Access Management

Afi backup provides a flexible and granular role model for partner and customer access management. It ensures separation between customer organizations and lets customer organization administrators decide what level of access to grant to the administrators of the partner organization that manages their Afi account.

Our role model makes Afi suitable both for typical managed service provider scenarios, where a partner fully manages a customer organization on its behalf, and for reseller scenarios, where a customer manages their Afi account themselves and their partner organization has access only to billing management.

Access management use-cases supported by Afi include, but are not limited to:

  • configure partner organization administrators with full or limited access, including granting access only to a selected set of customers;
  • configure administrators and service operators within each customer organization with global (organization-wide), per-tenant (data source), group-based, or per-resource access;
  • allow customer organization administrators to restrict partner administrator access to their organization configuration and data;
  • enable limited self-service access for end users in each customer tenant.

This article focuses on partner-level access settings and how they interact with partner access settings configured on a customer organization level.

Partner administrator groups

By default, an Afi partner organization is created with a single administrator - a Google Workspace or a Microsoft 365 user who has set up the account. Partner organization administrators are configured in the partner context on the Configuration → Admins tab and can be granted access to the partner organization settings as well as to all or selected customers. To switch to the partner context, select All customers in the dropdown at the top of the screen.

Organization Administrators is the default access group for administrator accounts with full access to an Afi partner organization. We recommend configuring at least two organization administrators so that access can be handed over without interruption if one of the administrators leaves the organization or their account is deleted or unavailable for any reason.

Partner organization administrators can also create custom access groups for administrators with a limited permission set and restrict their access to specific customer organizations if needed. This allows you to configure customer account managers according to the principle of least privilege, ensuring they have access only to the customer organizations for which they are responsible. Organization administrator permissions are explained in the following section.

Once you add a user to an access group, the Afi service sends them an email invitation to join the corresponding access group using the link provided in the email. To join the group, the user should follow the link and log in to the Afi portal with the user account specified in the invitation.

Administrators with limited permissions

The screenshot below shows how to create a custom partner administrator group with a limited permission set - members of the configured Backup managers access group are able to view resources and tasks within customer tenants as well as manage and assign backup SLA policies, but don't have data access and can't manage partner or customer organization settings.

Administrators with selected customer access

The screenshot below shows how to create a custom partner administrator group with access to the selected customer organizations (see the Selected customers option in the Access scope).

Info

Customer tenants that were added under your organization before its promotion to Afi partner status remain direct tenants of your partner organization after the promotion and are not available for selection in the customer selection dropdown. Please contact Afi Support to convert a direct tenant to a customer organization.

Partner access restrictions

Customer organization administrators can granularly configure what kind of access to their organization settings and data they want to grant to their partner organization. Partner access permissions for a customer organization are managed by the customer organization administrators on the Configuration → Partner Access tab and define the maximum access level for this particular organization available to the partner administrators.

For example, if a customer has restricted content preview for email and chat messages as well as backup data export, this restriction will be applied to all access groups configured on the partner organization level and will override the corresponding permissions configured through the partner administrator access groups.

Warning

If a partner organization administrator is also added as a customer organization or tenant administrator directly, access restrictions configured for the partner administrators won't apply to the permissions that are granted to this administrator on a customer level.

Default partner access permissions for a customer organization depend on how it is added under a partner account. When a customer organization is onboarded directly from inside the partner portal, Afi assumes that the partner administrators fully manage the customer organization and grants full partner access to it. Otherwise, partner access is disabled and should be enabled explicitly by a customer organization administrator.
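
The rules in this section, modelled as an added example (not Afi's code or API): partner group permissions are capped by the customer's Partner Access settings, while permissions granted directly at the customer level are not. The permission labels, user addresses and customer names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical permission labels; Afi's actual permission names may differ.
VIEW, SLA, PREVIEW, EXPORT, MANAGE = (
    "view_resources", "manage_sla", "content_preview", "data_export", "manage_access")

@dataclass
class PartnerGroup:
    name: str
    members: set
    permissions: set
    customers: Optional[set] = None  # None = all customers, else "Selected customers"

@dataclass
class Customer:
    name: str
    partner_cap: set  # maximum partner access chosen by the customer
    direct_admins: dict = field(default_factory=dict)  # user -> customer-level grants

def effective_permissions(user, customer, groups):
    """Permissions `user` really holds on `customer`."""
    via_partner = set()
    for g in groups:
        in_scope = g.customers is None or customer.name in g.customers
        if user in g.members and in_scope:
            via_partner |= g.permissions
    via_partner &= customer.partner_cap  # the customer's cap overrides group permissions
    # Direct customer-level grants are not subject to the partner cap.
    return via_partner | customer.direct_admins.get(user, set())

def cap_bypasses(customer, groups):
    """Partner admins whose direct grants exceed the cap: {user: extra permissions}."""
    partner_users = set().union(*(g.members for g in groups))
    return {user: perms - customer.partner_cap
            for user, perms in customer.direct_admins.items()
            if user in partner_users and perms - customer.partner_cap}

# Constructed sample data.
FULL = {VIEW, SLA, PREVIEW, EXPORT, MANAGE}
groups = [
    PartnerGroup("Organization Administrators", {"alice@msp.example"}, FULL),
    PartnerGroup("Backup managers", {"bob@msp.example"}, {VIEW, SLA}, {"acme"}),
]
acme = Customer("acme", {VIEW, SLA, MANAGE}, {"alice@msp.example": FULL})
globex = Customer("globex", {VIEW, SLA, MANAGE})

if __name__ == "__main__":
    for c in (acme, globex):
        print(c.name, cap_bypasses(c, groups))
```

Running `cap_bypasses` over each customer gives a reviewable list of partner accounts whose direct grants exceed what the customer allowed for partner access.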

Customer access management

When a partner organization has been granted the Manage access permission for a specific customer, the partner organization administrators with the Manage access permission on the partner organization level can configure access settings for this customer organization. To do so, they should select the corresponding customer in the context selection dropdown.

Customer organization administrators are managed on the Configuration → Admins tab and have full access to the corresponding customer account. It is also possible to configure per-tenant access for customer tenants under the customer organization and enable self-service access for end-users as described in the following guides:

Warning

It is preferable to manage all partner administrator access settings in the partner organization context and refrain from inviting partner administrators as customer organization or tenant administrators.