Afi G Suite backup application has flexible and granular role model which allows to:
- delegate backup administration to the group of trusted users (referred to as Backup Operators)
- configure limited self-service access for domain users
Role model granularity allows administrator to grant only limited set of permissions which will suite his/her own security and business needs - for example, Backup Operator group can be configured to be allowed to supervise backup progress and health and perform restore on user demand, but to be forbidden to browse any user's data. For security reasons self-service is closed by default and domain super administrator should explicitly enable it.
Any domain super administrator has full administrator access to domain's data and protection settings in Afi G Suite backup application. If user's Super Administrator role is removed then he will no longer has administrator access in Afi application as well. Administrator's access to the backup data can be limited either completely by restricting users data browse or partially by limiting mail content preview and/or data download.
How to Configure Backup Operator group and enable self-service
Backup Operator group is comprised of domain users trusted to perform a configured set of backup / restore / administration operations. After Afi application is installed Backup Operator group is empty so domain super administrator should explicitly add trusted users from the domain to the group and enable desired set of permissions.
To add user to Backup Operator group
- Go to Configuration → Roles & Self-service
- Open Manage accounts dialogue and choose Backup Operator users, then press apply
Assign Backup Operator permissions
This example configuration allows any member of Backup Operator group to configure protection settings for domain users and to recover their data on demand, but user data browse or download is forbidden.
Assign Self-service user permissions
This example configuration allows any domain user to login in Afi application, browse and download their backup data and recover Mail, Drive, Contacts or Calendar content.
Backup Operator permissions explained
- Configure SLA and initiate backup - member of Backup Operator group is able to configure per-resource (domain user or team drive) protection level (see Configuration → SLA for the full list of protection levels) and default protection level automatically assigned by Afi application for newly discovered domain resources.
- Access to users data - member of Backup Operator group is able to browse backed up data (Mail, Drive, Contacts, Calendars) for all protected resources, but can't preview email content and can't download emails, files or any other content from the backup.
- Preview email content - member of Backup Operator group is able to preview email content for all protected users.
- Download data from backup - member of Backup Operator group is able to download backed up data for any domain user
- Recover to another folder - member of Backup Operator group is able to recover any user's data in separate folder inside user's account named like Restored by AFI 2018-10-30 20:13:16. This is the safest recover option which guarantees that no useful data will be accidentally overwritten.
- Recover with overwrite option - member of Backup Operator group can trigger recover operation which restore all backed up items at the same path there they were during backup. This option should be used with caution as it can overwrite files if they have been changed since point in time when backup has been done.
- Recover to another account - member of Backup Operator group is able to recover any user's data in another user account (or in team drive for Drive files). This option should be used with one of the options Allow to recover to another folder (default) or Allow to recover with overwrite option.
Self-service permissions explained
- Access to users data - any domain user is able to browse his/her own data including Mail, Drive, Contacts and Calendars backup content, mail content preview is also enabled when user is browsing his/her own backup.
- Download data - any domain user is able to download emails or files from his/her own backup
- Recover to another folder - any domain user is able to recover his/her own data from any selected backup point in time (for example, a month ago) in separate folder inside his/her own account.