This article details the user management that is included in Macrium Site Manager and the roles that affect Macrium SiteDeploy®.

Macrium Site Manager can be configured to allow different users on the Site Manager server or in a Windows Active Directory domain to log in to the Site Manager console, access different parts of the SiteDeploy® UI, and log in to Site Manager on the deployment media, where they can access golden image stores, create golden images, and deploy golden images.

By default, members of the Administrators group on the Site Manager server and members of Domain Administrators on the Site Manager server's domain can log in. Additional domains and permissions can be configured as described below:

Login Providers

Login providers serve as the interface between Site Manager and an authentication resource. There is a unique login provider for each authentication resource so that permissions for each resource can be managed independently by configuring the associated provider. The types of login provider that currently exist are:

Login Provider Type: Server Local
Authentication Resource: User Account Control
Included by Default: Yes
Notes: Authenticates local users. Local administrator accounts will always have permission to access Site Manager and SiteDeploy®, unless the 'Disable Default Admin Access' registry key has been set as described in this article.

Login Provider Type: Primary Server Domain
Authentication Resource: Active Directory
Included by Default: Yes (if the Site Manager server is joined to a domain)
Notes: Authenticates users on the domain the Site Manager server is joined to. It is created automatically and can not be removed by the user. Domain Administrators can log in using this provider.

Domain disconnections: If the server is moved from its domain then the provider will be converted to a 'Domain' provider. A new 'Primary Server Domain' provider will be created when Site Manager reconnects to a domain.

Login Provider Type: Secondary Server Domain
Authentication Resource: Active Directory
Included by Default: Yes (if the Site Manager server is joined to a domain in a forest)
Notes: Authenticates users on domains within the forest the Site Manager server is joined to. It is created automatically and can not be removed.

Domain disconnections: If the server is moved from its domain then the provider will be converted to a 'Domain' provider. A new set of 'Secondary Server Domain' providers will be created on startup.

Login Provider Type: Domain
Authentication Resource: Active Directory
Included by Default: No
Notes: This provider interfaces with Active Directory domains other than the domain that the Site Manager server is connected to.

Active Directory compatibility: Site Manager must connect with a Domain Controller which supports LDAP v3 for permissions to be set for accounts on the Domain. LDAP over SSL will be used if available.

Managing Login Providers

Disabling Domain Forest Searching

Site Manager automatically creates 'Local', 'Primary Server Domain', and 'Secondary Server Domain' providers on startup. 

Users can stop Site Manager from creating domain providers by setting the registry value 'Configure default providers' in the key "HKEY_LOCAL_MACHINE\SOFTWARE\Macrium\Site Manager" to 0. This will prevent Site Manager from creating any providers except the primary domain and local computer providers. 

While the automatic providers should cater to most needs, custom domain providers can be created to connect to domains outside of the forest the Site Manager server is in. Beware that members of authorized groups can only access Site Manager if they are on the same domain as the group. This differs from the automatic domain providers which support cross-domain authorization.

All providers are listed within the provider manager dialog. Providers can be configured or removed by clicking the respective buttons in the table. New providers can be created by clicking the 'Add' button, which opens the dialog to configure a new domain provider.

A domain provider can be configured with the following fields:

Field: Name
Notes: A friendly name that is displayed to users. If no name is provided then the provider will be named after the domain it is associated with.

Field: Domain Controller
Notes: The hostname of a domain controller. This can be in the form of a DNS-style name, a NetBIOS address, or an IP address.

Custom ports: Site Manager will communicate with the domain controller using LDAP. To use custom ports (other than the default of 389 or 636) specify the domain controller in the hostname:port format.

Field: Username
Notes: The username of an account on the domain. The credentials of this account will be used to perform any lookups against the LDAP server.

Field: Password
Notes: The password of the account specified by the username entered in the previous field.

Field: Display Order Priority
Notes: The order that the provider will appear in dropdown lists like on the login page and the permissions modal. There is also an option to hide the provider from lists other than the table in the provider manager which may be useful if there are unused automatically generated providers.

After clicking 'Save', Site Manager will check the validity of the configuration. If a provider can be created then the configuration is saved and a provider is added to the list of providers in the previous window. Otherwise, an error message will appear explaining the problem.

Configuring Role-Based Permissions

Next to the 'Manage Provider' button on the security settings page is the 'Manage Permissions' button. Clicking this will open the permissions management window.

Permissions are configured separately for each provider. Select the correct provider from the dropdown before configuring permissions.

A table listing the active permissions is below the provider select field. Here the names of authorized users and groups are displayed. All members of an authorized group are given the permissions of that group (membership is applied transitively). Permissions can be deleted by clicking the 'Remove' button. Click 'Configure' to add permissions. Changes to permissions can be discarded by clicking 'Cancel'.

The structure of the directory is navigable through the tree on the left, which shows the folders and organizational units which have been configured on the domain. On the right is a table listing the users and groups in the selected folder. Rows can be selected using the checkbox and added to the permissions list when the 'Add' button is pressed.

All users and groups that are added to the active permissions listing are given the 'Viewer' role by default; this role has the most restricted access. To increase a user's or group's access further, select 'Edit' from the role column to access the role editor for the selected user or group.

The role editor displays all role options available for selection. Select the roles required for the user or group and apply changed roles using the 'Save' button. Roles can be combined where necessary. Selecting all the non-administrator roles is equivalent to granting the administrator role to the account.

Role: Administrator
Description: Grants full administrative access to SiteDeploy® and Site Manager.

Role: Standard User (Viewer)
Description: Grants minimum access to the Site Manager and SiteDeploy® user. A user with this role can view the majority of information available in Site Manager and SiteDeploy®, but can't make changes beyond configuring their own instance of the dashboard and table layouts. The repository browser and verification pages are unavailable to the user.

The user will only be able to launch Macrium Reflect using the deployment media, and will not be able to log in to the Site Manager.

Role: Backup Operator
Description: Grants the same access as a 'Standard User' to Site Manager, but the user can enable or disable predefined backup plans, start, stop, or pause backups, start or stop remote syncs, access the repository browser (without access to backup contents) and verify backups.

Role: Restore Operator
Description: Grants the same access as a 'Standard User' to Site Manager, but the user can perform remote restores, generate and download rescue media, access the repository browser (and open backups), and verify backups.

The user can log in to Site Manager using the deployment media but will only have access to the 'Restore Agent' button and the 'Launch Reflect' button.

Role: Backup Manager
Description: Grants the same access as a backup and restore operator to Site Manager, but the user can configure backup plans, definitions, schedules, repositories, remote syncs, agent tags, access to the repository browser (full access, including deletion), and full access to manage agents (add, remove, remote install, upgrade and perform maintenance actions including reboot agent, reset VSS and resync logs).

The user can log in to Site Manager using the deployment media but will only have access to the 'Restore Agent' button and the 'Launch Reflect' button.

Role: Deployment Operator
Description: This grants the user the ability to perform deployments. The user will have access, in the deployment media, to start an endpoint-initiated deployment. The user can also start a centrally-initiated deployment in the 'Deployment Targets' tab of SiteDeploy®.

Role: Deployment Manager
Description: This grants the user full access to SiteDeploy®. The user will be able to create golden image stores, create deployment media, and perform both centrally-initiated and endpoint-initiated deployments.

Role: Server Manager
Description: Grants the same access as a 'Standard User' to Site Manager, but the user can configure server settings, configure repositories, access the repository browser (view listings only), manage agent licensing, perform agent maintenance actions (reboot agent, reset VSS and resync logs), generate rescue media and install server updates.
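
Because group permissions apply transitively and the full set of non-administrator roles is equivalent to Administrator, an account can reach administrator-level access without ever being assigned that role. The following is an added example, not Macrium code: it audits a constructed permission list for that case, assuming that roles inherited through several groups accumulate; the group names, data layout and function names are hypothetical.

```python
# Role names from the table above; every entry in the permissions list starts as Viewer.
NON_ADMIN = frozenset({"Viewer", "Backup Operator", "Restore Operator", "Backup Manager",
                       "Deployment Operator", "Deployment Manager", "Server Manager"})

def effective_roles(principal, member_of, grants):
    """Roles held directly or through nested groups, as {role: entry that grants it}.
    Assumption: roles inherited through several groups accumulate."""
    roles, seen, stack = {}, set(), [principal]
    while stack:
        node = stack.pop()
        if node in seen:  # nested groups can form a cycle; visit each entry once
            continue
        seen.add(node)
        if node in grants:
            for role in grants[node] | {"Viewer"}:
                roles.setdefault(role, node)
        stack.extend(member_of.get(node, ()))
    return roles

def audit(users, member_of, grants):
    """Classify each user as explicit-admin, combined-admin, limited or no-access."""
    report = {}
    for user in users:
        roles = effective_roles(user, member_of, grants)
        if not roles:
            verdict = "no-access"
        elif "Administrator" in roles:
            verdict = "explicit-admin"
        elif NON_ADMIN.issubset(roles):
            verdict = "combined-admin"  # every non-administrator role, via any path
        else:
            verdict = "limited"
        report[user] = (verdict, roles)
    return report

# Constructed sample data (not exported from Site Manager): direct memberships and grants.
MEMBER_OF = {"alice": ["Helpdesk"], "bob": ["Imaging", "Backup-Ops"], "carol": [],
             "Helpdesk": ["IT-Staff"], "Imaging": ["IT-Staff"],
             "IT-Staff": ["Helpdesk"]}  # deliberate nesting cycle
GRANTS = {"IT-Staff": {"Restore Operator", "Server Manager"},
          "Imaging": {"Deployment Manager", "Deployment Operator"},
          "Backup-Ops": {"Backup Manager", "Backup Operator"},
          "Helpdesk": {"Viewer"}}

if __name__ == "__main__":
    for user, (verdict, roles) in audit(["alice", "bob", "carol"], MEMBER_OF, GRANTS).items():
        print(f"{user}: {verdict}", dict(sorted(roles.items())))
```

In the sample, bob is reported as combined-admin: no single group carries every role, but his three memberships (one of them nested) together cover all non-administrator roles.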
