To configure role-based access control for SnapCenter users, you can add users or groups and assign a role. The role determines the options that SnapCenter users can access.
About this task
- SnapCenter includes several predefined roles.
You can either assign these roles to the user or create new roles.
- AD Users and AD Groups that are added to SnapCenter RBAC must have the READ permission on the Users Container and the Computers Container in the Active Directory.
- After you assign a role to a user or group that contains the appropriate permissions, you must assign the user access to SnapCenter assets, such as hosts and storage connections.
This enables users to perform the actions for which they have permissions on the assets that are assigned to them.
- You should assign a role to the user or group at some point to take advantage of RBAC permissions and efficiencies.
- You can assign assets like host, resource groups, policy, storage connection, plug-in, and credential to the user while creating the user or group.
- The minimum assets that you should assign to a user to perform certain operations are as follows:

| Operation | Assets assignment |
| --- | --- |
| Protect resources | host, policy |
| Backup | host, resource group, policy |
| Restore | host, resource group |
| Clone | host, resource group, policy |
| Clone lifecycle | host |
| Create a Resource Group | host |

- When a new node is added to a Windows cluster or a DAG (Exchange Server Database Availability Group) asset, and this new node is assigned to a user, you must reassign the asset to the user or group so that the assignment includes the new node.
For example, you have a two-node cluster and you have assigned an RBAC user or group to the cluster. When you add another node to the cluster, you should reassign the RBAC user or group to the cluster to include the new node for the RBAC user or group.
- If you are planning to replicate Snapshot copies, you must assign the storage connection for both the source and destination volume to the user performing the operation.
You should add assets before assigning access to the users.
Attention: If you are using the SnapCenter Plug-in for VMware vSphere functions to protect VMs, VMDKs, or datastores, you use the VMware vSphere GUI to add a vCenter user to a SnapCenter Plug-in for VMware vSphere role. The vCenter documentation contains information about adding a user to a role in vCenter.
The SnapCenter concepts documentation contains more information about SnapCenter role-based access control (RBAC).
Concepts
Procedure
- In the left navigation pane, click Settings.
- In the Settings page, click .
- In the Add Users/Groups from Active Directory or Workgroup page:

| For this field… | Do this… |
| --- | --- |
| Access Type | Select either Domain or workgroup. For the Domain authentication type, you should specify the domain name of the user or group that you want to add to a role. By default, it is pre-populated with the logged-in domain name. Note: You must register the untrusted domain in the page. |
| Type | Select either User or Group. Note: SnapCenter supports only security groups and not distribution groups. |
| User Name | Type the partial user name, and then click Add. Note: The user name is case-sensitive. Select the user name from the search list. Note: When you add users from a different domain or an untrusted domain, you should type the user name fully because there is no search list for cross-domain users. Repeat this step to add additional users or groups to the selected role. |
| Roles | Select the role to which you want to add the user. |

- Click Assign, and then in the Assign Assets page:
  - Select the type of asset from the Asset drop-down list.
  - In the Asset table, select the asset.
    The assets are listed only if the user has added the assets to SnapCenter.
  - Repeat this procedure for all of the required assets.
  - Click Save.
- Click Submit.
After you finish
After adding users or groups and assigning roles, refresh the resources list.
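
The following added example (not part of the SnapCenter documentation or product) checks a user or group assignment against the minimum-asset table, the cluster/DAG reassignment rule, and the replication storage-connection rule described in "About this task". The record layout, principal, host, and storage connection names are assumptions constructed for illustration.

```python
# Added example: the record layout below is an assumption, not a SnapCenter export format.
MIN_ASSETS = {  # minimum asset types per operation, from the table on this page
    "Protect resources": {"host", "policy"},
    "Backup": {"host", "resource group", "policy"},
    "Restore": {"host", "resource group"},
    "Clone": {"host", "resource group", "policy"},
    "Clone lifecycle": {"host"},
    "Create a Resource Group": {"host"},
}

def audit(entry, cluster_nodes):
    """Return findings for one user/group entry, in check order."""
    findings = []
    assigned = entry["assets"]  # asset type -> set of assigned asset names
    for op in entry["operations"]:
        if op not in MIN_ASSETS:
            findings.append(f"{op}: unknown operation")
            continue
        for asset_type in sorted(MIN_ASSETS[op]):
            if not assigned.get(asset_type):
                findings.append(f"{op}: no {asset_type} assigned")
    # Cluster/DAG rule: a node added after the assignment is not covered
    # until the cluster or DAG is reassigned to the user or group.
    for cluster, covered in entry.get("clusters", {}).items():
        for node in sorted(cluster_nodes.get(cluster, set()) - covered):
            findings.append(f"{cluster}: node {node} not covered, reassign")
    # Replication rule: storage connections for source and destination.
    conns = assigned.get("storage connection", set())
    for src, dst in entry.get("replications", []):
        for side, name in (("source", src), ("destination", dst)):
            if name not in conns:
                findings.append(f"replication {src}->{dst}: {side} {name} not assigned")
    return findings

# Constructed sample data (all names hypothetical).
SAMPLE_ENTRY = {
    "principal": "EXAMPLE\\backup-ops",
    "operations": ["Backup", "Restore"],
    "assets": {"host": {"sql-clu1"}, "resource group": {"rg_sql"},
               "storage connection": {"svm_src"}},
    "clusters": {"sql-clu1": {"node1", "node2"}},  # nodes present at assignment time
    "replications": [("svm_src", "svm_dst")],
}
SAMPLE_CLUSTER_NODES = {"sql-clu1": {"node1", "node2", "node3"}}  # current membership

if __name__ == "__main__":
    for finding in audit(SAMPLE_ENTRY, SAMPLE_CLUSTER_NODES):
        print(finding)
```

An empty result means the entry meets the minimums listed above; it does not show that the assignment is least-privilege, only that nothing required is missing.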