User Administration and Security - Capabilities and Permitted Actions by Feature

Table of Contents

Features

The following table lists the features with their required capability and the required association in the CommCell Console. The Associated CommCell Entities column lists the minimal level of CommCell object association a user needs to perform the function. To see the information in this table sorted by capability and associated CommCell object, see the Capabilities and Permitted Actions.

1-Touch

Description Capability Associated CommCell Entities
1-touch Boot CD-ROM for Mass Storage Recognition Administrative Management CommCell

Activity Control

Activity Control can be set from the following CommCell Levels.

Description Capability Associated CommCell Entities
CommCell Administrative Management CommCell
Client Computer Group Client Computer Group
Client Agent Management Client
Agent Agent
Subclient Subclient

Advanced File System iDataAgent Options

On Demand Data Protection

Description Capability Associated CommCell Entities
Run on demand data protection jobs Data Protection/Management Operations Backup set
Create a new on-demand backup set Agent Management
File System Multi-Streaming Data Protection/Management Operations Agent

Restore Data Using a Map File and Restore by Jobs

Description Capability Associated CommCell Entities
If data is being recovered to the same destination as the original data protection operation In Place Recovery At least subclient level association at the source client
If data is being recovered to a different destination than the original data protection operation: Source Client Out of Place Recovery At least backup set/instance association
If data is being recovered to a different destination than the original data protection operation: Destination Client (same platform as the source Client) In Place Recovery At least Agent level association
If data is being recovered to a different destination than the original data protection operation: Destination Client (different platform from the source Client) In Place Recovery At least Client level association

Agents

Description Capability Associated CommCell Entities
Modify and perform operations specific to an agent. Agent Management Agent
Install an agent on the CommCell.

Note: This operation requires this capability only when the Authentication for Agent Installs feature is enabled. The Administrative Management capability is also required to add clients to a client computer group if Authentication for Agent Installs feature is enabled.

Administrative Management, Installation CommCell, Agent

Alerts

Description Capability Associated CommCell Entities
Configure alerts for CommCell objects. The necessary associated object depends on the entity for which the alert is created. Alert Management Client Computer Group, Client, Agent, Backup Set, Instance/Partition, Subclient, Library, MediaAgent, Storage Policy, Tracking Policy
Disable advisories.
Add/edit/clone/delete thresholds.
Modify an alert on a schedule or schedule policy. CommCell
Delete an alert from a schedule or schedule policy. Administrative Management CommCell
Create alert rules.
Use alert rules to create alerts.

Alternate Data Paths (GridStor)

Description Capability Associated CommCell Entities
Configure a storage policy copy for alternate data paths, and delete data paths from the copy. Storage Policy Management Storage Policy

Application-Free Restore

This operation includes the following.

Description Capability Associated CommCell Entities
Restore databases directly to a disk from the CommCell Console without the use of the database application.

Out of Place Recover (Source Client)

Browse (Destination Client)

In Place Recover (Destination Client)

The Out of Place Recover capability at the backup set or instance at the source client

and

The Browse and In Place Recover capabilities at the agent level of the destination client

Archive

Description Capability Associated CommCell Entities
Configure and perform archive operations. Data Protection/Management Operations Archive Set, Instance, Subclient
Configure offline archive options in Outlook Add-In. Local administrative privileges are required by users logged into the Outlook Add-In client. N/A

Audit Trail

Description Capability Associated CommCell Entities
Track the operations of users who have access to the CommCell and set or modify the Audit Trail settings. Administrative Management CommCell

Automatic Updates/Upgrade

Description Capability Associated CommCell Entities
Configure, download, and install software updates and upgrades. Administrative Management CommCell

Auxiliary Copy

Description Capability Associated CommCell Entities
Run an auxiliary copy operation. Administrative Management CommCell
Run an auxiliary copy operation for a storage policy. Storage Policy Management Storage Policy

Backup Copy

Description Capability Associated CommCell Entities
  • Copy the snapshots of the data to any media.
  • Create additional standby copies of data.
Data Protection/Management Operations

Storage Policy Management

Client/Subclient

Storage Policy

Backup Set

Description Capability Associated CommCell Entities
Create, modify, and delete a backup set. Agent Management Backup Set

Browse

Perform a browse operation at the following CommCell levels.

Description Capability Associated CommCell Entities
Client Browse

Note: Users with Browse capability can browse all of the data.

Client
Agent Agent
Backup Set Backup Set
Instance/Partition Instance/Partition
Replication Set Replication Set
Subclient Subclient

Browse Recoveries and Find Recoveries from Notes and Windows File System

Description Capability Associated CommCell Entities
Perform advanced message recovery operations such as find recoveries and browse recoveries from Notes using the IBM Notes Add-In.

You can also perform ACL-based browse and restore for the Windows File System.

End User Access

Note: Users with End User capabilities can browse data owned by them. Assigning End User Access capability helps to maintain multiple user profiles on the same laptop (or desktop) and ensures that users have the ability to browse and restore only the data to which they have access.

CommCell

Content Indexing and Search

Description Capability Associated CommCell Entities
  • Configure and perform Offline Content Indexing
  • Delete Content Indexing server
Administrative Management CommCell
Search CommCell domain for data related to the logged in user with permissions to the user on the associated object End User Access CommCell/Client group/Client/Agent/Backup Set
Search CommCell domain for data related to any user on the associated object Compliance Search CommCell/Client group/Client/Agent/Backup Set
Add/Modify Annotations to discovered items Annotation Management CommCell/Client group/Client/Agent/Backup Set
  • Create/Modify/Delete Legal Holds
  • Add search items to Legal Hold
  • Retrieve data from Legal Hold
Legal Hold Management CommCell/Client group/Client/Agent/Backup Set
  • Create/Modify/Delete Tags
  • Associate/Dissociate Tags to discovered items
Tag Management CommCell/Client group/Client/Agent/Backup Set

Client

Perform the following functions for a client.

Description Capability Associated CommCell Entities
Register a client from the client level Administrative Management CommCell
  • Modify
  • Enable privacy
  • Set the job priority
  • Create an Oracle RAC client
  • Create a DB2 MultiNode pseudo-client
Agent Management Client

Client Computer Group

Description Capability Associated CommCell Entities
Modify/Delete client computer group properties Administrative Management Client Computer Group or CommCell
Add clients to a client group when there are user groups in the Associated Groups list on the Security tab in the Client Group dialog box Agent Management, User Management Client, Client
Add clients to a client group when there are no user groups in the Associated Groups list on the Security tab in the Client Group dialog box Agent Management Client
Delete clients from a client group Administrative Management, Agent Management Client Computer Group, Client

Control Panel

Add or modify the parameters available in the Control Panel.

Description Capability Associated CommCell Entities
License Administration License Management CommCell
Display No capability required No objects required
All other Administrative Management CommCell

CommCell Migration

Description Capability Associated CommCell Entities
Migrate clients from one CommCell to another. Administrative Management CommCell

CommServe

Description Capability Associated CommCell Entities
Modify CommServe properties. Administrative Management CommCell

Custom Calendar

Description Capability Associated CommCell Entities
Define custom calendars to suit the needs of your organization Administrative Management CommCell

Data Aging

Description Capability Associated CommCell Entities
Run a data aging operation Administrative Management CommCell

Data Collection

Perform Data Collection operations at the following CommCell Levels.

Description Capability Associated CommCell Entities
Agent Agent Management Agent
Subclient Agent Scheduling Subclient

Data Compression

Description Capability Associated CommCell Entities
Enable software compression for the Agent Agent Management Agent
Enable hardware compression for a data path from a storage policy copy to which the data path is associated Storage Policy Management Storage Policy

Data Encryption

Set Data Encryption at the following CommCell Levels.

Description Capability Associated CommCell Entities
Client Agent Management Client
Subclient Agent

Data Interface Pairs

Description Capability Associated CommCell Entities
Configure data interface pairs Administrative Management CommCell

Data Multiplexing

Description Capability Associated CommCell Entities
Configure a copy for Data Multiplexing Storage Policy Management Storage Policy

Data Protection

Note: The associated object is the object from which the data protection operation is being initiated.

Description Capability Associated CommCell Entities
Configure and perform the following data protection operations:
  • Backups including synthetic full backups
  • Compliance Archiving
  • Migration Archiving
Data Protection/Management Operations Backup Set/Archive Set, Instance/Partition, Subclient

Data Verification

Perform the following data verification functions.

Description Capability Associated CommCell Entities
Perform a data verification operation Administrative Management CommCell
Configure a storage policy copy for data verification Storage Policy Management Storage Policy

Database Space Check Interval

Description Capability Associated CommCell Entities
Set the Database Space Check Interval Administrative Management CommCell

Deconfigure

De-configure the following CommCell Objects.

Description Capability Associated CommCell Entities
MediaAgent MediaAgent Management CommCell
Client Agent Management Client
Agent Agent

Deployment

Description Capability Associated CommCell Entities
Interactive Install when the CommServe Authentication is available Administrative Management CommCell
Remote Install Administrative Management, Installation
Silent Install Administrative Management
Register a Client
Uninstall and repair software using the CommCell Console

Disaster Recovery Backup

Description Capability Associated CommCell Entities
Configure and perform Disaster Recovery Backups Administrative Management CommCell

Erase Backup/Archived Data

Description Capability Associated CommCell Entities
Configure and perform an Erase Data by Browsing or Erase Stubs operation. Administrative Management CommCell

Erase Backup/Archived Data from the DataArchiver Outlook Add-In

Description Capability Associated CommCell Entities
Perform the following Erase Data operations from the DataArchiver Outlook Add-In:
  • Browse and Erase Data
  • Find and Erase Data
End User Access, Administrative Management CommCell

Event Viewer

Description Capability Associated CommCell Entities
Set the maximum number of events to be retained in the Event Viewer. No rights are required. No rights are required.

Filters

Perform the following filters functions.

Description Capability Associated CommCell Entities
Create Global Filters. Administrative Management CommCell
  • Enable global filters for a subclient.
  • Create data protection filters for a subclient.
Agent Management Subclient
Enable CSVDE filtering for discovery operations. Agent Management Agent

Hardware Maintenance

Modify the following hardware maintenance settings.

Description Capability Associated CommCell Entities
  • Library Maintenance
  • Drive Maintenance
  • Media Expiration
  • Drive Cleaning Thresholds
Administrative Management CommCell

In Place Recover

Browse and recover to the same place as the original data protection operation. These operations include the following.

Description Capability Associated CommCell Entities
  • Copyback
  • Restore
  • Recovery
  • Retrieve
In Place Recover Client/Agent/Backup Set/Instance/Partition/Replication Set

Index Cache

See MediaAgent.

Instance/Partition

Description Capability Associated CommCell Entities
Create, modify, and delete an instance/partition. Agent Management Instance/Partition

Job Management

Note: When performing an action on multiple jobs in the Job Controller, the correct capability and object association for all of the selected jobs are necessary. If a user is missing the correct capability, the group action cannot be performed on any of the jobs. The user who initiated a job can perform Job Controller functions for that job regardless of capability or object association.

Description Capability Associated CommCell Entities
Perform the following Job Management configuration functions:
  • Set the job priority of an Agent.
  • Queue jobs.
  • Set the job update interval.
  • Determine if a job should be preemptible or restartable.
Administrative Management CommCell
Perform the following Job Controller functions:
  • Suspend, resume and kill selected jobs and groups of jobs.
  • Change the job priority of a scheduled job, or running or groups of running jobs from the Job Controller.
  • Start a job in a suspended state.
Job Management CommCell

Library and Drive Configuration

Description Capability Associated CommCell Entities
Configure and de-configure libraries and drives. Administrative Management CommCell
  • Configure and de-configure libraries and drives associated with a MediaAgent.
  • Automatically add the user group (the user belongs) to the newly-configured libraries.
MediaAgent Management

To enable these tasks or operations, set the value of the Media Management configuration parameter Provide user with MediaAgent management rights additional capabilities for libraries, data paths, and storage policies to 1.

MediaAgent
  • Create/delete or modify scratch pools.
  • Move media between scratch pools.
  • Reset library, library controller.
  • Full scan.
  • Mark library fixed.
  • Properties of library, master drive pool, drive pool, drive, and media.
  • Validate drive.
  • Mark a drive cleaned.
  • Mark a drive replaced.
  • Mark a drive fixed.
  • Clean drive.
  • Reset drive.
  • Unload drive.
  • Import media, cleaning media.
  • Load media.
  • Mark media full, bad, and appendable.
  • Mark media exported, prevent media export, export media.
  • Verify media.
  • Move media.
  • Delete media.
  • Update barcode.
  • Unload media.
  • Export media or schedule export media.

    Note: Users who are not a member of the View All user group would not be able to view/browse the export locations. However, they can manually enter the export location and successfully complete the export operation.

  • Recall media
  • View contents.
  • Migrate disk library.
  • Inventory, Scheduled Inventory for Blind Library.
  • Stamp media in stand alone libraries.
Library Administration Library
  • Erase spare media.
  • Delete contents.
  • Overwrite Media options.
  • Create/delete or modify scratch pools.
  • Move media between scratch pools.
  • Reset library, library controller.
  • Full scan.
  • Mark library fixed.
  • Properties of library, master drive pool, drive pool, drive, and media.
  • Validate drive.
  • Mark a drive cleaned.
  • Mark a drive replaced.
  • Mark a drive fixed.
  • Clean drive.
  • Reset drive.
  • Unload drive.
  • Import media, cleaning media.
  • Load media.
  • Mark media full, bad, and appendable.
  • Mark media exported, prevent media export, export media.
  • Verify media.
  • Move media.
  • Delete media.
  • Update barcode.
  • Unload media.
  • Export media or schedule export media.

    Note: Users who are not a member of the View All user group would not be able to view/browse the export locations. However, they can manually enter the export location and successfully complete the export operation.

  • Recall media
  • View contents.
  • Migrate disk library.
  • Inventory, Scheduled Inventory for Blind Library.
  • Stamp media in stand alone libraries.
Library Management

Library Management is a superior capability with critical library management rights, in addition to all the rights in Library Administration capability.

Library

License

Description Capability Associated CommCell Entities
Add and update a license. License Management and Administrative Management CommCell

List Media

View the list of media required for browse/data recovery operations.

Description Capability Associated CommCell Entities
Client Browse Client
Agent Agent
Backup Set Backup Set
Instance/Partition Instance/Partition
Subclient Subclient

Log Files

Note: The function of viewing log files does not require security.

Description Capability Associated CommCell Entities
Send and view log files. No rights are required. No rights are required.

MediaAgent

Description Capability Associated CommCell Entities
Modify MediaAgent properties including the Index Cache, and perform MediaAgent operations. MediaAgent Management MediaAgent

Name Change

Description Capability Associated CommCell Entities
Client name change Administrative Management CommCell
MediaAgent name change Media Management MediaAgent

NAS Client Configuration

Description Capability Associated CommCell Entities
Configure NAS clients Administrative Management CommCell

Operation Window

Operation Rules can be defined at the following CommCell levels.

Description Capability Associated CommCell Entities
CommCell Administrative Management CommCell
Client Computer Group Administrative Management Client Computer Group
Client Agent Management Client
Agent Agent Management Agent
Subclient Agent Management Subclient

Out of Place Recover

Browse and recover to a different place than the original data protection operation. These operations include the following.

Description Capability Associated CommCell Entities
  • Copyback
  • Restore
  • Recovery
  • Retrieve
Out of Place Recover (Source Client)

In Place Recover (Destination Client)

At least Backup Set or Instance/Partition at the source client/Replication Set

and

The In Place Recovery capability at the agent level of the destination client. If the destination client is on a different platform than the source client (for example, a Unix File System client and a Windows File System client), then In Place Recovery with at least client level association at the destination client is needed.

Pre/Post

Description Capability Associated CommCell Entities
Configure Agent Management Agent
Add pre/post processes for data recovery operations Agent Management and the In Place or Out of Place Recover capability Agent
Remove a pre/post process for data protection/archive operations Agent Management and Data Protection/Management Operations Agent
Configure pre/post processes for Disaster Recovery Backup operations Administrative Management CommCell

Recovery Point

Description Capability Associated CommCell Entities
Schedule the creation and back up of a Recovery Point. Agent Scheduling Replication Set
  • Create Recovery Point.
  • Back up Recovery Point.
Data Protection/Management Operations

Reports

Note: To generate the Job Schedule Report, a user must be a member of the Master user group or have Report Management capability, and have the capability to view schedules in the CommCell Console.

Description Capability Associated CommCell Entities
Run reports on the CommCell Console that contain CommCell information. Report Management CommCell
View reports on Web Console. Report Management CommCell
Build Custom reports on the Web Console. Report Management CommCell
Import and export report templates on the Web Console. Report Management CommCell
View the SLA Report and the Backup Job Summary Report on the Web Console.

Note: A user must also be a member of the Master user group to view these reports.

Report Management CommCell
Run a Job, Storage, or Vault tracker report and schedule all reports on the CommCell Console. Report Management None
Download reports from the Software Store.
  • Report Management
  • Installation
CommCell
Publish reports to the Download Center.
  • Report Management
  • Download Center Management
CommCell

Replication Pair

Description Capability Associated CommCell Entities
Delete a Replication Pair. Agent Management Replication Set
Start/suspend/resume/abort Replication Pairs. Job Management

Replication Set

Description Capability Associated CommCell Entities
  • Modify and delete a Replication Set.
  • Create, modify, and delete a Replication Pair.
Agent Management Replication Set
Start/suspend/resume/abort Replication Sets. Job Management

Schedule Policy

Note: Only a user who created the schedule policy or a user who is associated with all of the objects associated with the schedule policy can change the schedule pattern.

Description Capability Associated CommCell Entities
  • Delete an alert from a schedule or schedule policy.
  • Create, clone, disable, and modify an Auxiliary Copy schedule policy.
  • Run the schedules of the Auxiliary Copy policy immediately.
  • View the storage policies and storage policy copies associated with the Auxiliary Copy policy.
Administrative Management CommCell
Modify an alert on a schedule or schedule policy. Alert Management CommCell
  • Create, clone, and modify a Data Protection schedule policy.
  • Decouple a scheduled job from a Data Protection schedule policy.
  • Run the schedules of a Data Protection schedule policy immediately.
Agent Scheduling

and

Data Protection/Management Operations at the level for which the schedules were created.

Agent, Backup Set, Instance/Partition

/Subclient

Associate a data protection schedule policy with a subclient. Agent Scheduling

Scheduling

Note: The user who created the schedule can also view it without any capability or object association.

Description Capability Associated CommCell Entities
  • Add, modify, disable, delete, and view data protection operation schedules.
  • Delete an alert from a schedule or schedule policy.
Agent Scheduling

and

Data Protection/Management Operations

Note: This operation also requires the Data Protection/Management Operations, In Place Recover, and Out of Place Recover capabilities respectively for Data Protection and Data Recovery Schedule.

Agent, Backup Set, Instance/Partition

/Subclient

Add, modify, disable, delete, and view data recovery operation schedules. Agent Scheduling

and

In Place Recover and/or Out of Place Recover

Note: This operation also requires the Data Protection/Management Operations, In Place Recover, and Out of Place Recover capabilities respectively for Data Protection and Data Recovery Schedule.

  • Schedule administration operations such as Data Aging, Auxiliary Copy, Disaster Recovery backup, Data Verification, Automatic Update, Erase Data by Browsing/Erase Stubs, Drive Cleaning, and Report.
  • View, delete, disable, or modify the above schedules.
  • Run a scheduled task immediately.
  • Set Holidays.
Administrative Management CommCell
Create schedules for the Vault Tracker Policy.

Note: The user who creates a schedule can view, delete, disable, or modify the schedules without any capability or object association.

Vault Tracker Operations Entities other than CommCell

Single Sign On

Description Capability Associated CommCell Entities
Enable Single Sign On to use Active Directory credentials to access the CommServe as well. User Management CommCell

Snapshots

Description Capability Associated CommCell Entities
Configure, activate, and deactivate snapshots. Agent Management Agent

Storage Policy and Storage Policy Copy

Description Capability Associated CommCell Entities
  • Create and delete storage policies and storage policy copies.
  • Create and delete storage policy copies including inline copies.
  • Migrate media.
Storage Policy Management CommCell
  • Modify a storage policy or storage policy copy.
  • Enable an Incremental Storage Policy.
  • Prune, disable, and manually retain a data protection operation on a copy.
  • Set Inline Copy
Storage Policy Management Storage Policy
Create, modify, and delete storage policies and storage policy copies associated with a MediaAgent. MediaAgent Management

To enable these tasks or operations, set the value of the Media Management configuration parameter Provide user with MediaAgent management rights additional capabilities for libraries, data paths, and storage policies to 1.

MediaAgent

Streams

Description Capability Associated CommCell Entities
Combine the data streams of a storage policy copy. Storage Policy Management Storage Policy

Subclient Policy

Note: The associated object is the object from which the data protection operation is being initiated.

Description Capability Associated CommCell Entities
Create a subclient policy with subclient association.
  • Agent Management
  • View
Agent for Agent Management

Storage Policy for View

Clone a subclient policy that retains the subclient association of the original policy. Agent Management Backup Set

Subclient

Description Capability Associated CommCell Entities
Create, modify, and delete a subclient. Agent Management Backup set

Synthetic Full

See Data Protection.

User Accounts and Passwords

Description Capability Associated CommCell Entities
Change media and network passwords. You can also change user accounts. Administrative Management CommCell

User Administration - Search Console

Description Capability Associated CommCell Entities
Configure disk space utilization and search result display for each user. Administrative Management CommCell

User Administration and Security

Description Capability Associated CommCell Entities
  • Add, delete, and modify a CommCell user.
  • Add, delete, and modify a user group.
  • Associate/disassociate a user group to a CommCell object.
User Management CommCell
Associate/disassociate a user group that you are a member of to the entity. User Management Entities other than CommCell
Set the Automatically Add New Users to the View All group option. Administrative Management CommCell

Vault Tracker Feature

Description Capability Associated CommCell Entities
Add, delete, and modify any of the following objects or operations:
  • Actions
  • Containers
  • Export Media from Backup/Auxiliary Copy Operations
  • Export Media using the Export Media Wizard
  • Iron Mountain ID
  • Library
  • Location
  • Media Repository
  • Recall Media
  • Vault Tracker Policy
  • Vault Tracker Alerts
  • Vault Tracker Reports

    Note: This operation also requires the Report Management capability. Only information about objects available with the user's current Vault Tracker Operations capability level are displayed in the report.

Vault Tracker Operations CommCell
  • Actions: details, set container, abort, picked up, reached destination
  • Containers: modify, delete, move all media, remove all media
  • Library: view and modify at the Vault tracker policy
  • Location: modify, delete
  • Media Repository: modify, delete, update barcode, add media
  • Tracking Policy: run, modify, delete, view media, view schedules, create schedules, set holidays
Vault Tracker Operations Entities other than CommCell

Virtual Machine Restore

Description Capability Associated CommCell Entities
Recover guest files and folders to their original location. In Place Recover Client/Agent
Recover full virtual machines to their original location. In Place Full Machine Recovery

End users performing the restore must own the virtual machines being recovered.

CommCell Console users performing the restore must own or have an association with the virtualization client protecting the virtual machine.

Client/Agent
Recover guest files and folders to a different destination client. Out of Place Recover

and

In Place Recover

Client/Agent
Recover full virtual machines to a location other than the original location. Out of Place Full Machine Recovery

End users performing the restore must own the virtual machines being recovered.

CommCell Console users performing the restore must own or have an association with the virtualization client protecting the virtual machine.

Client/Agent