Groups & Permissions

Configure role-based access control (RBAC) for users.

Overview

DBackup uses a group-based permission system:

Groups contain sets of permissions
Users are assigned to groups
Users inherit all permissions from their group

Permission Model

User → Group → Permissions
                  │
                  ├── sources:read
                  ├── sources:write
                  ├── jobs:execute
                  └── ...

No Group = No Access

Users without a group have no permissions by default:

Cannot view any resources
Cannot perform any actions
Only access their profile

Managing Groups

View Groups

Go to Users → Groups tab
See all defined groups
View permission counts

Create Group

Click Create Group
Enter group name
Select permissions
Save

Edit Group

Click on a group
Modify permissions
Save

Changes apply immediately to all members.

Delete Group

Click group's menu (⋮)
Select Delete
Confirm

Members Lose Access

Users in deleted group lose all permissions until reassigned.

Permission Reference

Users & Groups

Permission	Description
`users:read`	View user list and details
`users:write`	Create, edit, delete users
`groups:read`	View groups and permissions
`groups:write`	Create, edit, delete groups

Database Sources

Permission	Description
`sources:read`	View configured sources
`sources:write`	Add, edit, delete sources

Storage Destinations

Permission	Description
`destinations:read`	View configured destinations
`destinations:write`	Add, edit, delete destinations

Backup Jobs

Permission	Description
`jobs:read`	View backup jobs
`jobs:write`	Create, edit, delete jobs
`jobs:execute`	Manually run jobs

Storage & History

Permission	Description
`storage:read`	Access Storage Explorer
`storage:download`	Download backup files
`storage:restore`	Restore from backups
`storage:delete`	Delete backup files
`history:read`	View execution history

Notifications

Permission	Description
`notifications:read`	View notification configs
`notifications:write`	Manage notification configs

User Profile

Permission	Description
`profile:update_name`	Change own display name
`profile:update_email`	Change own email
`profile:update_password`	Change own password
`profile:manage_2fa`	Enable/disable 2FA
`profile:manage_passkeys`	Add/remove passkeys

System

Permission	Description
`vault:read`	View encryption profiles
`vault:write`	Manage encryption profiles
`settings:read`	View system settings
`settings:write`	Modify system settings
`audit:read`	View audit logs

Recommended Groups

Administrator

Full access to everything:

All permissions enabled
Typically for IT/DevOps leads

Operator

Can run and monitor backups:

sources:read
destinations:read
jobs:read
jobs:execute
storage:read
storage:download
storage:restore
history:read
notifications:read
profile:*

Viewer

Read-only access:

sources:read
destinations:read
jobs:read
storage:read
history:read

Developer

Access to test/staging resources:

sources:read (with resource filtering)
jobs:read
jobs:execute
storage:read
storage:download
history:read
profile:*

Permission Inheritance

Permissions are additive:

User gets all permissions in their group
No permission = denied
No negative permissions (deny rules)

Example

"Backup Operator" group has:
├── jobs:read      ✓ Can view jobs
├── jobs:execute   ✓ Can run jobs
└── (no jobs:write)
                   ✗ Cannot edit jobs

Best Practices

Least Privilege

Give minimum permissions needed:

Start with viewer role
Add only what's required
Review regularly

Group Naming

Clear, descriptive names:

✅ "Backup Operators"
✅ "Database Admins"
❌ "Group 1"
❌ "Users"

Separation of Duties

Split critical functions:

Backup execution: Operators
Job configuration: Admins
Key management: Security team

Regular Audits

Periodically review:

Who has access to what
Unused permissions
Group memberships
Access to sensitive operations

UI Behavior

Missing Permissions

When user lacks permission:

UI elements are hidden
Direct URLs return 403
Actions are blocked

Permission Check Flow

User Action → Check Permission → Allow/Deny
                   │
              getUserPermissions()
                   │
              Group.permissions[]

Troubleshooting

User Can't Access Feature

Check:

User is in a group
Group has required permission
Permission name is correct
User logged in recently (session might be stale)

Permission Changes Not Applied

Try:

User logs out and back in
Clear browser cache
Verify group changes saved

Need Different Access Levels

Consider:

Create new group with specific permissions
Don't modify existing groups that work
Use meaningful group names

API Reference

Permission Format

{resource}:{action}

Examples:
- sources:read
- jobs:write
- storage:delete

Group Structure

json

{
  "id": "uuid",
  "name": "Backup Operators",
  "permissions": [
    "sources:read",
    "destinations:read",
    "jobs:read",
    "jobs:execute",
    "storage:read",
    "history:read"
  ]
}

Next Steps

User Management - Manage user accounts
SSO/OIDC - Enterprise authentication

Groups & Permissions ​

Overview ​

Permission Model ​

No Group = No Access ​

Managing Groups ​

View Groups ​

Create Group ​

Edit Group ​

Delete Group ​

Permission Reference ​

Users & Groups ​

Database Sources ​

Storage Destinations ​

Backup Jobs ​

Storage & History ​

Notifications ​

User Profile ​

System ​

Recommended Groups ​

Administrator ​

Operator ​

Viewer ​

Developer ​

Permission Inheritance ​

Example ​

Best Practices ​

Least Privilege ​

Group Naming ​

Separation of Duties ​

Regular Audits ​

UI Behavior ​

Missing Permissions ​

Permission Check Flow ​

Troubleshooting ​

User Can't Access Feature ​

Permission Changes Not Applied ​

Need Different Access Levels ​

API Reference ​

Permission Format ​

Group Structure ​

Next Steps ​