2.3 Configuring User Authorization and Authentication

2.3.1 About PlateSpin Protect Role-Based Access

The user authorization and authentication mechanism of PlateSpin Protect is based on user roles, and controls application access and operations that users can perform. The mechanism is based on Integrated Windows Authentication (IWA) and its interaction with Internet Information Services (IIS).

The role-based access mechanism enables you to implement user authorization and authentication in several ways:

  • Restricting application access to specific users

  • Allowing only specific operations to specific users

  • Granting each user access to specific workloads for performing operations defined by the assigned role

Every PlateSpin Protect instance has the following set of operating system-level user groups that define related functional roles:

  • Workload Protection Administrators: Have unlimited access to all features and functions of the application. A local administrator is implicitly part of this group.

  • Workload Protection Power Users: Have access to most features and functions of the application, with some limitations such as restrictions in the capability to modify system settings related to licensing and security.

  • Workload Protection Operators: Have access to a limited subset of system features and functions, sufficient to maintain day-to-day operation.

When a user attempts to connect to PlateSpin Protect, the credentials provided through the browser are validated by IIS. If the user is not a member of one of the Workload Protection roles, connection is refused.

Table 2-1 Workload Protection Roles and Permission Details

| Workload Protection Role Details | Administrators | Power Users | Operators |
|----------------------------------|----------------|-------------|-----------|
| Add Workload                     | Allowed        | Allowed     | Denied    |
| Remove Workload                  | Allowed        | Allowed     | Denied    |
| Configure Protection             | Allowed        | Allowed     | Denied    |
| Prepare Replication              | Allowed        | Allowed     | Denied    |
| Run (Full) Replication           | Allowed        | Allowed     | Allowed   |
| Run Incremental                  | Allowed        | Allowed     | Allowed   |
| Pause/Resume Schedule            | Allowed        | Allowed     | Allowed   |
| Test Failover                    | Allowed        | Allowed     | Allowed   |
| Failover                         | Allowed        | Allowed     | Allowed   |
| Cancel Failover                  | Allowed        | Allowed     | Allowed   |
| Abort                            | Allowed        | Allowed     | Allowed   |
| Dismiss (Task)                   | Allowed        | Allowed     | Allowed   |
| Settings (All)                   | Allowed        | Denied      | Denied    |
| Run Reports/Diagnostics          | Allowed        | Allowed     | Allowed   |
| Failback                         | Allowed        | Denied      | Denied    |
| Reprotect                        | Allowed        | Allowed     | Denied    |

In addition, PlateSpin Protect software provides a mechanism based on security groups that define which users should have access to which workloads in the PlateSpin Protect workload inventory.

To set up proper role-based access to PlateSpin Protect:

  1. Add users to the required user groups detailed in Table 2-1. See your Windows documentation.

  2. Create application-level security groups that associate these users with specified workloads. See Managing PlateSpin Protect Security Groups and Workload Permissions.
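To review who currently holds each role, the following read-only audit can be run in an elevated PowerShell session on the PlateSpin Server host. It is an added example, not part of the product documentation, and it assumes the local group names match the role names in this section exactly.

```powershell
# Added example: list holders of each Workload Protection role and flag entries to review.
# Assumption: the local groups are named exactly as the roles are in this section.
$sources = @(
    @{ Role = 'Workload Protection Administrators'; Implicit = $false },
    @{ Role = 'Workload Protection Power Users';    Implicit = $false },
    @{ Role = 'Workload Protection Operators';      Implicit = $false },
    # A local administrator is implicitly a Workload Protection Administrator.
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators (locale independent).
    @{ Role = 'Workload Protection Administrators'; Implicit = $true; Sid = 'S-1-5-32-544' }
)

$rows = foreach ($s in $sources) {
    try {
        if ($s.Sid) {
            $members = Get-LocalGroupMember -SID $s.Sid -ErrorAction Stop
        } else {
            $members = Get-LocalGroupMember -Group $s.Role -ErrorAction Stop
        }
        foreach ($m in $members) {
            [pscustomobject]@{
                Member   = $m.Name
                Type     = [string]$m.ObjectClass   # 'User' or 'Group'
                Role     = $s.Role
                Implicit = $s.Implicit
            }
        }
    } catch {
        Write-Warning "Could not read members for '$($s.Role)': $($_.Exception.Message)"
    }
}

# One line per account, with the reasons it deserves a second look.
$rows | Group-Object Member | ForEach-Object {
    $roles = @($_.Group.Role | Sort-Object -Unique)
    $flags = @()
    if ($roles.Count -gt 1) { $flags += 'member of several role groups' }
    if ($_.Group.Type -contains 'Group') { $flags += 'nested group: review its members' }
    if ($_.Group.Implicit -notcontains $false) { $flags += 'role held only via local Administrators' }
    [pscustomobject]@{
        Member = $_.Name
        Roles  = $roles -join '; '
        Review = $flags -join ', '
    }
} | Sort-Object Member | Format-Table -AutoSize -Wrap
```

Compare the output against Table 2-1: any account listed under Workload Protection Administrators can change settings and run failback, so that list should be the shortest.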

2.3.2 Managing PlateSpin Protect Access and Permissions

The following sections provide more information:

Adding PlateSpin Protect Users

Use the procedure in this section to add a new PlateSpin Protect user.

If you want to grant specific role permissions to an existing user on the PlateSpin Server host, see Assigning a Workload Protection Role to a PlateSpin Protect User.

  1. On your PlateSpin Server host, access the system’s Local Users and Groups console (Start > Run > lusrmgr.msc > Enter).

  2. Right-click the Users node, select New User, specify the required details, and click Create.

You can now assign a workload protection role to the newly created user. See Assigning a Workload Protection Role to a PlateSpin Protect User.

Assigning a Workload Protection Role to a PlateSpin Protect User

Before assigning a role to a user, determine the collection of permissions that best suits that user. See Table 2-1, Workload Protection Roles and Permission Details.

  1. On your PlateSpin Server host, access the system’s Local Users and Groups console (Start > Run > lusrmgr.msc > Enter).

  2. Click the Users node, and double-click the required user in the right pane.

  3. On the Member Of tab, click Add, find the required Workload Protection group, and assign it to the user.

It might take several minutes for the change to take effect. To attempt applying the changes manually, restart your server by using the RestartPlateSpinServer.exe executable.

To restart the PlateSpin Server:

  1. Before you attempt to restart the PlateSpin Server, pause all of your contracts, or verify that no replications, failovers, or failbacks are in progress. Do not continue until all workloads are idle.

  2. Go to the PlateSpin Server’s bin\RestartPlateSpinServer subdirectory.

  3. Double-click the RestartPlateSpinServer.exe executable.

    A command prompt window opens, requesting confirmation.

  4. Confirm by typing Y and pressing Enter.

You can now add this user to a PlateSpin Protect security group and associate a specified collection of workloads. See Managing PlateSpin Protect Security Groups and Workload Permissions.

2.3.3 Managing PlateSpin Protect Security Groups and Workload Permissions

PlateSpin Protect provides a granular application-level access mechanism that allows specific users to carry out specific workload protection tasks on specified workloads. This is accomplished by setting up security groups.

  1. Assign a PlateSpin Protect user a Workload Protection Role whose permissions best suit that role in your organization. See Assigning a Workload Protection Role to a PlateSpin Protect User.

  2. Access PlateSpin Protect as an administrator by using the PlateSpin Protect Web Interface, then click Settings > Permissions.

    The Security Groups page opens.

  3. Click Create Security Group.

  4. In the Security Group Name field, type a name for your security group.

  5. Click Add Users and select the required users for this security group.

    If you want to add a PlateSpin Protect user who was recently added to the PlateSpin Server host, that user might not be immediately available in the user interface. In this case, first click Refresh User Accounts.

  6. Click Add Workloads and select the required workloads.

    Only users in this security group will have access to the selected workloads.

  7. Click Create.

    The page reloads and displays your new group in the list of security groups.

To edit a security group, click its name in the list of security groups.