What Are User Roles?

• Roles are assigned to users per business unit and provide them permission to perform specific actions.
• Users can be assigned to one or more specific business units with a different role in each business unit.

When User Roles are set to specific Business Units, you can:

• Control which users can access backup data for services in a business unit.
• Reveal data only to the departments it is relevant to within your organization.
• Control which users can read and modify which service in a business unit.
• Allow Master Admins to manage your entire organization.

What Can Each Role Do?

Read-Only users can:

• View
• Export and download data
• Compare snapshots
• Submit Find jobs
• Preview Restore and Replicate jobs
• Preview Anonymization templates and jobs
• View Job History.
• Seeding - View seeding templates configuration and schema
• Seeding - View seeds activity, reports, and download log files
• Seeding - Export seeding template objects hierarchy
• Archive - Users can view the status and health of the Archive services in their Business Unit

Seeder can:

• Add, rename, archive and delete Sandbox services in their Business Unit
• Seeding - Seed Sandboxes/non-Prod instances using templates of non-production(services with “service contains production data” option unchecked) and/or data
• Preview Anonymization templates and jobs

Developers can:

• Add, rename, archive and delete Sandbox services in their Business Unit
• Submit Restore and Replicate jobs on Sandbox services
• Submit Anonymization jobs on Sandbox Services
• Seeding - Create, clone, edit and delete seeding templates of non-production and/or data
• Seeding - Seed Sandboxes/non-Prod instances using templates of non-production and/or data
• Seeding - Export and import seeding template objects hierarchy
• Preview anonymization templates and jobs
• Archive - Add, remove and edit services in their Business Unit
• Archive - Users will be able to import records from other services in their Business Unit

DevOps can:

• Add and rename Sandbox services in their Business Unit
• Submit Restore and Replicate jobs on Sandbox services
• Manage Anonymization templates and run anonymization jobs on sandbox services
• Seeding - Create, clone, edit and delete seeding templates
• Seeding - Seed Sandboxes/non-Prod instances using templates of data
• Seeding - Export and import seeding template objects hierarchy
• Archive - Add, remove and edit services in their Business Unit
• Archive - Users will be able to import records from other services in their Business Unit

Admins can:

• Add, rename, archive and delete services in the Business Unit they administer
• Submit all Jobs on Production and Sandbox services
• Access the Account Settings
• Add and remove users from Business Units they administer
• Manage users and their roles in the Business Unit they administer
• Manage services in the Business Unit they administer
• Seeding - Create, clone, edit and delete seeding templates
• Seeding - Seed Sandboxes/non-Prod using templates of data
• Seeding - Export and import seeding template objects hierarchy
• Manage Anonymization templates and run anonymization jobs on sandbox services
• Archive - Add, remove and edit services in their Business Unit
• Archive - Users will be able to import records from other services in their Business Unit

The account Auditing Reader can

• View Auditing Logs

The account Master Admin can:

• Do anything that an Admin can, but cannot be demoted or deleted by one
• Manage Advanced Key, IP Restrictions
• Manage the Account Settings
• Manage the Account Security Settings
• Seeding - Create, clone, edit and delete seeding templates
• Seeding - Seed Sandboxes/non-Prod instances using templates of data
• Seeding - Export and import seeding template objects hierarchy
• Manage Anonymization templates and run anonymization jobs on sandbox services
• Archive - Manage BYOK capabilities

Role-Based Access Control: Phase 1 Business Unit Example

Roles & Permissions

Model

Implications

• Backup Servers: There is no impact on the location of Backups and no data will be moved to another server instance because of this change.
• Single Sign-On: RBAC works with SSO (SAML). There is no change in the way you grant login access to each of the users in the system.
• API: The API respects new roles and Business Units. It’s recommended for the API to use an admin user to get full access to jobs and backups on the service of which they’re working.
• Cross-Region Accounts: At this time, we do not support cross-region accounts. If you need to manage two or more Production orgs hosted in different regions, you will have to have two separate Own accounts.
• Backup: In order to backup organizations on different data centers, you would need a separate Own Account.
• Account Setup: The Own Account setup is configured once for all Business Units (IP ranges, SSO, retention).
• Advanced Key Management (AKM): AKM can only be configured by a Master Admin.
• Auditing: There is no impact of reviewing all recent events. You can download the events as a CSV. 

• Endpoints: Endpoints can only be created by a Master Admin.

How to Create a New User in My Account

• Go to Account Setting> Users and click Add User.
• Input the email, choose the Business Unit, and select the role you wish to add the new user into.
• You can add the user to other Business Units with different roles from the Business Unit tab.

Click here to see a video demonstrating how you can create a new user account in Own.

How to Hide a Service Containing Production Data from Users

Services can be marked as ‘Containing Production Data’ in the Service Options Settings by Admins only.

Once marked, the user with the ‘Developer’ or 'Seeder' Role will not be able to view this service. All other user roles will be able to view it.

New services will be marked as ‘Containing Production Data’ by default for enhanced security. This flag can be removed by the service admin.

FAQs

Why is the Master Admin not showing in any of my Business Units?

Master Admin can access everything in your Own account. As such, they cannot be members of specific business units.

Why can’t a User see any Services?

Check that they are a member of at least one business unit, containing at least one service. If the user is a member of a business unit, the user may not see a service that is marked as containing production data if their role is ‘Developer’ or 'Seeder'.

Why can’t a User see a specific Service?

Check that they are included as a member of the business unit(s) containing the services you wish them to see. If the User is a member of a business unit, the user may not see a service that is marked as containing production data if his or her role is ‘Developer’.

Why Can’t I find a User when trying to add them to a Business Unit?

They may already be a member of this business unit, or the user does not exist in your Own account.

Why Can’t I see the ‘Account Settings’ page?

Only the Master Admin and Admins can access the "Account Settings" page. If a user is an Admin of at least one business unit, he will be able to access the "Account Settings” page.

Why Can’t I see the entire Job history?

Each user will only see the Job history for the services that the user is allowed to view the business units of which they are a member.

Why are Services missing in the dropdown when trying to Compare/Find/Replicate?

Each user will only see the services that they are allowed to view, under the business units of which they are a member. For example, a Developer user role will not see a service containing production data.