I’ve been doing some work with Rubrik in our lab and thought it worth covering some of the basic features that I think are pretty neat. In this edition of Rubrik Basics, I thought I’d quickly cover off how to get started with the Role Based Access Control (RBAC) feature.
The concept of RBAC is not a new one. It is, however, one of the first things that companies with more than one staff member ask for when they have to manage infrastructure. Rubrik uses the concept of Roles to deliver particular access to their environment. The available roles are as follows:
- Administrator role – Full access to all Rubrik operations on all objects;
- End User role – For assigned objects: browse snapshots, recover files and Live Mount; and
- No Access role – Cannot log in to the Rubrik UI and cannot make REST API calls.
The End User role has a set of privileges that align with the requirements of a backup operator role.
|Download data from backups||Data download only from assigned object types:
|Live Mount or Export virtual machine snapshot||Live Mount or Export a snapshot only from specified virtual machines and only to specified target locations.|
|Export data from backups||Export data only from specified source objects.|
|Restore data over source||Write data from backups to the source location, overwriting existing data, only for assigned objects, and only when ‘Allow overwrite of original’ is enabled for the user account or group account.|
The good news is that Rubrik supports local authentication as well as Active Directory. You can then tie these roles to particular groups within your organisation. You can have more than one domain that you use for authentication, but I’ll cover that in a future post on multi-tenancy.
I don’t believe that the ability to create custom roles is present (at least in the UI). I’m happy for people from Rubrik to correct me if I’ve gotten that wrong.
Configuring access to the Rubrik environment for users is fairly straightforward. In this example I’ll be giving my domain account access to the Brik as an administrator. To get started, click on the Gear icon in the UI and select Users (under Access Management).
I don’t know who Grant Authorization is in real life, but he’s the guy who can help you out here (my dad jokes are both woeful and plentiful – just ask my children).
In this example I’m granting access to a domain user.
This example also assumes that you’ve added the domain to the appliance in the first place (and note that you can add multiple domains). In the dropdown box, select the domain the user resides in.
You can then search for a name. In this example, the user I’m searching for is danf. Makes sense, if you think about it.
Select the user account and click on Continue.
By default users are assigned No Access. If you have one of these accounts, the UI will let you enter a username and password and then kick you back to the login screen.
If I assign the user the End User role, I can assign access to various objects in the environment. Note that I can also provide access to overwrite original files if required. This is disabled by default.
In this example, however, I’m providing my domain account with full access via the Administrator role. Click on Assign to continue.
I can now log in to the Rubrik UI with my domain user account and do things.
And that’s it. In a future post I’ll be looking in to multi-tenancy and fun things you can do with organisations and multiple access levels.
It’s been too long since I wrote up a how-to article. But this one came from a really interesting problem. My colleagues were recently faced with an issue at a site where the customer wanted to upgrade from vSphere 5.1 to 5.5. Which was fine, but they’d forgotten / misplaced / couldn’t remember the SSO master password. So I’ve added a brief article covering the steps involved in getting it sorted out. Full credit to Michael, Vincent and our Partner SE Charles for piecing together the steps. I’m really just the messenger.
While you’re there, have a look through my other articles. While dated, some are still useful.
I’ve added a brief article covering the steps involved in installing the Cisco Prime DCNM in standalone mode – used for management and maintenance of Cisco fabrics. I had to re-install this software after a workstation replacement and thought it might be useful to document the steps required.