18. N2WS User Management

Learn about multi-tenancy in N2WS. Independent users, managed users, delegates, and delegate permissions. Usage and audit reports.

N2WS is built for a multi-user environment. At the configuration stage, you define a user that is the root user. The root user can create additional users (depending on the edition of N2WS you are subscribed to). Additional users are helpful if you are a managed service provider, in need of managing multiple customers from one N2WS server or if you have different users or departments in your organization, each managing their own AWS resources. For instance, you may have a QA department, a Development Department and IT department, each with their own AWS account/s. Click the Users button.

Figure 18‑1

There are two types of users you can define: independent users and managed users

Independent Users

Independent users are completely separate users. The root user can create such a user, reset its password, and delete it with all its data, but it does not manage what this user’s policies and resources. Independent users can:

Log-in to N2WS

Create their own accounts

Manage their backup

Mange policies and resources of managed users that were assigned to them

Independent users can have Managed users assigned to them by the root/admin in the Users management screen. An Independent user can log on, manage the backup environment of their assigned Managed users, and receive alerts and notifications on their behalf.

Managed Users

Managed Users are users who can log on and manage their backup environment, or the root/admin user or independent user, can do it for them. The root user can perform all operations for managed users: add, remove and edit accounts, manage backup policies, view backups and perform recovery. Furthermore, the root user, or independent user, can receive alerts and notifications on behalf of managed users. The root/admin user can also configure notifications for any managed user and independent users can configure notifications for their managed users (section 17.3.1.) To create a managed user, click the Add New User button in the Manage Users screen, and fill in the type as Managed. If the root user does not want managed users to login at all, they should not receive any credentials.

Managed users may be managed by Independent users. See section 18.1.

User definitions

When editing a user, the root user can modify email, password, type of user, and resource limitations.

Note: The user name cannot be modified once a user is created.

Note: Users who are created in N2WS via IdP integration (see section 19) cannot be edited, only deleted.

To define users:

  1. If you are the root or admin user, at the top of any N2WS screen, click the Manage Users button. The Manage Users screen opens.

Click the Add New User button.

In the User name, Email and Password boxes, type the relevant information.

In the User Type list, select the user type. For type details, see sections 18.1 and 18.2.

Figure 18‑2

In the Max Number of Accounts, Max Number of Instances, Max Non-instance EBS (GiB), Max RDS (GiB), Max Redshift Clusters, Max DynamoDB Tables (GiB), and Max Resource Control Entities boxes, type the value for the respective resource limitation.

The value for Max Resource Control Entities is the maximum number of allowed instances and RDS database resources.

Note: If you leave these resource limitation fields empty, there is no limitation on resources, except the system level limitations that are derived from the licensed N2WS edition used.


Delegates are a special kind of user, which is managed via a separate screen. Delegates are similar to IAM users in AWS:

They have credentials used to log on and access another user’s environment.

The access is given with specific permissions.

Warning: Using IAM User credentials is not recommended as they are less secure than using IAM roles.

For each user, whether it is the root user, an independent user or a managed user, there is a button delegates that redirects to the delegates screen for that user:

Figure 18‑3

You can add as many delegates as needed for each user and also edit any delegate’s settings:

To add a new delegate:

Note: Once a user is defined as a delegate, the name cannot be changed.

  1. Select a user.

Click the Add New Delegate button.

In the User name list, select the new delegate.

The user is added as a delegate with the following permissions set to deny:

Allow Recovery – Perform recovery operations

Allow Account Changes – Add and remove AWS accounts, edit accounts, modify credentials

Allow Backup Changes – Change policies and their schedule and add and remove backup targets

Edit the delegate to set the above permissions to allow.

The default allow permissions are:

  • Viewing the settings.
  • Viewing the environment.
  • Monitoring backups.

Figure 18‑4

In a separate button in the delegates screen, the root user can reset passwords for delegates.

Delegate Permissions

There are three permissions for delegates:

Allow recovery – Can perform recovery operations

Allow Account Changes – Can add and remove AWS accounts as well as edit accounts and modify credentials

Allow Policy Changes– Can change policies: adding, removing and editing policies and schedules, as well as adding and removing backup targets

By default, all are denied, which means that the delegate will only have permissions to view the settings and environment and to monitor backups.

Allowing all permissions will allow the delegate the permissions of the original user except for notification settings.

For delegates of the root/admin user, they will not be able to change notification settings, General Settings, or manage users.

Usage Reports

The root user can also use the user management screen to download CSV usage reports for each user, which can be used for accounting and billing. The usage report will state how many accounts this user is managing, and for each account, how many instances and non-instance storage is backed up.

Reporting is now available for daily tracking of resources that were configured as a backup target on each policy. The Reports tab contains two levels of detail for Usage Reports. Users can download the following Usage Reports, both of which are filterable by user and timeframe:

Download Usage Report for aggregated account usage per user.

Download Detailed Usage Report for usage per account.

Note: Data saved to the reports is compliant with the EU’s General Data Protection Regulation (GDPR).

Audit Reports

N2WS will record every operation initiated by users and delegates. This is important when the admin needs to track who performed an operation and when. By default, audit logs are kept for 30 days. The root user can:

Modify the audit log retention value in the Cleanup section of the General Settings screen. See section 9.4.

Download audit reports for specific users or delegates by clicking audit report in the users or delegates screen.

Download the audit report for all users by clicking the link audit report (all users) at the bottom of N2WS’ main screen.

Included in the audit reports are:

A timestamp.

The event type.

A description of the exact operation.

In the report of all users, the user with delegate information, if any.

Configuring for SES

Amazon Simple Email Service (SES) is a cloud-based email sending service that N2WS uses to effortlessly distribute reports. The AWS SES parameters are configured in the General Settings page.

Note: Currently, the only regions that are available for the SES service are EU (Ireland), US East (N. Virginia), US West (Oregon).

To allow N2WS to configure the AWS SES parameters, open the SES Settings section, and select Enabled in the SES configuration drop-down list.

Complete the parameters:

E-mail Address – The ‘From’ e-mail address.

SES Region – Select the region for the SES service.

Authentication method – Select a method and supply additional information if prompted:

IAM User Credentials – Enter AWS access and secret keys.

CPM Instance IAM Role – Additional information is not needed.

Account – In the Account list, select one of the CPM accounts defined in the Accounts tab.

When finished, click the Verify button to confirm the parameters. Amazon will respond with an Email Address Verification Request for the region to the defined address. The Amazon verification e-mail contains directions for completing the verification process, including the amount of time the confirmation link is valid.

Currently, the Scheduled reports are sent using the defined SES email identity if the reports are run with Schedules or the Run Now option.

Share this post →

Share on twitter
Share on linkedin
Share on facebook
Share on email

Limited Time Offer:

Activate a free trial of N2WS —and get $250

Try N2WS Backup & Recovery today —and we'll give you $250 in AWS credits.

*All new active trials will receive $250 in AWS credits for a limited time!