Managing Access Control in PresSTORE
This article describes the functions for limiting user access in PresSTORE and walks through some example scenarios showing how to configure non-administrator restore functions.
The PresSTORE Process Access Permissions
During installation, the PresSTORE job is set up to run with the highest privileges possible. The PresSTORE process (nsd on Unix systems, nsd.exe on Windows) runs under the root account on Unix and under the system account on Windows. This is necessary to read all files during sync and backup; please do not attempt to use the process account for your own user restrictions.
Login Access to PresSTORE
Before working with PresSTORE via the web GUI, a user has to authenticate with a user name and password. This pair is then checked using operating system functions. PresSTORE does not maintain account information itself; instead, it checks whether the user is permitted to log in on the host where PresSTORE is running.
On Unix-like hosts (Mac, Linux, Solaris), the so-called Pluggable Authentication Module (PAM) is used for the check, so the authentication method used by the server can be influenced via PAM administration.
The Omnipotent Administrator Account
The administrator accounts in PresSTORE are omnipotent: each administrator has unlimited access to PresSTORE's web GUI.
The following sketch shows the groups that enjoy administrator privileges in PresSTORE:
The groups are identified by name, except for group 544 on Windows, which is identified by its group ID because the name changes with the localization.
In addition to these group memberships, the special user root (identified by name or, on Unix hosts, by the UID 0) is also an administrator in PresSTORE.
The Operator Account
PresSTORE supports one more special account type: the Operator. This type of account is intended for non-administrator users who are allowed to maintain jobs and media.
Operators in PresSTORE are users who are members of the operating system level user group psops or PrnAdm. The group psops usually does not exist; the group PrnAdm exists on Helios servers.
Operators are permitted to
● start and stop jobs in PresSTORE
● run jukebox inventories
● move media to or from the mail slot in a jukebox
● label tapes
All other permissions of operators are the same as for normal users.
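Because PresSTORE derives these roles from operating system accounts, reviewing who holds them means reviewing passwd and group data on the host. The following added example (not PresSTORE code) lists accounts that are administrators through the root/UID 0 rule and accounts that are operators through psops or PrnAdm, using constructed sample data. It assumes primary-group membership counts as membership, which the article does not state, and it omits the administrator groups because the sketch naming them is not reproduced here.

```python
# Added example: map OS accounts to the PresSTORE roles described above.
# SAMPLE_PASSWD / SAMPLE_GROUP are constructed; on a real host, feed in the
# output of `getent passwd` and `getent group` instead.

OPERATOR_GROUPS = {"psops", "PrnAdm"}  # operator groups named in the article

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:second UID 0 account:/root:/bin/sh
alice:x:1001:1001::/home/alice:/bin/sh
bob:x:1002:2000::/home/bob:/bin/sh
carol:x:1003:1003::/home/carol:/bin/sh
"""

SAMPLE_GROUP = """\
root:x:0:
psops:x:2000:alice
staff:x:1001:alice,carol
"""

def rows(text):
    """Yield the colon-separated fields of each non-empty, non-comment line."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            yield line.split(":")

def presstore_roles(passwd_text, group_text, operator_groups=OPERATOR_GROUPS):
    """Return accounts that are admins via root/UID 0 and accounts that are operators."""
    users = {f[0]: (int(f[2]), int(f[3])) for f in rows(passwd_text)}
    groups = {f[0]: (int(f[2]), {m for m in f[3].split(",") if m})
              for f in rows(group_text)}
    # Article: the user root is an administrator, by name or by UID 0.
    # Any extra UID 0 account therefore has full PresSTORE access too.
    admins = {u for u, (uid, _) in users.items() if u == "root" or uid == 0}
    operators = set()
    for name in operator_groups.intersection(groups):
        gid, members = groups[name]
        operators |= members  # supplementary members listed in the group entry
        # Assumption: users whose primary GID is the group count as members.
        operators |= {u for u, (_, pgid) in users.items() if pgid == gid}
    return {"admin_by_uid0": sorted(admins),
            "operators": sorted(operators - admins)}

if __name__ == "__main__":
    print(presstore_roles(SAMPLE_PASSWD, SAMPLE_GROUP))
```

In the sample data, bob never appears in the psops member list but is still reported, because psops is his primary group; a review that reads only the group file would miss him.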
Access Control Functions in PresSTORE
Access control for users is maintained based on so-called login areas. After login, the user will see only those login areas he/she may access. By permitting access to a login area, users are at the same time permitted to use the functions within that login area. Permissions for login areas are maintained on user group level. Please note that there is one special group named root that stands for “all administrators”, even if that root group does not exist on the operating system, e.g. as on Windows.
Furthermore, user preferences allow restrictions to be set up on a per-user basis; these restrictions are applied to the user logged in.
The following PresSTORE resources handle access permissions:
● Login areas may be restricted to users belonging to configured operating system level groups. This means that the login area remains invisible for other users.
● User preferences may restrict access permissions for each user. E.g. specific users may have access only to one login area (usually their own backup), while others have no such restriction.
● Default user preferences can be preset by adopting the generic user preferences template.
Example: Allow restore operations of user's own data
This example shows a typical network with multiple workstation users.
Each user shall be permitted to restore his data from backup, but users shall not get access to other users' data, and the restore shall write to a predefined folder only. Access to other backups or archives shall be denied.
This setup can be achieved with the following steps:
● Create a Login Area for each user. Select the corresponding backup index and set path to the path of the user's backup.
● In the User Preferences for the corresponding user, remove download and archive from the list of Allowed operations and set the Login behavior to the above login area.
Example: Allow Archive and Restore Operations on Servers
This example assumes an archive solution of two servers.
Each user shall be permitted to archive data with one archive index, and all users may restore data to a specific folder on each server.
This setup can be achieved with the following steps:
● Restrict access to all login areas. Administrators may adopt PresSTORE's method of restricting access to the login areas General Setup and Job and Storage Management to members of group root, by setting Allow access for group(s) in all login areas to group root.
● Grant access to the required Archive Plan by adding a user group to the corresponding login area. If no group for these users exists, it is possible to create a new group, e.g. archivists, in the operating system and declare users as members of that group.
● In the Client setup for the two servers, navigate to the Additional Options and set the Paths to restore to the desired folder. In case multiple paths are entered, users may select one of these before restore.