Units and administrative accounts

To manage units and administrative accounts, in the Cyber Protect web console, go to Settings > Accounts. The Accounts panel shows the Organization group with the tree of units (if any), as well as the list of administrative accounts on the selected hierarchical level.

Units

The Organization group is automatically created when you install the management server. With the Acronis Cyber Protect Advanced license, you can create child groups called units, which typically correspond to units or departments of the organization, and add administrative accounts to the units. This way, you can delegate the protection management to other people whose access permissions will be strictly limited to the corresponding units. For information about how to create a unit, refer to Creating units.

Every unit can have child units. The administrative accounts of the parent unit have the same rights in all child units. The Organization group is the top-level parent unit, and administrative accounts on this level have the same rights in all units.

Administrative accounts

Any account that is able to sign in to the Cyber Protect web console is administrative account.

In the Cyber Protect web console, any administrative account can view or manage anything on or below the hierarchical level of its unit. For example, an administrative account in the organization has access to this top level and therefore access to all the units of this organization, while an administrative account in a specific unit can access only this unit and its child units.

Which accounts can be administrative?

If the management server is installed on a Windows machine that is included in an Active Directory domain, you can grant administrative rights to local users, or users and user groups within the Active Directory domain forest.

By default, the management server establishes an SSL/TLS-protected connection to the Active Directory domain controller. If this is not possible, no connection will be established. However, you can allow nonsecure connections, by editing the auth-connector.json5 file.

To use a secure connection, ensure that LDAP over SSL (LDAPS) is configured for your Active Directory.

To configure LDAPS for Active Directory

  1. On the domain controller, create and install an LDAPS certificate that meets the Microsoft requirements.

    For more information on how to perform these operations, refer to Enable LDAP over SSL with a third-party certification authority in the Microsoft documentation.

  2. On the domain controller, open Microsoft Management Console and verify that the certificate exists under Certificates (Local Computer) > Personal > Certificates.
  3. Restart the domain controller.
  4. Verify that LDAPS is enabled.

To allow nonsecure connections to the domain controller

  1. Log in to the machine where the management server is installed.
  2. Open the auth-connector.json5 file for editing.

    The auth-connector.json5 file is located in %ProgramFiles%\Acronis\AuthConnector.

  3. Navigate to the sync section, and in every "connectionMode" line, replace "ssl_only" with "auto".

    In the auto mode, a nonsecure connection is established if a TLS connection is not possible.

  4. Restart Acronis Service Manager Service as described in To restart Acronis Service Manager Service.
If the management server is not included in an Active Directory domain or if it is installed on a Linux machine, you can grant administrative rights only to local users and groups.

To learn how to add an administrative account to the management server, refer to Adding administrative accounts.

Administrative account roles

Each administrative account is assigned a role with the predefined rights that are necessary for specific tasks. The administrative account roles are the following:

  • Administrator
    This role provides full administrative access to the organization or a unit.

  • Read-only
    This role provides read-only access to the Cyber Protect web console. It only allows gathering diagnostic data, such as system reports. The read-only role does not allow browsing backups or browsing the content of backed-up mailboxes.

  • Auditor
    This role provides read-only access to the Activities tab in the Cyber Protect web console. For more information about this tab, refer to The Activities tab. This role does not allow gathering or exporting any data, including system information of the management server.

Any changes in the roles are shown on the Activities tab.

Inheritance of roles

Roles in a parent unit are inherited by its child units. If the same user account has different roles assigned in the parent unit and in a child unit, it will have both roles.

Also, roles can be explicitly assigned to a specific user account or inherited from a user group. Thus, a user account can have both a specifically assigned role and an inherited one.

If a user account has different roles (assigned and/or inherited), it can access objects and perform actions allowed by any of these roles. For example, a user account with an assigned read-only role and inherited administrator role will have administrator rights.

In the Cyber Protect web console, only explicitly assigned roles for the current unit are shown. Any possible discrepancies with the inherited roles are not displayed. We strongly recommend that you assign administrator, read-only, and auditor roles to separate accounts or groups, in order to avoid possible issues with the inherited roles.

Default administrators

In Windows

When the management server is being installed on a machine, the following happens:

  • The Acronis Centralized Admins user group is created on the machine.

    On a domain controller, the group is named DCNAME $ Acronis Centralized Admins. Here, DCNAME stands for the NetBIOS name of the domain controller.

  • All members of the Administrators group are added to the Acronis Centralized Admins group. If the machine is in a domain but is not a domain controller, local (non-domain) users are then excluded. On a domain controller, there are no non-domain users.
  • The Acronis Centralized Admins and the Administrators groups are added to the management server as organization administrators. If the machine is in a domain but is not a domain controller, the Administrators group is not added, so that local (non-domain) users do not become organization administrators.

You can delete the Administrators group from the list of the organization administrators. However, the Acronis Centralized Admins group cannot be deleted. In the unlikely case that all organization administrators have been deleted, you can add an account to the Acronis Centralized Admins group in Windows, and then log in to the Cyber Protect web console by using this account.

In Linux

When the management server is being installed on a machine, the root user is added to the management server as an organization administrator.

You can add other Linux users to the list of management server administrators, as described later, and then delete the root user from this list. In the unlikely case that all organization administrators have been deleted, you can restart the acronis_asm service. As a result, the root user will be automatically re-added as an organization administrator.

Administrative account in multiple units

An account can be granted administrative rights in any number of units. For such an account, as well as for administrative accounts on the organization level, the unit selector is shown in the Cyber Protect web console. By using this selector, this account can view and manage each unit separately.

An account that has permissions for all units in an organization does not have permissions for the organization. Administrative accounts on the organization level must be added to the Organization group explicitly.

How to populate units with machines

When an administrator adds a machine via the web interface, the machine is added to the unit managed by the administrator. If the administrator manages multiple units, the machine is added to the unit chosen in the unit selector. Therefore, the administrator must choose the unit prior to clicking Add.

When installing agents locally, an administrator provides their credentials. The machine is added to the unit managed by the administrator. If the administrator manages multiple units, the installer prompts to choose a unit to which the machine will be added.