CPM is built for a multi-user environment. At the configuration stage, you define a user that is the root user. The root user can create additional users (depending on the edition of CPM you are subscribed to). Additional users are helpful if you are a managed service provider, in need of managing multiple customers from one CPM server or if you have different users or departments in your organization, each managing their own AWS resources. For instance, you may have a QA department, a Development Department and IT department, each with their own AWS account/s. Click the Users button.
There are two types of users you can define: independent users and managed users
Independent users are completely separate users. The root user can create such a user, reset its password, and delete it with all its data, but it does not manage what this user’s policies and resources. Independent users can:
- Log-in to CPM
- Create their own accounts
- Manage their backup
- Manage policies and resources of managed users that were assigned to them
Independent users can have Managed users assigned to them by the root/admin in the Users management screen. An Independent user can log on, manage the backup environment of their assigned Managed users, and receive alerts and notifications on their behalf.
Managed Users are users who can log on and manage their backup environment, or the root/admin user or independent user, can do it for them. The root user can perform all operations for managed users: add, remove and edit accounts, manage backup policies, view backups and perform recovery. Furthermore, the root user, or independent user, can receive alerts and notifications on behalf of managed users, although manage users can also define notifications and get them directly. To create a managed user, click the Add New User button in the Manage Users screen, and fill in the type as Managed. If the root user does not want managed users to login at all, they should not receive any credentials.
Managed users may be managed by Independent users. See section 16.1.
When editing a user, the root user can modify email, password, type of user, and resource limitations.
Note: The user name cannot be modified once a user is created.
Note: Users who are created in CPM via IdP integration (see chapter 17) cannot be edited, only deleted.
To define users:
- If you are the root or admin user, at the top of any CPM screen, click the Manage Users button. The Manage Users screen opens.
- Click the Add New User button.
- In the Username, Email and Password boxes, type the relevant information.
- In the User Type list, select the user type. For type details, see sections 16.1 and 16.2.
In the Max Number of Accounts, Max Number of Instances, Max Non-instance EBS (GiB), Max RDS (GiB), Max Redshift Clusters, and Max DynamoDB Tables (GiB) boxes, type the value for the respective resource limitation.
Note: If you leave these resource limitation fields empty, there is no limitation on resources, except the system level limitations that are derived from the CPM edition used.
Delegates are a special kind of user, which is managed via a separate screen. Delegates are similar to IAM users in AWS:
- They have credentials used to log on and access another user’s environment.
- The access is given with specific permissions.
Warning: Using IAM User credentials is not recommended as they are less secure than using IAM roles.
For each user, whether it is the root user, an independent user or a managed user, there is a button delegates that redirects to the delegates screen for that user:
You can add as many delegates as needed for each user and also edit any delegate’s settings:
To add a new delegate:
- Select a user. Note: Once a user is defined as a delegate, the name cannot be changed.
- Click the Add New Delegate button.
- In the Username list, select the new delegate.
The user is added as a delegate with the following permissions set to deny:
- Allow Recovery – Perform recovery operations
- Allow Account Changes – Add and remove AWS accounts, edit accounts, modify credentials
- Allow Backup Changes – Change policies and their schedule and add and remove backup targets
Edit the delegate to set the above permissions to allow.
The default allow permissions are:
- Viewing the settings.
- Viewing the environment.
- Monitoring backups.
In a separate button in the delegates screen, the root user can reset passwords for delegates.
There are three permissions for delegates:
- Allow recovery – Can perform recovery operations
- Allow Account Changes – Can add and remove AWS accounts as well as edit accounts and modify credentials
- Allow Policy Changes– Can change policies: adding, removing and editing policies and schedules, as well as adding and removing backup targets
By default, all are denied, which means that the delegate will only have permissions to view the settings and environment and to monitor backups.
Allowing all permissions will allow the delegate the permissions of the original user except for notification settings.
For delegates of the root/admin user, they will not be able to change notification settings, General Settings, or manage users.
The root user can also use the user management screen to download CSV usage reports for each user, which can be used for accounting and billing. The usage report will state how many accounts this user is managing, and for each account, how many instances and non-instance storage is backed up.
CPM will record every operation initiated by users and delegates. This is important when the admin needs to track who performed an operation and when. By default, audit logs are kept for 30 days. The root user can:
- Modify the audit log retention value in the Cleanup section of the General Settings screen. See section 8.4.
- Download audit reports for specific users or delegates by clicking audit report in the users or delegates screen.
- Download the audit report for all users by clicking the link audit report (all users) at the bottom of CPM’s main screen.
Included in the audit reports are:
- A timestamp.
- The event type.
- A description of the exact operation.
- In the report of all users, the user with delegate information, if any.