5 0 0:User Roles and Permissions
After activating authentication and configuring the users, you can grant or restrict access to SEP sesam Server, a specific resource, or an operation within SEP sesam Server by selecting the appropriate user type (superuser, admin, backup, operator or restore) when adding users to groups.
Each user type represents a specific role in SEP sesam with attached permissions (e.g. superuser has full control over SEP sesam) and these roles can be assigned to groups automatically, based on external configuration or when configuring authentication.
In addition to user roles, there are various user permissions that you can set (attach to a role) to control access to specific resources or operations.
User roles, based on the selected user type, are an access control mechanism for applying fine-grained control over access to the system and its options. The user type can be specified when configuring authentication and adding users to groups. For details, see About Authentication and Authorization.
SEP sesam currently provides 5 user types. The following list shows the available user types and their corresponding rights.
- Superuser (≥ Jaglion): The only user type with full control over the SEP sesam environment (previously Admin). This user type with superuser rights is automatically assigned exclusively to the Administrator user when database-based authentication is activated. If policy-based authentication is enabled, this user type with superuser rights is assigned to the Administrator, root and sesam users.
- Administrator: Administrators can administer the SEP sesam system and access the GUI objects (except permission management) if not restricted by ACLs.
- Operator: Operators can monitor the whole environment.
- Backup (≥ Jaglion): Backup users can access the GUI objects granted by ACLs. They are also allowed to start backups and restores.
- Restore: Restore users can access the GUI objects granted by ACLs. They are only allowed to start standard restores.
In addition, users can be assigned different permissions. This means that besides default permissions based on the selected user type, a superuser can also set custom user roles by configuring ACLs. For example, if you assign the Restore user permission to a specific backup task, that user can start the task-related backup.
To grant or restrict user access to certain objects, options, etc., you can set the following permissions:
- Permissions based on user type: Access to SEP sesam Server, a specific resource, an operation, and the GUI and Web UI options displayed depend on the user type you select. You can check which GUI/Web UI options are available depending on the selected user type in the below table.
- Access Control Lists (ACLs): The ACL determines which users or groups are granted access to specific objects (client, location, backup, etc.). Only users with superuser rights can configure ACLs. For details, see Using Access Control Lists
Available interface options according to user type
The operations and options available after login may differ depending on the user type. The following table shows which GUI and Web UI options are available depending on the user type. Note that almost all options are available in both interfaces, but may appear under a different name in the GUI and Web UI. For example, the Logging option in the GUI is called System Logs in the Web UI. For details on GUI and Web UI elements, see SEP sesam GUI and SEP sesam Web UI.
|Further restrictions of the GUI and Web UI display might depend on the custom roles with specific permissions and the UI mode. For the backup, restore and operator users the UI mode is set to Advanced automatically and cannot be changed by these users (only superuser or admin can change it). For more details, see Selecting UI mode in the GUI and UI mode in the Web UI.|
If you have problems logging in after updating to 5.0.0, see Troubleshooting Authentication.