User Configuration
In DPX, all standard users are referred to as administrators.
Administrators are the authorized users of a DPX Enterprise. Each administrator has a password which is used for authentication.
Administrators are organized under administrator groups. Each administrator is a member of one administrator group.
Resources are assigned to administrator groups.
Privilege Classes are assigned to administrators.
Restrictions. Currently, full user management is only available through the desktop interface. The user management functionality through the web interface will be implemented in future versions of DPX.
SYSADMIN and SYSADMIN Administrator Group
By default, a special administrator named SYSADMIN exists, who is a member of the SYSADMIN administrator group. The SYSADMIN administrator group is always present in DPX.
All members of the SYSADMIN administrator group are special administrators and are not restricted in any way in DPX. All resources are automatically assigned to the SYSADMIN administrator group and full privileges are automatically assigned to the system administrators in the SYSADMIN group.
The SYSADMIN administrator cannot be created or deleted by a user and it is not displayed on the Configure Administrators window as a member of the SYSADMIN administrator group. The password for the SYSADMIN administrator is determined in the Administrator Password field on the Configure Enterprise window when the Enterprise is added or edited.
Resources
For administrator configuration, there are several types of resources in DPX:
Device Clusters
Node Groups
Job Folders
Tape Libraries
Media Pools
Administrator Groups
Keyrings
Each resource type can be viewed as a container containing objects in DPX. When you assign a resource, you are in fact assigning all the objects contained in it. For example, if you assign a node group called Sales to an administrator group, all the nodes within Sales will be assigned to that administrator group.
When a resource is assigned to an administrator group, each member of that group can potentially access that resource. However, the access may be restricted due to each member’s privilege classes.
If a new resource (such as a node group) is created by an administrator in an administrator group, that resource is automatically assigned to that administrator group. An existing resource may be assigned to additional existing administrator groups by an administrator with the appropriate privileges.
Note. If you assign an NDMP node to an administrator group, it is important that the proxy node also be assigned to that administrator group.
Privilege Classes
DPX comes pre-configured with the following default privilege classes:
Backup Job Admin
The administrator can define backup jobs.
Copy Job Admin
The administrator can define copy jobs.
Device Admin
The administrator can configure device clusters, tape libraries, and devices.
Device Operator
The administrator can operate devices.
Job Operator
The administrator can reschedule and run jobs.
License Admin
The administrator can update a license key.
Media Admin
The administrator can configure media pools and media volumes.
Migrate Job Admin
The administrator can define migration jobs.
Node Admin
The administrator can configure node groups and nodes.
Restore Job Admin
The administrator can define restore jobs.
Restricted Restore Job Admin
This special administrator is just like the Restore Job Admin, except they cannot change the destination of the job.
Site Admin
The administrator has all the assignable privileges.
View Only Admin
The administrator can view all the windows in the management console.
Note that some privilege classes overlap in their privileges, but in general, they can be viewed as corresponding to different roles that a real user of DPX may play. Thus, one or more privilege classes should be assigned to each administrator.
It is possible to configure additional privilege classes in DPX, but this is only advisable for advanced users and with the help of Professional Services.
Example Configurations
The following are example configurations based on some common scenarios.
SYSADMIN Group Only
The easiest configuration is to have only the SYSADMIN group in your Enterprise. This may be appropriate if you have a small Enterprise. All the resources are automatically assigned to the SYSADMIN group. You may assign trusted users as administrators to the SYSADMIN group.
One Administrator Group
If your Enterprise is small enough that you do not want to break up the resource assignments, but you have untrusted users, then you should configure one administrator group. This may be appropriate for small to medium enterprises where operations-level personnel needs to interact with DPX to load and unload tapes, for example.
All the resources you have configured should be assigned to one administrator group, and administrators with varying privilege classes should be created within that administrator group.
Multiple Administrator Groups
If you have a large Enterprise where you need to distinguish resources due to geography or business needs, it is best to create multiple administrator groups, each corresponding to such a distinction. A resource can be assigned to more than one administrator group, enabling selected resources to be shared among administrator groups.
Hierarchical Administrator Groups
If you have a large Enterprise where you expect to have layers of administrators for DPX, you may want to create a hierarchy of administrator groups. For example, if you want to create an administrator group that is in control of two geographically isolated administrator groups (AGx and AGy), you can create a new administrator group (AGa) with both administrator groups assigned to it. Any resource that is assigned to either AGx or AGy is automatically assigned to the members of AGa.
Last updated