Access Scope

Access Scope lets you manage access to resources in Cohesity DataProtect as a Service by restricting users' capabilities to only the resources included in the scope. It helps Managed Service Providers (MSPs) who manage multiple tenants and need to enforce strict access controls for different users.

Access Levels within the Access Scope

  • Source Level Access—Restricts user access to specific resources within the system. It focuses on individual resources.

  • Source Type Level Access—Grants access to all resources within a specific source type (e.g. VMware and O365 resources). It enables access to all resources of a particular source type.

  • Region Level Access—Defines access based on geographic regions. It enables access to resources within a specific region.

  • Service Level Access—Broadens access to all resources within a specific cloud service. It enables access across all resources of a particular cloud service.

Add Access Scope

  1. In DataProtect as a Service, navigate to Settings > Access Management and click the Access Scope tab.

  2. In the Access Scope tab, click Add Access Scope.

  3. Enter a name under the Name column.

  4. Enter a description for the Access Scope under the Description column.

  5. Click the Edit icon.

  6. Select the resources that require Access Scope.

  7. Enable the Auto Assign option if required.

    The Auto Assign option ensures that users can access newly added resources without additional configuration.

  8. Click Continue.

  9. Click Add to add the Access Scope.

Assigning Access Scope to Users

Only users with the Helios Access Scope Management privilege can create or manage access scopes.

For new users:

  1. In DataProtect as a Service, navigate to Settings > Access Management and click the Users tab.

  2. Click Add User.

  3. Turn on the Enable Access Scope option.

  4. Select an Access Scope under the Name drop-down and click Save. For more information on adding users, see Manage Users & Groups.

When a user has multiple access scopes, their permissions are combined, giving them access to all resources covered by those scopes.

For existing users:

  1. In DataProtect as a Service, navigate to Settings > Access Management and click the Users tab.

  2. Click the Actions menu and then click Edit.

  3. Turn on the Enable Access Scope option.

Access Scopes cannot be deleted if there are active members (users) associated with them. This prevents accidental loss of access controls for users.

Difference Between Roles and Access Scopes

Although roles and access scopes both serve to manage user access within the system, they operate differently and can be used together for more granular control.

  • Roles: Roles define what actions a user can perform across the entire system, such as viewing data, running tasks, or managing users. For example, a "Super Admin" role grants full access to all actions and workflows, while a "Viewer" role limits a user to read-only access.

  • Access Scopes: Access Scopes restrict access to specific resources or objects, such as particular sources, adapters, regions, or services. This is particularly useful for Managed Service Providers (MSPs) who need to enforce strict access controls across multiple tenants.
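
The combining rule for multiple access scopes and the split between roles and access scopes described above can be modelled to review a planned assignment. This is an added example, not Cohesity code: the field names, action names, and sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed model; field and action names are assumptions, not Cohesity API identifiers.
@dataclass(frozen=True)
class Resource:
    source_id: str
    source_type: str   # e.g. "VMware", "O365"
    region: str
    service: str

@dataclass(frozen=True)
class AccessScope:
    name: str
    level: str         # "source" | "source_type" | "region" | "service"
    values: frozenset

    def covers(self, r: Resource) -> bool:
        key = {"source": r.source_id, "source_type": r.source_type,
               "region": r.region, "service": r.service}[self.level]
        return key in self.values

# Role -> permitted actions (action names are hypothetical).
ROLE_ACTIONS = {"Viewer": {"view"},
                "Super Admin": {"view", "run_task", "manage_users"}}

def covering_scopes(scopes, r):
    """Names of the scopes that cover r; multiple scopes combine as a union."""
    return [s.name for s in scopes if s.covers(r)]

def is_allowed(role, scopes, action, r):
    """The role decides the action; the combined scopes decide the resource."""
    return action in ROLE_ACTIONS.get(role, set()) and bool(covering_scopes(scopes, r))

def widened_by(scopes, inventory):
    """For each scope, the resources reachable only because of that scope."""
    return {s.name: sorted(r.source_id for r in inventory
                           if covering_scopes(scopes, r) == [s.name])
            for s in scopes}

# Constructed sample inventory and scopes.
INVENTORY = [
    Resource("vm-01", "VMware", "us-east", "DataProtect"),
    Resource("vm-02", "VMware", "eu-west", "DataProtect"),
    Resource("mbx-01", "O365", "us-east", "DataProtect"),
]
NARROW = AccessScope("tenant-a-vm", "source", frozenset({"vm-01"}))
BROAD = AccessScope("all-vmware", "source_type", frozenset({"VMware"}))
```

Running `widened_by` over a user's scopes before assignment shows which resources a broader scope adds on top of a narrow one.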