Introduction to User Management
This topic explains Portworx Backup User Management, how it is useful to your enterprise, and how you can access it to define roles and assign them to users.
Overview
Portworx Backup User Management, or simply the User Management module, is a built-in feature in Portworx Backup. It allows you to control user access to certain resources by setting governance policies and managing permissions for the application owners on the platform. User Management is a role-based access control (RBAC) system that enables authorization for users or user groups through an existing OIDC authentication service such as Keycloak or Okta.
Portworx Backup allows mapping users or user groups to specific roles. These roles control actions and permissions that a user is allowed to perform. Administrators set the scope of access and allow users to share resources.
User Management allows administrators and application owners to manage access to the following resources:
- Cloud accounts
- Backup locations
- Schedule policies
- Rules
- Roles
Kubernetes administrators and application owners use User Management to configure backups and restores by providing a granular level of authorization to Portworx Backup resources. User Management supports different levels of authorization across multiple Portworx Backup deployments while retaining the same user management and authentication.
Portworx Backup is managed using Portworx Central, which provides OIDC integration. Portworx Backup User Management for clusters is controlled by Kubernetes access control. Administrators can add their clusters to Portworx Backup with the credentials or kubeconfig assigned to them. Portworx Backup inherits the permissions from Kubernetes and displays the resources that a user has permission to access.
Portworx Backup built-in roles
The Portworx Backup built-in roles match user personas managing the Kubernetes infrastructure and applications:
- Super administrator (px-backup-super.admin): this role in Portworx Backup introduces a centralized management capability for clusters, namespaces, backup resources, and other backup-related objects. This role is designed to provide unrestricted access to backup infrastructure, and overcomes the limitations of user-specific management. The super administrator or super admin role allows users to manage all objects created by any user within the Portworx Backup deployment, while adhering to specific restrictions to ensure operational integrity.
- Infrastructure administrator (px-backup-infra.admin): the infrastructure owner with administrator privileges for Portworx Backup resources such as cloud accounts, backup locations, schedules, and rules. Infrastructure administrators create custom rules, in addition to the built-in rules in Portworx Backup. Infrastructure owners or any user can create a shared resource pool to share backup locations, schedules, and backup rules with other users.
- Application administrator (px-backup-app.admin): application administrators can manage applications they own. Application administrators have privileges for schedules and rules, and can use existing cloud accounts.
- Application user (px-backup-app.user): the application users who can back up and restore applications, but cannot create a schedule policy or rules.
- Portworx Backup does not allow you to edit the default or built-in roles, but you can duplicate them.
- If a super administrator removes certain role permissions from a user, then the user is automatically assigned the updated permissions. Thereafter, Portworx Backup restricts any actions (for example, deleting) on the objects created by the user using the old permissions.
Access Portworx Backup User Management
Perform the following steps to access Portworx Backup User Management:
- Log in to the Portworx Backup web console using the infrastructure administrator credentials.
- From the home page, navigate to the bottom bar of the left navigation pane.
- Click the User Profile icon at the bottom and choose the Portworx Backup User Management option.
The Portworx Backup User Management includes:
- Role Mapping: displays all existing authorization provider users (commonly called OIDC users) when you integrate Portworx Backup with an external OIDC, along with any new users added by the infrastructure administrator using Portworx Backup Keycloak.
- Roles: displays the three built-in roles by default, along with any new roles added by the infrastructure administrator.