How to configure Protector and vRO for restricted multi-user access

Ops Center Protector VMware Application Guide

Part Number

To maintain restricted access across multiple vSphere users within Protector, datastores must not be shared by those users.

Restoring involves mounting the entire datastore, meaning that a user performing a restore could potentially see another users data if they share a datastore.

To configure an environment where multiple vSphere users' restricted access in vSphere must be maintained when using the Protector Connector for vRO:

  1. The Protector Backup Administrator must perform the following steps:
    1. Set up an Protector VMware node corresponding to each vSphere user (Protector-vSphere user).
      Each Protector VMware node can act as a proxy to the same vCenter if required, to maintain user separation.
    2. Set up a Resource Group in Protector corresponding to each Protector-vSphere user.
    3. Restrict each Protector-vSphere user to their assigned Protector VMware node by placing it in their Resource Group. Any block storage nodes containing the relevant datastores will also need to be added to these resource groups.
      This prevents Protector-vSphere user seeing other user's backups.
    4. Set up an Protector-vSphere user Role and then map this Role and the corresponding Resource Group to an Access Control Profile for each Protector-vSphere user.
      Tip: Protector has a built-in vRO Role and Access Control Profile that can be cloned and modified for this purpose.
    5. Create an ACP Association for each Protector-vSphere user and map this ACP Association to the corresponding Access Control Profile.
    6. If you intend to use the 'Ad Hoc Backup' workflow from within vSphere, you must create an 'Ad Hoc Policy' and 'Ad Hoc Dataflow' for each Protector -vSphere user's VMware node. Restrict visibility of each policy and data flow using the Edit Permissions button in the inventory so that can only be seen by the corresponding user.
      This enables the vRO 'Ad Hoc Backup' Workflow, to perform a backup policy that is specific to the user that invokes it.
      Tip: Use the Description field to differentiate each 'Ad Hoc Dataflow', since there will be multiple data flows with the same name in the inventory.
  2. The vRO administrator must set a Protector Master for the Protector Connector for vRO to communicate with:
    1. From the vRealize Orchestrator Client select the Workflows tab.
    2. Locate Add Master from within Protector 'Configuration' worlflows.
    3. Right click on the workflow and select Start Workflow....
    4. Enter the Protector Master's DNS name (the friendly name or IP address can also be used here) and click Submit.
      Note: If running within Ops Center, the Protector REST API will not be available on the expected port (443). By default within Ops Center, the Protector REST API is available on port 20964. In this case enter the master connection details in the form <protector_ip>:<rest_api_port>
  3. Each Protector-vSphere user must provide their Protector user credentials for the Protector Connector for vRO to use when running workflows. Credentials are stored in the Protector plug-in so this step is only required once:
    1. From the vSphere Client right click on an object in the Navigator pane.
    2. Select the Add User workflow, enter the user's Protector credentials, then click Finish.