8.3.3 Limited User


A limited user can back up and restore only certain systems and cannot perform any UPSTREAM administrative functions.  A limited UPSTREAM user cannot:

  • Create or delete unauthorized backup profiles, or even see them.
  • Perform a backup without using a profile they have rights to (no global).
  • Restore or even see data from other profiles, including vaulted copies.
  • Delete registry entries.

You may choose to use pre-existing user accounts for your UPSTREAM users, or you can create new accounts.  The choice usually depends on your environment; if your Reservoir system has security in place, most administrators will use the existing security.  If you do not have an in-place Windows security system, most administrators will create a security system specifically for UPSTREAM.

If you’re using an existing security system, it’s possible that these accounts already have some rights to the UPSTREAM directory and its child objects. If so, you'll need to explicitly deny access at the UPSTREAM directory level, and then add full control at the backup profile level for the profiles they are responsible for.

For Windows, regardless of which method you use, it is most secure not to allow limited users the right to log on locally at all.  If the user account belongs to a group that can log on locally, then you'll need to set the deny logon locally privilege (setting privileges is discussed above) to restrict the user or group from doing so.

The most secure way to create limited UPSTREAM users is to create new user accounts that are not part of any pre-existing groups, as they will not have any inherited rights. You can then give them only enough credentials to do their job.

In Windows, to define a Limited UPSTREAM user, give users Full Control on the backup profile directories, and no access at all on all other directories in the Reservoir path. 

To do this, you’ll need to understand the directory structure of the UPSTREAM Reservoir system. If you accept the default install location, it looks like this:

<work path>\Backups\<backup profile name>. There will be one directory for each backup profile in the system.

The key to defining a limited user is to disallow, by default, all users (except UPSTREAM full users described below) access to all files in the <work path>\Backups directory and all of its subdirectories, and then to specifically enable access to the <work path>\Backups\<backup profile name> directories for the backup profiles you wish the user to be able to access.

It’s the <backup profile name> directory on which you give the user ‘full control’. If you want a user to work with more than one profile, you’ll need to give him ‘full control’ for each directory.

For example, to make the user Bob a limited user and then grant him backup and restore access to the BOBXP backup profile, open Windows Explorer, highlight the <work path>\BACKUPS\BOBXP directory (you can create it if it’s not already there), right click on the directory, select Properties and press the Security tab. Select the user to whom you wish to grant permissions:


[Image: image2021-4-27_13-35-15.png]

Highlight the user or group and press the OK button.

Highlight the user and select the Allow checkboxes for the options you wish to grant the user or group.  In the example below, we will grant the user Bob both backup and restore access.

[Image: image2021-4-27_13-36-1.png]

To allow backups but deny restores and inquiries, allow the user or group read access and deny write access to the backup profile directory.
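
The same permission layout can be scripted and then checked. The following PowerShell is an added example, not part of the product documentation; the work path D:\UPSTREAM, the account RESERVOIR\Bob and all parameter and function names are assumptions. It applies the explicit deny at the Backups level (the case described above for pre-existing accounts), grants Full Control on each listed profile directory, and reports any profile directory whose explicit grant does not match the list.

```powershell
# Added example. $WorkPath, $User and $Profiles are assumed values for illustration.
param(
    [string]  $WorkPath = 'D:\UPSTREAM',     # stands in for <work path>
    [string]  $User     = 'RESERVOIR\Bob',   # hypothetical limited-user account
    [string[]]$Profiles = @('BOBXP')         # profiles this user may back up and restore
)
$ErrorActionPreference = 'Stop'
$backups = Join-Path $WorkPath 'Backups'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None

function Add-UserRule {
    param([string]$Path, [System.Security.AccessControl.AccessControlType]$Type)
    # One FullControl ACE (Allow or Deny) for $User that applies to
    # this folder, its subfolders and its files.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $User, 'FullControl', $inherit, $none, $Type)
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# 1. Deny by default at the Backups level. Every profile directory inherits this.
Add-UserRule -Path $backups -Type Deny

# 2. Explicit Allow on each permitted profile directory. Windows evaluates a
#    directory's explicit ACEs before inherited ones, so this Allow takes
#    effect despite the Deny inherited from Backups.
foreach ($name in $Profiles) {
    $dir = Join-Path $backups $name
    if (-not (Test-Path -LiteralPath $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }
    Add-UserRule -Path $dir -Type Allow
}

# 3. Audit: output only the profile directories where the explicit Allow for
#    $User does not match the intended list (no output means no drift).
Get-ChildItem -LiteralPath $backups -Directory | ForEach-Object {
    $dir   = $_
    $allow = (Get-Acl -LiteralPath $dir.FullName).Access | Where-Object {
        $_.IdentityReference.Value -eq $User -and
        $_.AccessControlType -eq 'Allow' -and -not $_.IsInherited }
    [pscustomobject]@{
        Profile  = $dir.Name
        Expected = $Profiles -contains $dir.Name
        Granted  = [bool]$allow
    }
} | Where-Object { $_.Expected -ne $_.Granted }
```

Run it from an elevated session. The audit step matches ACEs by account name only, so access the account receives through group membership still has to be reviewed separately.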


 
