User Roles

    What Are User Roles?

    • Roles are assigned to users per business unit and give them permission to perform specific actions.
    • Users can be assigned to one or more specific business units with a different role in each business unit.

    When User Roles are set to specific Business Units, you can:

    • Control which users can access backup data for services in a business unit.
    • Reveal data only to the departments it is relevant to within your organization.
    • Control which users can read and modify which service in a business unit.
    • Allow Master Admins to manage your entire OwnBackup organization.

    What Can Each Role Do?

    Read-Only users can:

    • View Production and Sandbox services on the business units of which they are a member
    • View and start backups
    • Export and download data
    • Compare snapshots
    • Submit Find jobs
    • Preview Restore and Replicate jobs
    • Preview Anonymization templates and jobs
    • View Job History
    • Sandbox Seeding - View seeding templates configuration and schema
    • Sandbox Seeding - View seeds activity, reports, and download log files
    • Sandbox Seeding - Export seeding template objects hierarchy

    Seeder users can:

    • Add, rename, archive, and delete anonymized sandbox services in their business unit
    • Preview Anonymization templates and jobs
    • Sandbox Seeding - Seed Sandboxes using templates of non-production and/or anonymized data

    Developer users can:

    • Add, rename, archive, and delete anonymized sandbox services in their business unit
    • Submit Restore and Replicate on anonymized sandbox services
    • Submit anonymization on anonymized sandbox services
    • Preview anonymization templates and jobs
    • Sandbox Seeding - Create, clone, edit and delete seeding templates of non-production and/or anonymized data
    • Sandbox Seeding - Seed sandboxes using templates of non-production and/or anonymized data
    • Sandbox Seeding - Export and import seeding template objects hierarchy.

    DevOps users can:

    • Add, rename, archive, and delete sandbox services in their business unit
    • Submit Restore and Replicate on sandbox services
    • Manage Anonymization templates and run anonymization jobs on sandbox services
    • Sandbox Seeding - Create, clone, edit, and delete seeding templates
    • Sandbox Seeding - Seed sandboxes using templates of data
    • Sandbox Seeding - Export and import seeding template objects hierarchy.

    Admin users can:

    • Add, rename, archive, and delete services in the business unit they administer
    • Submit all Jobs on production and sandbox services
    • Access the Account Settings
    • Manage users and their roles in the business unit they administer
    • Manage services in the business unit they administer
    • Manage Anonymization templates and run anonymization jobs on sandbox services
    • Sandbox Seeding - Create, clone, edit, and delete seeding templates
    • Sandbox Seeding - Seed sandboxes using templates of data
    • Sandbox Seeding - Export and import seeding template objects hierarchy.

    The Account Master Admin can:

    • Do anything that an Admin can do
    • A Master Admin cannot be demoted or deleted by anyone except another Master Admin
    • Manage Advanced Key and IP restrictions
    • Manage the Account Settings
    • Manage the Account Security Settings
    • Manage Anonymization templates and run anonymization jobs on sandbox services
    • Sandbox Seeding - Create, clone, edit, and delete seeding templates
    • Sandbox Seeding - Seed sandboxes using templates of data
    • Sandbox Seeding - Export and import seeding template objects hierarchy.

    Role-Based Access Control: Phase 1 Business Unit Example

    Roles & Permissions

    Model

    Implications

    • Backup Servers: There is no impact on the location of Backups and no data will be moved to another server instance because of this change.
    • Single Sign-On: RBAC works with SSO (SAML). There is no change in the way you grant login access to each of the users in the system.
    • API: The API respects the new roles and Business Units. We recommend that the API use an Admin user so that it has full access to jobs and backups on the services it works with.
    • Cross-Region Accounts: At this time, we do not support cross-region accounts. If you need to manage two or more Production orgs hosted in different regions, you will have to have two separate OwnBackup accounts.
    • Backup: To back up organizations in different data centers, you need a separate OwnBackup account.
    • Account Setup: The OwnBackup Account setup is configured once for all Business Units (IP ranges, SSO, retention).
    • Advanced Key Management (AKM): AKM can only be configured by a Master Admin.
    • Auditing: There is no impact on reviewing all recent events. You can download the events as a CSV.
    • Endpoints: Endpoints can only be created by a Master Admin.

    How to Create a New User in My Account

    • Go to Account Settings > Users and click Add User.
    • Enter the email, choose the Business Unit, and select the role to assign to the new user.
    • You can add the user to other Business Units with different roles from the Business Unit tab.

    Click here to see a video demonstrating how you can create a new user account in OwnBackup.

    How to Hide a Service Containing Production Data from Users

    Services can be marked as ‘Containing Production Data’ in the Service Options Settings by Admins only.

    Once marked, users with the ‘Developer’ or ‘Seeder’ role will not be able to view this service. All other user roles will be able to view it.

    New services will be marked as ‘Containing Production Data’ by default for enhanced security. This flag can be removed by the service admin.
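
    The visibility rules described above (business unit membership, the ‘Containing Production Data’ flag, and the Master Admin exception), modeled as an added Python example; it is not OwnBackup code and calls no OwnBackup API. The class, function, and sample names are assumptions made for illustration, and the review list is meant to be run over a user and service inventory you compile yourself.

```python
from dataclasses import dataclass, field

# Roles that cannot view a service marked 'Containing Production Data' (per this page).
HIDDEN_FROM = {"Developer", "Seeder"}

@dataclass
class Service:
    name: str
    business_unit: str
    contains_production_data: bool = True  # new services are flagged by default

@dataclass
class User:
    email: str
    master_admin: bool = False
    roles: dict = field(default_factory=dict)  # business unit -> role in that unit

def explain_visibility(user, service):
    """Return (visible, reason) for one user and one service."""
    if user.master_admin:
        return True, "Master Admin can access everything"
    role = user.roles.get(service.business_unit)  # roles are evaluated per business unit
    if role is None:
        return False, "not a member of the service's business unit"
    if service.contains_production_data and role in HIDDEN_FROM:
        return False, f"{role} cannot view a service containing production data"
    return True, f"{role} in {service.business_unit}"

def review_list(users, services):
    """Unflagged services a Developer or Seeder can see; confirm each holds no production data."""
    hits = []
    for svc in services:
        if svc.contains_production_data:
            continue
        for u in users:
            if u.roles.get(svc.business_unit) in HIDDEN_FROM:
                hits.append((svc.name, u.email))
    return sorted(hits)

# Constructed sample data (business units, services, and addresses are made up).
SERVICES = [
    Service("Sales Production", "Sales"),
    Service("Sales Dev Sandbox", "Sales", contains_production_data=False),
    Service("HR Full Sandbox", "HR", contains_production_data=False),
]
USERS = [
    User("root@example.com", master_admin=True),
    User("dev@example.com", roles={"Sales": "Developer", "HR": "Read-Only"}),
    User("seed@example.com", roles={"HR": "Seeder"}),
]
```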

    FAQs

    Why is the Master Admin not showing in any of my Business Units?

    Master Admins can access everything in your OwnBackup account. As such, they cannot be members of specific business units.

    Why can’t a User see any Services?

    Check that they are a member of at least one business unit containing at least one service. Even if the user is a member of a business unit, they may not see a service that is marked as containing production data if their role is ‘Developer’ or ‘Seeder’.

    Why can’t a User see a specific Service?

    Check that they are included as a member of the business unit(s) containing the services you wish them to see. Even if the user is a member of a business unit, they may not see a service that is marked as containing production data if their role is ‘Developer’.

    Why Can’t I find a User when trying to add them to a Business Unit?

    They may already be a member of this business unit, or the user does not exist in your OwnBackup account.

    Why Can’t I see the ‘Account Settings’ page?

    Only the Master Admin and Admins can access the ‘Account Settings’ page. If a user is an Admin of at least one business unit, they will be able to access the ‘Account Settings’ page.

    Why Can’t I see the entire Job history?

    Each user will only see the Job history for the services that they are allowed to view, under the business units of which they are a member.

    Why are Services missing in the dropdown when trying to Compare/Find/Replicate?

    Each user will only see the services that they are allowed to view, under the business units of which they are a member. For example, a Developer user role will not see a service containing production data.

     
