# Name of the role that registers access policies. NOTE(review): access_policy_admin is also
# referenced inside the company_admin composite role below but is not declared as a key in the
# roles map — presumably defined elsewhere; confirm.
access_policy_register: access_policy_admin

# List of all well-known roles and their implications:
#
# Here 'well-known' means that these roles are used either without reference to a resource server,
# or with the reference equal to 'tenant-id'.
#
# Role names starting with exclamation mark (!) are special:
#  - if such a name appears in the definition of a composite user role whose name coincides with the
#    part of the special name that follows the exclamation mark, it is a so-called self-reference role
#    (e.g., !root_admin in the definition of the root_admin role).
#  - if such a name is encountered in the list of 'implied access policies for registered entity' of a
#    resource server or a client, the corresponding composite user role is added to the server's/client's
#    access token 'as-is', without being expanded to the list of its constituent roles.
#
# It looks like these unexpanded composite roles are needed to support certain services that only
# check the caller's access token for the presence of certain composite roles, not for their equivalent
# implied roles.
roles:
  # user composite roles
  # Composite roles expand to the constituents listed; the quoted names starting with "!" are the
  # self-reference markers described in the header comment above.
  # NOTE(review): access_policy_admin (listed in company_admin) is not declared as a key in this
  # map — presumably defined elsewhere; confirm.
  root_admin: [ tenant_admin, user_admin, "!root_admin", backup_admin, dr_infra_admin, dr_admin, backup_storage_admin, "agent_manager::admin", "storage_migration::root" ]
  partner_admin: [ tenant_admin, user_admin, "!partner_admin", backup_admin, dr_infra_admin, dr_admin, backup_storage_admin, "agent_manager::admin", "storage_migration::admin" ]
  company_admin: [ tenant_admin, user_admin, backup_admin, access_policy_admin, "!company_admin", dr_admin, backup_storage_admin, "agent_manager::admin", unit_admin ]
  unit_admin: [ tenant_admin, user_admin, backup_admin, "!unit_admin", backup_storage_admin ]
  backup_user: [ backup_admin, "!backup_user" ] # bad hacky role, MUST be replaced by normal backup self-service role
  # total_protection_admin: [ backup_admin, security_admin ]
  # NOTE(review): "storage::storage_readwrite" has no matching role under resource_servers.storage
  # (which declares readonly / readwrite / replication_master), and index_manager declares no roles
  # section for "index_manager::admin" to match — confirm these are declared elsewhere or are stale.
  backup_admin: [ backup_agent_admin, tenant_viewer, "task_manager::viewer","task_manager::issuer", "credentials_store::owner",
    "resource_manager::admin", "policy_manager::admin", "vault_manager::admin", "alert_manager::admin", "storage::readwrite",
    "agent_manager::agent_unregistrator", "agent_manager::agent_unregistrar",
    "agent_manager::agent_viewer", "apn::requestor", "scan_service::admin",
    "agent_manager::host_manager", "index_manager::admin", "!backup_admin",
    "credentials_store::admin", "storage::storage_readwrite" ]
  # backup_user
  # security_admin: [ security_agent_admin ]
  # "oauth2_client_admin(<client type>)" is the resource-scoped form of the atomic oauth2_client_admin
  # role; the same names appear as allowed_registrators in the clients section of this file.
  backup_agent_admin: [ "oauth2_client_admin(backup_agent)", "resource_manager::admin",
    "agent_manager::agent_registrator", "agent_manager::agent_registrar"
  ]
  # security_agent_admin: [ oauth2_client_admin ]
  backup_storage_admin: [ "oauth2_client_admin(backup_storage)", infra_admin ]
  hci_admin: [ backup_storage_admin ]
  dr_admin: [ "oauth2_client_admin(dr)", "dr_service::admin" ]
  dr_infra_admin: [ "oauth2_client_admin(dr_infra_admin)", "!dr_infra_admin" ]
  # ap_security_agent: []
  # Also granted as-is to the backup_storage_engine client (clients section).
  backup_storage_engine: [ usage_reporter ]
  tenant_admin: [ tenant_viewer , "!tenant_admin"] # manage (create, update, delete) tenants, tenant settings (incl branding etc), licenses/quotas in tenant

  # atomic roles (set of permissions)
  tenant_viewer: [] # read access to tenants
  user_admin: [] # manage (create, update, delete) users, user groups and user access policies in tenant
  oauth2_client_admin: [] # manage (create, update, delete) OAuth2 clients and associated access policies in tenant
  usage_reporter: [] # report (update) usage in tenant
  infra_admin: [] # manage (create, update, delete) storage installations in tenant

  # legacy roles
  storage_readonly: [ "storage::readonly" ]
  storage_readwrite: [ "storage::readwrite" ]
  storage_replication_master: [ "storage::replication_master" ]
  # NOTE(review): "anonymous" carries oauth2_client_admin(backup_agent), oauth2_client_admin(backup_storage)
  # and the agent registrator/registrar grants — the same policies the clients section lists as
  # allowed_registrators for agent and storage clients — so any token holding it can register those
  # client types. Confirm where (if anywhere) this role is still issued and whether it can be retired
  # with the other legacy roles.
  anonymous: [ "oauth2_client_admin(backup_agent)", "oauth2_client_admin(backup_storage)", "!anonymous", "agent_manager::agent_registrator", "agent_manager::agent_registrar" ]

# resource servers define how (with what access) different services must register and what access policies these services will get in their Access Tokens
# the format is the following:
#
# service_name:  <- name of the service
#   implied_access_policies_for_registered_entity:    <- list of policies that will be implicitly added to any token issued for the service
#     - { role: "task_manager::issuer", path: "some_queue" }
#   roles: <- list of roles defined by this resource server (in the scope of this resource server)
#     role1: [] <- some role
#     role2: [service_name::role1]  <- some role that implies a role of the same service
#
# NOTE(review): several policies referenced in this section have no matching declaration anywhere in
# this file (e.g. task_manager::trusted_viewer / ::importer, notary::admin / ::user,
# policy_management::read, c2c_backup_manager::admin, website_backup_manager::admin,
# catalog_browser::admin, index_manager_agent::admin). Presumably they are declared elsewhere or the
# loader accepts undeclared names as opaque strings — confirm, since a typo here would fail silently.
resource_servers:

  hierarchy_resolver:
    roles:
      consumer: []

  # "service:queue:role" entries (e.g. task_manager:dr-service:issuer) presumably scope the role to a
  # single task queue, matching the { role, path } form shown in the format comment above — TODO confirm.
  dr_service:
    implied_access_policies_for_registered_entity:
      - "apn::requestor"
      - "credentials_store::owner"
      - "oauth2_client_admin(dr)"   # to be able to re-register VPN server client when migrating a tenant
      - "policy_manager::admin"
      - "resource_manager::admin"
      - "scheduler::admin"
      - "task_manager::trusted_viewer"
      - "task_manager:dr-service:consumer"
      - "task_manager:dr-service:issuer"
      - "task_manager:dr-vpn-service:issuer"
      - "task_manager:runvm_delta_create:issuer"
      - "task_manager:runvm_delta_delete:issuer"
      - "task_manager:runvm_gateway:issuer"
      - "task_manager:runvm_vm_create:issuer"
      - "task_manager:runvm_vm_delete:issuer"
      - "task_manager:runvm_vm_finalize:issuer"
      - "vault_manager::admin"
      - "tenant_viewer"
      - "task_manager:queue_run_vm_to_drc:issuer"
      - "task_manager:queue_finalize_vm_in_drc:issuer"
      - "task_manager:queue_delete_prepared_for_dr:issuer"
      - "task_manager:queue_prepare_for_dr:issuer"
      - "task_manager:queue_unmount_vm_in_drc:issuer"
      - "task_manager:queue_unmount_vm:issuer"
      - "task_manager::viewer"
    roles:
      admin: [] # manage DR in company
      vpn_appliance: [] # role for VPN Appliance
      vpn_server: [] # role for VPN Server

  runbook_manager:
    implied_access_policies_for_registered_entity:
      - "task_manager:queue_runbooks:issuer"
      - "task_manager:queue_runbooks:consumer"
      - "dr_service::admin"
      - "task_manager::trusted_viewer"
      - "tenant_viewer"
      - "task_manager::viewer"
    roles:
      admin: []

  provision_manager:
    implied_access_policies_for_registered_entity:
      - "task_manager:dr-service:issuer"
      - "task_manager:queue_catalog_decommission_tasks:issuer"
      - "task_manager:queue_catalog_decommission_tasks:viewer"
      - "tenant_viewer"
    roles:
      admin: []

  resource_manager:
    implied_access_policies_for_registered_entity:
      - "hierarchy_resolver::consumer"
      - "task_manager:rm_decommission:consumer"
      - "tenant_viewer"
    roles:
      admin: [] # manage (register, update, unregister) resources, alias for c2c_resource_manager::admin(tenant), computer_resource_manager::admin(tenant)

  zmqgw:
    implied_access_policies_for_registered_entity:
      - "credentials_store::consumer"
      - "vault_manager::admin"
      - "resource_manager::admin"
      - "policy_manager::admin"
      - "policy_management::read"
      - "task_manager::importer"
      - "task_manager::viewer"
      - "tenant_viewer"
    roles:
      admin: []

  # NOTE(review): ams is the only resource server in this section granted tenant_admin (tenant
  # management, per the roles section) rather than tenant_viewer — confirm it needs write access to tenants.
  ams:
    implied_access_policies_for_registered_entity:
      - "credentials_store::consumer"
      - "vault_manager::admin"
      - "resource_manager::admin"
      - "policy_manager::admin"
      - "task_manager::issuer"
      - "task_manager::viewer"
      - "tenant_admin"
    roles:
      admin: []

  backup_notification_service:
    implied_access_policies_for_registered_entity:
      - "tenant_viewer"
    roles:
      admin: []

  wb_migration:
    implied_access_policies_for_registered_entity:
      - "credentials_store::owner"
      - "website_backup_manager::admin"
      - "tenant_viewer"
    roles:
      admin: []

  task_manager:
    implied_access_policies_for_registered_entity:
      - "task_manager::cluster_sync"
      - "hierarchy_resolver::consumer"
      - "tenant_viewer"
    roles:
      viewer: [] # list tasks (without taking into account which task queues they belongs) in tenant
      issuer: [] # push tasks into a specific task queue in tenant
      consumer: [] # pop task from a specific task queue in tenant
      admin: [] # full access
      downstream_sync: [] # accept tasks from downstream Task Manager services
      cluster_sync: [] # sync state in a Task Manager cluster

  scheduler:
    implied_access_policies_for_registered_entity:
      - "policy_manager::admin"
      - "vault_manager::admin"
      - "tenant_viewer"
    roles:
      admin: []

  # Per the role comments below, "consumer" is the only role that can read a credentials object's
  # secret; an entity granted both consumer and owner therefore has full access to credentials objects.
  credentials_store:
    implied_access_policies_for_registered_entity:
      - "hierarchy_resolver::consumer"
      - "task_manager:credentials_decommission:consumer"
      - "tenant_viewer"
    roles:
      admin: []    # access rights to read credentials object metadata (not secret) and add external ids
      consumer: [] # full read access plus access to read the credentials object secret
      owner: []    # full credentials object management access rights, with the exception of reading the secret

  alert_inspector:
    implied_access_policies_for_registered_entity:
      - "task_manager::issuer"
      - "policy_manager::admin"
      - "resource_manager::admin"
      - "alert_manager::admin"
      - "tenant_viewer"

  policy_manager:
    roles:
      admin: []

  frs:
    roles:
      admin: []

  corp-wl:
    roles:
      admin: []

  bitdefender-cleanset:
    roles:
      admin: []

  endpoint_protection_manager:
    implied_access_policies_for_registered_entity:
      - "task_manager:dr_backup_queue:issuer"
      - "task_manager:cleanup:issuer"
      - "task_manager::trusted_viewer"
      - "task_manager::importer"
      - "task_manager::issuer"
      - "task_manager::consumer"
      - "scheduler::admin"
      - "vault_manager::admin"
      - "resource_manager::admin"
      - "policy_manager::admin"
      - "alert_manager::admin"
      - "oauth2_client_admin(backup_agent)"
      - "tenant_viewer"
      - "apn::requestor"

  backup_policy_manager:
    implied_access_policies_for_registered_entity:
      - "task_manager:dr_backup_queue:issuer"
      - "task_manager:cleanup:issuer"
      - "scheduler::admin"
      - "vault_manager::admin"
      - "resource_manager::admin"
      - "policy_manager::admin"
      - "tenant_viewer"

  virtual_policy_manager:
    implied_access_policies_for_registered_entity:
      - "task_manager::issuer"
      - "scheduler::admin"
      - "vault_manager::admin"
      - "resource_manager::admin"

  eapp_policy_manager:
    implied_access_policies_for_registered_entity:
      - "task_manager::issuer"
      - "scheduler::admin"
      - "vault_manager::admin"
      - "resource_manager::admin"

  archive_policy_manager:
    implied_access_policies_for_registered_entity:
      - "task_manager::issuer"
      - "scheduler::admin"
      - "vault_manager::admin"
      - "tenant_viewer"

  archive_browse_service:
    implied_access_policies_for_registered_entity:
      - "storage::readonly"
      - "notary::admin"
      - "tenant_viewer"

  c2c_archmgmt_agent:
    implied_access_policies_for_registered_entity:
      - "storage::readwrite"
      - "task_manager:queue_c2c_retention:consumer"
      - "task_manager:queue_c2c_migration:consumer"
      - "task_manager::trusted_viewer"
      - "c2c_backup_manager::admin"
      - "vault_manager::admin"
      - "tenant_viewer"

  o365_c2c_backup_agent:
    implied_access_policies_for_registered_entity:
      - "storage::readwrite"
      - "task_manager:queue_o365_backup:consumer"
      - "task_manager:queue_o365_backup_inc:consumer"
      - "task_manager:queue_o365_restore:consumer"
      - "task_manager:queue_o365_discovery:consumer"
      - "task_manager::trusted_viewer"
      - "c2c_backup_manager::admin"
      - "vault_manager::admin"
      - "notary::admin"
      - "tenant_viewer"

  gsuite_c2c_backup_agent:
    implied_access_policies_for_registered_entity:
      - "storage::readwrite"
      - "task_manager:queue_gsuite_backup:consumer"
      - "task_manager:queue_gsuite_backup_inc:consumer"
      - "task_manager:queue_gsuite_restore:consumer"
      - "task_manager:queue_gsuite_discovery:consumer"
      - "task_manager::trusted_viewer"
      - "c2c_backup_manager::admin"
      - "vault_manager::admin"
      - "notary::admin"
      - "tenant_viewer"
      - "task_manager:queue_gsuite:consumer"

  email_archiver:
    implied_access_policies_for_registered_entity:
      - "storage::readwrite"
      - "task_manager:queue_email_archiver_restore:consumer"
      - "task_manager::trusted_viewer"
      - "c2c_backup_manager::admin"
      - "vault_manager::admin"
      - "tenant_viewer"

  website_c2c_backup_agent:
    implied_access_policies_for_registered_entity:
      - "storage::readwrite"
      - "task_manager:queue_website:consumer"
      - "task_manager::trusted_viewer"
      - "website_backup_manager::admin"
      - "vault_manager::admin"
      - "credentials_store::consumer"
      - "tenant_viewer"

  c2c_backup_manager:
    implied_access_policies_for_registered_entity:
      - "task_manager::issuer"
      - "task_manager:queue_c2c_acc_registration:consumer"
      - "task_manager:queue_c2c_protection:consumer"
      - "task_manager:queue_c2c_upgrade:consumer"
      - "task_manager::trusted_viewer"
      - "scheduler::admin"
      - "vault_manager::admin"
      - "policy_manager::admin"
      - "tenant_viewer"
      - "credentials_store::owner"
      - "credentials_store::consumer"

  website_backup_manager:
    implied_access_policies_for_registered_entity:
      - "task_manager::issuer"
      - "task_manager:queue_website_protection:consumer"
      - "task_manager::trusted_viewer"
      - "scheduler::admin"
      - "vault_manager::admin"
      - "tenant_viewer"

  simple_backup_manager:
    implied_access_policies_for_registered_entity:
      - "task_manager::issuer"
      - "scheduler::admin"
      - "vault_manager::admin"
      - "tenant_viewer"

  protection_status_service:
    implied_access_policies_for_registered_entity:
      - "policy_manager::admin"
      - "resource_manager::admin"
      - "alert_manager::admin"
      - "tenant_viewer"

  vault_manager:
    implied_access_policies_for_registered_entity:
      - "task_manager::issuer"
      - "task_manager:vm_decommission:consumer"
      - "scheduler::admin"
      - "tenant_viewer"
    roles:
      admin: []

  # NOTE(review): index_manager declares no roles section, yet index_manager::admin / ::registration /
  # ::index_operator / ::task_executor are granted elsewhere in this file — confirm they are declared
  # elsewhere or that undeclared role names are accepted.
  index_manager:
    implied_access_policies_for_registered_entity:
      - "task_manager:queue_catalog_indexer_tasks:issuer"
      - "task_manager:queue_catalog_indexer_tasks:viewer"
      - "task_manager:queue_catalog_indexer_hpriority_tasks:issuer"
      - "task_manager:queue_catalog_indexer_hpriority_tasks:viewer"
      - "task_manager:queue_catalog_index_tasks:consumer"
      - "task_manager:queue_catalog_decommission_tasks:consumer"
      - "vault_manager::admin"
      - "index_manager_agent::admin"
      - "tenant_viewer"

  index_manager_agent:
    implied_access_policies_for_registered_entity:
      # Unquoted, unlike every other entry in this section; it still parses as the same string,
      # but quoting it would match the surrounding style.
      - index_manager::registration
      - "tenant_viewer"

  catalog_manager:
    implied_access_policies_for_registered_entity:
      - "task_manager:queue_catalog_browser_tasks:issuer"
      - "catalog_browser::admin"
      - "tenant_viewer"
    roles:
      admin: []

  catalog_browser:
    implied_access_policies_for_registered_entity:
      - "task_manager:queue_catalog_browser_tasks:consumer"
      - "catalog_manager::admin"
      - "index_manager::index_operator"
      - "tenant_viewer"

  catalog_indexer:
    implied_access_policies_for_registered_entity:
      - "task_manager:queue_catalog_indexer_tasks:consumer"
      - "task_manager:queue_catalog_indexer_hpriority_tasks:consumer"
      - "credentials_store::consumer"
      - "storage::readwrite"
      - "tenant_viewer"
      - "index_manager::index_operator"
      - "index_manager::task_executor"

  alert_manager:
    implied_access_policies_for_registered_entity:
      - "hierarchy_resolver::consumer"
      - "tenant_viewer"
    roles:
      admin: []

  # NOTE(review): a bare implied_access_policies_for_registered_entity: key parses as null, not as an
  # empty list (same for monitoring and storage_migration below) — confirm the loader tolerates null
  # here, otherwise write [] explicitly.
  storage:
    implied_access_policies_for_registered_entity:
    roles:
      readonly: []
      readwrite: []
      replication_master: []

  apn:
    roles:
      requestor: []
      node: []

  agent_manager:
    implied_access_policies_for_registered_entity:
      - "agent_manager::admin"
      - "policy_manager::admin"
      - "tenant_viewer"
      - "task_manager:ATP_ResourceDiscovery:issuer"
      - "task_manager:ATP_RemoteInstall:issuer"
      - "task_manager:ATP_CheckCreds:issuer"
      - "task_manager:ATP_RegisterHost:issuer"
      - "apn::requestor"
    roles:
      # registrator/registrar and unregistrator/unregistrar are declared as separate roles and are
      # always granted in pairs elsewhere in this file — presumably spelling aliases; confirm.
      agent_registrator: []
      agent_registrar: []
      agent_unregistrator: []
      agent_unregistrar: []
      agent_viewer: []
      agent_conn_state_reporter: []
      host_manager: []
      host_uploader: []
      ou_uploader: []
      admin: []

  agent_gateway:
    implied_access_policies_for_registered_entity:
      - "agent_manager::agent_conn_state_reporter"
      - "tenant_viewer"

  stats_server:
    implied_access_policies_for_registered_entity:
      - "vault_manager::admin"
      - "tenant_viewer"

  am_eventproc_service:
    implied_access_policies_for_registered_entity:
      - "task_manager::viewer"
      - "vault_manager::admin"
      - "resource_manager::admin"
      - "policy_manager::admin"
      - "alert_manager::admin"
      - "tenant_viewer"

  am_playbook_service:
    implied_access_policies_for_registered_entity:
      - "agent_manager::host_manager"
      - "task_manager::viewer"
      - "vault_manager::admin"
      - "resource_manager::admin"
      - "policy_manager::admin"
      - "alert_manager::admin"
      - "task_manager:ATP_FixNowMicrosoft:issuer"
      - "task_manager:ATP_FixNowThirdParty:issuer"
      - "agent_manager::agent_viewer"
      - "tenant_viewer"
      - "scan_service::viewer"
      - "apn::requestor"

  atp_grpm_addon:
    implied_access_policies_for_registered_entity:
      - "scan_service::admin"
      - "policy_manager::admin"
      - "vault_manager::admin"
      - "tenant_viewer"

  alerts_feed_manager:
    implied_access_policies_for_registered_entity:
      - "resource_manager::admin"
      - "policy_manager::admin"
      - "alert_manager::admin"
      - "task_manager::issuer"
      - "tenant_viewer"

  # NOTE(review): scan_service is granted task_manager::admin ("full access" per task_manager.roles),
  # where every other server in this section gets issuer / viewer / consumer — confirm the broader grant is required.
  scan_service:
    implied_access_policies_for_registered_entity:
      - "task_manager::admin"
      - "vault_manager::admin"
      - "hierarchy_resolver::consumer"
      - "tenant_viewer"
      - "ams::admin"
    roles:
      agent: []
      admin: []
      viewer: []

  monitoring:
    implied_access_policies_for_registered_entity:
    roles:
      provider: []
      viewer: []
      admin: []

  api_gateway:
    implied_access_policies_for_registered_entity:
      - "tenant_viewer"

  files_protect_service:
    implied_access_policies_for_registered_entity:
      - "notary::user"
      - "tenant_viewer"

  storage_migration:
    implied_access_policies_for_registered_entity:
    roles:
      root: []
      admin: []

  platform_storagemgr:
    implied_access_policies_for_registered_entity:
      - "storage::readwrite"
      - "tenant_viewer"
    roles:
      storage_addr_requester: []
      client_crt_requester: []

  agent_resources:
    roles:
      read: []

  cyber_scripting_executor:
    roles:
      admin: []

  atp_agent:
    roles:
      admin: []
      operation: []
      av_scanner: []
      component_manager: []
      notifier: []
      policy_manager: []
      policy_reader: []
      remote_desktop: []
      remote_assistance: []
      scheduled_notification: []
      vapm_info: []

  atp_scan_agent:
    roles:
      admin: []

  atp_downloader:
    roles:
      admin: []
      configurator: []
      readonly: []

  update_controller:
    roles:
      admin: []
      notifier: []
      readonly: []

  mi_monitoring:
    roles:
      admin: []
      model_manager: []
      scheduler: []

  sh_inventory:
    roles:
      admin: []
      hwi_scanner: []
      swi_scanner: []
      hwi_viewer: []
      swi_viewer: []

# possible agents that may be registered (installed) and also need their own Access Tokens
# Per entry: implied_access_policies_for_registered_entity are the policies placed in the client's own
# token, and allowed_registrators — judging by the inline comments — the policy a caller must hold to
# register / deregister that client type (TODO confirm against the consumer).
clients:
  agent_core:
    implied_access_policies_for_registered_entity:
      - "agent_manager::agent_registrator"
      - "agent_manager::agent_registrar"
      - "agent_manager::agent_unregistrator"
      - "agent_manager::agent_unregistrar"
      - "agent_manager::agent_viewer"
      - "agent_manager::unit_configuration_viewer"
      # NOTE(review): the grant below lets an agent_core token administer backup_agent OAuth2 clients,
      # which is exactly the allowed_registrators policy of computer_backup_agent / mms / atp-agent below;
      # track the linked ticket so it is removed once the token exchange exists.
      - "oauth2_client_admin(backup_agent)" # hack for 9.0 summit, to be removed when proper registration token -> jwt exchange is implemented https://pmc.acronis.com/browse/PLTFRM-14881
      - "apn::node"
      - "agent_resources::read"
    # Unscoped oauth2_client_admin here, whereas every other client uses the resource-scoped form.
    allowed_registrators: [ oauth2_client_admin ]

  computer_backup_agent:
    # public_client_id values contain letters, so they parse as strings even unquoted.
    public_client_id: cf55edc2-02c0-11e8-ba89-0ed5f89f718b # backup agent installer for ABC 7.7
    implied_access_policies_for_registered_entity:
      - "task_manager::consumer"
      - "credentials_store::consumer"
      - "storage::readwrite"
      - "policy_manager::admin"
      - "resource_manager::admin"
      # NOTE(review): "queue1" reads like a placeholder queue name (also granted to the legacy
      # backupAgent client) — confirm it is a real queue.
      - "task_manager:queue1:consumer"
    allowed_registrators: [ oauth2_client_admin(backup_agent) ] # Registration / deregistration of backup agent in backup management services

  mms: # role for mms unit of agent_core
    implied_access_policies_for_registered_entity:
      # consumer + owner together give full access to credentials objects, including reading the secret
      # (see the credentials_store role comments).
      - "credentials_store::consumer"
      - "credentials_store::owner"
      - "policy_manager::admin"
      - "resource_manager::admin"
      - "storage::readwrite"
      - "task_manager::consumer"
      - "tenant_viewer"
      - "platform_storagemgr::storage_addr_requester"
      - "platform_storagemgr::client_crt_requester"
    allowed_registrators: [ oauth2_client_admin(backup_agent) ] # Registration / deregistration of backup agent in backup management services
    # NOTE(review): respect_barriers is not described anywhere in this file — confirm its semantics with the consumer.
    respect_barriers: true

  backup_storage_engine:
    public_client_id: cf55fae2-02c0-11e8-ba89-0ed5f89f718b
    implied_access_policies_for_registered_entity:
      # The composite user role backup_storage_engine (-> usage_reporter) from the roles section; unquoted
      # unlike the other entries, but it parses as the same string.
      - backup_storage_engine
    allowed_registrators: [ oauth2_client_admin(backup_storage) ] # Registration / deregistration of storage engine in backup management services

  vpn-appliance:
    public_client_id: cf55fd62-02c0-11e8-ba89-0ed5f89f718b
    implied_access_policies_for_registered_entity:
      # NOTE(review): per the header comment, "!company_admin" places the composite company_admin role
      # into this appliance's token unexpanded; a machine credential running on the customer side thus
      # carries a tenant-level admin role name — confirm which service checks require it.
      - "!company_admin"
      - "task_manager:dr-vpn-service:consumer"
      - "dr_service::vpn_appliance"
    allowed_registrators: [ oauth2_client_admin(dr) ] # Registration / deregistration of vpn appliance (running on customer side) to enable connectivity with customer primary / recovery servers (running on Acronis cloud side)

  vpn-server:
    public_client_id: cf560398-02c0-11e8-ba89-0ed5f89f718b # dr deployment system
    implied_access_policies_for_registered_entity:
      # Same unexpanded company_admin grant as vpn-appliance above — same review point applies.
      - "!company_admin"
      - "task_manager:dr-vpn-service:consumer"
      - "dr_service::vpn_server"
    allowed_registrators: [ oauth2_client_admin(dr) ] # Registration / deregistration of vpn server (server side for vpn appliance)

  dr_backup_agent:
    implied_access_policies_for_registered_entity:
      - "task_manager:dr_backup_queue:consumer"
      - "task_manager:cleanup:consumer"
      - "storage::readwrite"
    allowed_registrators: [ oauth2_client_admin(dr_infra_admin) ]

  run_vm_agent:
    implied_access_policies_for_registered_entity:
      - "task_manager:runvm_delta_create:consumer"
      - "task_manager:runvm_delta_delete:consumer"
      - "task_manager:runvm_gateway:consumer"
      - "task_manager:runvm_vm_create:consumer"
      - "task_manager:runvm_vm_delete:consumer"
      - "task_manager:runvm_vm_finalize:consumer"
      - "task_manager:dr_backup_queue:consumer"
      - "task_manager:cleanup:consumer"
      - "credentials_store::consumer"
      - "vault_manager::admin"
      - "storage::readwrite"
      - "agent_resources::read"
    allowed_registrators: [ oauth2_client_admin(dr_infra_admin) ] # Registration / deregistration of run vm agent on Acronis cloud side

  run_vm_controller:
    implied_access_policies_for_registered_entity:
      - "credentials_store::consumer"
      - "storage::readonly"
    allowed_registrators: [ oauth2_client_admin(dr_infra_admin) ]

  run_vm_gateway:
    allowed_registrators: [ oauth2_client_admin(dr_infra_admin) ]

  atp-agent:
    implied_access_policies_for_registered_entity:
      # Queue-name patterns containing "*" / "#": keep them quoted so YAML never reads those
      # characters as alias or comment indicators. The wildcard presumably matches every queue with
      # that prefix — confirm how the consumer expands it, since it widens the grant accordingly.
      - "task_manager:ATP_*:consumer"
      - "task_manager:ATP_*:issuer"
      - "task_manager:SHI_VA:issuer"
      - "task_manager:x#ATP_*:consumer"
      - "task_manager::trusted_viewer"
      - "task_manager:cti.a.p.tm.queue.v1.0~a.swd.deploy.v1.0:consumer"
      - "task_manager:cti.a.p.tm.queue.v1.0~a.swd.deploy.v1.0:issuer"
      - "agent_manager::host_uploader"
      - "agent_manager::ou_uploader"
      - "monitoring::provider"
      - "scan_service::agent"
      - "storage::readwrite"
      - "policy_manager::admin"
      - "vault_manager::admin"
      - "tenant_viewer"
      - "credentials_store::consumer"
      - "resource_manager::admin"
      - "agent_resources::read"
      - "atp_downloader::admin"
      - "sh_inventory::admin"
      - "sh_inventory::swi_scanner"
    allowed_registrators: [ oauth2_client_admin(backup_agent) ] # Registration / deregistration of atp agent on Acronis cloud side

  atp-downloader:
    implied_access_policies_for_registered_entity:
      - "atp_downloader::admin"
      - "atp_agent::vapm_info"
    allowed_registrators: [ oauth2_client_admin(backup_agent) ] # Registration / deregistration of atp downloader

  sync-unit:
    implied_access_policies_for_registered_entity:
      - "policy_manager::admin"
      - "scheduler::admin"
      - "agent_resources::read"
    allowed_registrators: [ oauth2_client_admin(backup_agent) ] # Registration / deregistration of sync unit on Acronis cloud side

#  ap_security_agent

  # NOTE(review): this legacy client token carries oauth2_client_admin(backup_agent) and
  # agent_manager::agent_registrar, i.e. it can register further clients/agents of its own type;
  # flag for retirement review alongside the legacy roles section.
  backupAgent: # legacy
    implied_access_policies_for_registered_entity:
      - "task_manager::consumer"
      - "storage::readwrite"
      - "policy_manager::admin"
      - "resource_manager::admin"
      - "agent_manager::agent_registrar"
      - "oauth2_client_admin(backup_agent)"
      - "tenant_viewer"
      - "task_manager:queue1:consumer"
    allowed_registrators: [ oauth2_client_admin(backup_agent) ] # Registration / deregistration of backup agent in backup management services
    respect_barriers: true

  active_protection:
    implied_access_policies_for_registered_entity:
      - "alert_manager::admin"
    allowed_registrators: [ oauth2_client_admin(backup_agent) ] # Registration / deregistration of active_protection on Acronis cloud side

  cgw:
    implied_access_policies_for_registered_entity:
      - "frs::admin"
      - "corp-wl::admin"
      - "bitdefender-cleanset::admin"
    allowed_registrators: [ oauth2_client_admin(backup_agent) ] # Registration / deregistration of cgw on Acronis cloud side

  cyber-protect-service:
    implied_access_policies_for_registered_entity:
      - "frs::admin"
      - "corp-wl::admin"
      - "bitdefender-cleanset::admin"
    allowed_registrators: [ oauth2_client_admin(backup_agent) ] # Registration / deregistration of cyber-protect-service on Acronis cloud side

  task-manager:
    implied_access_policies_for_registered_entity:
      # task_manager::delegate is not among the roles declared for the task_manager resource server
      # in this file — presumably declared elsewhere; confirm.
      - "task_manager::delegate"
    allowed_registrators: [ oauth2_client_admin(backup_agent) ]

  storageNode: # legacy
    implied_access_policies_for_registered_entity:
      # consumer + owner: full credentials access including the secret (see credentials_store roles).
      - "credentials_store::consumer"
      - "credentials_store::owner"
      - "storage::readwrite"
      - "tenant_viewer"
    allowed_registrators: [ oauth2_client_admin(backup_storage) ]

  catalog-browser: # local catalog-browser unit
    implied_access_policies_for_registered_entity:
      - "task_manager:queue_catalog_browser_tasks:consumer"
      - "catalog_manager::admin"
      - "index_manager::index_operator"
      - "tenant_viewer"
    allowed_registrators: [ oauth2_client_admin(backup_agent) ] # local catalog-browser unit

  credentials-store: # agent-side credentials store unit
    allowed_registrators: [ oauth2_client_admin(backup_agent) ]

  scheduler-unit:
    implied_access_policies_for_registered_entity:
      - "atp_agent::scheduled_notification"
      - "mi_monitoring::scheduler"
    allowed_registrators: [ oauth2_client_admin(backup_agent) ] # Registration / deregistration of scheduler

  tray-monitor:
    implied_access_policies_for_registered_entity:
      - "task_manager::viewer"
      - "agent_resources::read"
    allowed_registrators: [ oauth2_client_admin(backup_agent) ] # Registration / deregistration of tray-monitor

  superset:
    # NOTE(review): services_registrar is not declared anywhere in this file — presumably a policy
    # owned by the registrar service; confirm.
    allowed_registrators: [ services_registrar ]

  device-sense:
    implied_access_policies_for_registered_entity:
      - "task_manager:cti.a.p.tm.queue.v1.0~a.device_sense.queue_scan.*:consumer"
      - "task_manager:cti.a.p.tm.queue.v1.0~a.device_sense.queue_scan.*:viewer"
      - "task_manager:cti.a.p.tm.queue.v1.0~a.device_sense.queue_filter.*:consumer"
      - "task_manager:cti.a.p.tm.queue.v1.0~a.device_sense.queue_filter.*:viewer"
    # oauth2_client_admin(self) presumably lets an entity (re)register its own client record — TODO confirm;
    # the same pair is used by mi-monitoring, update-controller and sh-inventory below.
    allowed_registrators: [ oauth2_client_admin(backup_agent), oauth2_client_admin(self) ]

  mi-monitoring:
    implied_access_policies_for_registered_entity:
      - "task_manager::trusted_viewer"
      - "task_manager:MI_*:consumer"
      - "task_manager:MI_*:issuer"
      - "task_manager:CSE_*:issuer"
      - "alert_manager::admin"
      - "atp_agent::policy_reader"
      - "cyber_scripting_executor::admin"
      - "policy_management::read"
      - "agent_resources::read"
    allowed_registrators: [ oauth2_client_admin(backup_agent), oauth2_client_admin(self) ]

  update-controller:
    implied_access_policies_for_registered_entity:
      - "task_manager:x#UpdateFeatureSet:issuer"
      - "task_manager:x#UpdateFeatureSet:consumer"
      - "task_manager:x#UpdateAgent:consumer"
      - "task_manager:x#ATP_RemoteInstall:consumer"
      - "task_manager:x#ATP_RegisterHost:consumer"
      - "task_manager:ATP_CheckCreds:consumer"
      - "task_manager::trusted_viewer"
      - "agent_resources::read"
    allowed_registrators: [ oauth2_client_admin(backup_agent), oauth2_client_admin(self) ]

  sh-inventory: # software and hardware inventory unit
    implied_access_policies_for_registered_entity:
      - "task_manager:SHI_*:consumer"
      - "task_manager::viewer"
      - "resource_manager::admin"
      - "monitoring::provider"
      - "agent_resources::read"
      - "atp_agent::notifier"
    allowed_registrators: [ oauth2_client_admin(backup_agent), oauth2_client_admin(self) ]
