Access Control - Polystack Documentation

Overview

Ironcore Backup Solution (IBS) is restricted by default — newly created users and API tokens have no permissions until an administrator grants them. Access is governed by a role-based access control (RBAC) model with per-datastore and per-namespace permissions, supported by multiple authentication realms, multi-factor authentication, and revocable API tokens for automation. This page covers the full access control surface.

Prerequisites

Administrator role on the Polystack platform
For LDAP / Active Directory integration: a service account and connection details for the directory

Authentication Realms

Realm	Use Case	Notes
Built-in	Local users, system-independent	Default realm for service accounts and operators
Linux PAM	Operating system users on the backup host	Useful for tightly-controlled admin access
LDAP	Centrally-managed directory	Includes group sync
Active Directory	Microsoft AD integration	Includes group sync and SSO via Kerberos
OpenID Connect (OIDC)	Single sign-on to a central IdP	Most common modern federation

Configure LDAP

Deployment Console
CLI

Open Realms

Navigate to Backup Solution > Access Control > Realms.

Add an LDAP realm

Click Add > LDAP. Enter:

Realm name: corporate-ldap
Server: ldap://ldap.<your-domain>
Base DN: dc=polystack,dc=local
User attribute: uid
Bind DN: cn=ibs-svc,ou=services,dc=polystack,dc=local
Bind password: (service account password)

Enable group sync

Set:

Group base DN: ou=groups,dc=polystack,dc=local
Group filter: (objectClass=groupOfNames)
Sync schedule: daily 06:00

Test

Click Test. The Dashboard performs a probe bind and reports success.

Save

Click Save.

LDAP users can now log in. Group membership populates the @corporate-ldap realm.

Create an LDAP realm

ironcore-backup realm create \
  --type ldap \
  --realm corporate-ldap \
  --server "ldap://ldap.<your-domain>" \
  --base-dn "dc=polystack,dc=local" \
  --user-attr uid \
  --bind-dn "cn=ibs-svc,ou=services,dc=polystack,dc=local" \
  --bind-password-file /etc/ironcore/ldap-svc-password

Configure Active Directory

Deployment Console
CLI

Navigate to Realms > Add > Active Directory. Most fields mirror LDAP. The key differences:

Field	Active Directory Value
Server	`ldap://ad.<your-domain>`
User attribute	`sAMAccountName`
Default domain	`<your-domain>`
Group attribute	`memberOf`

ironcore-backup realm create \
  --type ad \
  --realm corp-ad \
  --server "ldap://ad.<your-domain>" \
  --default-domain "<your-domain>" \
  --bind-dn "CN=ibs-svc,OU=services,DC=corp,DC=local" \
  --bind-password-file /etc/ironcore/ad-svc-password

Configure OpenID Connect

For federated SSO to your central IdP:

OIDC realm

ironcore-backup realm create \
  --type openid \
  --realm corporate-sso \
  --issuer-url https://sso.<your-domain>/realms/corporate \
  --client-id ironcore-backup \
  --client-key /etc/ironcore/oidc-client-key.pem \
  --default-roles "Datastore.Reader@/datastore/ibs-primary/production"

Roles

IBS ships with a set of built-in roles. Each role is a named collection of privileges. Compose roles for the principle of least privilege.

Role	Typical Use	Key Privileges
Admin	Platform administrator	All privileges on all paths
Audit	Read-only auditor	View configuration and audit logs
Datastore.Admin	Datastore owner	Manage datastores, namespaces, backups
Datastore.Backup	Project member	Create backups in a specific datastore
Datastore.Reader	Read-only	List and restore from a datastore
Datastore.Powered	Power operator	Backup + Restore + Prune (no datastore admin)
Datastore.Audit	Datastore auditor	View snapshots and audit trail; no read of chunk data
Tape.Admin	Tape operator	Manage media pools, tape jobs
Sys.Audit	System auditor	Read system configuration

Grant a Role

Permissions are granted by combining (auth-id, role, path).

Component	Description
Auth-id	`user@realm` or `user@realm!token-name` for API tokens
Role	A built-in or custom role
Path	The scope — datastore, namespace, or `/` for global

Deployment Console
CLI

Open Access Control > Permissions > Add. Pick the user or token, the role, and the path.

Grant Datastore.Backup on a namespace

ironcore-backup acl update \
  --path /datastore/ibs-primary/production \
  --auth-id alice@polystack \
  --role Datastore.Backup

Grant Datastore.Reader to a group from LDAP

ironcore-backup acl update \
  --path /datastore/ibs-primary \
  --auth-id @audit-team@corporate-ldap \
  --role Datastore.Reader

Custom Roles

Compose roles for unusual access patterns:

Create a backup-only-no-restore role

ironcore-backup role create \
  --name BackupOnlyNoRestore \
  --privileges "Datastore.Backup,Datastore.AuditAudit-Log,Datastore.Audit"

API Tokens

API tokens are scoped, revocable credentials for automation. Each token has a unique secret that is shown only once at creation.

Deployment Console
CLI

Open API Tokens

Open Access Control > API Tokens > Add.

Choose token details

Set:

Owner: the user the token acts as
Token name: backup-job (the token ID becomes user@realm!backup-job)
Expiry: optional date or never
Privilege separation: enable — token receives no roles automatically

Copy the secret

Copy the secret. It is shown only once.

The secret cannot be recovered after the dialog closes. Store it in a vault.

Grant scoped roles

Use Permissions to grant only the roles the token needs — for example, Datastore.Backup on one namespace and nothing else.

Create an API token

ironcore-backup user token create \
  --user alice@polystack \
  --name backup-job \
  --privsep

Grant a scoped role

ironcore-backup acl update \
  --path /datastore/ibs-primary/production \
  --auth-id "alice@polystack!backup-job" \
  --role Datastore.Backup

Revoke the token

ironcore-backup user token delete \
  --user alice@polystack \
  --name backup-job

Use one API token per automation entry point (backup runner, monitoring exporter, sync orchestrator). Compromise of one does not require rotating the entire automation fleet.

Multi-Factor Authentication

Multi-factor authentication (MFA) applies to interactive logins. API tokens are not subject to MFA but should be tightly scoped.

Method	When to Use
TOTP	Time-based one-time passwords with any authenticator app
WebAuthn	Hardware security keys (YubiKey, Titan, etc.)
Single-use recovery codes	Backup access in case the primary factor is lost

Deployment Console
CLI

Open My Account

Click your username > Account Settings > TFA.

Add a factor

Click Add Factor. Choose TOTP or WebAuthn.

Save recovery codes

Save the recovery codes in a secure location. Each code is single-use.

Add a TOTP factor

ironcore-backup user tfa add --type totp

Enforce MFA Platform-Wide

Deployment Console
CLI

Open Access Control > TFA Policy. Set Required to enforce MFA for every realm except API token logins.

ironcore-backup tfa policy set --require all-interactive

Lockout Protection

IBS protects against brute-force attacks on MFA:

Setting	Default	Behaviour
Failed attempts before lockout	8	Per user
Lockout duration	15 minutes	Auto-expires
TFA reset by admin	Permitted	Requires Admin role

Audit Log

Every authentication, configuration change, and access grant is recorded in the audit log.

Source	Captured
Realm config	Create, update, delete
User config	Add, modify, remove, MFA changes
Token config	Create, delete, scope change
Role config	Create, update, delete
Permission grant	Add, remove
Failed logins	Username, source IP, timestamp

Deployment Console
CLI

Open Access Control > Audit Log. Filter by user, action type, or time range. Export as CSV for compliance reviews.

ironcore-backup audit log --since "30d ago" --action permission

Recommended Permission Model

The pattern below scales to typical production deployments.

Role Grant	Audience	Path
`Admin`	Platform admins	`/`
`Sys.Audit`	Audit team	`/`
`Datastore.Admin`	Datastore owner	`/datastore/<ds>`
`Datastore.Backup`	Project members	`/datastore/<ds>/<namespace>`
`Datastore.Reader`	Read-only viewers	`/datastore/<ds>/<namespace>`
`Tape.Admin`	Tape operator	`/system/tape`

Do not grant the global Admin role to API tokens used by jobs. Always scope tokens to the smallest required path.

Troubleshooting

`permission denied` on a path the user should have access to

Check the effective permissions:

ironcore-backup acl show --path /datastore/ibs-primary/production

Then check the user’s roles:

ironcore-backup user effective alice@polystack

LDAP group sync missing users

Confirm the LDAP filter matches the expected group and that the sync schedule has run. Re-run a sync manually:

ironcore-backup realm sync corporate-ldap

TFA lockout for legitimate user

Admin can unlock a user:

ironcore-backup user tfa unlock alice@polystack

API token returns `unauthorized`

The token may be deleted, expired, or scoped wrongly. Check:

ironcore-backup user token list --user alice@polystack
ironcore-backup acl show --auth-id "alice@polystack!backup-job"

Next Steps

Security and Encryption

Client-side encryption, ransomware protection, master keys

Notifications

Alert routing for failed logins and configuration changes

Audit Log

Audit trail of access and configuration events

Datastores

Per-datastore and per-namespace permissions

​Overview

​Authentication Realms

​Configure LDAP

Open Realms

Add an LDAP realm

Enable group sync

Test

Save

​Configure Active Directory

​Configure OpenID Connect

​Roles

​Grant a Role

​Custom Roles

​API Tokens

Open API Tokens

Choose token details

Copy the secret

Grant scoped roles

​Multi-Factor Authentication

Open My Account

Add a factor

Save recovery codes

​Enforce MFA Platform-Wide

​Lockout Protection

​Audit Log

​Recommended Permission Model

​Troubleshooting

​Next Steps

Security and Encryption

Notifications

Audit Log

Datastores

Overview

Authentication Realms

Configure LDAP

Configure Active Directory

Configure OpenID Connect

Roles

Grant a Role

Custom Roles

API Tokens

Multi-Factor Authentication

Enforce MFA Platform-Wide

Lockout Protection

Audit Log

Recommended Permission Model

Troubleshooting

Next Steps