Manage Users & Roles
To manage user access to your Cohesity DataProtect as a Service, we recommend that you add users and groups. Once you create them, your users can start using your Cohesity DataProtect as a Service with their own logins.
Add Users
To add a user:
- In DataProtect as a Service, navigate to Settings > Access Management and click the Users tab.
- Click Add User. Only a user with Admin privileges can add a new user.
- In the dialog, select Add User and enter:
  - Username. The user's email address.
  - Email Address. The user's email address again.
  - First Name. The user's first name in Cohesity DataProtect as a Service.
  - Last Name. Typically, the domain of your email address.
- Under Roles and Access, assign an appropriate Role to this user. See Roles for more information.
- Click Save.
The new user receives a welcome email with a link to reset their password, and appears in the list on the Users tab. From there, you can edit or delete the user, or prompt them to reset their password.
Manage Users
To change a user's settings, click the Actions menu (⋮) next to the user and select:
- Edit. To update their Email Address, First Name, and/or Last Name.
- Delete. To delete the user from your Cohesity DataProtect as a Service.
- Reset Password. To send the user an email with a link to reset their password.
Change Password
To change your Cohesity DataProtect as a Service password:
- In DataProtect as a Service, navigate to Settings > Access Management and click the user to open the User Details page.
- Click Reset Password and follow the prompts.
Add SSO Users & Groups
If you have added Single Sign-on (SSO) to Cohesity DataProtect as a Service, you can add users and groups from your SSO domain for additional user management.
To add SSO users and groups:
- In DataProtect as a Service, navigate to Settings > Access Management.
- Click Add User on the Users tab.
- In the dialog, select Add SSO Users & Groups and enter:
  - SSO Domain. The domain you used to add SSO.
  - SSO Users. The users in your SSO domain who need access to Cohesity DataProtect as a Service.
  - SSO Groups. The groups in your SSO domain who need access to Cohesity DataProtect as a Service.
- Click Save.
The new SSO users and groups you entered appear in the list on the Users tab. To group them, click the Domain column to sort them by your SSO domain.
Click the Actions menu (⋮) next to the SSO user or group to Edit or Delete them.
Roles
The following table lists the default roles available in Cohesity DataProtect as a Service.
Roles | Description |
---|---|
Cohesity Support Admin | This role allows Cohesity Support to create a Super Admin user for the customer. Only Cohesity Support has access to this role, and it is typically used when the customer has lost access to a Super Admin user due to turnover and other events. |
DR Admin | DR Admin users have Viewer role privileges and can also create and manage DR related workflows and associated tasks. |
Gaia Admin | Gaia Admin users have Self Service Gaia role privileges and can view and manage details and results. |
Gaia Viewer | Gaia Viewer users have query and read-only access to Gaia. |
Helios platform | Helios Platform users have access management and helios access management privileges. |
Data Security | Data Security users have Self Service Data Protection role privileges and can create DataLock Views and set DataLock expiration dates. A Data Security user does not have the delete option; change the user's role to delete that particular user. |
High Classified | A user who has the High Classified role can fetch cluster details needed for specific API calls. |
Operator | Operator users have Viewer role privileges and can run existing Protection Groups and create Recover Tasks. |
Replication | Replication users have access to set up and replicate data to another cluster. |
The combination of any custom role with Admin or Super Admin is supported. As a result, you can select a custom role along with Admin or Super Admin for a user. For example, you can create a custom role with Manage gflag privilege and select this custom role along with Admin or Super Admin to allow that user to manage Gflag and other administrative operations on a Cohesity cluster. However, you cannot combine a default role such as Viewer with the Admin or Super Admin role for a user.
Custom Roles and Privileges
You can select Add Custom Role to create a new role and define a specific set of privileges.
To create a custom role:
- Navigate to Settings > Access Management.
- Select the Roles tab and click Add Custom Role.
- Enter a name for the role in the Name column. Role names cannot be edited after you create them. Only letters, numbers, spaces and the special characters . - _ are allowed.
- You can optionally provide a description for the role in the Description column.
- Set the role's privileges by using the toggles and check boxes. For a description of the privileges, see Privileges.
In the Add Role screen, hover your mouse over the privilege name to display its description in a pop-up tooltip.
Privileges
The privileges for all workflows are described below.
Access Management Privileges
Workflow | Privileges | Description |
---|---|---|
Access Management | View Users | Allows viewing users, groups and other access control information. |
Access Management | Manage Users | Allows modifying users, groups and other access control information. If the user's access is restricted to specific Objects, then this privilege is not granted, even if the role grants it. |
Access Management | View API Key | Allows the user to view other users' API Keys. |
Access Management | Manage API Key | Allows the user to modify other users' API Keys. |
Access Management | Manage S3 Keys | Allows the user to manage and view other users' S3 keys. |
Cohesity DataProtect as a Service Access Management | Manage super admins on Helios | Allows the user to manage super admins on Helios. |
Cohesity DataProtect as a Service Access Management | View super admins on Helios | Allows the user to view super admins on Helios. |
Cohesity DataProtect as a Service Access Management | Manage admins on Helios | Allows the user to manage admins on Helios. |
Cohesity DataProtect as a Service Access Management | View admins on Helios | Allows the user to view admins on Helios. |
Cohesity DataProtect as a Service Access Management | Manage Helios MFA | Allows users to modify Helios level MFA settings. |
Cohesity DataProtect as a Service Access Management | View Audit Logs | Allows the user to view audit logs and related settings. |
Cohesity DataProtect as a Service Access Management | Manage Audit Logs | Allows the user to manage audit log settings. |
Cohesity DataProtect as a Service Access Management | View Access Scopes | Allows the user to view access scopes in Helios. |
Cohesity DataProtect as a Service Access Management | Manage Access Scopes | Allows the user to manage access scopes in Helios. |
Cohesity DataProtect as a Service Access Management | Manage Session Management | Allows the user to view and modify session management configuration in Helios. |
Helios Privileges
Workflow | Privileges | Description |
---|---|---|
DataProtect Service | Search Objects | Allows the user to search objects. |
DataProtect Service | Configure Regions | Allows the user to configure regions in Helios Data Protect. |
DataProtect Service | Manage Tags | Allows the user to manage tags. |
Account Management on Helios | View Account properties on Helios | Allows viewing Account properties on Helios. |
Account Management on Helios | Manage Account properties on Helios | Allows managing Account properties on Helios. |
FortKnox Service | Helios FortKnox vault provision permission | Allows the user to modify vaults in the Helios FortKnox service. |
Gaia Service | View Gaia | Allows the user to view Gaia details and results. |
Gaia Service | Manage Gaia | Allows the user to manage Gaia details and results. |
DataHawk Services | View Rules | Allows the user to view rules. |
DataHawk Services | Manage Rules | Allows the user to manage rules. |
DataHawk Services | View Threat Scan | Allows users to view threat scans. |
DataHawk Services | Manage Threat Scan | Allows users to manage threat scans. |
DataHawk Services | Download Threat Scan Summary Report | Allows users to download the threat scan summary report. |
DataHawk Services | Integrate Third Party Threat Intelligence Feed | Allows users to integrate a third party threat intelligence feed. |
DataHawk Services | Manage Custom YARA Rules | Allows users to manage custom YARA rules. |
DataHawk Services | View Data Classification Scan | Allows users to view data classification scans. |
DataHawk Services | Manage Data Classification Scan | Allows users to manage data classification scans. |
DataHawk Services | Download Data Classification Scan Summary Report | Allows users to download the data classification scan summary report. |
DataHawk Services | Manage Data Classification Policy | Allows users to manage the data classification policy. |
DataHawk Services | Manage Cluster Scanning Order | Allows users to manage the cluster scanning order. |
DataHawk Services | View Isolated Recovery Room | Allows the user to view the isolated recovery room. |
DataHawk Services | Manage Isolated Recovery Room | Allows the user to manage the isolated recovery room. |
DataHawk Services | View Isolated Recovery Plan | Allows the user to view the isolated recovery plan. |
DataHawk Services | Manage Isolated Recovery Plan | Allows the user to manage the isolated recovery plan. |
AntiRansomware Service | View AntiRansomware Rules | Allows users to view anti-ransomware rules. |
AntiRansomware Service | Manage AntiRansomware Rules | Allows users to manage anti-ransomware rules. |
SiteContinuity Service | View SiteContinuity | Allows the user to view site continuity details and results. |
SiteContinuity Service | Manage SiteContinuity | Allows the user to manage site continuity details and results. |
Multi-Cluster Privileges
Workflow | Privileges | Description |
---|---|---|
Security Integration | View Security Integrations | Allows the user to view security integrations. |
Security Integration | Manage Security Integrations | Allows the user to modify Security Integrations. |
FortKnox Self-Managed Service | FortKnox Self-Managed Vault provision permission | Allows the user to modify vaults in the FortKnox Self-Managed service. |
Multi Cluster Management | Register clusters | Allows the user to register clusters. |
Multi Cluster Management | Unregister clusters | Allows the user to unregister clusters. |
Multi Cluster Management | Multi cluster upgrade | Allows the user to perform a multi cluster upgrade. |
Multi Cluster Management | View Backup Configurations on Helios | Allows viewing backup Configurations and runs on Helios. |
Multi Cluster Management | Manage Backup Configurations on Helios | Allows managing backup Configurations and runs on Helios. |
Multi Cluster Management | View Cluster Configuration Backups | Allows the user to view Cluster Configuration Backups. |
Multi Cluster Management | Modify Cluster Configuration Backups | Allows the user to modify Cluster Configuration Backups. |
Multi Cluster Management | View Cluster Configuration Restores | Allows the user to view Cluster Configuration Restores. |
Multi Cluster Management | Modify Cluster Configuration Restores | Allows the user to modify Cluster Configuration Restores. |
Helios Simulator | View simulations | Allows the user to view simulations' details and results. |
Helios Simulator | Create and run simulations | Allows the user to create, modify, run and delete simulations. |
Cluster Management | Manage Gflags | Allows the user to manage gflags through recipes. |
Snapshot Tagging | Enable or disable snapshot tagging feature | Allows the user to manage the snapshot tagging feature, and to tag and untag snapshots. |
Snapshot Tagging | Restore from tagged snapshots | Allows the user to restore from snapshots tagged due to anomalous data ingest. |
Quorum | View Quorum Groups | Allows the user to view quorum groups and their details. |
Quorum | Create Quorum Groups | Allows the user to create and modify quorum groups. |
Posture Advisor Service | View Posture Advisor | Allows users to view Posture Advisor. |
Posture Advisor Service | Manage Posture Advisor | Allows users to manage Posture Advisor. |
Helios Alerts Service | View Alert Resolution, Notification and Silencing on Helios | Allows the user to view alert resolutions, notification rules and silence rules on Helios. |
Helios Alerts Service | Manage Alert Resolution, Notification and Silencing on Helios | Allows the user to resolve alerts and manage notification/silence rules on Helios. |
RecoveryAgent | View Recovery Groups | Allows the user to view RecoveryAgent recovery groups. |
RecoveryAgent | Manage Recovery Groups | Allows the user to create, edit, delete, and execute RecoveryAgent recovery groups. |
RecoveryAgent | View Blueprints | Allows the user to view RecoveryAgent blueprints. |
RecoveryAgent | Manage Blueprints | Allows the user to create, edit, delete, and execute RecoveryAgent blueprints. |
RecoveryAgent | Restore Infected Workloads | Allows the user to restore workloads flagged as infected during threat scans. |
RecoveryAgent | View Automation Hosts | Allows the user to view Automation Host configurations. |
RecoveryAgent | Manage Automation Hosts | Allows the user to configure, manage, and execute scripts on Automation Hosts. |
Local-Cluster Privileges
Workflow | Privileges | Description |
---|---|---|
Apps | Launch Apps Instances | Allows viewing apps, instances and app management information. For an app instance, access is restricted to the user who launched the app instance. |
Apps | Manage Apps and Instances | Allows install, uninstall and launch of the app, and pause, resume and stop of the app instance. User-specific restrictions of app instances do not apply. |
Organization Management | View Organizations | Allows viewing organizations registered on the cluster. |
Organization Management | Manage Organizations | Allows managing organizations registered on the cluster. |
Organization Management | Switch Organization | Allows the user to switch to an organization's perspective and perform actions on their behalf. |
Clone Management | View Clone Tasks | Allows the user to view Clone tasks. |
Clone Management | Manage Clone Tasks | Allows the user to create, modify and delete Clone tasks. |
Free Node Management | View Free Nodes | Allows the user to see information about free nodes. |
Cluster Management | View Cluster Details | Allows the user to view Cluster settings. The user cannot make changes. |
Cluster Management | Manage Cluster | Allows the user to modify Cluster setup and to add and remove Nodes. |
Cluster Management | Cluster Support | Allows the user to perform support related operations such as collecting data and browsing logs. |
Cluster Management | Upgrade Cluster | Allows the user to upgrade and patch the Cluster. |
Cluster Management | Manage Patches | Allows the user to apply or revert patches to the Cluster. |
Cluster Management | View Remote Clusters | Allows the user to view the Remote Clusters for remote access or replication. |
Cluster Management | Manage Remote Clusters | Allows the user to register and modify Remote Clusters for replication. |
Cluster Management | View External Targets | Allows the user to view External Targets for archival. |
Cluster Management | Manage External Targets | Allows the user to register and modify External Targets for archival. |
Cluster Management | View Audit Logs | Allows the user to view the Audit Logs. |
Cluster Management | View Alert Details | Allows the user to view alerts. The user cannot make changes. |
Cluster Management | Manage Alerts | Allows the user to resolve alerts and manage the email addresses where alert notifications should be received. |
Cluster Management | View VLANs | Allows the user to view available VLANs. |
Cluster Management | Manage VLANs | Allows the user to modify VLANs. |
Cluster Management | View Bifrost VLANs | Allows the user to view available Bifrost VLANs. |
Cluster Management | View data-source connections | Allows the user to view data-source connections. |
Cluster Management | Modify data-source connections | Allows the user to create or modify data-source connections. |
Cluster Management | View data-source connectors | Allows the user to view data-source connectors. |
Cluster Management | Modify data-source connectors | Allows the user to create or modify data-source connectors. |
Cluster Management | Modify Bifrost VLANs | Allows the user to modify available Bifrost VLANs. |
Cluster Management | View Bifrost Connections | Allows the user view-only access to the available Bifrost Connections. |
Cluster Management | Modify Bifrost Connections | Allows the user to create or modify Bifrost Connections. |
Cluster Management | View Hybrid Extender Details | Allows the user to view the Hybrid Extender details. |
Cluster Management | Download Hybrid Extender | Allows the user to download the Hybrid Extender VM or configuration file. |
Cluster Management | View AD and LDAP Details | Allows the user to view Active Directory and LDAP providers. The user cannot make changes. |
Cluster Management | Manage AD and LDAP | Allows the user to manage Active Directory and LDAP providers on the cluster. |
Cluster Management | View report schedules | Allows the user to view report schedules on the cluster. The user cannot make changes. |
Cluster Management | Manage report schedules | Allows the user to manage report schedules on the cluster. |
Cluster Management | View NIS | Allows the user to view NIS providers on the cluster. |
Cluster Management | Manage NIS | Allows the user to manage NIS providers on the cluster. |
Cluster Management | View KERBEROS | Allows the user to view registered Kerberos providers on the cluster. |
Cluster Management | Manage KERBEROS | Allows the user to manage registered Kerberos providers on the cluster. |
Cluster Management | View S3 ABAC Details | Allows the user to view the S3 ABAC configuration. The user cannot make changes. |
Cluster Management | Manage S3 ABAC | Allows the user to manage the S3 ABAC configuration on the cluster. |
Cluster Management | View Account Security | Allows the user to view Account Security settings on the cluster. |
Cluster Management | Manage Account Security | Allows the user to modify Account Security settings on the cluster. |
Cluster Management | View Tags | Allows the user to view tags on the cluster. |
Cluster Management | Modify Tags | Allows the user to create/modify tags on the cluster. |
Cluster Management | Manage Tags | Allows the user to apply/remove tags on the cluster. |
Cluster Management | Manage Support Channel | Allows the user to modify Support Channel settings on the cluster. |
Cluster Management | Manage Linux user sudo access | Allows the user to grant a Linux user bash shell access. |
Cluster Management | Allow access to Cohesity UI | Allows the user to access the Cohesity cluster through the UI. |
Cluster Management | Manage MFA | Allows users to modify cluster level MFA settings. |
Cluster Management | Manage Helios | Allows the user to manage the connection to Helios. |
Cluster Management | View Keystone Details | Allows the user to view the Keystone configuration. The user cannot make changes. |
Cluster Management | Manage Keystone | Allows the user to manage the Keystone configuration on the cluster. |
Data Protection | View Protection Groups | Allows the user to view Protection Groups, Protection Sources and Protection Group runs. The user cannot make any changes. |
Data Protection | Manage Protection Groups | Allows the user to create, modify and delete Protection Groups, as well as to delete runs. |
Data Protection | Delete snapshots | Allows the user to delete snapshots. |
Data Protection | Protection Group Operator | Allows the user to run, cancel or pause a Protection Group. |
Data Protection | Manage Sources | Allows the user to register or delete a Protection Source and modify its information. If the user's access is restricted to specific Objects, then this privilege is not granted, even if the role grants it. |
Data Protection | View Protection Policies | Allows the user to view Protection Policies. The user cannot make any changes. |
Data Protection | Manage Protection Policies | Allows the user to create, modify and delete Protection Policies. |
Data Protection | View agent upgrade tasks | Allows the user to view agent upgrade tasks. |
Data Protection | Create or modify agent upgrade tasks | Allows the user to create and modify agent upgrade tasks. |
Data Protection | Search objects | Allows the user to search objects from sources registered on the cluster. |
Data Protection | Manage agents | Allows the user to deploy and register the Cohesity agent on servers. |
Data Protection | View Runbooks | Allows the user to list and view the created Runbooks. |
Data Protection | Execute Runbooks | Allows the user to execute Runbooks. |
Data Protection | Manage Runbooks | Allows the user to create, modify, remove and execute Runbooks. |
Recovery Management | View Recover Tasks | Allows the user to view Recover and Clone Tasks. The user cannot make any changes. |
Recovery Management | Manage Recover Tasks | Allows the user to create Recover Tasks. |
Recovery Management | Download File | Allows the user to download files. The user also needs the 'Manage Recover Tasks' privilege to download files. |
Recovery Management | Recover from External Targets | Allows the user to search External Targets and recover using data archived from a Remote Cluster. |
Storage Management | Read Cohesity Views | Allows the user to view Cohesity Views. |
Storage Management | Manage Cohesity Views | Allows the user to create, modify and delete Cohesity Views. |
Storage Management | Read Cohesity Storage Domains | Allows the user to view Cohesity Storage Domains. |
Storage Management | Manage Cohesity Storage Domains | Allows the user to create and modify Cohesity Storage Domains. |
Analytics Management | View Analytics Workbench | Allows the user to view Analytics Workbench related entities. |
Analytics Management | Manage Analytics Workbench | Allows the user to modify Analytics Workbench related entities. |
Analytics Management | Reporting | Allows the user to generate and view reports. |
Source Access Control | Data Security | Allows the user to lock a View and set its lock expiration date. |
Source Access Control | Manage Enterprise File DataLock | Allows the user to decrease the Enterprise File DataLock expiration period and to delete a view with Enterprise File DataLock configured. |
SMB Security | SMB Backup | This privilege causes the system to grant all read access control to any file, regardless of the access control list (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. |
SMB Security | SMB Restore | This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. |
SMB Security | Take ownership of SMB files | This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. |
SMB Security | Manage system access control list on SMB files | Required to perform a number of security-related functions, such as controlling and viewing audit messages. This privilege identifies its holder as a security operator. |
Source Management | Manage VMware Standalone Hosts | Allows the user to manage VMware Standalone Hosts. |
Source Management | Manage VMware VCenters | Allows the user to manage all VMware VCenters. |
Source Management | Manage VMware VCloudDirector | Allows the user to manage VMware VCloudDirector. |
Source Management | Manage HyperV SCVMM Servers | Allows the user to manage HyperV SCVMM Servers. |
Source Management | Manage HyperV Standalone Hosts | Allows the user to manage HyperV Standalone Hosts. |
Source Management | Manage HyperV Failover Clusters | Allows the user to manage HyperV Failover Clusters. |
Source Management | Manage Acropolis Standalone Clusters | Allows the user to manage Acropolis Standalone Clusters. |
Source Management | Manage Acropolis Generic Standalone Clusters | Allows the user to manage Acropolis Generic Standalone Clusters. |
Source Management | Manage GCP IAM users | Allows the user to manage GCP IAM users. |
Source Management | Manage AWS IAM users | Allows the user to manage AWS IAM Users. |
Source Management | Manage Azure Subscriptions | Allows the user to manage Azure Subscriptions. |
Source Management | Manage KVM OVirtualManager Sources | Allows the user to manage KVM OVirtualManager Sources. |
Source Management | Manage Physical Servers | Allows the user to manage Physical Servers. |
Source Management | Manage Office365 Domains | Allows the user to manage Office365 Domains. |
Source Management | Manage SQL Servers | Allows the user to manage SQL Servers. |
Source Management | Manage Oracle Servers | Allows the user to manage Oracle Servers. |
Source Management | Manage Pure Storage Arrays | Allows the user to manage Pure Storage Arrays. |
Source Management | Manage Nimble Storage Arrays | Allows the user to manage Nimble Storage Arrays. |
Source Management | Manage Hyperflex Servers | Allows the user to manage Hyperflex Servers. |
Source Management | Manage Active Directory Servers | Allows the user to manage Active Directory Servers. |
Source Management | Manage Isilon Clusters | Allows the user to manage Isilon Clusters. |
Source Management | Manage NetApp Clusters | Allows the user to manage NetApp Clusters. |
Source Management | Manage NetApp VServers | Allows the user to manage NetApp VServers. |
Source Management | Manage Generic NAS hosts | Allows the user to manage Generic NAS hosts. |
Source Management | Manage Pure Flashblade Storage Arrays | Allows the user to manage Pure Flashblade Storage Arrays. |
Source Management | Manage GPFS Cluster | Allows the user to manage GPFS Clusters. |
Source Management | Manage Elastifile Clusters | Allows the user to manage Elastifile Clusters. |
Source Management | Manage Exchange Servers | Allows the user to manage Exchange Servers. |
Source Management | Manage Cassandra Clusters | Allows the user to manage Cassandra Clusters. |
Source Management | Manage MongoDB Clusters | Allows the user to manage MongoDB Clusters. |
Source Management | Manage Couchbase Clusters | Allows the user to manage Couchbase Clusters. |
Source Management | Manage HDFS Sources | Allows the user to manage HDFS sources of Hadoop Clusters. |
Source Management | Manage HBASE Sources | Allows the user to manage HBASE sources of Hadoop Clusters. |
Source Management | Manage HIVE Sources | Allows the user to manage HIVE sources of Hadoop Clusters. |
Source Management | Manage Kubernetes Sources | Allows the user to manage Kubernetes sources. |
Source Management | Manage Universal Data Adapter Sources | Allows the user to manage Universal Data Adapter sources. |
Source Management | Manage SAP HANA Sources | Allows the user to manage SAP HANA sources. |
Source Management | Manage SFDC Adapter Sources | Allows the user to manage SFDC Adapter sources. |
Highly Classified | High Classified | A user who has the High Classified privilege can fetch cluster details needed for specific API calls. |
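The role rules stated on this page (the custom role name character set, the rule that a custom role may be combined with Admin or Super Admin while a default role such as Viewer may not, and the note on Manage Users and Manage Sources that an object-scoped restriction withholds the privilege even when the role grants it) can be modelled to check a proposed assignment before it is created in the UI. The following is an added example written for this page, not Cohesity code and not a Cohesity API; the privilege sets given to each default role, the custom role "Gflag Operator", and the helper names are all constructed for illustration, since the page does not list which privileges each default role carries.

```python
# Added example (not Cohesity's own code): a small model of the role and
# privilege rules this page states, used to sanity-check a proposed user
# assignment before creating it under Settings > Access Management.
# The privilege sets given to each default role are constructed examples;
# the page does not list them.
import re

# Page: custom role names may contain only letters, numbers, spaces and . - _
ROLE_NAME_RE = re.compile(r"[A-Za-z0-9 ._-]+")

# Page: only these two roles may be combined with a custom role.
ADMIN_ROLES = {"Admin", "Super Admin"}

# Page: these privileges are withheld from a user whose access is restricted
# to specific Objects, even when the assigned role grants them.
OBJECT_RESTRICTED_PRIVILEGES = {"Manage Users", "Manage Sources"}

# Default roles named on the page, with constructed (illustrative) privilege sets.
DEFAULT_ROLES = {
    "Super Admin": {"View Users", "Manage Users", "View Protection Groups",
                    "Manage Protection Groups", "Manage Sources",
                    "View Recover Tasks", "Manage Recover Tasks",
                    "Manage super admins on Helios"},
    "Admin": {"View Users", "Manage Users", "View Protection Groups",
              "Manage Protection Groups", "Manage Sources",
              "View Recover Tasks", "Manage Recover Tasks"},
    "Viewer": {"View Users", "View Protection Groups", "View Recover Tasks"},
    "Operator": {"View Users", "View Protection Groups",
                 "Protection Group Operator", "View Recover Tasks",
                 "Manage Recover Tasks"},
}


def valid_custom_role_name(name: str) -> bool:
    """True if the name uses only the characters the page allows (and is non-empty)."""
    return ROLE_NAME_RE.fullmatch(name) is not None


def validate_role_assignment(roles, custom_roles):
    """Return the problems with a proposed set of role names ([] if acceptable).

    custom_roles maps custom role name -> set of privilege names (hypothetical).
    """
    problems = []
    for r in roles:
        if r not in DEFAULT_ROLES and r not in custom_roles:
            problems.append(f"unknown role: {r}")
    admins = sorted(r for r in roles if r in ADMIN_ROLES)
    other_defaults = sorted(r for r in roles
                            if r in DEFAULT_ROLES and r not in ADMIN_ROLES)
    # Page: a custom role may be combined with Admin / Super Admin, but a
    # default role such as Viewer may not.
    if admins and other_defaults:
        problems.append(f"default role(s) {other_defaults} cannot be "
                        f"combined with {admins}")
    return problems


def effective_privileges(roles, custom_roles, restricted_to_objects=False):
    """Union of the privileges the roles grant, minus those the page says are
    not granted when the user's access is restricted to specific Objects."""
    privs = set()
    for r in roles:
        privs |= DEFAULT_ROLES.get(r, set())
        privs |= custom_roles.get(r, set())
    if restricted_to_objects:
        privs -= OBJECT_RESTRICTED_PRIVILEGES
    return privs


if __name__ == "__main__":
    # Constructed custom role, mirroring the page's "Manage gflag" example.
    custom = {"Gflag Operator": {"Manage Gflags"}}
    for roles in (["Admin", "Gflag Operator"], ["Viewer", "Admin"]):
        print(roles, validate_role_assignment(roles, custom) or "ok")
    print(sorted(effective_privileges(["Admin", "Gflag Operator"], custom,
                                      restricted_to_objects=True)))
```

Run as a script, the first assignment passes, the second is rejected because Viewer is a default role, and the object-restricted Admin keeps View Users and Manage Gflags but loses Manage Users and Manage Sources, which is the behaviour the privilege descriptions above state.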