Role-based access control overview

Role-based access control allows you to set the resources and permissions available to IBM® Storage Defender Copy Data Management accounts.

Through role-based access control you can tailor IBM Storage Defender Copy Data Management for individual users, giving them access to the features and providers they need. Once providers are associated with a site, they can be added to a resource pool along with high-level IBM Storage Defender Copy Data Management features such as Policies, Reports, and screens. Roles are then configured to define the actions that can be performed by the user of the account associated with the resource pool. The resource pool and role are then associated with one or more user accounts, which can be native to IBM Storage Defender Copy Data Management or imported as part of an LDAP group.

Tip: Users who register providers, such as storage devices, or add resources to IBM Storage Defender Copy Data Management, such as jobs or customized reports, have full access to interact with those providers or resources regardless of role-based access control restrictions. For example, if a user's permission allows them to register NetApp providers, they will also be able to view, edit, and unregister the NetApp providers that they registered, even if the necessary permissions are not assigned to them through role-based access control.

Configure role-based access control in the Access Control view on the Configure tab.

Resource Pools
A resource pool defines the resources that will be made available to an account. Every provider added to IBM Storage Defender Copy Data Management, such as storage devices and LDAP servers, can be included in a resource pool, along with individual IBM Storage Defender Copy Data Management functions and screens. This gives you the ability to fine-tune the experience of a user. For example, a resource pool could include only storage devices associated with a single vendor, with access to only the IBM Storage Defender Copy Data Management search and reporting functionality. When the resource pool is associated with a role and an account, the account user will only see the screens associated with search and reporting, and will only have access to the storage devices defined in the resource pool. See Configure resource pools.
Roles
Roles define the actions that can be performed on the resources defined in a resource pool. A resource pool defines the providers that will be made available to an account, such as storage devices, and resources, such as IBM Storage Defender Copy Data Management functions and screens; a role sets the permissions to interact with the resources defined in the resource pool. For example, if a resource pool is created that includes IBM Storage Defender Copy Data Management Backup and restore jobs, the role will determine how a user can interact with the jobs. Permissions can be set to allow a user to create, view, and run the Backup and restore jobs defined in a resource pool, but not delete them. Similarly, permissions can be set to create administrator accounts, allowing a user to create and edit other accounts, set up sites and resources, and interact with all of the available IBM Storage Defender Copy Data Management features. See Configure roles.
Accounts
An account associates a resource pool with a role. To enable a user to log on to IBM Storage Defender Copy Data Management and use its functions, you must first add the user to IBM Storage Defender Copy Data Management as a native user or as part of an imported group of LDAP users, then assign resource pools and roles to the user account. The account will have access to the resources and features defined in the resource pool as well as the permissions to interact with the resources and features defined in the role. See Configure accounts.
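
The following is an added example, not IBM code or a product API: a simplified Python model of the rules above (an account can act on a resource when its resource pool and role both allow it, plus the registrant exception from the Tip) that lists access an account holds only because it registered the provider. The account names, provider names, action list, and the one-pool, one-role-per-account simplification are assumptions made for illustration.

```python
# Simplified model of the rules described on this page. All names and data
# are constructed for illustration; nothing here is a product API or export.
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    pool: frozenset   # providers in the account's resource pool
    role: frozenset   # actions permitted by the account's role


# Constructed sample: provider name -> user who registered it.
REGISTERED_BY = {"netapp-01": "alice", "netapp-02": "bob", "netapp-03": "alice"}

# Constructed sample accounts (one pool and one role each, for brevity).
ACCOUNTS = [
    Account("alice", frozenset({"netapp-02"}), frozenset({"view"})),
    Account("bob", frozenset({"netapp-01", "netapp-02"}), frozenset({"view", "edit"})),
]

# The provider actions named in the Tip.
ALL_ACTIONS = ("view", "edit", "unregister")


def rbac_allows(acct, resource, action):
    """Access granted by role-based access control alone: pool AND role."""
    return resource in acct.pool and action in acct.role


def effective_allows(acct, resource, action):
    """RBAC grant, or the registrant exception described in the Tip."""
    return REGISTERED_BY.get(resource) == acct.name or rbac_allows(acct, resource, action)


def ownership_only_access(accounts):
    """Return (account, resource, action) tuples held only as registrant."""
    findings = []
    for acct in accounts:
        for resource in sorted(REGISTERED_BY):
            for action in ALL_ACTIONS:
                if effective_allows(acct, resource, action) and not rbac_allows(acct, resource, action):
                    findings.append((acct.name, resource, action))
    return findings


if __name__ == "__main__":
    for name, resource, action in ownership_only_access(ACCOUNTS):
        print(f"{name}: {action} on {resource} (registrant, not granted by RBAC)")
```

Reviewing this kind of list during an access audit shows where a user's effective access is wider than the resource pool and role assigned to their account.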