Druva Documentation

Manage administrator roles

Overview

Role Based Access Control (RBAC) enables organizations to limit privileged user access to a predefined set of administrator roles and data assets to create ethical walls and enforce privacy and control. RBAC also enables the implementation of a delegated administration structure to meet customers’ organizational, compliance, and security requirements. Thus, organizations can achieve their goals efficiently with seamless, granular, and extensible administrator role management of their entities.

Phoenix provides a set of predefined administrator roles for creating administrators to manage the Phoenix Management Console. Phoenix also gives cloud administrators the flexibility to create custom administrator roles using the existing base roles. The predefined and custom administrator roles enable administrators to access and manage entities efficiently on the Phoenix Management Console.

A role defines a set of tasks that administrators perform based on the rights assigned to them. Each role contains a set of rights, and each right contains a set of granular permissions that enable administrators to perform the tasks. The Roles tab of the Administrators menu lists the predefined roles and custom roles created on the Phoenix Management Console. Roles are assigned to the Phoenix administrators at the time of their creation.

The following figure depicts the relationship between the predefined, base, and custom roles that Phoenix offers:

RBAC_workflow.png

Predefined administrator roles

By default, Phoenix defines the combinations of rights for the predefined administrator roles. The administrators cannot edit the rights of such predefined role assignments. The predefined roles are listed on the Roles tab.

By default, Phoenix provides the following seven predefined roles on the Roles tab:

  • Cloud administrator
  • Cloud administrator (View only)
  • Organization administrator
  • Organization administrator (View only)
  • Group administrator
  • Group administrator (View only)
  • Data Protection Officer (DPO)

Note: Phoenix administrators cannot delete any of the predefined roles.

The following list describes each predefined administrator role that Phoenix provides:

Cloud administrator

With this role, the administrators manage the activities of all the organizations.

The role is associated with the following rights:

  • Backup and restore management
  • Server management
  • Admin management
  • Cache management
  • Reporting and alert management
  • Policy management
  • Disaster recovery management
  • Settings

For more details, see Role rights.

Cloud administrator (View only)

With this role, the administrators have read-only access to all configurations within the organizations. They cannot perform any administration action on any entities of the Phoenix Management Console. However, they can change their own profile-related settings, such as the name and time zone, and can view, download, and send reports and audit trails.

Organization administrator

With this role, the administrators manage the activities of one or more organizations assigned to them.

The role is associated with the following rights:

  • Backup and restore management
  • Server management
  • Admin management
  • Cache management
  • Reporting and alert management
  • Policy management
  • Disaster recovery management

For more details, see Role rights.

Organization administrator (View only)

With this role, the administrators have read-only access to all configurations within the organization(s) they have access to. They cannot perform any administration action on the entities on the Phoenix Management Console. However, they can change their own profile-related settings, such as name and time zone, and can view, download, and send reports and audit trails.

Group administrator

With this role, the administrators manage the activities of one or more administrative groups that they are associated with.

The role is associated with the following rights:

  • Backup and restore management
  • Server management
  • Cache management
  • Reporting and alert management
  • Policy management
  • Settings

For more details, see Role rights.

Group administrator (View only)

With this role, the administrators have read-only access to the administrative groups that they are associated with. However, they cannot manage any administrative group. They can also view, download, and send reports and audit trails.

Data Protection Officer (DPO)

The DPO role is associated with the following rights:

  • Reporting and alert management
    • Configure the audit trail and reports
  • Backup and restore management
    • Enable and disable backup
    • Trigger backup
    • Restore data to the original or alternate location
    • Delete the warm, hot, cold, and thawed restore points
  • Disaster recovery management
    • Launch failover
    • Disaster recovery restore

However, a DPO cannot access any configurations, create administrators, register servers and virtual machines, set up policies, or manage Phoenix CloudCache.

Custom administrator roles

Phoenix also gives cloud administrators the flexibility to create custom administrator roles and assign selective access rights to each role based on the organization’s needs. Custom administrator roles are derived from the three base roles: the cloud administrator role, the organization administrator role, and the group administrator role. Custom roles give administrators distinct capabilities for managing entities on the Phoenix Management Console. For example, you can create a custom cloud administrator role to back up and restore devices, and delete snapshots. You can create another custom cloud administrator role only to restore devices.

Only cloud and organization administrators can create administrators with the custom administrator roles. An organization administrator can only create group administrators and group-derived administrators. For information about how you can create a custom administrator role, see Create custom administrator roles.

Note: You can delete a custom administrator role if no administrator is associated with the role on the Phoenix Management Console.

Important considerations

Before you create roles, review the following considerations:

  • Only the Druva cloud administrators, the Phoenix cloud administrators, and the Phoenix cloud-derived administrators have access to the Administrators page on the Phoenix Management Console. This page is not visible to the other administrators.
  • When you configure the Phoenix Management Console, seven predefined roles appear on the Roles tab of the Administrators page.
  • You can assign only one role to an administrator. However, you can assign multiple administrators to one role.
  • You cannot edit or delete any predefined administrator roles from the Phoenix Management Console. However, you can edit or delete all other custom administrator roles.
  • All the administrators can cancel the jobs on the Phoenix Management Console except the administrators with the view-only rights.
  • The administrators with the custom administrator roles cannot create, edit, or delete the Phoenix administrators and the administrator roles.
  • Only the cloud administrators and the DPOs can delete the cold snapshots of the devices on the Phoenix Management Console.
  • The group administrators and the group-derived administrators cannot perform any disaster recovery operations on the Phoenix Management Console.
  • The administrators who do not have the right to restore databases and virtual machines to the original location but are configured with the right to restore to an alternate location can restore databases and virtual machines to the original location.

Role rights

Rights are the permissions that define the capabilities of an administrator role. An administrator role is created by assigning a combination of rights to the role. For example, the cloud administrator role is characterized by the combination of the following rights:

  • Backup and restore management
  • Server management
  • Admin management
  • Cache management
  • Reporting and alert management
  • Policy management
  • Disaster recovery management
  • Settings

You can create custom roles for administrators using the combination of the rights. Phoenix provides a set of customizable and non-customizable rights. By default, the non-customizable rights are granted to the administrator role and you cannot detach these rights from the role. However, you can clear the check boxes corresponding to the customizable rights assigned to the role to limit the capability of the role.

Phoenix provides the following access-control rights to manage the entities on the Phoenix Management Console.

Each entry lists the right, its description, and whether the right is customizable or non-customizable.

Backup and restore management

  • Configure backup: Permission to create and edit the backup sets of the File server, MS-SQL server, backup store, and NAS share. It enables administrators to attach a new backup set to the CloudCache or detach an existing backup set from it. It also enables administrators to configure and reconfigure the VMware and HyperV workloads. (Customizable)
  • Perform backup: Permission to enable and disable the backups, and trigger backups for the workloads. (Customizable)
  • Manage restore
    • Restore to original: Permission to restore virtual machines, files and folders, databases, and NAS shares to the original location. (Customizable)
  • Delete snapshots: Permission to delete snapshots of servers, databases, and virtual machines. (Customizable)

Server management

  • Delete Devices: Permission to delete backup sets, proxies, servers, backup stores, virtual machines, ESXi servers, HyperV hosts, and NAS devices. (Customizable)
  • Activate or configure server and proxy: Permission to activate the Phoenix agents, backup proxies and backup stores, and configure them to back up data from servers, virtual machines, and databases. (Non-customizable)
  • Update client or proxy: Permission to upgrade the Phoenix agents, backup proxies, and backup stores on the servers, virtual machines, and databases. (Non-customizable)
  • Re-register server or proxy: Permission to re-register a server, a VMware proxy or HyperV host that runs a virtual machine, or a backup store. (Non-customizable)
  • Change administrative group of server: Permission to change the administrative group associated with a server or a backup store. (Non-customizable)

Admin management

  • Create, modify, or delete administrative groups: Permission to create, edit, and delete the administrative groups associated with the servers, virtual machines, and backup stores. (Non-customizable)
  • Create, modify, or delete organizations: Permission to create, modify, and delete the organizations associated with the servers, virtual machines, and backup stores. (Non-customizable)

Cache management

  • Manage CloudCache servers: Permission to configure and upgrade the Phoenix CloudCache, view the configuration and log files, and decommission the CloudCache. (Non-customizable)

Reporting and alert management

  • View and download reports and view alerts: Permission to view and download various Phoenix reports and view the alerts generated on the Phoenix Management Console. (Non-customizable)
  • Change report schedules: Permission to update the schedule of the report generation. (Non-customizable)

Policy management

  • Create, edit, or delete backup policy and retention policy: Permission to create, edit, and delete the backup and retention policy for the servers and virtual machines. (Non-customizable)
  • Create, edit, or delete content rule: Permission to create, edit, and delete the content rule of the servers and virtual machines. (Non-customizable)

Disaster recovery management

  • Add AWS account: Permission to create AWS account to maintain the AMI for the virtual machine. (Non-customizable)
  • Create, edit, or delete disaster recovery plan: Permission to create, edit, or delete the disaster recovery plan to recover the virtual machine in the AWS account in the event of a disaster. (Non-customizable)
  • Perform DR failover: Permission to failover virtual machines and perform disaster recovery. (Non-customizable)

Settings

  • Edit password policy: Permission to edit the password policy for all the Phoenix administrator accounts. (Non-customizable)
  • Perform SSO configuration: Permission to configure Phoenix for single sign-on. (Non-customizable)
  • Enable or disable SSO: Permission to enable or disable single sign-on for accounts of the Phoenix administrators. (Non-customizable)

Create a custom administrator role

Only a cloud administrator can create the cloud and the other administrator roles using the global Administrators menu on the Phoenix Management Console.

Procedure

  1. Log in to the Phoenix Management Console.
  2. On the menu bar, click All Organizations.
  3. On the menu bar, click Manage > Administrators.
  4. On the Administrators page, click the Roles tab.
  5. Click Create Role.
    The Create Role window appears with the Summary tab opened, by default.
  6. On the Summary tab, provide the appropriate information in the following fields:
    • Name: The name of the custom role that you want to create.
    • Description: A short description of the custom role that you want to create.
    • Base Role: Select the role to create the custom role from. For example, if you want to create a custom cloud administrator, select the Cloud Administrator option from the list.

      Create_role_summary_tab.PNG
  7. Click Next.
    The Role Customization tab displays a combination of rights specific to the base role selected on the Summary tab.
  8. On the Role Customization tab, select or clear the check boxes corresponding to the rights under the various categories to create the custom role. For information about the rights, see Role rights.

    Create_role_role_customization_tab.PNG

Note: When you create a custom role using a base role, the default role has all the associated rights enabled for that role. You can clear the check boxes corresponding to the rights assigned to the role to remove a few granted rights. For example, when you create a custom cloud administrator role with no privilege to delete any snapshots, the created default custom role has all the rights from the base cloud administrator role. You can clear the Delete Snapshot check box to limit the right to delete the snapshots.

  9. Click Finish.

After you save the custom role, Phoenix appends the name that you had specified in the Name field to the role selected from the Base Role list and creates a custom role with the name as <base role>_<name>. For example, if you create a custom cloud administrator role with the name Delete_Snapshot_Not_Allowed, Phoenix creates a custom role with the following name: Cloud Administrator_Delete_Snapshot_Not_Allowed.
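The derivation rules from Role rights and the naming rule above, modeled as an added Python example for planning and reviewing custom roles. It is not Druva code and not a Phoenix API; the rights data is transcribed from this page, while the function names and the assumption that a base role holds every right in its categories are illustrative.

```python
# Planning model of the role rules on this page (added example, not a Phoenix API).
# Rights transcribed from "Role rights": category -> {right: is_customizable}
RIGHTS = {
    "Backup and restore management": {
        "Configure backup": True, "Perform backup": True,
        "Restore to original": True, "Delete snapshots": True},
    "Server management": {
        "Delete Devices": True,
        "Activate or configure server and proxy": False,
        "Update client or proxy": False,
        "Re-register server or proxy": False,
        "Change administrative group of server": False},
    "Admin management": {
        "Create, modify, or delete administrative groups": False,
        "Create, modify, or delete organizations": False},
    "Cache management": {"Manage CloudCache servers": False},
    "Reporting and alert management": {
        "View and download reports and view alerts": False,
        "Change report schedules": False},
    "Policy management": {
        "Create, edit, or delete backup policy and retention policy": False,
        "Create, edit, or delete content rule": False},
    "Disaster recovery management": {
        "Add AWS account": False,
        "Create, edit, or delete disaster recovery plan": False,
        "Perform DR failover": False},
    "Settings": {
        "Edit password policy": False,
        "Perform SSO configuration": False,
        "Enable or disable SSO": False},
}
ALL = list(RIGHTS)
# Category lists per base role, as given under "Predefined administrator roles".
BASE_ROLES = {
    "Cloud Administrator": ALL,
    "Organization Administrator": [c for c in ALL if c != "Settings"],
    "Group Administrator": [c for c in ALL if c not in
                            ("Admin management", "Disaster recovery management")],
}

def base_rights(base):
    """Assumption: a base role holds every right in each of its categories."""
    return {r for c in BASE_ROLES[base] for r in RIGHTS[c]}

def customizable(base):
    """Rights of the base role whose check boxes can be cleared."""
    return {r for c in BASE_ROLES[base] for r, ok in RIGHTS[c].items() if ok}

def derive_custom_role(base, name, cleared):
    """Return (role_name, rights) after clearing the given customizable rights."""
    cleared = set(cleared)
    locked = cleared - customizable(base)
    if locked:  # non-customizable, or not part of this base role at all
        raise ValueError(f"cannot clear for {base}: {sorted(locked)}")
    return f"{base}_{name}", base_rights(base) - cleared

def minimum_rights(base):
    """Least-privilege floor: what remains with every customizable box cleared."""
    return base_rights(base) - customizable(base)
```

Under this model, a role derived from the cloud administrator base keeps 17 of its 22 rights even with every customizable check box cleared, which is the floor to keep in mind when a custom role is meant to be narrowly scoped.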

Delete a custom role

Only the cloud administrator can delete the custom administrator roles on the Phoenix Management Console. Before deleting a role, ensure that the role is not assigned to an administrator.

Note: You cannot delete the predefined roles that Phoenix provides.

Procedure

  1. Log in to the Phoenix Management Console.
  2. On the menu bar, click All Organizations.
  3. On the menu bar, click Manage > Administrators.
  4. On the Administrators page, click the Roles tab.
    The Roles tab displays all the predefined and custom roles created by the cloud administrator.
  5. Select the check box corresponding to the custom role that you want to delete.
  6. Click Delete.

View the role details page

The role details page provides details of the Phoenix predefined and custom administrator roles.

Procedure

  1. Log in to the Phoenix Management Console.
  2. On the menu bar, click All Organizations.
  3. On the menu bar, click Manage > Administrators.
  4. On the Administrators page, click the Roles tab.
    The Roles tab displays all the predefined and custom roles created by the cloud administrator.
  5. Click the role for which you want to view details.
    The role details page appears.
  6. The role details page displays the following fields for the predefined roles:
    • Description: The short description of the role that gives an idea of the capabilities of the role.
    • #Mapped Administrators: The number of administrators on the Phoenix Management Console associated with the role.
    • Rights: The various rights assigned to the role.
    • Mapped Administrators: The list of Phoenix administrators associated with the role, along with their email addresses and details of the organizations they belong to. For predefined roles, click on the administrator name to view the administrator details.

    The following screenshot depicts the role details page for a sample predefined administrator role:
    View_role_details_page.PNG

  7. The role details page displays the following fields for the custom administrator roles created on the Phoenix Management Console:
    • Description: The short description of the role that gives an idea of the capabilities of the role. Click Edit to update the description for the custom role. For more information, see Edit the custom role description.
    • Base Role: The Phoenix predefined administrator role from which the custom role is derived. Note: This field is displayed only for the custom administrator role.
    • #Mapped Administrators: The number of administrators on the Phoenix Management Console associated with the role.
    • Rights: The various rights assigned to the role. For custom roles, click Edit to update the rights assigned to the role. For more information, see Edit rights of a custom role.

    The following screenshot depicts the role details page for a sample custom administrator role:
    View_role_details_page_custom_roles.PNG
  8. Click Delete to delete the custom administrator role. For more information, see Delete a custom role.

Edit the custom role description

When you edit the rights assigned to a custom administrator role, you may want to update the corresponding description of the role. Using the Edit button on the role details page, you can update the description of the custom administrator role.

Procedure

  1. Log in to the Phoenix Management Console.
  2. On the menu bar, click All Organizations.
  3. On the menu bar, click Manage > Administrators.
  4. On the Administrators page, click the Roles tab.
    The Roles tab displays all the predefined and custom roles created by the cloud administrator.
  5. Click the role for which you want to update the description.
    The role details page appears.
    View_role_details_page_custom_roles.PNG
  6. Click Edit.
    The Edit Role window appears.
  7. In the Description box, edit the description of the role.
  8. Click Save.

The Roles tab now displays the edited description of the role.

Edit rights of a custom role

You can change the combination of rights assigned to a custom administrator role by using the role details page. The changed rights for the administrator’s role apply from your next login to the Phoenix Management Console.

Note: You can edit rights assigned only to a custom administrator role.

Procedure

  1. Log in to the Phoenix Management Console.
  2. On the menu bar, click All Organizations.
  3. On the menu bar, click Manage > Administrators.
  4. On the Administrators page, click the Roles tab.
    The Roles tab displays all the predefined and custom roles created by the cloud administrator.
  5. Click the custom role whose rights you want to edit.
    The role details page appears.
    View_role_details_page_custom_roles.PNG
  6. In the Rights section, click Edit.
    The Edit Rights window appears with the check boxes selected for the rights assigned to the role.
    Edit_custom_role_rights.PNG
  7. Select or clear the check boxes corresponding to the rights to assign a new combination of rights to the role. For more information about the rights, see Role rights.
  8. Click Save.

The Rights section on the role details page now lists the new combination of rights selected for the custom role.