Afi G Suite backup application has a flexible and granular role model which allows to:
- delegate backup administration to the group of trusted users (referred to as Backup Operators)
- configure limited self-service access for domain users
Role model granularity allows an administrator to grant only a limited set of permissions which will suit his/her own security and business needs - for example, the Backup Operator group can be configured to be allowed to supervise backup progress and health and perform restore on user demand, but to be forbidden to browse any user's data. For security reasons self-service is disabled by default and domain super administrator should explicitly enable it.
Any domain super administrator has full administrator access to the domain's data and protection settings in Afi G Suite backup application. If Super Administrator role is removed then the user will no longer have administrator access in Afi application as well. Administrator's access to the backup data can be limited either completely by restricting users' data browse option or partially by limiting mail content preview and/or data download.
How to Configure Backup Operator group and enable self-service
Backup Operator group is comprised of domain users trusted to perform a configured set of backup/restore/administration operations. Once Afi application is installed Backup Operator group is empty so domain super administrator should explicitly add trusted users from the domain to the group and confuger a set of permissions.
To add a user to Backup Operator group
- Go to Configuration → Roles & Self-service
- Open Manage accounts dialogue and choose Backup Operator users, then press apply
Assign Backup Operator permissions
This example configuration allows any member of Backup Operator group to configure protection settings for domain users and to recover their data on demand, but user data browse or download is forbidden.
Assign Self-service user permissions
This example configuration allows any domain user to login in Afi application, browse and download their backup data and recover Mail, Drive, Contacts or Calendar content.
Once you enable self-service, end-users will be able to login to Afi service (app.afi.ai) using their Microsoft 365 or Google Workspace credentials.
Backup Operator permissions explained
- Configure SLA and initiate backup - a member of Backup Operator group is able to configure per-resource (domain user, Shared Drive, SharePoint, Team or Group) protection level (see Configuration → SLA for the full list of protection levels) and the default protection level automatically assigned by Afi application for newly discovered domain resources.
- Access to users' data - a member of Backup Operator group is able to browse backed up data (Mail, Drive, Contacts, Calendars) for all protected resources, but can't preview email content and can't download emails, files, or any other content from the backup.
- Preview email content - a member of Backup Operator group is able to preview email content for all protected users.
- Download data from backup - member of Backup Operator group is able to download backed up data for any domain user
- Recover to another folder - a member of Backup Operator group is able to recover any user's data to a separate folder inside user's account with a Restored by AFI $DATE name. This is the safest recovery option which guarantees that no user data will be accidentally overwritten.
- Recover with overwrite option - a member of Backup Operator group can trigger a recovery operation which restores all backed up items at the same path where they were during a backup. This option should be used with caution as it can overwrite files if they have been changed since the point in time when the backup was done.
- Recover to another account - a member of Backup Operator group is able to recover any user's data in another user account (or in team drive for Drive files). This option should be used with one of the options Allow to recover to another folder (default) or Allow to recover with overwrite option.
Self-service permissions explained
- Access to users data - any domain user is able to browse his/her own data including Mail, Drive, Contacts and Calendars backup content, mail content preview is also enabled when user is browsing his/her own backup.
- Download data - any domain user is able to download emails or files from his/her own backup
- Recover to another folder - any domain user is able to recover his/her own data from any selected backup point in time (for example, a month ago) in a separate folder inside his/her own account.