Super Administrator in Portworx Backup

Applicable to both Classic and Federated modes

A Super Administrator (super admin) in Portworx Backup is a role (not a user) with extensive privileges designed to provide unified control over all backup-related resources within a Portworx Backup deployment. This role is similar to a super-user in other systems, and grants the ability to manage clusters, Namespaces, cloud accounts, backups, restores, and more, regardless of who created them. There can be more than one user with a super admin role based on organizational needs.

The super admin has visibility and full access to the following Portworx Backup resources within the deployment. This includes resources created by other users, even those with administrative roles like infra admin (Infrastructure Administrator) or, in Classic mode, app admin (Application Administrator):

• Clusters
• Namespaces
• Virtual Machines
• Cloud accounts (Classic mode only)
• Backup locations
• Schedule policies
• Schedules
• Backup rules
• Backups
• Restores

A super admin can perform the following tasks:

• Can share all Portworx Backup (RBAC and non-RBAC) resources with any user, regardless of their role, even if the super admin is not the owner of those resources. Exception: super admins can only share backups that they personally created.
• Can share only self-owned backups while sharing all backups of a cluster (with Share Cluster backups option).
• Invite other users to any RBAC role or revoke access for those roles including the super admin role.
• View and manage all clusters added in a Portworx Backup deployment. This includes clusters added by themselves, other super admins and users with any other role in Portworx Backup.
• View and manage the backups, schedules, and restores of namespaces and VMs of all the clusters in the Portworx Backup deployment.
• View, edit, remove, and manage all common backup resources, both RBAC and non-RBAC (cloud accounts, backup locations, schedules, rules, schedule policies, backups, restores) owned by any user belonging to any role.
• View ownership details of both RBAC and non-RBAC Portworx Backup resources.
• Can differentiate between two clusters with the same name using their metadata from the Portworx Backup web console.

The super admin role provides the highest level of access in the Portworx Backup environment, and grants the ability to manage resources globally, while still adhering to certain operational restrictions to prevent conflicts and maintain ownership integrity across users. The following are a few such restrictions:

• Cannot delete or unshare clusters (revoke access from shared clusters) if backup schedules exist on that cluster. To delete or unshare a cluster, all associated backup schedules should be deleted.
• Can view and update the kubeconfig for clusters they own. For clusters owned by other users, super admins cannot edit the existing kubeconfig in place, but can replace it entirely with a new kubeconfig file.
• Cannot delete a backup location if other users have created backups using that backup location.
• Cannot share backups they do not own. Super admins can only share the backups that they have created, regardless of the associated cluster.
• Cannot override basic role assignment rules for the existing Portworx Backup roles.

Super admin role across operational modes

The super admin role is available in both Classic and Federated modes. However, the scope of managed resources and the set of built-in roles present in the deployment differ between modes:

Capability	Classic mode	Federated mode
Manage cloud accounts	Yes. The cloud credentials are stored centrally; super admin can view, edit, and delete all cloud accounts.	No. The cloud accounts are not used; each application cluster authenticates directly to the backup location using Workload Identity.
Manage backup locations	Yes	Yes
Manage clusters	Yes	Yes
Manage schedules and backups	Yes	Yes
Manage virtual machines	Yes	No. The KubeVirt virtual machine backup is not supported in Federated mode.
Initiate Cluster Discovery and automated onboarding	No	Yes. Super admin can trigger Cluster Discovery to automatically discover and onboard Gardener shoot clusters into Portworx Backup without manual kubeconfig registration.
Oversee app admin role	Yes. A super admin oversees all four built-in roles: super admin, infra admin, app admin, and app user	No. The px-backup-app.admin is not available in Federated mode; super admin oversees three roles: super admin, infra admin, and app user.
Invite users and manage role assignments	Yes. Super admin can invite users and assign roles for all four built-in roles	Yes. Super admin can invite users and assign roles for three built-in roles. The px-backup-app.admin cannot be assigned.

note

In Federated mode, the px-backup-app.admin role is not available. Users who are assigned the app admin role in Classic mode should be assigned the infra admin or app user role instead, depending on their required access level. For more information, see Add Portworx Backup Roles.

Assign super admin role to a user

note

You must be logged in with an account that already has the super admin role to assign the super admin role to another user.

To assign super admin role to a user, perform the following tasks:

1. Access the Portworx Backup web console and log in with your super admin credentials.

2. From the home page, go to the left navigation pane.

3. At the bottom of the left navigation pane, click User Profile and select User Management.

4. Choose the user to whom you want to assign the super admin role, click the vertical ellipsis at the end of the user row, and select Manage Roles.

5. In the Manage Roles window, click the Roles field and select px-backup-super-admin.

   

6. Click Save.

This user now has the Portworx Backup super admin role.

note

• In the Cloud settings page of the Portworx Backup web console, the OWNER column shows Unknown (user_ID) if a user has been deleted from Keycloak.
• When you revoke the super admin role of a user, their access to resources they do not own is revoked. However, backup schedules remain active and the revoked super admin continues to own scheduled backups (with full access) from such backup schedules. Take appropriate action to suspend or remove those schedules.

Assign super admin role to a group

To assign super admin role to a group:

1. Access the Portworx Backup web console and log in with your credentials.

2. From the home page, go to the left navigation pane.

3. At the bottom of the left navigation pane, click User Profile and select User Management.

4. In the User Management tab, navigate to User > Groups, choose the group to which you want to assign the super admin role, click the vertical ellipsis at the end of the group row, and select Manage Roles.

5. In the Manage Roles window, click the Roles field and select px-backup-super-admin.

   

6. Click Save.

This group now has the Portworx Backup super admin role.

Related topics

• Role matrix
• Revoke access