Afi G Suite Backup application has a flexible and granular role model which allows to:
- delegate backup administration to the group of trusted users (referred to as Backup Operators)
- configure limited self-service access for domain users
Role model granularity allows an administrator to grant only a limited set of permissions that will suit their own security and business needs - for example, the Backup Operator group can be configured to be allowed to supervise backup progress and health and perform restore on user demand, but to be forbidden to browse any user's data. For security reasons self-service is disabled by default and organisation administrator should explicitly enable it.
How to configure Administrator group
By default, an organisation account is created with a single administrator - it's a user who has set up the account. Organisation administrators can be added or removed at Configuration -> Admins tab and have the same level of permissions.
The administrator's access to the backup data can be limited either completely by restricting users' data browse option or partially by limiting mail content preview and/or data download.
Administrators are added by email and are required to have Google Workspace, Google Apps or Microsoft 365 business account to be able to sign-in to Afi application, but they don't need to belong to the Google Workspace / Microsoft 365 domains managed by the application. For example, one can set up an Afi account with Microsoft 365 domain and add an additional administrator with a Gmail account for backup purposes. For security reasons, a new administrator is added in two steps:
1. Organisation administrator invites a new administrator(s) and Afi service sends an email invitation with a sign-up link to their emails. At this point in time, an invitee doesn't have administrator access yet and needs to accept the invitation.
2. A user received an email invitation accepts it by clicking on the link and logging in Afi control panel with their Google account or Microsoft 365 account.
How to configure Backup Operator group and enable self-service
Backup Operator group is configured per Google Workspace or Microsoft 365 tenant and is comprised of domain users trusted to perform a configured set of backup/restore/administration operations in the given tenant. Once Afi application is installed, Backup Operator group is empty so domain super administrator should explicitly add trusted users from the domain to the group and configure a set of permissions.
To add a user to Backup Operator group
- Go to Service → Settings → Roles & Self-service
- Open Manage accounts dialogue and choose Backup Operator users, then press apply
Assign Backup Operator permissions
This example configuration allows any member of Backup Operator group to configure protection settings for domain users and to recover their data on demand, but user data browse or download is forbidden.
Assign Self-service user permissions
This example configuration allows any domain user to login in Afi application, browse and download their backup data and recover Mail, Drive, Contacts, Calendar or Sites content.
Once you enable self-service, end-users will be able to log in to Afi service (app.afi.ai) using their Microsoft 365 or Google Workspace credentials.
Backup Operator permissions explained
- Configure SLA and initiate backup - a member of Backup Operator group is able to configure per-resource (domain user, Shared Drive, SharePoint, Team or Group) protection level (see Service → Settings → SLA for the full list of protection levels) and the default protection level automatically assigned by Afi application for newly discovered domain resources.
- Access to users' data - a member of Backup Operator group is able to browse backed up data (Mail, Drive, Contacts, Calendars, Sites) for all protected resources, but can't preview email content and can't download emails, files, or any other content from the backup.
- Preview email content - a member of Backup Operator group is able to preview email content for all protected users.
- Download data from backup - a member of Backup Operator group is able to download backed up data for any domain user
- Recover to another folder - a member of Backup Operator group is able to recover any user's data to a separate folder inside user's account with a Restored by AFI $DATE name. This is the safest recovery option which guarantees that no user data will be accidentally overwritten.
- Recover with overwrite option - a member of Backup Operator group can trigger a recovery operation that restores all backed up items at the same path where they were during a backup. This option should be used with caution as it can overwrite files if they have been changed since the point in time when the backup was done.
- Recover to another account - a member of Backup Operator group is able to recover any user's data in another user account (or in a team drive for Drive files). This option should be used with one of the options Allow to recover to another folder (default) or Allow to recover with overwrite option.
Self-service permissions explained
- Access to users data - any domain user is able to browse their own data including Mail, Drive, Contacts and Calendars backup content, mail content preview is also enabled when user is browsing their own backup.
- Download data - any domain user is able to download emails or files from their own backup
- Recover to another folder - any domain user is able to recover their own data from any selected backup point in time (for example, a month ago) in a separate folder inside their own account.