Partner-managed Afi customers can enable partner access and allow partner administrators to access and manage their backups. Access is granted automatically when partner administrator adds customer account directly from the partner control panel by using Google Workspace or Microsoft 365 domain admin credentials. In other cases, when a partner adds a customer by ID or when a customer creates account via a partner onboarding link, the access is disabled by default and should be explicitly granted by a customer account administrator on the Configuration → Partner Access tab.
Partner Access tab is displayed only for partner-managed accounts, so if a customer doesn't see this tab, they need to refresh the page and the tab will appear once the application gets new account settings.
After the access is granted, partner account administrators will be able to configure and manage customer's backup account.
Partner access permissions explained
This section explains the available partner access permissions and what level of access each of them grants.
- Browse resources and tasks - partner account administrators can go inside a customer account in the Afi partner portal, can see a list of resources and their protection statuses, check backup activity, but can't manage or access the backups without additional permissions.
- Manage access - partner account administrators can manage access to a customer account and tenants inside the account. Access settings are configurable on per-account level on the Configuration → Admins and on tenant-level on the Service → Settings → Access groups tabs. When configuring access settings for a customer account or its tenants, please make sure that the corresponding customer account context is selected in the customer selection dropdown on top of the screen.
- Manage tenant settings - partner account administrators can update tenant-level settings (for example, enable extended self-service access for Shared drives or SharePoint sites in a customer tenant). Please note that this setting alone doesn't grant access to manage SLA policies, access permissions or other objects/rules inside a customer tenant.
- Add new tenants - grants partner account administrators an ability to add additional tenants under a customer account (a customer account can contain several Google Workspace, Microsoft 365 or Kubernetes tenants). Not used at the moment - the corresponding functionality will be added in the next service updates, meanwhile, additional tenants can be added under a customer account only by its customer account administrators.
- Configure SLA - partner account administrators can configure backup SLA policies for a customer on the Service → Settings → SLA tab.
- Assign SLA and initiate backup - partner account administrators are able to protect resources (User/Shared Drive/Sharepoint site/Team/etc) in a customer's tenants and manage auto-protection rules on the Service → Protection → AAD groups or the Service → Protection → Organizational units tabs.
- Delete backups - partner account administrators can schedule a delayed deletion (deletion in 7 days) for backups in a customer account.
- Manage notifications - partner account administrators can configure service notifications recipients for a customer tenant on the Configuration → Notifications tab.
- Manage secrets - partner account administrators can configure custom encryption keys for backups in a customer tenant on the Service → Settings → Secrets tab. Should be enabled together with the Configure SLA permission.
- Manage apps - partner account administrators can enable Public API access in a customer account and manage API keys.
- View audit - partner account administrators are able to view audit log events for a customer account (history of export and recovery operations, system settings changes, etc).
- View alerts - partner account administrators are able to view alerts for a customer account (for example, alerts regarding possible ransomware incidents).
- Browse backup data - partner account administrators are able to browse backup data for all backups in a customer account, but can't export the data or preview email/chat messages without additional permissions.
- Preview email and chats content - partner account administrators are able to see email and chat messages content in all backups in a customer account.
Data recovery and export
- In-place recovery - partner account administrators can trigger a recovery operation that restores selected items (for example, emails/files) in a backup at the same paths where they were during a backup. This recovery mode should be used with caution as it will overwrite files if they have been changed since the point in time when the backup was done.
- Recovery to another folder - partner account administrators are able to recover backup data to a separate folder/location inside a restore destination resource. This is the safest recovery option which guarantees that no data will be accidentally overwritten.
- Recovery to another resource - partner account administrators are able to recover backup data in another resource. This option should be enabled together with one of the following options - Recovery to another folder or In-place recovery.
- Data export - partner account administrators are able to download backup data from all backups in a customer account.