Access model

cBackup user management is based on Yii2 RBAC model as implementation of CSRC NIST RBAC. You can read about Yii2 RBAC in framework official documentation or in Yii2 cookbook. If you are used to Yii v1 RBAC model, make sure you update your knowledge, because Yii2 RBAC is different by obsoleting Role-Task-Permission chain and changing inheritance model.

Note

At this moment RBAC model only limits access to API calls. Later it will be extended to handle access to different cBackup parts and functionality.

User management

Alongside with regular users, there're three system users, that are considered as 'protected'. These users can't be deleted or disabled, but you still are able to change passwords and access tokens for them:

  • Username: cBackup Service; login: JAVACORE
    is used as relation accessor between Java daemon and cBackup API

  • Username: cBackup Console; login: CONSOLE_APP
    is used for writing logs from console workers.

  • Username: Admin; login: ADMIN
    is created during installation process and used as root access to cBackup.

Access rights

These entries represent RBAC model access-level entities of two types: Roles and Permissions. RBAC implements hierarchical access model. Role can have other role or permission as a heir. And permission can belong to a permission or to have other permission as a heir. Both entities can be standalone and not related to any other enity. There're also three 'protected' entries:

  • admin, type: Role
    system entity for root user;

  • APICore, type: Permission
    system entity for JAVACORE user granting him permission to invoke private API calls;

  • APIReader, type: Permission
    system entity granting permission to invoke public API calls.

Rights assignment

These entries represent RBAC entities assignment to particular users. User can inherit both Roles and Permissions, granting access to certain permission with all related derivation tree (if exists).