
Role-based access control (RBAC) in Data Domain

This post lists the various Data Domain users, roles and their activities/privileges.

Role-based access control (RBAC) is an authentication policy that controls which DD System Manager controls and CLI commands a user can access on a system.

List of users:

1) Sysadmin, Admin, Limited admin.

2) The User, Security officer, Backup-operator.

3) None, The Tenant admin, The Tenant user.

- A Sysadmin is the default admin user.

- An admin can configure and monitor the entire Data Domain system. Most configuration features and commands are available only to admin role users.

- The limited-admin role can configure and monitor the Data Domain system with some limitations. Users who are assigned this role cannot perform data deletion operations, edit the registry or enter bash or SE mode.

- The user role can monitor the system, change their own password, and view system status. The user role cannot change the system configuration.

- The Security role is for a security officer who can manage other security officers, authorize procedures that require security officer approval, and perform all tasks supported for user-role users. Only the sysadmin user can create the first security officer and that first account cannot be deleted. After the first security officer is created, only security officers can create or modify other security officers.

- The Backup-operator role can perform all tasks permitted for user role users, create snapshots for MTrees, import, export, and move tapes between elements in a virtual tape library, and copy tapes across pools.

- The role of None is used for DD Boost authentication and tenant-users. A None role can log in to a Data Domain system and can change their password, but cannot monitor or configure the primary system.

- The Tenant Admin role can be appended to the other (non-tenant) roles when the Secure Multi-Tenancy (SMT) feature is enabled. A tenant-admin user can configure and monitor a specific tenant unit as well as schedule and run backup operations for the Tenant.

- The Tenant User role can be appended to the other (non-tenant) roles when the SMT feature is enabled. It enables a user to monitor a specific tenant unit and change the user password.

References: DDOS administration guides from EMC support site.
