User Roles

    What Are User Roles?

    • Roles are assigned to users per Business Unit and give them permission to perform certain actions.
    • Users can be assigned to one or more specific Business Units with a different Role in each Business Unit.

    When User Roles are set to specific Business Units, you can:

    • Control which users can access backup data for Salesforce services in a Business Unit.
    • Reveal data only to the departments it is relevant to within your organization.
    • Control which users can read and modify which Salesforce Service in a Business Unit.
    • Allow Master Admins to manage your entire OwnBackup organization.

    What Can Each Role Do?

    Read-Only users can:

    • View Production and Sandbox services on the Business Units of which they are a member.
    • Export and download data.
    • Compare snapshots.
    • Submit Find jobs.
    • Preview Restore and Replicate jobs.
    • Preview Anonymization.
    • View Job History.
    • Enhanced Sandbox Seeding - View seeding templates configuration and schema
    • Enhanced Sandbox Seeding - View seeds activity, reporting and download log files
    • Enhanced Sandbox Seeding - Export seeding template objects hierarchy

    Seeder user can:

    • Add, rename, archive and delete Anonymized Sandbox services in their Business Unit
    • Enhanced Sandbox Seeding - Seed Sandboxes using templates of non-production and/or anonymized data
      * subject to un-checking 'Containing Production Data', see definitions below

    Developer user can:

    • Add, rename, archive, and delete Anonymized Sandbox Services in their Business Unit.
    • Submit Restore and Replicate on Anonymized Sandbox Services.
    • Submit Anonymization on Anonymized Sandbox Services.
      * subject to un-checking 'Containing Production Data', see definitions below
    • Enhanced Sandbox Seeding - Create, clone, edit and delete seeding templates of non-production and/or anonymized data
    • Enhanced Sandbox Seeding - Seed Sandboxes using templates of non-production and/or anonymized data
    • Enhanced Sandbox Seeding - Export and import seeding template objects hierarchy
    • Preview Anonymization templates and jobs

    DevOps user can:

    • Add, rename, archive and delete Sandbox Services in their Business Unit.
    • Submit Restore and Replicate on Sandbox Services.
    • Manage Anonymization templates and run anonymization jobs on sandbox services
    • Enhanced Sandbox Seeding - Create, clone, edit and delete seeding templates
    • Enhanced Sandbox Seeding - Seed Sandboxes using templates of data
    • Enhanced Sandbox Seeding - Export and import seeding template objects hierarchy

    Admins users can:

    • Manage any BU they administer.
    • Add, rename, archive, and delete services in the Business Unit they administer.
    • Submit all Jobs on Production and Sandbox services.
    • Access the Account Settings.
    • Manage users and their roles in the Business Unit they administer.
    • Manage services in the Business Unit they administer.

    The Account Master Admin can:

    • Do anything that an Admin can and cannot be demoted or deleted by one.
    • Manage the entire OwnBackup Platform with access to everything.
    • Manage Master Encryption Keys, IP restrictions.
    • Manager the Account Settings.
    • Manager the Account Security Settings.

    Role-Based Access Control: Phase 1 Business Unit Example

    Roles & Permissions

    Model

    Implications

    • Backup Servers - There is no impact on the location of Backups and no data will be moved to another server instance because of this change.
    • Single Sign-On - RBAC works with SSO (SAML). There is no change in the way you grant login access to each of the users in the system.
    • API – The API respects new roles and Business Units. It’s recommended for the API to use an admin user to get full access to jobs and backups on the service of which they’re working.
    • Cross-Region Accounts – At this time, we do not support cross-region accounts. If you need to manage two or more Production orgs hosted in different regions, you will have to have two separate OwnBackup accounts.
    • Backup - In order to backup organizations on different data centers, you would need a separate OwnBackup Account.
    • Account Setup - The OwnBackup Account setup is configured once for all Business Units (IP ranges, SSO, retention).
    • Advanced Key Management (AKM) – AKM can only be configured by a Master Admin.

    How to Create a New User in My Account

    • Go to Account Setting > Users and click Add User.
    • Input the email and choose the Business Unit and role you wish to add the new user into.
    • You can add the user to other Business Units with different roles from the Business Unit tab.

    Click hereto see a video demonstrating how you can create a new user account in OwnBackup.

     

    How to Hide a Service Containing Production Data from Users

    Services can be marked as ‘Containing Production Data’ in the Service Options Settings by Admins only.

    Once marked, the user with ‘Developer’ or 'Seeder' Role will not be able to view this service. All other user roles will be able to view it.

    New services will be marked as ‘Containing Production Data’ by default for enhanced security. This flag can be removed by the service admin.

    FAQ

    Why is the Master Admin not showing in any of my Business Units?

    Master Admin can access everything in your OwnBackup Account, as such, they cannot be members of specific Business Units.

    Why can’t a User see any Services?

    Check that they are a member of at least one Business Unit containing at least one Service. If the user is a member of a Business Unit, the user may not see a service that is marked as containing production data if their role is ‘Developer’ or 'Seeder'.

    Why can’t a User see a specific Service?

    Check that they are included as a member of the Business Unit(s) containing the Services you wish them to see. If the User is a member of a Business Unit, the user may not see a Service that is marked as containing production data if his or her role is ‘Developer’.

    Why Can’t I find a User when trying to add them to a Business Unit?

    They may already be a member of this Business Unit or the user does not exist in your OwnBackup Account.

    Why Can’t I see the ‘Account Settings’ page?

    Only the Master Admin and Admins can access the ‘Account Settings’ page. If a user is an Admin of at least one Business Unit, he will be able to access the ‘Account Settings” page.

    Why Can’t I see the entire Job history?

    Each user will only see the Job history for Services the user is allowed to view Business Units of which they are a member.

    Why are Services missing in the dropdown when trying to Compare/Find/Replicate?

    Each user will only see Services they are allowed to view under Business Units of which they are a member. For example, a Developer user role will not see a service containing production data.

     

    « Previous ArticleNext Article »


    Contact Us

    Sometimes you just want to talk to someone. Our Customer Support team is available by phone for urgent Production issues:

    Standard Plan: Monday – Friday: 9:00 AM – 6:00 PM Local Business Hours

    Premier Plan: 24/7