Role-Based Access Control
With NAKIVO Backup & Replication, you can use role-based access control to improve the security of your data protection activities. By assigning unique roles, administrators limit the operations available to users in the UI and deny unauthorized access. These roles include permissions that you can customize at both broad and granular levels.
Free Trial of NAKIVO
Backup & Replication for One Year
Role-based access control (RBAC) in NAKIVO Backup & Replication
Preset and Customizable User Roles
Restrict access to NAKIVO Backup & Replication at broad and granular levels to grant users just enough access rights to do their jobs while limiting access to other activities. Use the preset roles to assign rights to users and specify the operations they can perform in the UI without spending time on configuring permissions. These roles include administrator, backup operator, recovery operator and view only user. Create new roles by customizing permissions and access levels to meet your data protection administration needs. This flexibility in designing new roles from scratch offers greater control of your backup and recovery activities.
Tighter Security with Access Control
Whether to prevent accidental mismanagement or a malicious attack, incorporating access controls into a broader data protection plan is the first line of defense. Role-based access control provides users with varying levels of access. Users can be granted permissions to view, edit or run backup and recovery jobs. By ensuring that only authorized and authenticated users have access to data management activities, administrators gain greater visibility into their operations. When combined with a multi-tenant deployment, such controls can isolate the backup data of each business unit and give unit-level administrators full control over their environment only.
Enterprise-Wide Identity Consistency
With role-based access, you can configure Active Directory integration of domain users and groups to keep user identities consistent across your entire infrastructure. Active Directory is Microsoft’s object management product for authenticating and granting access to users, devices and applications. Use the Active Directory Configuration Wizard to easily run the integration then confirm its success with the Test Integration tool. Once users have been added, assign, edit or delete roles at any time. NAKIVO Backup & Replication automatically synchronizes with Active Directory and users are authenticated by entering their Active Directory login credentials.
Edit and Reassign User Roles
After you create and assign roles to NAKIVO Backup & Replication users, you can edit, clone or delete these custom roles at any time to meet new needs or changing circumstances. You can apply any changes to multiple users at once with bulk actions. Role-based access control ensures that your data protection activities are secure even when circumstances and employees change. If you modify the roles of users or terminate a user’s access to NAKIVO Backup & Replication, these changes take effect immediately. For users whose roles have been cancelled, simply log out to prevent them from accessing the software.
Simple Division of Responsibilities
Divide responsibilities between positions to reduce slowdown from bottlenecks and improve recovery time. An administrator can design and supervise business-wide data protection strategies while lower-level users carry out operational tasks. In NAKIVO Backup & Replication, administrators can grant one user a set of permissions to schedule and manage backups while another can be on-call to run recoveries as needed. Assign view-only access to managers for oversight over data protection tasks or to in-house legal staff for data compliance checks. Manage the whole process from the intuitive web user interface to ensure that roles are up to date with changing circumstances.
Granular DRaaS and BaaS Management
With multi-tenant deployments of NAKIVO Backup & Replication, managed service providers (MSPs) offer customers backup as a service (BaaS) and disaster recovery as a service (DRaaS). As “master tenant” users, MSPs can use role-based access control to assign roles to their customers (tenants) in the self-service portal. Preset roles include self-service administrator and self-service user. When an MSP grants tenants permissions to perform certain backup and recovery tasks, the MSP retains full visibility of the entire multi-tenant environment and monitors all processes from a single pane of glass. Tenants, nevertheless, are completely isolated and cannot view the roles of other tenants.
Assess Current Roles
Businesses with a large number of employees are at risk of loose data access rules. Unrestricted business-wide access increases the probability of accidental deletions, disruptions by rogue administrators and successful phishing attacks. Conversely, overly centralized backup and recovery processes may inhibit efficiency, resulting in retention gaps and slower recovery times. Assess current roles by listing who is responsible for each portion of the backup and recovery process. Calculate how often different parts of the business rely on data recovery. Map which administrators are responsible for each part. Verify you can meet your RTOs and RPOs. Mark where bottlenecks and redundancies exist.
Formulate and Communicate to Users
Establish consistency by formulating and communicating backup and recovery objectives to users. Guidelines should be designed to achieve the business’s strategic objectives but include specific instructions for each business unit. Formulate achievable RTOs and RPOs to make disaster recoveries predictable and administrators accountable. Define specific backup schedules to prevent retention policy gaps. Stipulate specific destinations and sources to ensure that backups are organized and readily accessible. Cross-reference guidelines with users’ roles so that employees have access to perform their jobs. Contain users’ permissions to their responsibilities to limit data mismanagement.
Multi-Tenant Environments: DRaaS and BaaS for Customers
Multi-tenancy allows Managed Service Providers (MSPs) to offer customers disaster recovery as a service (DRaaS) and backup as a service (BaaS). Multi-tenancy separates tenants, that is, customers, into their own isolated environments for backup and recovery operations. As an MSP, create user roles for both your employees and your customers. Build employee roles that can provide IT support and troubleshooting to customers. Assign the self-service administrator or self-service user role from the presets to your tenants or create custom roles. Tenants remain completely isolated and cannot see the roles of other tenants. They can, in turn, assign roles and permissions to users in their environments.
Plan and Modify Roles
Use the information from your assessment to create a comprehensive user role framework. The framework should be a living document reflecting the business’s current distribution of roles. This will help in the future to both investigate data loss events and reassign roles if processes become inefficient. Decide whether a centralized or decentralized backup and recovery process works best for your business. In either setup, assign users for each step of the process: configuration, managing backup and recovery jobs, scheduling, user roles, and accessing support and help center services. Keep the number of authorized users low to minimize the potential for data loss.
Audit and Fine-Tune
Regularly monitor and test how well role-based access controls support current operations. Personnel and priorities shift quickly for businesses, which means that IT procedures well-suited to earlier circumstances may suddenly be ineffective. Fast-growing businesses, in particular, may outpace their backup and recovery capacity without noticing it until it is too late. Stay protected by updating user roles and guidelines to match changing priorities. Consult previous user role frameworks to determine how different setups affect recovery times. Regularly test your RTOs and RPOs with mock disaster recoveries to have an accurate reading of your situation.
Multi-Tenant Environments: Separate Business Units
Multi-tenancy enables businesses to create separate backup and recovery environments for each business unit. This setup gives geographically dispersed branches more independence, which can increase recovery times and reduce bottlenecks. For businesses working with sensitive information, multi-tenancy isolates critical data from normal workflow operations. To effectively employ business unit multi-tenancy, clearly delineate tasks between central and unit-level administrators. Retention policy gaps can easily emerge if user roles overlap but functional responsibilities are unclear. Audit business unit processes with test recoveries to confirm that effective data protection practices are in place.
What are the available user roles?
NAKIVO Backup & Replication comes with four built-in preset user roles: administrator, backup operator, recovery operator, and view only. Administrators can also create unique custom user roles to suit their operations by combining permissions and access levels. Custom user roles can be reassigned, edited, cloned or deleted at any time.
What are permissions?
Permissions are authorized actions that specific users may perform. In NAKIVO Backup & Replication, permissions are grouped into categories that cover jobs, such as backup or recovery, configuration settings, user profiles and access to support. Administrators can customize what users can view and use by choosing access levels for each permission.
What are access levels?
Access levels refer to the type of access users have to the UI. Administrators can deny access to certain users. They can also allow users to view only, run only or full access to the UI. Custom access gives administrators fine-grained control of user interactions with NAKIVO Backup & Replication.
Can I integrate Active Directory with role-based access?
Yes, Active Directory can be fully integrated with NAKIVO Backup & Replication and AD domain credentials can be used to access the UI. The AD Configuration Wizard allows users to import AD groups into the role-based access control panel. Once groups are imported, administrators can perform bulk actions on multiple users.
Does role-based access control work with a multi-tenant setup?
Yes, “master tenants” can assign user roles in a multi-tenant setup to give business units or customers more control over their backup and recovery operations. Each tenant’s data and roles are isolated from the other tenants’ while the master tenant has full visibility and control of the entire instance.
Can users have more than one role?
No, users can only be assigned one role. If you need to give users a unique role to cover multiple responsibilities, design a new custom role with specific permissions and access levels. You can either clone an existing role and edit it, or build a completely new role from scratch.
Need Help?NAKIVO’s Support Team is always here to help if you encounter any issues. If you need assistance:
- Search the user guide and the online knowledge base
- Contact support via the chat in the web UI
- Contact us by email or phone
NAKIVO Community Forum is a valuable information resource where you can:
- Ask and answer questions about NAKIVO Backup & Replication
- Participate in discussions
- Share your expertise