User configuration

Only a user having the ADMINISTRATOR role is allowed to manage Arkeia Network Backup users.

User management tasks include the following:

Add a new user

When creating a new user, the administrator must provide the following information:

Click on Create to save the new user.

Modify a user

The name of an existing user cannot be changed. Any other user property can be modified: the role, the email and the restoration rights.

Click on Update to save the changes.

Change password

To change a password, it is necessary to know the old password. Users who have forgotten their password will have to be deleted, then added as a new user.

Remove a user

Select the user to remove from the Select a user list, then click on Delete... to remove the user.

User restoration rights

It is possible to associate restoration rights with Arkeia Network Backup users having the USER role. Such restoration rights cannot be set for administrators or for operators: administrators and operators have no restoration restrictions by default.

Restoration rights make it possible to define which backed up data a given user is allowed to restore, based on its full path. As a reminder, the full path of a data item is written like this in Arkeia Network Backup: machine_name!plugin_name:[volume]:/path.

User restoration rights are made of rules, each rule specifying explicitly whether or not a user is allowed to restore a given backed up path.

The next part provides detailed information about restoration rights rules.

Restoration rights rules

User restoration rights are configured through the definition of a list of rules. There are two kinds of rules:

  1. a default general rule provides a generic restore rights policy to apply to data paths for which no exception is specified. When setting up user restoration rights, the administrator must select one of the two following default rules:
  2. rules specific to a given data path are actually exceptions to the configured 'default rule'. It is valid to set up no exception at all. In such a case, the 'default rule' alone defines which data paths the user is allowed to restore. So, if no exception is defined, the user is either allowed to restore all backed up data or allowed to restore nothing (which is equivalent to a disabled user).

    Of course, in most cases, you want to set up exceptions. You can set as many exceptions as you want for a given user. There are two kinds of exceptions:

    As we can see above, denied paths are prefixed by a small red icon, while allowed paths are prefixed by a small green icon.

    Clicking the icon changes the exception state (from denied to allowed or from allowed to denied).

Examples

To make things clearer, let's see some useful examples of restoration rights. Again, a valid restore rights policy must include exactly one default rule plus as many exceptions as you want.

  1. a user who is allowed to restore any backed up data.

  2. a user who is allowed to restore any data from the client machines 'foo' and 'foobar'.

  3. a user who is allowed to restore any data except those from the client machines 'foo' and 'foobar'.

  4. a user who is only allowed to restore the 'c:/data' directory of the client machine 'foo'.

  5. a user who is only allowed to restore the MySQL databases of the client machine 'foo'.

  6. a user who is allowed to restore the 'c:/data' directory of the client machine 'foo', but not the 'c:/data/secret' sub-directory.

Conflicting rules

Example 6 above raises one important question: what happens if conflicting exceptions are defined?

The answer is quite simple: if conflicting exceptions are defined, then the most restrictive deny exception among the conflicting exceptions is actually applied.

Examples:

  1. This:

    is equivalent to this:

  2. This:

    is equivalent to this:

  3. This:

    is an interesting conflicting rule making it possible to restore the machine 'foo' except its 'c:/data' directory.
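The sketch below models the evaluation order described above (default rule, path exceptions, deny winning a conflict) so a policy can be checked before it is assigned to a user; it is an added example, not Arkeia code. It assumes that "most restrictive deny" means any deny exception covering the path overrides a conflicting allow, that exceptions match whole path components, and that comparison is case-sensitive; the plugin name "file" and all sample paths are constructed.

```python
from dataclasses import dataclass

# Characters that separate components in machine_name!plugin_name:[volume]:/path
BOUNDARIES = "!:/"

@dataclass(frozen=True)
class Rule:
    path: str    # full data path, or a leading part of one (e.g. just "foo")
    allow: bool  # True = allowed exception, False = denied exception

def covers(rule_path: str, data_path: str) -> bool:
    """True if rule_path is data_path itself or one of its ancestors."""
    prefix = rule_path.rstrip("/")
    if not data_path.startswith(prefix):
        return False
    # Require a component boundary so 'foo' does not cover 'foobar'
    # and 'c:/data' does not cover 'c:/database'.
    return len(data_path) == len(prefix) or data_path[len(prefix)] in BOUNDARIES

def can_restore(default_allow: bool, exceptions: list[Rule], data_path: str) -> bool:
    matching = [r for r in exceptions if covers(r.path, data_path)]
    if any(not r.allow for r in matching):
        return False          # a matching deny beats any conflicting allow
    if matching:
        return True           # only allow exceptions matched
    return default_allow      # no exception applies: fall back to default rule

# Constructed policies; "file" is a hypothetical plugin name.
# Example 6: default deny, allow c:/data on 'foo', deny c:/data/secret.
EXAMPLE_6 = [Rule("foo!file:c:/data", True), Rule("foo!file:c:/data/secret", False)]
# Conflicting example 3: default deny, allow 'foo', deny its c:/data directory.
CONFLICT_3 = [Rule("foo", True), Rule("foo!file:c:/data", False)]

if __name__ == "__main__":
    for p in ("foo!file:c:/data/report.txt", "foo!file:c:/data/secret/key.pem",
              "foo!file:c:/database/x", "foobar!file:c:/data/report.txt"):
        print(p, can_restore(False, EXAMPLE_6, p))
```

Running a candidate policy against a handful of paths that should be denied is a quick way to catch an exception that is broader than intended.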

Limitations

Here are some limitations of this system: