  • Recall Media
  • Tracking Policy
  • Vault Tracker Alerts
  • Vault Tracker Reports

    Note: This operation also requires the Report Management capability. Only information about objects available with the user's current Vault Tracker Operations capability level are displayed in the report.

Entities other than CommCell
  • Actions: details, set container, abort, picked up, reached destination
  • Containers: modify, delete, move all media, remove all media
  • Library: view and modify at the Vault tracker policy
  • Location: modify, delete
  • Media Repository: modify, delete, update barcode, add media
  • Tracking Policy: run, modify, delete, view media, view schedules, create schedules, set holidays
  • Vault Tracker Policy: create

View

Associated CommCell Entities Available Tasks/Operations
CommCell, Client Computer Groups, Client Computers, Libraries, MediaAgents, Storage Policies, Vault Tracker Policies View the component details of the selected entity.