How to assign admin user roles in Backup portal? (Role-based access control, RBAC)

Info

To see how the admin user roles are currently defined for older customers, and what the default setup is for new customers, check this support article.


You can assign role-based access to either Users or Entra ID groups.

1. OPTION A)  Assign Roles for Users

To assign admin roles for users, open the Users page and click the icon for the user you want to set user roles for. You can filter on the Role column to view the users by their Role status. Users with any admin roles, whether based on Microsoft user roles or assigned on the Nexetic side, are indicated with a green role icon. Users without any roles are displayed with a grey role icon. Note that the Users page does not indicate whether a user is covered by a group-level role. Group-level roles can only be viewed on the 'Role-based Access Control' page.

Next, proceed to Chapter 3 of this support article to see the available admin role options.


2. OPTION B)  Assign Roles for Groups

Admin roles can also be assigned to Entra ID groups. Group-level roles are directly applied to all users in the group. To assign a group-level access role, click your username at the top-right corner of the page and select Role-based access control.


You can see all the Entra ID groups for your tenant. You can Search for a group, Sort by the group Name column or Filter by the Roles column.

Click the Roles icon to assign a role for the group.


Groups that have been assigned roles are indicated with a green Role icon under the group roles list.

3. Role options

The available access roles are listed below. They can be assigned for users or Entra ID groups, as explained above.

  • Tenant-Wide Admin Access: Full admin rights with access to all users and pages. Can e.g. configure backups, view and restore users' data and data from SharePoint & Teams backup; i.e. the same rights as all Global Admins have. 
    • Note that the tenant's Global Admins will always have the full M365 Admin role in the backup portal, and the role cannot currently be disabled or limited.
  • Tenant-Wide Admin Access - Read Only: Full viewing rights with access to all users and pages. Can search data and download SharePoint & Teams files, Teams channel posts and Planners from backup.
    • Cannot configure backups or restore data.
  • End User: Can view, search, download and restore their own data. Can also view the progress of their own restore tasks in the Task Manager.
  • Limited Admin Access: To allow access to certain pages / actions only, you can select any of the following:
    • All users and their backups. View all users and their backups.
    • SharePoint. View and download SharePoint & Teams files.
    • Teams Channels. View and download Teams channel posts.
    • Planner. View and download Planners.
    • Backup/Restore. Restore data and initiate backups manually.
    • Configure backups. Enable backups for user and organization data. Access to both Settings and Users pages.
    • Audit Log. View, filter and sort all events in Audit Log.

To assign a role, click one of the four radio buttons. If you select 'Limited Admin Access', also select the relevant sub-roles by clicking the slide switches.


Note

In addition to what is allowed based on the assigned admin roles, any user, including End Users, can always view and download their own data from backup, including: Mail, OneDrive, Contacts, Calendar, and Teams private chats. End Users can also track the progress of their own restore tasks in the Task Manager.

Every time a user signs in to the backup portal, the system checks the Microsoft user role and the existence of any assigned access roles, on user or Entra ID group level. If any assigned roles exist, the access level is granted accordingly. For example, if a Helpdesk Administrator has been granted the 'Planner' role, the user can only access their own backups and the organization's Planner backups.

If there are no assigned access roles in place, the access level is granted based on the Microsoft user roles. To see how the admin user roles are currently defined for older customers, and what the default setup is for new customers, check this support article.
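The sign-in check described above can be modelled for an access review, so that roles inherited from a group (which the Users page does not show) are listed next to directly assigned ones. This is an added example, not Nexetic code: the function names, the ms_defaults parameter and the sample data are assumptions, and because the article does not say how overlapping user and group roles are combined, the grants are listed rather than merged.

```python
# Added example, not Nexetic code: models the sign-in check described above.
from typing import NamedTuple

FULL = "Tenant-Wide Admin Access"
LIMITED = "Limited Admin Access"

class Grant(NamedTuple):
    source: str                      # "user", "group:<name>" or "microsoft-role:<name>"
    role: str
    sub_roles: frozenset = frozenset()

def resolve_access(user, ms_roles, groups, user_roles, group_roles, ms_defaults):
    """Return the grants that apply to `user` at sign-in, with their source."""
    # Article: Global Admins always have full admin rights; this cannot be limited.
    if "Global Administrator" in ms_roles:
        return [Grant("microsoft-role:Global Administrator", FULL)]
    grants = []
    if user in user_roles:
        role, subs = user_roles[user]
        grants.append(Grant("user", role, frozenset(subs)))
    for name in sorted(groups):
        if name in group_roles:
            role, subs = group_roles[name]
            grants.append(Grant(f"group:{name}", role, frozenset(subs)))
    if grants:
        return grants                # assigned roles exist, so they decide the access level
    # No assigned roles: fall back to Microsoft roles. The mapping lives in another
    # article, so the caller supplies it (ms_defaults is a hypothetical parameter).
    return [Grant(f"microsoft-role:{r}", ms_defaults[r])
            for r in sorted(ms_roles) if r in ms_defaults]

def hidden_group_grants(grants):
    """Grants inherited from a group, which the Users page does not indicate."""
    return [g for g in grants if g.source.startswith("group:")]

# Constructed sample data (not from a real tenant).
USER_ROLES = {"alice@example.com": (LIMITED, {"Audit Log"})}
GROUP_ROLES = {"Planner-Reviewers": (LIMITED, {"Planner"})}
MS_DEFAULTS = {"Helpdesk Administrator": "PLACEHOLDER-default-role"}

if __name__ == "__main__":
    g = resolve_access("bob@example.com", {"Helpdesk Administrator"},
                       {"Planner-Reviewers"}, USER_ROLES, GROUP_ROLES, MS_DEFAULTS)
    print(g, hidden_group_grants(g))
```

Running it over every user with their Entra ID group memberships gives a list of accounts whose admin access comes only from a group assignment.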
