This topic describes Portworx Backup Security, how it is useful to your enterprise, and how you can access it to define roles and assign roles to users.
Portworx Backup Security is a built-in feature in Portworx Backup. Portworx Backup Security allows you to control user access to certain resources by setting governance policies and managing permissions for the application owners on the platform. Portworx Backup Security is a role-based access control (RBAC) system that enables authorization for users or user groups through an existing OIDC authentication service such as Keycloak and Okta.
Portworx Backup allows mapping users or user groups to specific roles. These roles control actions and permissions that a user is allowed to perform. Administrators set the scope of access and allow users to share resources.
Portworx Backup Security allows administrators and application owners to manage access to the following resources:
- Cloud Accounts
- Backup Locations
- Schedule policies
Kubernetes administrators and application owners use Portworx Backup Security to configure backups and restores, because it provides granular authorization to Portworx Backup resources. Portworx Backup Security supports different levels of authorization across multiple Portworx Backup deployments while retaining the same user management and authentication.
Portworx Backup is managed using Portworx Central, which provides OIDC integration. Portworx Backup Security for clusters is controlled by Kubernetes access control. Administrators can add their clusters in Portworx Backup with the credentials or kubeconfig assigned to them. Portworx Backup inherits the permissions from Kubernetes and displays only the resources that a user has permission to access.
Portworx Backup built-in roles
The Portworx Backup built-in roles match user personas managing the Kubernetes infrastructure and applications:
Infrastructure administrator (px-backup.infra.admin): The infrastructure owner with administrator privileges for Portworx Backup resources such as cloud accounts, backup locations, schedules, and rules. Infrastructure administrators create custom rules, in addition to the built-in rules in Portworx Backup. Infrastructure owners or any user can create a shared resource pool to share backup locations, schedules, and backup rules with other users.
Application administrator (px-backup.app.admin): Application administrators can manage applications they own. Application administrators have privileges for schedules and rules, and can use existing cloud accounts.
Application user (px-backup.app.user): The application users who can back up and restore applications, but cannot create a schedule policy or rules.
Portworx Backup does not allow editing the built-in roles, but you can duplicate them.
If an infrastructure administrator removes certain role permissions from a user, the user is automatically assigned the updated permissions. Thereafter, Portworx Backup restricts any actions (for example, deleting) on the objects the user created using the old permissions.
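The following is an added illustrative model of the three built-in roles and the "old permissions" rule above; it is example code, not Portworx's implementation. The capability names (such as `schedule:create`), the `ManagedObject` and `User` types, and the reading that an object stays deletable only while its creator still holds the capability it was created with are assumptions made for this example.

```python
"""Illustrative model of Portworx Backup Security's built-in roles.

Added example, not Portworx code. Capability sets follow the role
descriptions on this page; the handling of objects created under
permissions a user has since lost is an assumed reading of that rule.
"""
from dataclasses import dataclass

# Capabilities each built-in role grants (capability names are assumed).
BUILTIN_ROLES = {
    "px-backup.infra.admin": {
        "cloud_account:create", "backup_location:create",
        "schedule:create", "rule:create", "backup:run", "restore:run",
    },
    "px-backup.app.admin": {
        "cloud_account:use", "schedule:create", "rule:create",
        "backup:run", "restore:run",
    },
    "px-backup.app.user": {"backup:run", "restore:run"},
}

@dataclass
class ManagedObject:
    kind: str
    owner: str
    created_with: str   # capability the creator held when creating it

@dataclass
class User:
    name: str
    role: str           # one of the BUILTIN_ROLES keys

def permissions(role):
    """Capabilities for a role; unknown roles get nothing (deny by default)."""
    return BUILTIN_ROLES.get(role, set())

def can(user, capability):
    return capability in permissions(user.role)

def create(user, kind):
    """Create an object only if the user's current role allows it."""
    cap = f"{kind}:create"
    if not can(user, cap):
        return None
    return ManagedObject(kind=kind, owner=user.name, created_with=cap)

def can_delete(user, obj):
    """Assumed rule: the owner may delete only while still holding the
    capability the object was created with, so a downgraded role loses it."""
    return obj.owner == user.name and can(user, obj.created_with)
```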
Access Portworx Backup Security
Perform the following steps to access Portworx Backup Security:
Log in to Portworx Backup using the infrastructure administrator credentials.
Select the Portworx Backup Security option from the profile menu in the lower left corner of the Portworx Backup page.
The Portworx Backup Security page includes:
- Role Mapping: Displays all existing OIDC users (when you integrate Portworx Backup with an external OIDC), and new users added by the infrastructure administrator using Portworx Backup Keycloak.
- Roles: Displays the three built-in roles, by default, and new roles added by the infrastructure administrator.