Advanced Permissions; Planning For Security - HP BB118BV - StorageWorks Data Protector Express Package User's Manual & Technical Reference

Data Protector Express User's Guide and Technical Reference (BB116-90089, September 2008)

another user's permissions to an object should be restricted and you cannot restrict it yourself, notify your
Data Protector Express administrator.

Advanced Permissions

In this chapter

• Planning for Security

• About administrator permissions
• Adding New Users and Groups
• Effective Permissions
• Permissions Reference
This section provides a detailed summary of the security used by Data Protector Express. If it is your
responsibility to manage the security of your Data Protector Express catalog and you are working with
sensitive data, this section can help you set up a complex security system that meets your particular
security needs.
Permissions control what actions a user is allowed to perform within a given Data Protector Express
management domain. Users can be given extensive or limited permissions, allowing the Data Protector
Express administrator to distribute backup duties to various users and groups. This allows for a flexible,
non-centralized backup system while providing the highest degree of security for the network.
Planning for Security
How your security is arranged depends on your unique security needs. Before setting up your security
system, consider the following questions:
Is more than one Data Protector Express management domain required?
Setting up separate Data Protector Express management domains can provide a high level of security. If your
security needs require that access to some data be strictly limited, setting up a separate catalog is often
the simplest way to achieve this.
Data cannot be shared between Storage Domains without using advanced procedures. Media from one
catalog must be imported into a new catalog before the data on it can be read or used. When it is
imported, Data Protector Express requires the media password, if set. If you assigned the media a
password when it was created, the media cannot be imported without that password.
If you do not assign the media a password, the media can be easily imported into any catalog. As a
result, the data is actually less secure when there are two or more catalogs than it would be with just
one catalog. If you are relying on multiple catalogs for security purposes, make sure that each created
media is assigned a password.
There may be, however, some limitations on the number of catalogs you can set up. In particular,
machines (file or application servers and PC desktops) can only be an object in one catalog. Similarly,
volumes can only belong to one Data Protector Express management domain. Files in one Data Protector
Express management domain cannot, without importing the media, be shared with catalog objects in
other Data Protector Express management domains.
Thus your ability to set up separate Data Protector Express management domains is limited by the number
of backup devices you have and their respective locations on separate machines. For example, to set
up two catalogs, you would require at least two separate PC desktops or file or application servers,
each with at least one backup device.
Should some users be prevented from accessing some data?
Multiple groups may share a single tape drive or backup device and thus are members of the same Data
Protector Express management domain.
However, there may be reasons to allow these groups to work with only their own data. For example,
an accounting group may share a common tape drive with a personnel group, although neither can
be allowed access to the files and directories of the other group.
The security needs of these situations can be addressed by carefully assigning permissions, particularly
to the machines, backup devices, media, volumes and directories.
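
The planning constraints described above (a machine belongs to one catalog only, every catalog needs its own backup device, and every media needs a password when separate catalogs are relied on for security) can be checked against a written plan before anything is configured. The following is an added example, not part of the HP manual: the plan layout, the names in it and the `audit_plan` function are hypothetical, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample plan (hypothetical layout, not a Data Protector Express export).
PLAN = {
    "accounting": {
        "machines": ["srv-acct", "pc-shared"],
        "devices": {"tape0": "srv-acct"},                 # device -> host machine
        "media": {"ACCT-001": True, "ACCT-002": False},   # media -> password set?
    },
    "personnel": {
        "machines": ["pc-shared", "pc-hr"],
        "devices": {},
        "media": {"HR-001": True},
    },
}


def audit_plan(plan):
    """Return a sorted list of (rule, subject) findings for a catalog plan."""
    findings = []
    owners = defaultdict(list)
    for catalog, cfg in plan.items():
        for machine in cfg["machines"]:
            owners[machine].append(catalog)
    # Rule 1: a machine can be an object in only one catalog.
    for machine, catalogs in owners.items():
        if len(catalogs) > 1:
            findings.append(("machine-in-multiple-catalogs", machine))
    for catalog, cfg in plan.items():
        # Rule 2: each catalog needs a backup device on one of its own machines.
        local = [d for d, host in cfg["devices"].items() if host in cfg["machines"]]
        if not local:
            findings.append(("catalog-without-backup-device", catalog))
        # Rule 3: with several catalogs, media without a password can be
        # imported into any of them, so separation no longer protects it.
        if len(plan) > 1:
            for media, has_password in cfg["media"].items():
                if not has_password:
                    findings.append(("media-without-password", media))
    return sorted(findings)


if __name__ == "__main__":
    for rule, subject in audit_plan(PLAN):
        print(f"{rule}: {subject}")
```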
