The user authorization and authentication mechanism of PlateSpin Protect is based on user roles, and controls application access and operations that users can perform. The mechanism is based on Integrated Windows Authentication (IWA) and its interaction with Internet Information Services (IIS).
The role-based access mechanism enables you to implement user authorization and authentication in several ways:
Restricting application access to specific users
Allowing only specific operations to specific users
Granting each user access to specific workloads for performing operations defined by the assigned role
Every PlateSpin Protect instance has the following set of operating system-level user groups that define related functional roles:
Workload Protection Administrators: Have unlimited access to all features and functions of the application. A local administrator is implicitly part of this group.
Workload Protection Power Users: Have access to most features and functions of the application, with some limitations such as restrictions in the capability to modify system settings related to licensing and security.
Workload Protection Operators: Have access to a limited subset of system features and functions, sufficient to maintain day-to-day operation.
When a user attempts to connect to PlateSpin Protect, the credentials provided through the browser are validated by IIS. If the user is not a member of one of the Workload Protection roles, connection is refused.
Table 5-1 Workload Protection Roles and Permission Details
|
Workload Protection Role Details |
Administrators |
Power Users |
Operators |
|---|---|---|---|
|
Add Workload |
Allowed |
Allowed |
Denied |
|
Remove Workload |
Allowed |
Allowed |
Denied |
|
Configure Protection |
Allowed |
Allowed |
Denied |
|
Prepare Replication |
Allowed |
Allowed |
Denied |
|
Run (Full) Replication |
Allowed |
Allowed |
Allowed |
|
Run Incremental |
Allowed |
Allowed |
Allowed |
|
Pause/Resume Schedule |
Allowed |
Allowed |
Allowed |
|
Test Failover |
Allowed |
Allowed |
Allowed |
|
Failover |
Allowed |
Allowed |
Allowed |
|
Cancel Failover |
Allowed |
Allowed |
Allowed |
|
Abort |
Allowed |
Allowed |
Allowed |
|
Dismiss (Task) |
Allowed |
Allowed |
Allowed |
|
Settings (All) |
Allowed |
Denied |
Denied |
|
Run Reports/Diagnostics |
Allowed |
Allowed |
Allowed |
|
Failback |
Allowed |
Denied |
Denied |
|
Reprotect |
Allowed |
Allowed |
Denied |
In addition, PlateSpin Protect software provides a mechanism based on security groups that define which users should have access to which workloads in the PlateSpin Protect workload inventory.
To set up a proper role-based access to PlateSpin Protect:
Add users to the required user groups detailed in Table 5-1. See your Windows documentation.
Create application-level security groups that associate these users with specified workloads. See Managing PlateSpin Protect Security Groups and Workload Permissions.