Source:Using Access Control Lists

From SEPsesam
Revision as of 14:11, 15 December 2021 by Sta (talk | contribs) (Removed draft)

Welcome to the latest SEP sesam documentation version 5.0.0 Jaglion. For previous documentation version(s), check Using ACLs in v. ≤ Beefalo V2.


Overview

Keep in mind that the ACLs configuration in SEP sesam is version specific. For previous documentation versions, see Using ACLs in v. ≤ Beefalo V2.

An access control list (ACL) is a list of permissions attached to an object (e.g., client, location, backup, etc.). An ACL specifies the conditions under which a particular user or group may perform an operation on that object.

SEP sesam 5.0.0 Jaglion provides enhanced authentication and authorization by only allowing users with superuser rights to configure ACLs. With ACLs, a superuser can configure permissions for any user or group with fine-grained access rights for locations, clients, backup tasks (or groups), media pools and schedules.

Before configuring ACLs, you need to activate authentication, configure the users, and specify their access rights. For details, see Configuring Database-Based Authentication.

Configuring permissions (ACLs)

In the SEP sesam GUI, you can configure ACLs for different objects, i.e., location, client, backup task, task group, media pool, and schedule. The object for which you want to configure ACLs must exist before you can add the relevant permissions in its properties (Permissions tab).
For details on how to configure SEP sesam objects (components), see: Configuring Location, Configuring Clients, Creating a Backup Task, Adding a Task to the Task Group, Creating a Schedule, or Configuring a Media Pool.

  1. Depending on the object for which you want to set ACLs (location, client, task, etc.), proceed as follows:
    • For location or client: From Main selection -> Components -> Topology, select the relevant location or a client (under the location) and double-click it (or click the Properties button). The Location/Client properties window appears.
    • For backup task or task group: From Main selection -> Tasks -> By Clients/By Groups, select the relevant backup task or a task group and double-click it (or click the Properties button). The Task/Task group properties window appears.
    • For media pool: From Main selection -> Components -> Media Pools, select the relevant media pool and double-click it (or click the Properties button). The Media pool properties window appears.
    • For schedule: From Main selection -> Scheduling -> Schedules, select the relevant schedule and double-click it (or click the Properties button). The Schedule properties window appears.
  2. Switch to the Permissions tab. (From now on, the procedure is the same for all objects.) Select a user or group for which you want to specify access rights.
    Tip: You can also add a new user/group by clicking Add and selecting a relevant user/group from the drop-down list.

    Click OK to add the user/group.

  3. Under the Permissions list, enable or disable access (in our example for a client) per user/group by selecting the Allow or Deny checkbox.
     Note
    • Only the superuser has full access to all objects and can grant or restrict access for other user types. The backup and restore users can only check object-related results if the ACL for this object is set.
    • ACLs can be set for the ADMIN, BACKUP, OPERATOR, and RESTORE groups. To ensure that your superuser(s) always have full access to all functionality, the following applies:
      • If database-based authentication is enabled, you cannot set an ACL for the superuser (the user superuser has access to all features).
      • In case of policy-based authentication, ACLs cannot be set for members of the SUPERUSER group (the SUPERUSER group has access to all features).
  4. Click OK to set up ACLs for the selected object (in our example for a client).

When the superuser configures ACLs, the list of ACL entries is saved in the SEP sesam database and takes effect immediately. This means that the new authorization settings (stored ACLs) are used for all further queries for the objects.

Note
Further restrictions of the GUI display might depend on the UI mode. For the backup, restore and operator users the UI mode is set to Advanced automatically and cannot be changed by these users (only superuser or admin can change it). For more details, see Selecting UI mode.