18 User Management

N2WS is built for a multi-user environment. At the configuration stage, you define a user that is the root user. The root user can create additional users, depending on the edition of N2WS you are subscribed to. Additional users are helpful if you are a managed service provider who needs to manage multiple customers from one N2WS server, or if you have different users or departments in your organization, each managing their own AWS resources. For instance, you may have a QA department, a Development department, and an IT department, each with their own AWS accounts. To manage users, select Server Settings > Users.

The following are the types of users you can define. Delegate users are defined after users are created.

  • Independent

  • Managed

18.1 Independent Users

Independent users are completely separate users. The root user can create such a user, reset its password, and delete it with all its data, but it does not manage this user’s policies and resources. Independent users can:

  • Log in to N2WS

  • Create their own accounts

  • Manage their backup

  • Manage policies and resources of managed users that were assigned to them

Independent users can have Managed users assigned to them by the root/admin in the Users management screen. An Independent user can log on, manage the backup environment of their assigned Managed users, and receive alerts and notifications on their behalf.

18.2 Managed Users

Managed Users are users who can log on and manage their backup environment, or the root/admin user or independent user can do it for them. The root user can perform all operations for managed users: add, remove and edit accounts, manage backup policies, view backups, and perform recovery. Furthermore, the root user, or independent user, can receive alerts and notifications on behalf of managed users. The root/admin user can also configure notifications for any managed user, and independent users can configure notifications for their managed users (section 17.3.1). To create a managed user, select New and choose Managed as the User Type. If the root user does not want managed users to log in at all, they should not receive any credentials.

Managed users may be managed by Independent users. See section 18.1.

18.3 User definitions

When editing a user, the root user can modify email, password, type of user, and resource limitations.

The user name cannot be modified once a user is created.

Users who are created in N2WS via IdP integration (section 19) cannot be edited, only deleted.

To define a user:

  1. If you are the root or admin user, in the toolbar, select Server Settings.

  2. In the left panel, select the Users tab. The Users screen opens.

  3. Select New.

  4. In the User name, Email, and Password boxes, type the relevant information.

  5. Select the User Type option. For Independent and Managed type details, see sections 18.1 and 18.2.

  6. If the user can recover at the file level, select Allow File Level Recovery.

  7. To enable Cost Explorer calculations:

    1. Verify that Cost Explorer is enabled for CPM. See section 25.

    2. Select Allow Cost Explorer. The default is to deny the calculations.

    3. In AWS, allow the CPM Cost Explorer feature. See section 225.1.15.1.1.

    4. For information about Cost Explorer, see section 25.

  8. In the Max Number of Accounts, Max Number of Instances, Max Non-instance EBS (GiB), Max RDS (GiB), Max Redshift Clusters, Max DynamoDB Tables (GiB), and Max Controlled Entities boxes, select the value for the respective resource limitation from its list.

    1. The value for Max Controlled Entities is the maximum number of allowed instances and RDS database resources.

If you leave the resource limitation fields empty, there is no limitation on resources, except the system level limitations that are derived from the licensed N2WS edition used.

18.4 Delegates

Delegates are a special kind of user, which is managed via a separate screen. Delegates are similar to IAM users in AWS:

  • They have credentials used to log on and access another user’s environment.

  • The access is given with specific permissions. By default, if no permissions are allowed, the delegate will only have permissions to view the settings and environment and to monitor backups.

  • Allowing all permissions will allow the non-root delegate the permissions of the original user except for notification settings.

Using IAM User credentials is not recommended as they are less secure than using IAM roles.

For each user, whether it is the root user, an independent user, or a managed user, the Manage Delegates command in the Users list screen opens the Delegates screen for that user. Selecting an existing entry in the Delegates column also opens the Delegates screen for that user.

You can add as many delegates as needed for each user and also edit any delegate’s settings.

To add a delegate:

Once a user is defined as a delegate, the name cannot be changed.

  1. Select a user.

  2. Select Manage Delegates and then select New.

  3. In the Delegate Name box, type the name of the new delegate.

  4. Enter a valid Email and set the Password.

  5. Permissions are denied by default. To allow permissions, select the relevant ones for this delegate:

  • Perform Recovery – Can perform recovery operations.

  • Change Accounts – Can add and remove AWS accounts as well as edit accounts and modify credentials.

  • Change Backup – Can change policies: adding, removing, and editing policies and schedules, as well as adding and removing backup targets.

  • Change Settings and S3 Repositories – Root delegates can change Notifications, Users and General Settings, and S3 Repositories.

By default, the delegate will only have permissions to view the settings and environment and to monitor backups.

Allowing all permissions will grant the non-root delegate the permissions of the original user except for notification settings.

When in Edit mode, the root user can reset passwords for delegates.

18.5 Usage Reports

The root user can also use the user management screen to download CSV usage reports for each user, which can be used for accounting and billing. The usage report states how many accounts the user is managing and, for each account, how many instances and how much non-instance storage are backed up.

Reporting is now available for daily tracking of resources that were configured as a backup target on each policy. The Reports tab contains two levels of detail for Usage Reports. Users can download the following Usage Reports, both of which are filterable by user and time frame. The report can be created as a Scheduled Report or for Immediate Report Generation. In each case, select Detailed for usage per account or Anonymized for aggregated account usage per user. See sections 17.8 and 17.10.2.

Data saved to the reports is compliant with the EU’s General Data Protection Regulation (GDPR).

18.6 Audit Reports

N2WS will record every operation initiated by users and delegates. This is important when the admin needs to track who performed an operation and when. By default, audit logs are kept for 30 days. The root user can:

  • Modify the audit log retention value in the Cleanup tab of the General Settings screen. See section 9.4.

  • Download audit reports for specific users or delegates. See section 17.10.

Included in the audit reports are:

  • A timestamp

  • The event type

  • A description of the exact operation

  • In the report of all users, the user with delegate information, if any
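An added example, not N2WS code and not part of the original guide: a Python review of a downloaded audit report that lists sensitive operations performed through delegates and the records that will soon age out of the 30-day retention window. The CSV column names, event-type values and user names are constructed for illustration; map them to the report you actually download.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample rows. Column names, event types and user names are
# assumptions for illustration, not the layout of a real N2WS audit report.
SAMPLE_AUDIT_CSV = """timestamp,event_type,description,user,delegate
2024-04-15T08:00:00,policy_edit,Edited policy weekly-dev,dev_admin,
2024-05-01T09:12:00,login,User logged in,qa_admin,
2024-05-01T09:15:00,policy_edit,Edited policy nightly-qa,qa_admin,
2024-05-02T23:41:00,account_edit,Modified account credentials,qa_admin,ops_delegate
2024-05-02T23:44:00,recovery,Recovered instance from backup,qa_admin,ops_delegate
2024-05-03T10:02:00,login,User logged in,dev_admin,
"""

# Assumed event types for the Change Accounts and Perform Recovery permissions.
SENSITIVE_EVENTS = {"account_edit", "recovery"}

def load_events(text):
    """Parse the CSV and resolve the acting identity (delegate if present)."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        row["actor"] = row["delegate"] or row["user"]
        events.append(row)
    return events

def delegate_sensitive_ops(events):
    """Sensitive operations carried out through a delegate, oldest first."""
    hits = [e for e in events if e["delegate"] and e["event_type"] in SENSITIVE_EVENTS]
    return sorted(hits, key=lambda e: e["timestamp"])

def expiring_records(events, now, retention_days=30, warn_days=7):
    """Records that age out of the retention window within warn_days."""
    threshold = now - timedelta(days=retention_days - warn_days)
    return [e for e in events if e["timestamp"] <= threshold]

def activity_by_actor(events):
    """Operation count per acting identity."""
    return Counter(e["actor"] for e in events)

if __name__ == "__main__":
    evs = load_events(SAMPLE_AUDIT_CSV)
    for e in delegate_sensitive_ops(evs):
        print(e["timestamp"], e["delegate"], "acting for", e["user"], e["event_type"])
    print(len(expiring_records(evs, datetime(2024, 5, 10))), "record(s) near retention expiry")
    print(dict(activity_by_actor(evs)))
```

Archive the records returned by `expiring_records` before cleanup removes them if your investigations need a longer history than the configured retention.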

18.7 Configuring for SES

Amazon Simple Email Service (SES) is a cloud-based email sending service that N2WS uses to effortlessly distribute reports. The AWS SES parameters are configured in Server Settings > General Settings.

Currently, the only regions that are available for the SES service are Asia Pacific (Mumbai), Asia Pacific (Sydney), EU (Frankfurt), EU (Ireland), US East (N. Virginia), US West (Oregon).

To allow N2WS to configure the AWS SES parameters:

  1. In the toolbar, select Server Settings > General Settings.

  2. Select the Simple Email Service tab.

  3. Select Enable SES Configuration.

  4. Complete the parameters. When finished, select Save to confirm the parameters.

  • Sender Email Address – The ‘From’ e-mail address.

  • Verify Email Address – Select to verify address.

  • SES Region – Select the region for the SES service.

  • Authentication Method – Select a method and supply additional information if prompted:

    • IAM User Credentials – Enter AWS Access Key ID and Secret Access Key.

    • CPM Instance IAM Role – Additional information is not needed.

    • Account – In the Account list, select one of the CPM accounts defined in the Accounts tab.

Amazon will respond with an Email Address Verification Request for the region to the defined address. The Amazon verification e-mail contains directions for completing the verification process, including the amount of time the confirmation link is valid.

Currently, the Scheduled Reports are sent using the defined SES email identity if the reports are run with Schedules or the Run Now option.