Rubrik Permissions and Organisations

Rubrik Permissions

When configuring tenants, you can use either Global or a Rubrik Organisation. Using Rubrik Organisations allows RBAC to restrict and permit actions in Rubrik. These steps are outlined in full in the User Guide - Chapter 4 - Multitenant Organizations.

During the Organisation Name and Users phase, specify a name (preferably the tenant name). During Users, add a local/domain user as Organisation Administrator, but untick Create SLA, Manage Hosts and Manage Users. Org Admin is required so that the user can see all resources that the Org has permission to see.

For the vCloud Director Plugin, the recommendation would be to consider the following when setting up the Organisation.

Permit based on vCloud Director Organisation or VDC

When configuring the Organisation, access can be granted to any level in the hierarchy within Cloud Director:

  • Cloud Director Cell

  • Cloud Director Organisation

  • Cloud Director Organisation VDC

This grants permissions to all objects at each of these hierarchical points.

CDM 5.1.2 Specific Permissions

CDM 5.1.2 adds further RBAC control: permissions now need to be specified to allow instant recovery and exports.

Within the vCD View, we need to specify the Target vCD Organizations that the Rubrik Organization has permission to restore into. Select the Target vCD Organizations tab and grant the vCD Cell, Org or VDC that users should be allowed to restore into. For example:

vApp VM Folder Permissions

Since vApps are logical containers, take care to grant permissions on the folder created within vCenter so that VM-level actions, such as File/Folder Restore, can be performed. This appears in a similar hierarchy to the vCD components:

  • vCenter

  • Host

  • Folder

  • Individual VMs

Cloud Director creates a folder for all VMs, so we can grant permissions on the specific folder for this organisation:

SLA Permissions (Organization)

Finally, we can then assign permissions to define which SLAs are available through the Cloud Director plugin. This is on the next page inside the Organization configuration:

Using Direct Permissions (No Organizations)

The alternative is to use Global, which requires the user account in Rubrik to be set up using Manage Authorization with the End-User role. You can see this in the Users section in Rubrik CDM:

Using Manage Authorization we can provide specific permissions:
