Managing user access

By using role-based access control, you can set the resources and permissions available to IBM Spectrum Protect Plus user accounts.

You can tailor IBM Spectrum Protect Plus for individual users, giving them access to the features and resources that they require.

Once resources are available to IBM Spectrum Protect Plus, they can be added to a resource group along with high-level IBM Spectrum Protect Plus items such as a hypervisor and individual screens.

Roles are then configured to define the actions that can be performed on the resources in that resource group. A resource group is paired with one or more roles, and that pairing is assigned to one or more user accounts. The combination of a resource group with one or more roles is a permission set. A user account can have more than one permission set applied.

Use the following sections of the Accounts pane to configure role-based access:
Resource Groups
A resource group defines the resources that are available to a user. Every resource that is added to IBM Spectrum Protect Plus can be included in a resource group, along with individual IBM Spectrum Protect Plus functions and screens. By defining resource groups, you can fine tune the user experience. For example, a resource group could include an individual hypervisor, with access to only backup and reporting functionality. When the resource group is associated with a role and a user, the user will see only the screens that are associated with backup and reporting for the assigned hypervisor.
Restriction: Do not assign a role-based access control (RBAC) user to more than one VMware resource group. If a user is assigned to the Tags and Categories resource group and also to either the Hosts and Clusters or the VMs and Templates resource group, no data is displayed in the Hosts and Clusters view or the VMs and Templates view; only Tags and Categories information is displayed when that view is selected while performing operations.
Roles
Roles define the actions that can be performed on the resources that are defined in a resource group. While a resource group defines the resources that will be made available to a user account, a role sets the permissions to interact with the resources defined in the resource group. For example, if a resource group is created that includes backup and restore jobs, the role determines how a user can interact with the jobs.
Permissions can be set to allow a user to create, view, and run the backup and restore jobs that are defined in a resource group, but not delete them. Similarly, a role can grant administrator-level permissions, allowing a user to create and edit other accounts, set up sites and resources, and interact with all of the available IBM Spectrum Protect Plus features. Treat Create, Edit, and Delete on the Role and User resource types as administrative permissions: an account that can edit roles can change the permissions of any account, including its own.
User accounts
A user account associates a resource group with a role. To enable a user to log in to IBM Spectrum Protect Plus and use its functions, you must first add the user as an individual user (referred to as a native user) or as part of an imported group of LDAP users, and then assign resource groups and roles to the user account. The account will have access to the resources and features that are defined in the resource group as well as the permissions to interact with the resources and features that are defined in the role.

Example: Assigning multiple permission sets to a user account

The combination of a resource group and role is known as a permission set. Multiple permission sets may be associated with a user account. You must first create the resource group and role and then make those part of a permission set. As an example, you can create a user account that only has access to certain screens, custom resource groups, custom roles, users, and a specific vCenter called vCenter1. In this example, we will create two permission sets and assign those sets to the user account.

Create the ViewResourceGroup for the screens to which the user should have access. In this example, add the User, Role, and Resource Group screens only. Next, create the CreateResourceGroup with the screens to which the user should have access. Again, select User, Role, and Resource Group screens only. For more information on creating a resource group, see Creating a resource group.

Create empty roles CreateRole and ViewRole. For more information on creating a role, see Creating a role.

Create the user account, set the password, and add the two permission sets that follow to the account. For more information, see Creating a user account for an individual user or Creating a user account for an LDAP group.
  • Permission set 1 will consist of the ViewResourceGroup and the ViewRole.

  • Permission set 2 will consist of the CreateResourceGroup and the CreateRole.

Enter a username and set the password for the user account. Click Add new permission. Expand Permission 1 and select the ViewRole role and the ViewResourceGroup resource group. Click Add new permission. Expand Permission 2 and select the CreateRole role and the CreateResourceGroup resource group. Click Create User.
Grant permissions to the user account to create a custom resource group and only view any resource groups that are created by the user. For information on editing resource groups, see Editing a resource group and for information on editing roles, see Editing a role. Edit the following resource groups and roles:
  • CreateRole: Select Resource Group > Create, Edit, Delete and click Update Role.
  • CreateResourceGroup: Select Accounts > Resource Group > All and click Add Resources. Click Update Resource Group.
  • ViewRole: Select Resource Group > View and click Update Role.
Grant permissions to the user account to create a custom role and only view the roles created by the user. Edit the following resource groups and roles:
  • CreateRole: Select Role > Create, Edit, Delete and click Update Role.
  • CreateResourceGroup: Select Accounts > Role > All and click Add Resources. Click Update Resource Group.
  • ViewRole: Select Role > View and click Update Role.
Grant permission to the user account to create users and only view users created by the user. Edit the following resource groups and roles:
  • CreateRole: Select User > Create, Edit, Delete and click Update Role.
  • CreateResourceGroup: Select Accounts > User > All and click Add Resources. Click Update Resource Group.
  • ViewRole: Select User > View and click Update Role.
Grant permission to the user account to add VMs from a specified vCenter to a resource group created by the user. Edit the following resource groups and roles:
  • ViewRole: Select Virtualized Systems > View and click Update Role.
  • ViewResourceGroup: Select Virtualized System > VMware > Hosts and Clusters > vCenter1 and click Add Resources. Click Update Resource Group.
    Note: In this example, vCenter1 is the fictional name of a vCenter that has been registered in IBM Spectrum Protect Plus.
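The following Python model is an added example, not IBM code and not part of the original page. It encodes the resource group, role, permission set and user account concepts described above and the end state of the worked example (ViewResourceGroup, CreateResourceGroup, ViewRole, CreateRole, and the fictional vCenter1), and shows how a request is evaluated against an account that holds more than one permission set. The evaluation semantics are an assumption drawn from the page's description: each permission set is checked as a unit, so a role is only ever applied to the resources in the resource group it is paired with. The account name rbacuser, the resource names custom-rg and vCenter2, and the resource-type strings are invented for the example.

```python
"""Model of permission-set evaluation (added example, not IBM code).

Assumed semantics, taken from the page's description rather than from the
product: a permission set binds ONE role to ONE resource group. A request
is allowed only if a single permission set on the account both contains
the target resource (in its resource group) and grants the action on that
resource's type (in its role). Roles and resource groups from different
permission sets are never combined.
"""
from dataclasses import dataclass, field

ALL = "*"  # models the "All" selection in the Accounts pane


@dataclass(frozen=True)
class Resource:
    kind: str   # assumed type names: "Screen", "Resource Group", "Role", "User", "Virtualized System"
    name: str


@dataclass
class ResourceGroup:
    name: str
    members: set[Resource] = field(default_factory=set)

    def contains(self, res: Resource) -> bool:
        # A member with name ALL matches every resource of that kind.
        return res in self.members or Resource(res.kind, ALL) in self.members


@dataclass
class Role:
    name: str
    grants: set[tuple[str, str]] = field(default_factory=set)  # (kind, action)

    def allows(self, kind: str, action: str) -> bool:
        return (kind, action) in self.grants


@dataclass
class User:
    name: str
    permission_sets: list[tuple[Role, ResourceGroup]] = field(default_factory=list)

    def can(self, action: str, res: Resource) -> bool:
        """Each permission set is evaluated as a unit: role AND its own resource group."""
        return any(role.allows(res.kind, action) and group.contains(res)
                   for role, group in self.permission_sets)

    def can_crossed(self, action: str, res: Resource) -> bool:
        """Anti-pattern shown for comparison: union of all roles x union of all groups."""
        any_role = any(r.allows(res.kind, action) for r, _ in self.permission_sets)
        any_group = any(g.contains(res) for _, g in self.permission_sets)
        return any_role and any_group

    def screens(self) -> set[str]:
        """Screens the account sees: the Screen resources across all its resource groups."""
        return {r.name for _, g in self.permission_sets
                for r in g.members if r.kind == "Screen"}


def build_example_user() -> User:
    """End state of the worked example on this page (group, role and vCenter names from the page)."""
    screens = {Resource("Screen", s) for s in ("User", "Role", "Resource Group")}
    view_rg = ResourceGroup("ViewResourceGroup",
                            screens | {Resource("Virtualized System", "vCenter1")})
    create_rg = ResourceGroup("CreateResourceGroup", screens | {
        Resource("Resource Group", ALL), Resource("Role", ALL), Resource("User", ALL)})
    view_role = Role("ViewRole", {(k, "View") for k in
                                  ("Resource Group", "Role", "User", "Virtualized System")})
    create_role = Role("CreateRole", {(k, a) for k in ("Resource Group", "Role", "User")
                                      for a in ("Create", "Edit", "Delete")})
    return User("rbacuser", [(view_role, view_rg), (create_role, create_rg)])  # name assumed


def binding_matters() -> tuple[bool, bool]:
    """Constructed case: Delete on vCenter2 in one set plus View on vCenter1 in another
    must not yield Delete on vCenter1. Returns (unit evaluation, crossed evaluation)."""
    deleter = Role("Deleter", {("Virtualized System", "Delete")})
    viewer = Role("Viewer", {("Virtualized System", "View")})
    rg2 = ResourceGroup("RG2", {Resource("Virtualized System", "vCenter2")})
    rg1 = ResourceGroup("RG1", {Resource("Virtualized System", "vCenter1")})
    u = User("u", [(deleter, rg2), (viewer, rg1)])
    target = Resource("Virtualized System", "vCenter1")
    return u.can("Delete", target), u.can_crossed("Delete", target)


if __name__ == "__main__":
    u = build_example_user()
    vc1 = Resource("Virtualized System", "vCenter1")
    print("view vCenter1:", u.can("View", vc1))
    print("delete vCenter1:", u.can("Delete", vc1))
    print("create resource group:", u.can("Create", Resource("Resource Group", "custom-rg")))
    print("screens:", sorted(u.screens()))
    print("binding (unit, crossed):", binding_matters())
```

With the page's example, the account can view vCenter1 and create, edit or delete resource groups, roles and users, but cannot delete vCenter1 or see any vCenter that is not in ViewResourceGroup. The binding_matters function is the check worth carrying into any RBAC implementation or review: if roles and resource groups were unioned across permission sets instead of evaluated pairwise, a Delete granted on one vCenter would silently extend to every vCenter the account can view.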