Recommended Secure Configuration for FedRAMP Compliance
This page provides Recommended Secure Configuration (RSC) guidance for Helios for Government (FedRAMP), in alignment with FedRAMP RSC requirements, specifically FRR‑RSC‑01 and FRR‑RSC‑02.
FRR‑RSC‑01: Top‑Level Administrative Accounts Guidance
Control Objective
Ensure that top‑level administrative (Super Admin) accounts are securely assigned, accessed, operated, and decommissioned to minimize the risk of unauthorized access and misuse of privileged functions.
Assignment of Super Admin Accounts
Initial Super Admin Access
Initial access to Helios for Government (FedRAMP) is performed using onboarding Salesforce credentials provided in the welcome email. Following first login, a minimum of two (2) active Super Admin accounts must be created to ensure continuity of operations.
- Super Admin privileges may only be assigned through explicit role assignment within Access Management.
Super Admin users may be:
- SSO‑configured users, or
- Local users explicitly assigned the Super Admin role.
Adding a Local Super Admin User
Only an existing Admin or Super Admin can add new users. The following secure process is used:
- In Cloud Protection Service, navigate to Settings > Access Management.
- Click Add User.
- Select the drop-down icon to choose an email address or enter a new email address.
- Enter the Username, First Name, and Last Name.
- Under Roles and Access, assign the Super Admin role to this user.
- (Optional) Under Organization role and access, choose a Role, Organization, and Accessible Systems. You can select the + icon to define role and access for different organizations. This option is available only if Organization Management from Helios is on.
- Click Save.
Upon successful creation, the user receives a system‑generated welcome email with account activation details.
Adding Super Admins Using Single Sign‑On (SSO)
By default, users authenticated through a configured Identity Provider (IdP) may log in if their role mapping permits access. Administrators may also explicitly add SSO users or groups.
To add SSO users or groups:
- In Cloud Protection Service, navigate to Settings > Access Management.
- Click Add User and select Add SSO Users & Groups.
- Choose an SSO Domain:
  - SAML: Security Assertion Markup Language (SAML) is an XML-based protocol used for SSO login.
  - OpenID Connect: OpenID Connect is an open authentication protocol built on the OAuth 2.0 framework.
- Provide the SSO Users or SSO Groups name. The group name entered in Cohesity Helios must be identical to the group name in your identity provider; group matching is case sensitive.
- Under Roles and Access, select Service Provider User or Organization User. If you select Organization User, you can skip the next step and proceed.
- (Optional) Under Organization role and access, choose a Role, Organization, and Accessible Systems. You can select the + icon to define role and access for different organizations.
- Click Save.
If a user is part of any group, then the privileges will be a union of the privileges of the user and the group.
Privileges and Responsibilities of Super Admins
Super Admin users have full access to all actions and workflows within the Cohesity Dashboard. For information on the privileges, see Privileges.
Secure Operation of Super Admin Accounts
Super Admin accounts are operated by explicitly assigning the Super Admin role to either:
- An SSO‑configured user, or
- A locally managed user account.
No other mechanism is supported for obtaining Super Admin privileges.
Decommissioning of Super Admin Accounts
To securely remove a Super Admin account:
- Navigate to Settings > Access Management.
- Select the action menu for the target Super Admin user.
- Choose Delete.
- Enable Revoke access for user for all Cohesity services.
- Confirm deletion.
At least one active Super Admin account must remain at all times. Deleting all Super Admin users is not permitted.
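To make the access rules stated above concrete (effective privileges are the union of a user's own privileges and those of a matched SSO group, group names are matched case‑sensitively, a minimum of two active Super Admins is expected, and the last active Super Admin cannot be deleted), the following Python model is an added illustration written for this page, not Cohesity's code; the role names, privilege strings, group names and user records are constructed.

```python
from dataclasses import dataclass, field

SUPER_ADMIN = "Super Admin"

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)   # roles assigned explicitly in Access Management
    groups: set = field(default_factory=set)  # group names asserted by the IdP at login
    active: bool = True

# Constructed role -> privilege map; the real privilege list lives on the Privileges page.
ROLE_PRIVILEGES = {
    SUPER_ADMIN: {"manage_gflags", "highly_classified", "manage_users"},
    "Viewer": {"view_dashboard"},
}
# Constructed SSO groups added under Access Management -> roles granted to each group.
SSO_GROUP_ROLES = {"Helios-SuperAdmins": {SUPER_ADMIN}, "Helios-Viewers": {"Viewer"}}

def effective_roles(user: User) -> set:
    """User's own roles plus the roles of every configured SSO group whose name
    matches an IdP group exactly; the dict lookup is case-sensitive, as the page notes."""
    roles = set(user.roles)
    for group in user.groups:
        roles |= SSO_GROUP_ROLES.get(group, set())
    return roles

def effective_privileges(user: User) -> set:
    """Union of the privileges of the user's own roles and the matched groups' roles."""
    privs = set()
    for role in effective_roles(user):
        privs |= ROLE_PRIVILEGES.get(role, set())
    return privs

def active_super_admins(users: list) -> list:
    """Names of active users holding the Super Admin role, directly or via a group."""
    return [u.name for u in users if u.active and SUPER_ADMIN in effective_roles(u)]

def continuity_ok(users: list, minimum: int = 2) -> bool:
    """The page requires at least two active Super Admins for continuity of operations."""
    return len(active_super_admins(users)) >= minimum

def delete_user(users: list, name: str) -> list:
    """Remove a user, refusing any deletion that would leave no active Super Admin."""
    remaining = [u for u in users if u.name != name]
    if not active_super_admins(remaining):
        raise PermissionError("at least one active Super Admin must remain")
    return remaining
```

Note that a group name differing only in case from the configured one grants nothing, so an SSO user relying on such a group does not count toward the Super Admin minimum.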
FRR‑RSC‑02: Top‑Level Administrative Accounts Security Settings Guidance
Control Objective
Ensure that security‑critical configuration settings are restricted to Super Admin users to protect system confidentiality, integrity, availability, and auditability.
Super Admin–Restricted Security Settings
Only Super Admins can assign the following privileges to custom roles:
- Manage gflags: Enables management of gflags through system recipes. gflags control low-level system configuration parameters that may affect system behavior and operational characteristics.
- Highly Classified: Allows users with the Highly Classified privilege to fetch cluster details required for specific API calls.
Security Functionality Description
These Super Admin–only settings directly control low‑level system behavior and data immutability mechanisms. Misconfiguration could result in:
- Unauthorized configuration changes.
- Weakened data protection guarantees.
- Loss of audit integrity.
Security Rationale
Restricting these settings to Super Admins ensures that:
- Only explicitly authorized personnel can modify security‑critical parameters.
- Administrative actions are fully auditable.
- Risks to confidentiality, integrity, and availability are minimized in accordance with FedRAMP requirements.