This topic helps you understand the PX-Backup Security, how it is useful to your enterprise, and how you can access it to define roles and assign roles to users.
PX-Backup Security is a built-in feature in PX-Backup. PX-Backup Security allows you to control user access to certain resources by setting governance policies and managing permissions for the application owners on the platform. PX-Backup Security is a role-based access control (RBAC) system that enables authorization for users or user groups through an existing OIDC authentication service such as Keycloak and Okta.
PX-Backup allows mapping users or user groups to specific roles. These roles control actions and permissions that a user is allowed to perform. Administrators set the scope of access and allow users to share resources.
PX-Backup Security allows administrators and application owners manage access to the following resources:
- Cloud Accounts
- Backup Locations
- Schedule policies
Kuberenetes administrators and application owners use PX-Backup Security to configure backups and restores, by providing a granular level of authorization to PX-Backup resources. PX-Backup security supports different levels of authorization across multiple PX-Backup deployments while retaining the same user management and authentication.
PX-Backup is managed using PX-Central which provides OIDC integration. PX-Backup Security for clusters is controlled by Kubernetes access control. Administrators can add their clusters in PX-Backup with the credentials or Kubeconfig assigned to them. PX-Backup inherits the permissions from Kubernetes and displays the resources that a user contains permission to access.
PX-Backup built-in roles
The PX-Backup built-in roles match user personas managing the Kubernetes infrastructure and applications:
Infrastructure administrator (px-backup.infra.admin): The infrastructure owner with administrator privileges for PX-Backup resources such as cloud accounts, backup locations, schedules, and rules. Infrastructure administrators create custom rules, in addition to the built-in rules in PX-Backup. Infrastructure owners or any user can create a shared resource pool to share backup locations, schedules, and backup rules with other users.
Application administrator (px-backup.app.admin): Application administrators can manage applications they own. Application administrators contain privileges for schedules and rules, and can use existing cloud accounts.
Application user (px-backup.app.user): The application users who can backup and restore applications, but cannot create a schedule policy or rules.
PX-Backup does not allow editing the built-in roles, but you can duplicate them.
If an Infrastructure administrator removes certain role permissions from a user, then the user is automatically assigned with the updated permissions. Thereafter, PX-Backup restricts any actions (for example, deleting) on the objects created by the user using the old permissions.
Access PX-Backup Security
Perform the following steps to access PX-Backup Security:
Log in to PX-Backup using the infrastructure administrator credentials.
Select the PX-Backup Security option from the profile menu in the lower left corner of the PX-Backup page.
The PX-Backup Security includes:
- Role Mapping: Displays all existing OIDC users (when you integrate PX-Backup with an external OIDC), and new users added by the infrastructure administrator using PX-Backup Keycloak.
- Roles: Displays the three built-in roles, by default, and new roles added by the infrastructure administrator.