Administration Domains


The Domains page (Administration > Domains) lets you organize devices into separate domains and delegate their management to domain administrators.

Service providers typically use this feature to restrict the scope of administrators to a subset of network devices.

Domains are only available with an Enterprise license.

Restorepoint Domains

Access to administer Restorepoint domains is tightly controlled through the access permissions assigned to each user.

How Domains Work

Restorepoint has a concept of a global domain and domains specific to a customer or administrative group. This section explains the hierarchical nature of the elements controlled within a domain. As you can see in the diagram, control flows from the bottom elements to the top. For example, Rules are part of a Policy. A Policy is applicable to a Device, and so on. This is important to understand when configuring domain permissions, since domain permissions respect this hierarchy.

Restorepoint Domain Hierarchy example

Rules That Govern Domains

The following rules and examples are provided to give you context into how domains work. This is not something that requires user configuration.

Rule: If any entity can be assigned other domain-specific entities, then the entity cannot belong to more than one domain.

Example: If a user and a schedule are in Domain C, but a given command is in Domain A and the schedule is also in Domain A, then the user cannot see a schedule that contains the command belonging to Domain A. This prevents the user from seeing anything that doesn't belong to the Domain to which the user belongs.

Domain rule example one.

Rule: A relationship between non-global entities can only exist if they share a Domain.

Example: If a schedule belongs to Domain C, it cannot contain commands that belong to Domain A.

Domain rule example two.

Rule: If two entities share a Domain, a user cannot remove the shared Domain without breaking the relationship. However, a user can change the shared Domain to global.

Example: If a command is in a schedule and both share Domain A, a user cannot remove Domain A.

Domain rule example three.

Rule: If a resource is assigned to another, the relationship must be removed before deleting the resource.

Example: A user cannot delete a command that is assigned to a schedule.

Domain rule example four.

Rule: A non-global entity cannot be assigned to global entities.

Example: A non-global command cannot be assigned to a global schedule.

Domain rule example five.

Domain Permissions

The following rules apply when you need to consider user permissions as they apply to domains:

Domain Permission Rules

  • Rule 1: If a resource is assigned to a single domain, user permissions under that domain should be used to allow the user to view or modify the resource.
  • Example: Because User A in Domain A has both the Command View and Modify permissions under Domain A, the user can view and modify every command assigned to Domain A.
  • Domain permission example one.

  • Rule 2: If a resource is assigned to more than one domain, only users assigned to the global domain (or users with the permissions to modify that resource on the specified domains) can modify the resource if they have the permissions. Users within the same domain as the resource can view it if they have the correct permission assigned in that domain.
  • Example: "Command 123" has both Domain A and B. User A (from Domain A) has both the Command View and Modify permissions and is able to see "Command 123", but not modify it.
  • User B has Command View and Modify permissions under the Global domain, so they can both modify and view "Command 123".
  • Domain permission example two.

  • Rule 3: If a resource is assigned to the global domain, all users can see the resource, but only users with the Modify permission in the global domain can modify the resource.
  • Example: User A belongs to Domain A and can see the global "Command 123", but can’t modify it even if they have the Modify permission because they are in Domain A. However, User B has the Modify permission and is in the Global domain, so they can edit the global "Command 123".
  • Domain permission example three.
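
The three rules above, modeled as a small access check and run against the page's own User A, User B and "Command 123" scenarios. This is an added example, not Restorepoint code: the per-domain permission map, the `GLOBAL` marker and the function names are illustrative, and it assumes that permissions held in the global domain also apply to resources in any domain.

```python
# Added illustration of Domain Permission Rules 1-3; not Restorepoint code.
GLOBAL = "global"  # assumed marker for the global domain


def _has(user_perms, domain, perm):
    """True if the user holds `perm` ("view" or "modify") under `domain`."""
    return perm in user_perms.get(domain, set())


def can_view(user_perms, resource_domains):
    """user_perms: {domain: {"view", "modify"}}; resource_domains: set of domain names."""
    if GLOBAL in resource_domains:
        return True  # Rule 3: every user can see a global resource
    if _has(user_perms, GLOBAL, "view"):
        return True  # assumption: global-scope View covers every domain
    # Rules 1 and 2: View permission in a domain the resource belongs to
    return any(_has(user_perms, d, "view") for d in resource_domains)


def can_modify(user_perms, resource_domains):
    if _has(user_perms, GLOBAL, "modify"):
        return True  # Rules 2 and 3: Modify held in the global domain
    if GLOBAL in resource_domains:
        return False  # Rule 3: domain-level Modify never reaches a global resource
    # Rule 1 (single domain) and Rule 2's parenthetical: Modify is needed
    # on every domain the resource is assigned to; no domains means deny.
    return bool(resource_domains) and all(
        _has(user_perms, d, "modify") for d in resource_domains
    )


# Constructed sample data mirroring the examples on this page.
USER_A = {"Domain A": {"view", "modify"}}
USER_B = {GLOBAL: {"view", "modify"}}
SHARED_COMMAND = {"Domain A", "Domain B"}   # "Command 123" in Rule 2
GLOBAL_COMMAND = {GLOBAL}                   # "Command 123" in Rule 3

if __name__ == "__main__":
    for name, user in (("User A", USER_A), ("User B", USER_B)):
        for label, res in (("shared", SHARED_COMMAND), ("global", GLOBAL_COMMAND)):
            print(name, label, "view:", can_view(user, res),
                  "modify:", can_modify(user, res))
```
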

Managing Domains

The Domain Management page allows you to create, modify, and delete Administration Domains. This page is only displayed if you are logged in as a Global Administrator.

Click Administration > Domains on the menu to display the domain list:

Image of the Restorepoint Domains page

To add a new domain:

  1. Click Add Domain. The New Domain page appears:

    Image of the Restorepoint Add Domain page

  2. Complete the following details:

    • Name. Type a name for the domain, for example Customer Name, Business Unit, and so on.
    • Contact. (Optional) Type the name of the main contact for the domain.
    • Telephone. (Optional) Type a contact telephone number.
    • Email. (Optional) Type a contact email.
    • Address. (Optional) Type a customer or Business Unit address.
    • Notes. (Optional) Type any additional information.
  3. Click the Devices tab to use the device selector and add devices to the domain. Additionally, you can configure the following:

    • Max. devices: the maximum permitted number of devices that can be added to this domain.
    • One or more IP address ranges that are allowed for this domain.
    • A domain-wide NAT IP address, which overrides the system-wide setting. For more information, see Network Address Translation (NAT). This setting can be overridden by the device-specific setting.
    • The devices that are part of the new domain.
  4. Click the Branding tab (optional) to customize the image displayed in the top left-hand corner to a Domain Administrator. Click Choose File to locate a suitable image file on your PC. For best results, the logo should be exactly 100 pixels wide and up to 100 pixels tall, and no more than 40 KB in size.

    • Remove License Info. Hides the expiration date for users in this domain.
    • Remove Serial Number. Hides the appliance serial number for users in this domain.
    • Remove Help Menu. Disables access to help for users in this domain.
  5. Click the License tab (optional) to make the domain expire on a certain date. Click Enforce License to enable the function, and choose a date.

    • Disable Schedule. Stops all scheduled jobs for this domain when a defined date is reached.
    • Prevent User Login. Disables users of this domain from accessing the appliance when a defined date is reached.
  6. Click Save. The system returns to the domain list.

To edit an existing domain, click the name of the domain.

Administrator Roles

If Administration Domains are enabled, administrators have either a global or a domain scope:

  • Global Users. Have visibility of, and can operate on, all the devices on the system, regardless of the domain the devices are assigned to. Logs and status pages display information about all the devices defined on the system. Global users can also assign global credentials to a device that is assigned to a domain.
  • Domain Users. Users with at least one domain set. Their visibility is restricted to devices in their own domains. Logs and status pages only display information on the devices in the selected domains.

Restorepoint supports six built-in user roles:

  • Global Admin. A "Super User" that has full control over every aspect of the appliance:
    • create/modify/delete devices in any domain
    • create/modify/delete global and domain administrators
    • initiate backups and restores
    • change the appliance configuration
    • use an encryption password that allows Restorepoint to transition from the lock-down state to the normal state
  • Global Backup. Backup Operator; can perform backups/restores of devices in any domain, but cannot modify devices, users, or appliance configuration.
  • Global View Only. Monitor Operator; can only view existing backups and verify that the system is operating normally.
  • Domain Admin. Has full control of devices and users in their domain. Does not have visibility of devices in other domains, cannot modify the appliance configuration, or transition the appliance from lock-down state to normal state. Logs and status screens only display information related to the domain.
  • Domain Backup. Can perform backups and restores of devices in their domain.
  • Domain View Only. Can only view existing backups, access logs, and status information of devices in their domain.

You can also define custom user roles. For more information, see Custom User Roles.

You can use the Users page to add or delete administrators, or to modify their password, scope, or permissions.

Adding a New Domain User

To add a new domain user:

  1. Select Administration > Users from the menu. Restorepoint displays the User Management page.

  2. Click Add User. Restorepoint displays the New User page as shown:

  3. Complete the following fields:

    • Full Name. Type the full name of the user.
    • Username. Type the new username (up to 16 characters).
    • Password. Type the password for the new user (passwords must be between 8 and 24 characters long).
    • Role. Select the privilege level from the drop-down list. See Table 4 for the privileges associated with each admin level.
  4. Privileges                          View Only   Backup   Admin
     View devices/configurations         Y           Y        Y
     Run device operations               N           Y        Y
     Add users/devices; modify system    N           N        Y

    Table 4: Default Administrator privilege levels (simplified)

    Encryption Password

    This field appears if an Admin-level administrator is selected. The encryption password must be between 8 and 24 characters long and must be different from the administrator password.

    Domains

    Assign the user to one or more domains to restrict the user’s scope:

    Image of the Restorepoint Edit User page

  5. Click Update. The updated Users page appears:

Image of the Restorepoint User Management page

Editing Devices

If Administration Domains are enabled, you can use the Domain drop-down menu in the Edit Device modal to move a device from one domain to another.

Image of the Restorepoint Device Details page

The domain selector will only be displayed if you are logged on as a Global Administrator.