The Domains page (Administration > Domains) lets you organize devices into separate domains and delegate their management to domain administrators.
Service providers typically use this feature to restrict the scope of administrators to a subset of network devices.
Domains are only available with an Enterprise license.
Restorepoint Domains
Access to administer Restorepoint domains is tightly controlled through the access permissions assigned to each user.
How Domains Work
Restorepoint has a concept of a global domain and domains specific to a customer or administrative group. This section explains the hierarchical nature of the elements controlled within a domain. As you can see in the diagram, control flows from the bottom elements to the top. For example, Rules are part of a Policy. A Policy is applicable to a Device, and so on. This is important to understand when configuring domain permissions, since domain permissions respect this hierarchy.
Rules That Govern Domains
The following rules and examples are provided to give you context into how domains work. This is not something that requires user configuration.
Rule: If any entity can be assigned other domain-specific entities, then the entity cannot belong to more than one domain.
Example: If a user and a schedule are in Domain C, but a given command is in Domain A and the schedule is also in Domain A, then the user cannot see a schedule that contains the command belonging to Domain A. This prevents the user from seeing anything that doesn't belong to the Domain to which the user belongs.
Rule: A relationship between non-global entities can only exist if they share a Domain.
Example: If a schedule belongs to Domain C, it cannot contain commands that belong to Domain A.
Rule: If two entities share a Domain, a user cannot remove the shared Domain without breaking the relationship. However, a user can change the shared Domain to global.
Example: If a command is in a schedule and both share Domain A, a user cannot remove Domain A.
Rule: If a resource is assigned to another, the relationship must be removed before deleting the resource.
Example: A user cannot delete a command that is assigned to a schedule.
Rule: A non-global entity cannot be assigned to global entities.
Example: A non-global command cannot be assigned to a global schedule.
Domain Permissions
The following rules apply when you need to consider user permissions as they apply to domains:
Domain Permission Rules
- Rule 1: If a resource is assigned to a single domain, user permissions under that domain should be used to allow the user to view or modify the resource.
- Example: Because User A in Domain A has both the Command View and Modify permissions under Domain A, the user can view and modify every command assigned to Domain A.
- Rule 2: If a resource is assigned to more than one domain, only users assigned to the global domain (or users with the permissions to modify that resource on the specified domains) can modify the resource if they have the permissions. Users within the same domain as the resource can view it if they have the correct permission assigned in that domain.
- Example: "Command 123" has both Domain A and B. User A (from Domain A) has both the Command View and Modify permissions and is able to see "Command 123", but not modify it.
- User B has Command View and Modify permissions under the Global domain, so they can both modify and view "Command 123".
- Rule 3: If a resource is assigned to the global domain, all users can see the resource but only users with the Modify permission in global domain can modify the resource.
- Example: User A belongs to Domain A and can see the "global Command 123", but can’t modify it even if they have the Modify permission because they are in Domain A. However, User B has the Modify permission and is in the Global domain, so they can edit the global "Command 123".
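The three permission rules above, together with the relationship rules under Rules That Govern Domains, can be modelled as a small decision function. This is an added example, not Restorepoint's own code: the names (Resource, User, can_view, can_modify, can_assign and the "global" label) are assumptions, as are reading Rule 2's "specified domains" as every domain the resource is assigned to and letting global-domain permissions cover single-domain resources.

```python
from dataclasses import dataclass, field

GLOBAL = "global"  # assumed label for the global domain


@dataclass(frozen=True)
class Resource:
    name: str
    domains: frozenset  # {GLOBAL}, or one or more domain names

    def __post_init__(self):
        if not self.domains or (GLOBAL in self.domains and len(self.domains) > 1):
            raise ValueError(f"{self.name}: must be global or in >=1 domain, not both")


@dataclass
class User:
    name: str
    perms: dict = field(default_factory=dict)  # domain -> {"view", "modify"}

    def has(self, domain, perm):
        return perm in self.perms.get(domain, set())


def can_view(user, res):
    if GLOBAL in res.domains:  # Rule 3: every user sees global resources
        return True
    # Rules 1-2: View in a domain the resource is in; global View assumed to cover all
    return user.has(GLOBAL, "view") or any(user.has(d, "view") for d in res.domains)


def can_modify(user, res):
    if user.has(GLOBAL, "modify"):  # Rules 2-3 (assumed for Rule 1 too): global Modify suffices
        return True
    if GLOBAL in res.domains:  # Rule 3: domain-level Modify never reaches global resources
        return False
    # Rule 1 (one domain) and Rule 2 (several): Modify needed on every assigned domain
    return all(user.has(d, "modify") for d in res.domains)


def can_assign(child, parent):
    """Relationship rules, e.g. a command (child) placed in a schedule (parent)."""
    if GLOBAL in child.domains:  # assumed: global entities may be used anywhere
        return True
    if GLOBAL in parent.domains:  # a non-global entity cannot go into a global one
        return False
    return bool(child.domains & parent.domains)  # non-global pair must share a domain


# Constructed sample data mirroring the page's examples
user_a = User("User A", {"A": {"view", "modify"}})
user_b = User("User B", {GLOBAL: {"view", "modify"}})
cmd_multi = Resource("Command 123", frozenset({"A", "B"}))
cmd_global = Resource("global Command 123", frozenset({GLOBAL}))
```

Checking user_a against cmd_multi reproduces the Rule 2 example: the command is visible to User A but only User B, with global Modify, can change it.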
Managing Domains
The Domain Management page allows you to create, modify, and delete Administration Domains. This page is only displayed if you are logged in as a Global Administrator.
Click Administration > Domains on the menu to display the domain list:
To add a new domain:
- Complete the following details:
- Name. Type a name for the domain, for example Customer Name, Business Unit, and so on.
- Contact. (Optional) Type the name of the main contact for the domain.
- Telephone. (Optional) Type a contact telephone number.
- Email. (Optional) Type a contact email.
- Address. (Optional) Type a customer or Business Unit address.
- Notes. (Optional) Type any additional information.
- Click the tab to use the device selector and add devices to the domain. Additionally, you can configure the following:
- Max. devices: the maximum permitted number of devices that can be added to this domain.
- One or more IP address ranges that are allowed for this domain.
- A domain-wide NAT IP address, which overrides the system-wide setting. For more information, see Network Address Translation (NAT). This setting can be overridden by the device-specific setting.
- The devices that are part of the new domain.
- Click the tab (optional) to customize the top left-hand side corner image that will be displayed to a Domain Administrator. Click to locate a suitable image file on your PC. For best results, the logo should be exactly 100 pixels wide and up to 100 pixels tall, and no more than 40KB in size.
- Remove License Info. Hides the expiration date for users in this domain.
- Remove Serial Number. Hides the appliance serial number for users in this domain.
- Remove Help Menu. Disables access to help for users in this domain.
- Click the tab (optional) to restrict the domain to expire on a certain date. Click to enable the function, and choose a date.
- Disable Schedule. Stops all scheduled jobs for this domain when a defined date is reached.
- Prevent User Login. Disables users of this domain from accessing the appliance when a defined date is reached.
- Click Save. The system returns to the domain list.
To edit an existing domain, click the name of the domain.
Administrator Roles
If Administration Domains are enabled, administrators have either a global or a domain scope:
- Global Users. Have visibility and can operate on all the devices on the system, regardless of the domain the devices are assigned to. Logs and status pages display information about all the devices defined on the system. Global users can also assign global credentials to a device that is assigned to a domain.
- Domain Users. Users with at least one domain set. Their visibility is restricted to devices in their own domains. Logs and status pages only display information on the devices in the selected domains.
Restorepoint supports six built-in user roles:
- Global Admin. A "Super User" that has full control over any aspect of the appliance:
- create/modify/delete devices in any domain
- create/modify/delete global and domain administrators
- initiate backups and restores
- change the appliance configuration
- has an encryption password that allows Restorepoint to transition from the lock-down state to the normal state
- Global Backup. Backup Operator; can perform backups/restores of devices in any domain, but cannot modify devices, users, or appliance configuration.
- Global View Only. Monitor Operator; can only view existing backups and verify that the system is operating normally.
- Domain Admin. Has full control of devices and users in their domain. Does not have visibility of devices in other domains, cannot modify the appliance configuration, or transition the appliance from lock-down state to normal state. Logs and status screens only display information related to the domain.
- Domain Backup. Can perform backups and restores of devices in their domain.
- Domain View Only. Can only view existing backups, access logs, and status information of devices in their domain.
You can also define custom user roles. For more information, see Custom User Roles.
You can use the Users page to add or delete administrators, or to modify their password, scope, or permissions.
Adding a New Domain User
To add a new domain user:
- Select Administration > Users from the menu. Restorepoint displays the User Management page.
- Click Add User. Restorepoint displays the New User page as shown:
- Complete the following fields:
- Full Name. Type the full name of the user.
- Username. Type the new username (up to 16 characters).
- Password. Type the password for the new user (passwords must be between 8 and 24 characters long).
- Role. Select the privilege level from the drop-down list. See for the privileges associated with each admin level.
- Click Update. The updated Users page appears:
Privileges | View Only | Backup | Admin
View devices/configurations | Y | Y | Y
Run device operations | N | Y | Y
Add users/devices; modify system | N | N | Y
Table 4: Default Administrator privilege levels (simplified)
Encryption Password | This field appears if an Admin-level administrator is selected. The encryption password must be between 8 and 24 characters long and must be different from the administrator password.
Domains | Assign the user to one or more domains to restrict the user’s scope:
Editing Devices
If Administration Domains are enabled, you can use the Domain drop-down menu in the Edit Device modal to move a device from one domain to another.
The domain selector will only be displayed if you are logged on as a Global Administrator.