Managing identity and access

You can use the Identity and access management panel (IAM) to manage identity providers, users, and user roles in HYCU for AWS.

The scope of tasks you can perform depends on roles assigned to you and the selected context:

Managing identity providers

You can integrate HYCU with identity providers that support the OpenID Connect (OIDC) authentication protocol, such as Google, Microsoft, and Okta. Users can then sign in to HYCU for AWS securely through these identity providers, without having to maintain dedicated credentials for HYCU for AWS.

Adding an identity provider to HYCU

Procedure

  1. In the Identity Providers dialog box, click New.

  2. Enter a name for the identity provider.

  3. From the Type drop-down menu, select one of the following types of identity providers, and then follow the instructions for that type:

    Identity provider type: Google
      1. In the Client ID field, enter the application ID that is generated by the identity provider.
      2. In the Client secret field, enter the application secret that is associated with the client ID and generated by the identity provider.

    Identity provider type: Microsoft
      1. In the Client ID field, enter the application ID that is generated by the identity provider.
      2. In the Client secret field, enter the application secret that is associated with the client ID and generated by the identity provider.
      3. In the Issuer field, enter the URL of the issuer of the identity provider.

    Identity provider type: Okta

    Identity provider type: OIDC

    Identity provider type: Cognito

  4. Click Copy to clipboard to copy the redirect URL that you must enter when you create the application integration with HYCU for AWS.

  5. Click Save.

  6. Configure your identity provider and enter the redirect URL that you copied. For details on the required format, see the identity provider documentation.
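Added example (not part of HYCU's documentation or product code): a pre-save check of the Issuer and redirect URL values from the procedure above, run against a constructed OIDC discovery document instead of a live fetch of <issuer>/.well-known/openid-configuration. All hostnames, tenant paths and the HYCU redirect URL are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

# Constructed discovery document, in the shape an OIDC provider publishes it.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://login.example-idp.test/tenant-1",
    "authorization_endpoint": "https://login.example-idp.test/tenant-1/authorize",
    "token_endpoint": "https://login.example-idp.test/tenant-1/token",
    "jwks_uri": "https://login.example-idp.test/tenant-1/keys",
    "response_types_supported": ["code"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


def check_issuer(configured_issuer: str, discovery_json: str) -> list:
    """Problems with the value typed into the Issuer field (empty list = OK).

    OIDC Discovery requires the 'issuer' in the published document to be
    identical to the issuer URL the client was configured with; a mismatch
    means tokens from this provider would carry an unexpected 'iss' claim.
    """
    problems = []
    parts = urlsplit(configured_issuer)
    if parts.scheme != "https":
        problems.append("issuer must use https")
    if parts.query or parts.fragment:
        problems.append("issuer must not contain a query or fragment")
    doc = json.loads(discovery_json)
    if doc.get("issuer") != configured_issuer:
        problems.append("discovery 'issuer' does not match the configured Issuer")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not support the authorization code flow")
    return problems


def check_redirect_url(copied_redirect_url: str, registered_redirect_url: str) -> list:
    """Problems with the redirect URL registered at the identity provider.

    Providers compare redirect URIs by exact string match, so the value
    registered there must equal the one copied from HYCU character for
    character (same scheme, host, port, path and trailing slash).
    """
    problems = []
    parts = urlsplit(copied_redirect_url)
    if parts.scheme != "https":
        problems.append("redirect URL must use https")
    if parts.fragment:
        problems.append("redirect URL must not contain a fragment")
    if registered_redirect_url != copied_redirect_url:
        problems.append("registered redirect URL differs from the copied one")
    return problems
```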

You can later do the following:

  • Edit information about any of the existing identity providers by clicking Edit and making the required modifications.

  • Delete any of the existing identity providers by clicking Delete.

Managing users

The HYCU for AWS user management system provides security mechanisms to help prevent unauthorized users from accessing protected data. Only users that are given specific rights have access to the data protection environment. These users can be authenticated either by HYCU or any of the supported identity providers. For details on identity providers, see “Managing identity providers”.

Consideration

The scope of tasks you can perform depends on the UI context. In the Protection set context, you can only add users but cannot deactivate or remove them.

Adding a user

  1. In the IAM panel, click New User.

  2. In the New User dialog box, enter the email address of the user that you want to add.

  3. Optional if the user will log on by using an identity provider: select Generate password to automatically generate a password. The user must change the generated password during the first log on.

    Important: If the user has no identity provider configured and you do not generate a password, the user will not be able to log on to HYCU for AWS.

  4. Select one of the following options:
    • Assign to subscription

      Assign the user to the subscription.

    • Assign to protection set

      From the list of protection sets, select the one to which you assign the user.

      Tip: You can search for a protection set by entering its name in the Protection set search field and then pressing Enter. By selecting the Name check box, you select all protection sets at once.

  5. From the Role drop-down menu, select the role for the user.

    You can select more than one role if needed. For more information about user roles, see “HYCU for AWS roles”.

  6. Click Save.

Deactivating a user

Consideration

When you deactivate a user, the user can no longer perform any actions. However, the inactive account is preserved in AWS, including all of the data that the user has backed up.

Procedure

  1. In the IAM panel, from the list of available users, select the user that you want to deactivate.

  2. Click Deactivate. The Deactivate dialog box opens.

  3. Click Deactivate to confirm the deactivation of the user.

Deleting a user

Considerations

  • You cannot delete yourself from HYCU for AWS.

  • Any upcoming data protection tasks related to the user that you delete will be automatically assigned to you.

Procedure

  1. In the IAM panel, from the list of available users, select the one that you want to delete.

    Tip: You can also search for a user by entering their name in the Search field.

  2. Click Remove. The Remove dialog box opens.

  3. Click Remove to confirm that you want the selected user to be deleted from HYCU for AWS.

Managing roles

A role determines the scope of actions that can be performed in the HYCU for AWS data protection environment by a specific user. This means that access to data and information within the data protection environment is limited based on the assigned role. As an administrator, you can manage these roles and define what actions can be performed by each user.

Considerations

  • For each subscription, at least one user must have the Administrator role assigned at the subscription level.

  • User roles are inherited from the subscription level to all protection sets under one subscription. User roles set in a protection set are local to that protection set.

HYCU for AWS roles

A user can be assigned one or more of the following roles:

Role               Allowed actions
Viewer             Acquire information about instances, buckets, policies, targets, tasks, events, and protection sets in the data protection environment.
Backup Operator    Acquire the same information as Viewer, define backup strategies, and back up instances and buckets.
Restore Operator   Acquire the same information as Viewer and restore instances and buckets.
Administrator      Perform all actions in the data protection environment.

Assigning or unassigning roles

Consideration

If you plan to remove your own Administrator role, keep in mind the following:

  • At least one user with the Administrator role assigned must exist in the data protection environment for each subscription.
  • You will not be able to change your role back to Administrator yourself.

Procedure

  1. In the IAM panel, from the list of available users, select the user for whom you want to change the roles and then click Edit.

  2. In the Edit Role dialog box, from the drop-down list, select the roles that you want to assign or unassign. You can select or deselect roles individually or you can click Select all to select all roles at once.

  3. Click Save to save the selected roles.
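Added example (not HYCU's code): a small model of how the roles described under "Managing roles" compose, namely subscription-level roles inherited by every protection set, protection-set roles local to that set, and the two considerations above applied as guards before a role is unassigned. Role names are the page's; the subscription, protection set and user identifiers are constructed.

```python
from dataclasses import dataclass, field

ROLES = {"Viewer", "Backup Operator", "Restore Operator", "Administrator"}


@dataclass
class Subscription:
    name: str
    # Subscription-level assignments: user -> roles (inherited by all protection sets).
    roles: dict = field(default_factory=dict)
    # Protection-set assignments: protection set -> user -> roles local to that set.
    protection_sets: dict = field(default_factory=dict)

    def effective_roles(self, user: str, protection_set: str = None) -> set:
        """Roles a user holds in a protection set: the subscription-level roles
        plus whatever was assigned locally in that protection set only."""
        effective = set(self.roles.get(user, set()))
        if protection_set is not None:
            effective |= self.protection_sets.get(protection_set, {}).get(user, set())
        return effective

    def subscription_admins(self) -> set:
        return {u for u, r in self.roles.items() if "Administrator" in r}

    def unassign(self, actor: str, user: str, role: str, protection_set: str = None) -> bool:
        """Remove a role from a user.

        Refuses a subscription-level change that would leave the subscription
        without an Administrator. Returns True when the actor removed their own
        Administrator role, which the caller should confirm explicitly because
        the actor cannot restore that role themselves afterwards.
        """
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}")
        if protection_set is None:
            if role == "Administrator" and self.subscription_admins() == {user}:
                raise PermissionError("at least one subscription-level Administrator must remain")
            self.roles.get(user, set()).discard(role)
        else:
            self.protection_sets.setdefault(protection_set, {}).get(user, set()).discard(role)
        return actor == user and role == "Administrator" and protection_set is None
```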