With CDP Enterprise and Advanced Editions, you can manage users and designate their permissions for browsing, backup and restore. There are three types of users based on their permissions:
- Super-users - A special user account used for system administration. Super-user has full privileges.
- Power-users - A special user account which is allowed to utilize the most of advanced featured. Power-user's permissions are configurable.
- Sub-user - A special user account with restricted permissions. Sub-user's permissions are configurable and lay in bounds of Power-user's permissions.
Power-users, sub-users and groups can be enabled/disabled in CDP Configuration. See Configuring Product Features.
The permissions are described further.
|Tip CDP Standard Edition
In CDP Standard Edition there are only super-users. They are added via CDP Configuration Utility. See Setting CDP Server Users.
You can change administrator's name and password in Configuration. See Configuring User Options.
A super-user has complete control over the CDP Server. A super-user can access and configure anything in the server. His/her permissions cannot be changed.
In organizations, super-user accounts are often provided for authorized experienced individuals.
The super-user creates power-users and sub-users and grants them permissions to use the various resources in the CDP Server.
All the users and groups in the server are visible for super-users.
Super-users should not be treated as power-users as super-users are not allowed to be added to groups or be assigned permissions on Agents or Volumes or be administrators of sub-users.
Super-user can create, edit, delete, import Volumes. Only super-user can remove a Disk Safe.
Only a super-user can change the owner of an Agent.
Power-users can be allowed to create and administrate sub-users.
Power-users can not assign permissions to their sub-users if they do not have these permissions themselves.
The number of sub-users assigned to a power-user is unlimited if it is not restricted in the power-user settings.
A power-user can see only groups that he/she belongs to and sub-users that he owns.
Power-users or groups can have the following permissions on Volumes:
- Create Disk Safes in the Volume
- Close Disk Safes in the Volume
- Delete Disk Safes in the Volume
- Change a Disk Safe's Agent Assignment
- Change a Disk Safe's Quota
- Vacuum a Disk Safe
Power-users can see (not edit) Volumes they have permission on. Path of Volume is hidden.
Sub-users and power-users do not need Volume permissions to restore or browse files or edit Disk Safe settings.
Power-users can be allowed to create and administrate Agents.
A power-user can be an Owner of an Agent. A power-user that creates an Agent is an owner by default.
A power-user can own an unlimited number of Agents and MySQL Add-ons if it is not restricted in the power-user settings.
The Owner has a full configurable set of Agent permissions. A power-user can have the following permissions on Agent (permissions can be activated by selecting the appropriate checkboxes in the User properties window):
- Edit Agent
- Edit Policies
- Edit Agent's Users
- Edit Disk Safe:
- Change name and description of the Disk Safe
- Change Compression Type
- Edit Devices and Device Settings
- Change Encryption Passphrase
- Manage Recovery Points (Merge Recovery Points and Lock/Unlock Recovery Points)
A power-user can have the following restore permissions (permissions can be activated by selecting the appropriate checkboxes in the User properties window):
- Browse Files
- Download Files (force checks browse files)
- Restore Files (force checks browse files)
- Bare-Metal Restore
- Control Panel Restore (force checks browse files)
- MySQL Restore
Sub-users can have only one Administrator (an Owner). It is not allowed to create sub-users with multiple Administrators.
Only a power-user can be an Owner of a sub-user.
Sub-users can not have permissions that their power-user owners do not have.
Groups and other users are not visible for sub-users.
A group contains a collection of power-users to apply its permissions to. A group is granted permissions the same as a power-user. Power-users can belong to more than one group.
Only power-users can be members of groups.
A power-user's permissions are the culmination of their user-level permissions, plus all of their group permissions.
In case a group has not been granted any permissions, but a specific power-user in that group has these very permissions, then the power-user still has these permissions.
If a group has been granted full-control access on an agent, but a specific power-user in that group has permissions set on that agent that are less than full-control, then the group permissions will be used.
If a power-user belongs to multiple groups, and two or more of those groups have permissions set on the same resource (i.e. agent), then the most liberal group-level permissions are applied. If one group has less than full-control access, but another group has full-control, the power-user will be granted full-control access.