In DPX, all standard users are referred to as administrators.
Administrators are the authorized users of a DPX Enterprise. Each administrator has a password which is used for authentication.
Administrators are organized under administrator groups. Each administrator is a member of one administrator group.
Resources are assigned to administrator groups.
Privilege Classes are assigned to administrators.
Restrictions. Currently, full user management is only available through the desktop interface. The user management functionality through the web interface will be implemented in future versions of DPX.
By default, a special administrator named SYSADMIN exists, who is a member of the SYSADMIN administrator group. The SYSADMIN administrator group is always present in DPX.
All members of the SYSADMIN administrator group are special administrators and are not restricted in any way in DPX. All resources are automatically assigned to the SYSADMIN administrator group and full privileges are automatically assigned to the system administrators in the SYSADMIN group.
The SYSADMIN administrator cannot be created or deleted by a user and it is not displayed on the Configure Administrators window as a member of the SYSADMIN administrator group. The password for the SYSADMIN administrator is determined in the Administrator Password field on the Configure Enterprise window when the Enterprise is added or edited.
For administrator configuration, there are several types of resources in DPX:
Device Clusters
Node Groups
Job Folders
Tape Libraries
Media Pools
Administrator Groups
Keyrings
Each resource type can be viewed as a container containing objects in DPX. When you assign a resource, you are in fact assigning all the objects contained in it. For example, if you assign a node group called Sales to an administrator group, all the nodes within Sales will be assigned to that administrator group.
When a resource is assigned to an administrator group, each member of that group can potentially access that resource. However, the access may be restricted due to each member’s privilege classes.
If a new resource (such as a node group) is created by an administrator in an administrator group, that resource is automatically assigned to that administrator group. An existing resource may be assigned to additional existing administrator groups by an administrator with the appropriate privileges.
Note. If you assign an NDMP node to an administrator group, it is important that the proxy node also be assigned to that administrator group.
DPX comes pre-configured with the following default privilege classes:
Note that some privilege classes overlap in their privileges, but in general, they can be viewed as corresponding to different roles that a real user of DPX may play. Thus, one or more privilege classes should be assigned to each administrator.
It is possible to configure additional privilege classes in DPX, but this is only advisable for advanced users and with the help of Professional Services.
The following are example configurations based on some common scenarios.
The easiest configuration is to have only the SYSADMIN group in your Enterprise. This may be appropriate if you have a small Enterprise. All the resources are automatically assigned to the SYSADMIN group. You may assign trusted users as administrators to the SYSADMIN group.
If your Enterprise is small enough that you do not want to break up the resource assignments, but you have untrusted users, then you should configure one administrator group. This may be appropriate for small to medium enterprises where operations-level personnel need to interact with DPX to load and unload tapes, for example.
All the resources you have configured should be assigned to one administrator group, and administrators with varying privilege classes should be created within that administrator group.
If you have a large Enterprise where you need to distinguish resources due to geography or business needs, it is best to create multiple administrator groups, each corresponding to such a distinction. A resource can be assigned to more than one administrator group, enabling selected resources to be shared among administrator groups.
If you have a large Enterprise where you expect to have layers of administrators for DPX, you may want to create a hierarchy of administrator groups. For example, if you want to create an administrator group that is in control of two geographically isolated administrator groups (AGx and AGy), you can create a new administrator group (AGa) with both administrator groups assigned to it. Any resource that is assigned to either AGx or AGy is automatically assigned to the members of AGa.
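The following added example (not DPX code and not part of the product documentation) models the assignment rules above so that an access review can answer "who can potentially reach this object". The group, resource and administrator names and the data layout are constructed sample data. That nesting applies transitively, and that circular group assignments should be ignored, are assumptions of this model.

```python
# Added illustration: a model of the documented assignment rules, not DPX code.
# All names and the data layout below are constructed sample data.

SYSADMIN = "SYSADMIN"

# Resource containers and the objects they hold (e.g. node group -> nodes).
CONTAINERS = {
    "NodeGroup:Sales": {"node:sales-db01", "node:sales-fs01"},
    "NodeGroup:Lab": {"node:lab-01"},
    "MediaPool:Offsite": {"volume:OFF001"},
}

# Resources assigned to each administrator group. An "AdminGroup:<name>" entry
# means that group is itself assigned as a resource (hierarchical groups).
ASSIGNMENTS = {
    "AGx": {"NodeGroup:Sales"},
    "AGy": {"NodeGroup:Lab", "MediaPool:Offsite"},
    "AGa": {"AdminGroup:AGx", "AdminGroup:AGy"},
}

# Each administrator is a member of exactly one administrator group.
MEMBERSHIP = {"alice": "AGa", "bob": "AGx", "carol": SYSADMIN}


def group_resources(group, assignments, _seen=None):
    """Return the containers reachable from a group, following nested groups."""
    seen = _seen if _seen is not None else set()
    if group in seen:  # assumption: circular group assignments are ignored
        return set()
    seen.add(group)
    found = set()
    for res in assignments.get(group, ()):
        if res.startswith("AdminGroup:"):
            found |= group_resources(res.split(":", 1)[1], assignments, seen)
        else:
            found.add(res)
    return found


def effective_objects(admin, membership, assignments, containers):
    """Objects an administrator can potentially access, before privilege classes."""
    group = membership[admin]
    if group == SYSADMIN:  # every resource is assigned to SYSADMIN automatically
        resources = set(containers)
    else:
        resources = group_resources(group, assignments)
    objects = set()
    for res in resources:
        objects |= containers.get(res, set())  # assigning a container assigns its objects
    return objects


def who_can_reach(obj, membership, assignments, containers):
    """Reverse lookup for access reviews: administrators that can reach an object."""
    return sorted(a for a in membership
                  if obj in effective_objects(a, membership, assignments, containers))
```

The result is the upper bound on access: each member's privilege classes can still restrict what they may do with a reachable object.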
To launch the Configure Administrators window, click the Configure tab on the Function Tab bar of the window, then click Administrators in the task panel.
The first time the system administrator opens the Configure Administrators window, the sysadmin administrator group is visible in the Administrator tree in the left pane.
Below is a sample view of the Configure Administrators window.
Configure Administrators allows you to add new administrator groups to fulfill limited or broad functions.
Make sure you are in the Configure tab, and the Administrators section is selected.
In the left pane, select the Enterprise.
Add a new administrator group by doing one of the following:
Right-click the Enterprise icon to bring up the context menu and select Add Administrator Group.
From the menu toolbar, select Administrators > Add Administrator Group.
On the task panel, click Add Administrator Group.
The Add Administrator Group dialog appears in the right pane of the Configure Administrators window.
Complete the active fields in the Add Administrator Group dialog.
AdminGroupName
Enter the name for the new administrator group. You can use up to 48 alphanumeric characters, no spaces.
Maximum Password Age
The Password Age is the number of days that a password can be used by an administrator before it expires.
Selecting Use Enterprise Setting imports the default password age set in the Edit Enterprise dialog. Selecting Set Password Age exposes an edit field in which you must enter a password age applicable to this administrator group. The password age must be between 0 and 999, where 0 means “never expire”. For more information, see Editing an Enterprise Configuration in the DPX 4.9.x Reference Guide.
Comment
Enter an optional comment. You can use up to 48 alphanumeric characters, no spaces.
Select Add on the task menu at the top right of the right pane. If you are unable to see the task menu, resize the right pane.
The new administrator group appears in the Administrator tree in the left pane. The right pane changes to Edit Administrator Group.
Make sure you are in the Configure tab, and the Administrators section is selected.
Open the Edit Administrator Group dialog in the right pane by doing one of the following:
Right-click the administrator group name or icon to display a context menu. The selection is indicated by the selection check box next to the administrator group icon. Then select Edit.
In the left pane, select the administrator group you want to edit and do one of the following:
From the menu bar, select Administrators > Edit Administrator Group.
On the task panel, click Edit Administrator Group.
The Edit Administrator Group dialog appears in the right pane.
Revise the fields as needed.
Select Apply. The changes are now implemented.
Note. Before you can delete an administrator group, you must delete all of its administrators. See Deleting an Administrator below.
The SYSADMIN administrator group cannot be deleted.
Make sure you are in the Configure tab, and the Administrators section is selected.
Do one of the following:
Right-click the administrator group name or icon to display a context menu. The selection is indicated by the selection check box next to the administrator group icon. Then select Delete.
In the left pane, select the administrator group you want to delete and do one of the following:
From the menu bar, select Administrator > Delete Administrator Group.
On the task panel, click Delete Administrator Group.
The Proceed with administrator group deletion message box appears.
Click Yes. The administrator group disappears from the Administrator tree.
DPX allows you to add new administrators to administrator groups.
Make sure you are in the Configure tab, and the Administrators section is selected.
In the left pane, select the Administrator Group that you want to add the new administrator to.
Add a new administrator by doing one of the following:
Right-click the Administrator Group icon to bring up the context menu and select Add Administrator.
From the menu toolbar, select Administrator > Add Administrator.
On the task panel, click Add Administrator.
The Add Administrator dialog appears in the right pane of the Configure Administrators window.
The fields displayed in the Add Administrator dialog depend on the Authentication Mode selected in the Edit Enterprise function: Native or LDAP. If a field is displayed in only one of the authentication modes, the applicable mode is indicated in brackets [] after the field name in the description below. Otherwise, the field is common to both modes.
For more information about Authentication Mode, see Editing an Enterprise Configuration in the DPX 4.9.x Reference Guide.
AdminGroupName
This field is populated automatically based on the administrator group previously selected.
Administrator Name [Native authentication mode]
Enter the user name for the new administrator. You can use up to 48 alphanumeric characters. If the name exists in native mode and you want to use it in LDAP mode, you must first remove the name from native mode.
Password [Native authentication mode]
Enter a password for the new administrator.
A valid password must meet the following criteria:
The password is between six and fourteen characters.
The password cannot include the user name or the strings “sysadmin”, “administrator” or “admin”.
The password contains English characters and at least one digit.
Confirm Password [Native authentication mode]
Enter the password again to confirm it.
LDAP Username [LDAP authentication mode]
The username is provisioned from the LDAP server, thus no password is necessary. DPX validates the username. UTF-8 encoded usernames are supported. The supported length of the username is up to 48 bytes ASCII or approximately 24 double bytes, depending on the language. Spaces are not supported in the username.
Forest walking or referral chasing is supported with AD.
The username must conform to the type selected in the Username Attribute field in the Edit Enterprise pane.
This field only appears when the LDAP mode is enabled.
Comment
Enter an optional comment.
Select Add. The new administrator appears in the Administrator tree in the left pane. You might need to refresh the view by clicking Administrators in the task panel.
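The native-mode password criteria above and the Maximum Password Age setting of the Add Administrator Group dialog can be expressed as checks for a provisioning or audit script. This is an added example, not DPX code. Case-insensitive matching, reading "English characters" as at least one ASCII letter, and the function and group names are assumptions.

```python
import string
from datetime import date, timedelta

FORBIDDEN = ("sysadmin", "administrator", "admin")  # strings named in the criteria


def password_violations(username, password):
    """Return the documented native-mode rules that a candidate password breaks."""
    problems = []
    if not 6 <= len(password) <= 14:
        problems.append("length must be between 6 and 14 characters")
    lowered = password.lower()  # assumption: matching is case-insensitive
    if username and username.lower() in lowered:
        problems.append("must not include the user name")
    for word in FORBIDDEN:
        if word in lowered:
            problems.append(f'must not include "{word}"')
            break  # "admin" is a substring of the other two, report once
    # assumption: "English characters" means at least one ASCII letter
    if not any(ch in string.ascii_letters for ch in password):
        problems.append("must contain English characters")
    if not any(ch in string.digits for ch in password):
        problems.append("must contain at least one digit")
    return problems


def effective_max_age(group_setting, enterprise_age):
    """group_setting is None for Use Enterprise Setting, else the group's own age."""
    if group_setting is None:
        return enterprise_age
    if not 0 <= group_setting <= 999:
        raise ValueError("password age must be between 0 and 999")
    return group_setting


def password_expiry(last_changed, group_setting, enterprise_age):
    """Return the expiry date, or None when the age is 0 (never expires)."""
    age = effective_max_age(group_setting, enterprise_age)
    return None if age == 0 else last_changed + timedelta(days=age)


def never_expiring_groups(group_settings, enterprise_age):
    """Names of administrator groups whose effective password age is 0."""
    return sorted(name for name, setting in group_settings.items()
                  if effective_max_age(setting, enterprise_age) == 0)
```

Groups returned by `never_expiring_groups` are the ones to look at first in a credential review, since their members' passwords are never forced to rotate.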
An administrator can change the administrator group by using drag-and-drop in the left pane of the Configure Administrators window. If so privileged, an administrator can temporarily become a system administrator by being dragged to the SYSADMIN administrator group. In this case, the administrator’s original privilege classes will be preserved so that when they are dragged back to a different administrator group, they still have the same privilege classes.
Make sure you are in the Configure tab, and the Administrators section is selected.
Open the Edit Administrator dialog in the right pane by doing one of the following:
Right-click the administrator name or icon to display a context menu. The selection is indicated by the selection check box next to the administrator icon. Then select Edit.
In the left pane, select the administrator you want to edit and do one of the following:
From the menu bar, select Administrator > Edit Administrator.
On the task panel, click Edit Administrator.
The Edit Administrator dialog appears in the right pane.
Revise the Password and/or optional Comment fields as needed.
Select Apply. The changes are now implemented.
Note. Before you can delete an administrator you must unassign all of its resources.
Make sure you are in the Configure tab, and the Administrators section is selected.
Do one of the following:
Right-click the administrator name or icon to display a context menu. The selection is indicated by the selection check box next to the administrator icon. Then select Delete.
In the left pane, select the administrator you want to delete and do one of the following:
From the menu bar, select Administrator > Delete Administrator.
On the task panel, click Delete Administrator.
The Proceed with administrator deletion message box appears.
Click Yes. The administrator disappears from the Administrator tree.
Assigning resources to an administrator group involves giving that group access to various objects within DPX that are necessary for carrying out tasks such as backup, restore, and migrate. Resources such as Device Clusters, Node Groups, Tape Libraries, Media Pools, Job Folders, Administrator Groups, and Keyrings can be assigned to an administrator group. When a resource is assigned to a group, all members of that group can potentially access the resource, subject to their individual privilege classes.
Note. Resources are assigned to administrator groups. Privilege Classes are assigned to individual administrators.
In the left pane of the Configure Administrators window, click the Enterprise (globe) icon or select Administrator > Show Assignable from the menu bar. The Resource Tree will appear in the right pane.
Expand the left pane until you see the administrator group to which you want to assign resources.
Expand the Resource Tree in the right pane until you can see the resource you want to assign.
Select the checkbox of the resource you want to assign.
With your mouse, drag the resource to the left pane and drop it on the administrator group you want to assign the resource to. When you release the mouse button, the resource is assigned and appears in the left pane beneath the administrator group.
Note. The SYSADMIN administrator group is not draggable from the right pane.
In the left pane of the Configure Administrators window, click the Enterprise (globe) icon or select Administrator > Show Assignable from the menu bar. The Resource Tree will appear in the right pane.
Expand the left pane until you see the administrator to which you want to assign privilege classes.
Expand the privilege class tree in the right pane until you can see the privilege class you want to assign.
Select the checkbox of the privilege class you want to assign.
With your mouse, drag the privilege class to the left pane and drop it on the administrator you want to assign the privilege class to. When you release the mouse button, the privilege class is assigned and appears in the left pane beneath the administrator.
Note. You can also assign privilege classes by dragging them from one administrator to another in the left pane of the Configure Administrators window.
Make sure you are in the Configure tab, and the Administrators section is selected.
Do one of the following:
In the left pane, select the assigned resource you want to unassign. Then, from the menu bar, select Administrator > Unassign Resources.
A Confirm unassign resources message box appears.
Click Yes.
The resource disappears from the Administrator tree.
Make sure you are in the Configure tab, and the Administrators section is selected.
Do one of the following:
In the left pane, select the assigned privilege class you want to unassign. Then, from the menu bar, select Administrator > Unassign Privilege Classes.
A Confirm unassign privilege class message box appears.
Click Yes. The privilege class disappears from the Administrator tree.
Open the Administrator Group Report by doing one of the following:
Click the Reports Tab and select Administrator Group Report.
Right-click Reports on the Function Tab Bar and select Administrator Group Report from the context menu.
In the left pane of the Configure Administrators window, right-click on any administrator group name or icon to display a context menu. Then select Report.
From the menu bar of the Configure Administrators window, select Administrators > Administrator Group Report.
The Administrator Group Report window appears. The fields in this report are Name and Resources.
Click Create PDF File.
Complete the Generate Report dialog:
Enter the filename in the Title field.
Select the orientation.
Enter the full path to a directory that contains the font arialuni.ttf. If no directory is specified, the default font is applied to the report.
Select the Yes radio button to generate the report as a Microsoft Excel readable file with the .csv extension.
Click OK to generate the report. The report will open in an Acrobat window. To print the report, click the Acrobat Print icon.
When a report is generated, an Acrobat file named BEXReportReportName.pdf and, optionally, a Microsoft Excel readable file named BEXReportReportName.csv are created on your local disk. The report files are created in your computer’s default temporary directory, as defined by the environment variable %TEMP% or %TMP%.
Open the Administrator Report by doing one of the following:
Click the Reports Tab and select Administrator Report.
Right-click Reports on the Function Tab Bar and select Administrator Report from the context menu.
In the left pane of the Configure Administrators window, right-click on any administrator name or icon to display a context menu. Then select Report.
From the menu bar of the Configure Administrators window, select Administrators > Administrator Report.
The Administrator Report window appears. The fields in this report are Name, Group Name, and Privilege Classes.
Click Create PDF File.
Complete the Generate Report dialog:
Enter the filename in the Title field.
Select the orientation.
Enter the full path to a directory that contains the font arialuni.ttf. If no directory is specified, the default font is applied to the report.
Select the Yes radio button to generate the report as a Microsoft Excel readable file with a .csv extension.
Click OK to generate the report. The report will open in an Acrobat window. To print the report, click the Acrobat Print icon.
When a report is generated, an Acrobat file named BEXReportReportName.pdf and, optionally, a Microsoft Excel readable file named BEXReportReportName.csv are created on your local disk. The report files are created in your computer’s default temporary directory, as defined by the environment variable %TEMP% or %TMP%.
In the left pane, right-click an assigned resource to display a context menu. The selection is indicated by the selection check box next to the assigned resource icon. Then select Unassign.
Right-click the assigned privilege class to display a context menu. The selection is indicated by the selection check box next to the assigned resource icon. Then select Unassign.
Device Clusters, Node Groups, Tape Libraries, and Media Pools
These are the resources that an administrator can use in carrying out tasks such as backup, restore, and migrate.
Job Folders
Job folders contain the defined jobs that a particular administrator can carry out.
Administrator Groups
Administrator groups (other than the SYSADMIN administrator group) can be assigned to other administrator groups. See Hierarchical Administrator Groups.
Keyrings
Keyrings contain keys for data-encrypted jobs.
Backup Job Admin | The administrator can define backup jobs. |
Copy Job Admin | The administrator can define copy jobs. |
Device Admin | The administrator can configure device clusters, tape libraries, and devices. |
Device Operator | The administrator can operate devices. |
Job Operator | The administrator can reschedule and run jobs. |
License Admin | The administrator can update a license key. |
Media Admin | The administrator can configure media pools and media volumes. |
Migrate Job Admin | The administrator can define migration jobs. |
Node Admin | The administrator can configure node groups and nodes. |
Restore Job Admin | The administrator can define restore jobs. |
Restricted Restore Job Admin | This special administrator is just like the Restore Job Admin, except they cannot change the destination of the job. |
Site Admin | The administrator has all the assignable privileges. |
View Only Admin | The administrator can view all the windows in the management console. |