Manage Users & Roles

To manage user access to your Cohesity DataProtect as a Service, we recommend that you add users and groups. Once you create them, your users can start using your Cohesity DataProtect as a Service with their own logins.

Add Users

To add a user:

1. In DataProtect as a Service, navigate to Settings > Access Management and click the Users tab.

2. Click Add User.

   Only the user with Admin privileges will be able to add a new user.

3. In the dialog, select Add User and enter:

   • Username. The user's email address.

   • Email Address. The user's email address again.

   • First Name. The user's first name in Cohesity DataProtect as a Service.

   • Last Name. Typically, the domain of your email address.

4. Under Roles and Access, assign an appropriate Role to this user. See Roles for more information.

5. Click Save.

The new user receives a welcome email with a link to reset their password, and appears in the list on the Users tab. From there, you can edit or delete the user, or prompt them to reset their password.

Manage Users

To change a user's settings, click the Actions menu (⋮) next to the user and select:

• Edit. To update their Email Address, First Name, and/or Last Name.

• Delete. To delete the user from your Cohesity DataProtect as a Service.

• Reset Password. To send the user an email with a link to reset their password.

Change Password

To change your Cohesity DataProtect as a Service password:

1. In DataProtect as a Service, navigate to Settings > Access Management and click the user to open the User Details page.

2. Click Reset Password and follow the prompts.

Add SSO Users & Groups

If you have added Single Sign-on (SSO) toCohesity DataProtect as a Service, you can add users and groups from your SSO domain for additional user management.

To add SSO users and groups:

1. In DataProtect as a Service, navigate to Settings > Access Management.

2. Click Add User on the Users tab.

3. In the dialog, select Add SSO Users & Groups and enter:

   • SSO Domain. The domain you used to add SSO.

   • SSO Users. The users in your SSO domain who need access to Cohesity DataProtect as a Service.

   • SSO Groups. The groups in your SSO domain who need access Cohesity DataProtect as a Service.

4. Click Save.

The new SSO users and groups you entered appear in the list on the Users tab. To group them, click the Domain column sort them by your SSO domain.

Click the Actions menu (⋮) next to the SSO user or group to Edit or Delete them.

Roles

The following table lists the default roles available in Cohesity DataProtect as a Service.

Roles	Description
Cohesity Support Admin	This role allows Cohesity Support to create a Super Admin user for the customer. Only Cohesity Support has access to this role, and it is typically used when the customer has lost access to a Super Admin user due to turnover and other events.
DR Admin	DR Admin users have Viewer role privileges and can also create and manage DR related workflows and associated tasks.
Gaia Admin	Gaia Admin users have Self Service Gaia role privileges and can view and manage details and results.
Gaia Viewer	Gaia Viewer users have query and read-only access to Gaia.
Helios platform	Helios Platform users have access management and helios access management privileges.
Data Security	Data Security users have Self Service Data Protection role privileges and can create DataLock Views and set DataLock expiration dates. Data Security user does not have the delete option. Change the user role to delete that particular user.
High Classified	User who has High classified role can fetch cluster details needed for specific API calls.
Operator	Operator users have Viewer role privileges and can run existing Protection Groups and create Recover Tasks.
Replication	Replication users have access to setup and replicate data to another cluster.

The combination of any custom role with Admin or Super Admin is supported. As a result, you can select a custom role along with Admin or Super Admin for a user. For example, you can create a custom role with Manage gflag privilege and select this custom role along with Admin or Super Admin to allow that user to manage Gflag and other administrative operations on a Cohesity cluster. However, you cannot combine a default role such as Viewer with the Admin or Super Admin role for a user.

Custom Roles and Privileges

You can select Add Custom Role to create a new role and define a specific set of privileges.

To create a custom role:

1. Navigate to Settings > Access Management.

2. Select Roles tab and click Add Custom Role.

3. Enter a name for the role in Name column. Role names cannot be edited after you create them.

   Only letters, numbers, spaces and the special characters . - _ are allowed.

4. You can optionally provide a description for the role in Description column.

5. Set the role's privileges by using the toggles and check boxes. For a description of the privileges, see Privileges.

   In the Add Role screen, hover your mouse over the privilege name to display its description in a pop-up tooltip.

Privileges

The privileges for all workflows are described below.

Access Management Privileges

Workflow	Privileges	Description
Access Management	View Users	Allows viewing users, groups and other access control information.
	Manage Users	Allows modifying users, groups and other access control information. If the user's access is restricted to specific Objects, then this privilege is not granted, even if the role grants it.
	View API Key	Allow user to view other users' API Keys.
	Manage API Key	Allow user to modify other users' API Keys.
	Manage S3 Keys	Allow user to manage and view other users' S3 keys.
Cohesity DataProtect as a Service Access Management	Manage super admins on Helios	Allows the user to manage super admins on Helios.
	View super admins on Helios	Allows the user to view super admins on Helios.
	Manage admins on Helios	Allows the user to manage admins on Helios.
	View admins on Helios	Allows the user to view admins on Helios.
	Manage Helios MFA	Allow users to modify Helios level MFA settings.
	View Audit Logs	Allows the user to view audit logs and related settings.
	Manage Audit Logs	Allows the user to manage audit log settings.
	View Access Scopes	Allows the user to view access scopes in Helios.
	Manage Access Scopes	Allows the user to manage access scopes in Helios.
	Manage Session Management	Allows the user to view and modify session management configuration in Helios.

Helios Privileges

Workflow	Privileges	Description
DataProtect Service	Search Objects	Allows the user to perform search of objects.
	Configure Regions	Allows the user to configure regions in Helios Data Protect.
	Manage Tags	Allows the user to manage tags.
Account Management on Helios	View Account properties on Helios	Allows viewing Account properties on Helios.
	Manage Account properties on Helios	Allows managing Account properties on Helios.
FortKnox Service	Helios FortKnox vault provision permission	Allows the user to modify vaults in Helios FortKnox service.
Gaia Service	View Gaia	Allows the user to view Gaia details and results.
	Manage Gaia	Allows the user to manage Gaia details and results.
DataHawk Services	View Rules	Allows the user to view rules.
	Manage Rules	Allows the user to manage rules.
	View Threat Scan	Allows users to view threat scan.
	Manage Threat Scan	Allows users to manage threat scan.
	Download Threat Scan Summary Report	Allows users to download threat scan summary report.
	Integrate Third Party Threat Intelligence Feed	Allows users to integrate third party threat intelligence feed.
	Manage Custom YARA Rules	Allows users to manage custom YARA rules.
	View Data Classification Scan	Allows users to view data classification scan.
	Manage Data Classification Scan	Allows users to manage data classification scan.
	Download Data Classification Scan Summary Report	Allows users to download data classification scan summary report.
	Manage Data Classification Policy	Allows users to manage data classification policy.
	Manage Cluster Scanning Order	Allows users to manage cluster scanning order.
	View Isolated Recovery Room	Allows the user to view isolated recovery room.
	Manage Isolated Recovery Room	Allows the user to manage isolated recovery room.
	View Isolated Recovery Plan	Allows the user to view isolated recovery plan.
	Manage Isolated Recovery Plan	Allows the user to manage isolated recovery plan.
AntiRansomware Service	View AntiRansomware Rules	Allows users to view anti ransomware rules.
	Manage AntiRansomware Rules	Allow users to manage anti ransomware rules.
SiteContinuity Service	View SiteContinuity	Allows the user to view site continuity details and results.
	Manage SiteContinuity	Allows the user to manage site continuity details and results.

Multi-Cluster Privileges

Workflow	Privileges	Description
Security Integration	View Security Integrations	Allows the user to view security integrations.
	Manage Security Integrations	Allows the user to modify Security Integrations.
FortKnox Self-Managed Service	FortKnox Self-Managed Vault provision permission	Allows the user to modify vaults in FortKnox Self-Managed service.
Multi Cluster Management	Register clusters	Allows the users to register clusters.
	Unregister clusters	Allows the users to unregister clusters.
	Multi cluster upgrade	Allows the user to perform multi cluster upgrade.
	View Backup Configurations on Helios	Allows viewing backup Configurations and runs on Helios.
	Manage Backup Configurations on Helios	Allows managing backup Configurations and runs on Helios.
	View Cluster Configuration Backups	Allows the user to view Cluster Configuration Backups.
	Modify Cluster Configuration Backups	Allows the user to modify Cluster Configuration Backups.
	View Cluster Configuration Restores	Allows the user to view Cluster Configuration Restores.
	Modify Cluster Configuration Restores	Allows the user to modify Cluster Configuration Restores.
Helios Simulator	View simulations	Allows the user to view simulations' details and results.
	Create and run simulations	Allows the user to create, modify, run and delete simulations.
Cluster Management	Manage Gflags	Allows the user to manage gflags through recipes.
Snapshot Tagging	Enable or disable snapshot tagging feature	Allows the user to manage snapshot tagging feature, tag and untag snapshots.
	Restore from tagged snapshots	Allows the user to restore from snapshots tagged due to anomaly data ingest.
Quorum	View Quorum Groups	Allows the user to view quorum groups and their details.
	Create Quorum Groups	Allows the user to create and modify quorum groups.
Posture Advisor Service	View Posture Advisor	Allow users to view posture advisor.
	Manage Posture Advisor	Allow users to manage posture advisor.
Helios Alerts Service	View Alert Resolution, Notification and Silencing on Helios	Allows the user to view alert resolutions, notification rules and silence rules on Helios.
	Manage Alert Resolution, Notification and Silencing on Helios	Allows the user to resolve alerts and manage notification/silence rules on Helios.
RecoveryAgent	View Recovery Groups	Allows the user to view RecoveryAgent recovery groups.
	Manage Recovery Groups	Allows the user to create, edit, delete, and execute RecoveryAgent recovery groups.
	View Blueprints	Allows the user to view RecoveryAgent blueprints.
	Manage Blueprints	Allows the user to create, edit, delete, and execute RecoveryAgent blueprints.
	Restore Infected Workloads	Allows the user to restore workloads flagged as infected during threat scans.
	View Automation Hosts	Allows the user to view Automation Host configurations.
	Manage Automation Hosts	Allows the user to configure, manage, and execute scripts on Automation Hosts.

Local-Cluster Privileges

Workflow	Privileges	Description
Apps	Launch Apps Instances	Allows viewing apps, instances and app management information. For an app instance, access is restricted to the user who launched the app instance.
	Manage Apps and Instances	Allows install, uninstall and launch of the app, and pause, resume and stop of the app instance. User specific restrictions of app instance do not apply.
Organization Management	View Organizations	Allows viewing organizations registered on the cluster.
	Manage Organizations	Allows managing organizations registered on the cluster.
	Switch Organization	Allows to switch to an organization's perspective and perform actions on their behalf.
Clone Management	View Clone Tasks	Allows the user to view Clone tasks.
	Manage Clone Tasks	Allows the user to create, modify and delete Clone tasks.
Free Node Management	View Free Nodes	Allows the user see information about free nodes.
Cluster Management	View Cluster Details	Allows the user to view Cluster settings. The user cannot make changes.
	Manage Cluster	Allows the user to modify Cluster setup and to add and remove Nodes.
	Cluster Support	Allows the user to perform support related operations such as collecting data and browsing logs.
	Upgrade Cluster	Allows the user to upgrade and patch the Cluster.
	Manage Patches	This privilege allows a User to apply or revert patches to the Cluster.
	View Remote Clusters	Allows the user to view the Remote Clusters for remote access or replication.
	Manage Remote Clusters	Allows the user to register and modify Remote Clusters for replication.
	View External Targets	Allows the user to view External Targets for archival.
	Manage External Targets	Allows the user to register and modify External Targets for archival.
	View Audit Logs	Allows the user to view the Audit Logs.
	View Alert Details	Allows the user to view alerts. The user cannot make changes.
	Manage Alerts	Allows the user to resolve alerts and manage email addresses where alert notifications should be received.
	View VLANs	Allows the user to view available VLANs.
	Manage VLANs	Allows the user to modify VLANs.
	View Bifrost VLANs	Allows the user to view available Bifrost VLANs.
	View data-source connections	Allows a user to view data-source connections.
	Modify data-source connections	Allows a user to create or modify data-source connections.
	View data-source connectors	Allows a user to view data-source connectors.
	Modify data-source connectors	Allows a user to create or modify data-source connectors.
	Modify Bifrost VLANs	Allows the user to modify available Bifrost VLANs.
	View Bifrost Connections	Allows a user to have view-only access to the available Bifrost Connections.
	Modify Bifrost Connections	Allows a user to create or modify Bifrost Connections.
	View Hybrid Extender Details	Allows the user to view the Hybrid Extender details.
	Download Hybrid Extender	Allows the user to download Hybrid Extender VM or configuration file.
	View AD and LDAP Details	Allows the user to view active directory and LDAP providers. The user cannot make changes.
	Manage AD and LDAP	Allows the user to manage active directory and LDAP providers on the cluster.
	View report schedules	Allows the user to view report schedules on cluster. The user cannot make changes.
	Manage report schedules	Allows the user to manage report schedules on the cluster.
	View NIS	Allows the user to view NIS providers on the cluster.
	Manage NIS	Allows the user to manage NIS providers on the cluster.
	View KERBEROS	Allows the user to view registered Kerberos providers on the cluster.
	Manage KERBEROS	Allows the user to manage registered Kerberos providers on the cluster.
	View S3 ABAC Details	Allows the user to view S3 ABAC configuration. The user cannot make changes.
	Manage S3 ABAC	Allows the user to manage S3 ABAC configuration on the cluster.
	View Account Security	Allows the user to view Account Security settings on the cluster.
	Manage Account Security	Allows the user to modify Account Security settings on the cluster.
	View Tags	Allows the user to view tags on the cluster.
	Modify Tags	Allows the user to create/ modify tags on the cluster.
	Manage Tags	Allows the user to apply/ remove tags on the cluster.
	Manage Support Channel	Allows the user to modify Support Channel settings on the cluster.
	Manage Linux user sudo access	Allows the user to grant linux user to bash shell access.
	Allow access to Cohesity UI	Allows the user to access Cohesity cluster through UI.
	Manage MFA	Allow users to modify cluster level MFA settings.
	Manage Helios	Manage connection to Helios.
	View Keystone Details	Allows the user to view Keystone configuration. The user cannot make changes.
	Manage Keystone	Allows the user to manage Keystone configuration on the cluster.
Data Protection	View Protection Groups	Allows the user to view Protection Groups, Protection Sources and Protection Group runs. The user cannot make any changes.
	Manage Protection Groups	Allows the user to create, modify and delete Protection Groups as well as the ability to delete runs.
	Delete snapshots	Allows user to delete snapshots.
	Protection Group Operator	Allows the user to run, cancel or pause a Protection Group.
	Manage Sources	Allows the user to register or delete a Protection Source and modify its information. If the user's access is restricted to specific Objects, then this privilege is not granted, even if the role grants it.
	View Protection Policies	Allows the user to view Protection Policies. The user cannot make any changes.
	Manage Protection Policies	Allows the user to create, modify and delete Protection Policies.
	View agent upgrade tasks	This privilege allows a user to view agent upgrade tasks.
	Create or modify agent upgrade tasks	This privilege allows a user to modify and create upgrade tasks.
	Search objects	Allows the user to perform search of objects from sources registered on the cluster.
	Manage agents	Allows the user to deploy and register the Cohesity agent on servers.
	View Runbooks	Allows the user to list and view the created Runbooks.
	Execute Runbooks	Allows the user to execute Runbooks.
	Manage Runbooks	Allows the user to create, modify, remove and execute Runbooks.
Recovery Management	View Recover Tasks	Allows the user to view Recover and Clone Tasks. The user cannot make any changes.
	Manage Recover Tasks	Allows the user to create Recover Tasks.
	Download File	Allows the user to download files. The user also needs the 'Manage Recover Tasks' privilege to download files.
	Recover from External Targets	Allows the user to search External Targets and recover using data archived from a Remote Cluster.
Storage Management	Read Cohesity Views	Allows the user to view Cohesity Views.
	Manage Cohesity Views	Allows the user to create, modify and delete Cohesity Views.
	Read Cohesity Storage Domains	Allows the user to view Cohesity Storage Domains.
	Manage Cohesity Storage Domains	Allows the user to create and modify Cohesity Storage Domains.
Analytics Management	View Analytics Workbench	Allows the user to view Analytics Workbench related entities.
	Manage Analytics Workbench	Allows the user to modify Analytics Workbench related entities.
	Reporting	Allows the user to generate and view reports.
Source Access Control	Data Security	Allows the user to lock a View and set its lock expiration date.
	Manage Enterprise File DataLock	Allows the user to decrease the Enterprise File DataLock expiration period and to delete a view with Enterprise File DataLock configured.
SMB Security	SMB Backup	This privilege causes the system to grant all read access control to any file, regardless of the access control list (ACL) specified for the file. Any access request other than read is still evaluated with the ACL.
	SMB Restore	This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file.
	Take ownership of SMB files	This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.
	Manage system access control list on SMB files	Required to perform a number of security-related functions, such as controlling and viewing audit messages. This privilege identifies its holder as a security operator.
Source Management	Manage VMware Standalone Hosts	This privilege allows a User to manage VMware Standalone Hosts.
	Manage VMware VCenters	This privilege allows a User to manage all VMware VCenters.
	Manage VMware VCloudDirector	This privilege allows a User to manage VMware VCloudDirector.
	Manage HyperV SCVMM Servers	This privilege allows a User to manage HyperV SCVMM Servers.
	Manage HyperV Standalone Hosts	This privilege allows a User to manage HyperV Standalone Hosts.
	Manage HyperV Failover Clusters	This privilege allows a User to manage HyperV Failover Clusters.
	Manage Acropolis Standalone Clusters	This privilege allows a User to manage Acropolis Standalone Clusters.
	Manage Acropolis Generic Standalone Clusters	This privilege allows a User to manage Acropolis Generic Standalone Clusters.
	Manage GCP IAM users	This privilege allows a User to manage GCP IAM users.
	Manage AWS IAM users	This privilege allows a User to manage AWS IAM Users.
	Manage Azure Subscriptions	This privilege allows a User to manage Azure Subscriptions.
	Manage KVM OVirtualManager Sources	This privilege allows a User to manage KVM OVirtualManager Sources.
	Manage Physical Servers	This privilege allows a User to manage Physical Servers.
	Manage Office365 Domains	This privilege allows a User to manage Office365 Domains.
	Manage SQL Servers	This privilege allows a User to manage SQL Servers.
	Manage Oracle Servers	This privilege allows a User to manage Oracle Servers.
	Manage Pure Storage Arrays	This privilege allows a User to manage Pure Storage Arrays.
	Manage Nimble Storage Arrays	This privilege allows a User to manage Nimble Storage Arrays.
	Manage Hyperflex Servers	This privilege allows a User to manage Hyperflex Servers.
	Manage Active Directory Servers	This privilege allows a User to manage Active Directory Servers.
	Manage Isilon Clusters	This privilege allows a User to manage Isilon Clusters.
	Manage NetApp Clusters	This privilege allows a User to manage NetApp Clusters.
	Manage NetApp VServers	This privilege allows a User to manage NetApp VServers.
	Manage Generic NAS hosts	This privilege allows a User to manage Generic NAS hosts.
	Manage Pure Flashblade Storage Arrays	This privilege allows a User to manage Pure Flashblade Storage Arrays.
	Manage GPFS Cluster	This privilege allows a User to manage GPFS Cluster.
	Manage Elastifile Clusters	This privilege allows a User to manage Elastifile Clusters.
	Manage Exchange Servers	This privilege allows a User to manage Exchange Servers.
	Manage Cassandra Clusters	This privilege allows a User to manage Cassandra Clusters.
	Manage MongoDB Clusters	This privilege allows a User to manage MongoDB Clusters.
	Manage Couchbase Clusters	This privilege allows a User to manage Couchbase Clusters.
	Manage HDFS Sources	This privilege allows a User to manage HDFS sources of Hadoop Clusters.
	Manage HBASE Sources	This privilege allows a User to manage HBASE sources of Hadoop Clusters.
	Manage HIVE Sources	This privilege allows a User to manage HIVE sources of Hadoop Clusters.
	Manage Kubernetes Sources	This privilege allows a User to manage Kubernetes sources.
	Manage Universal Data Adapter Sources	This privilege allows a User to manage Universal Data Adapter sources.
	Manage SAP HANA Sources	This privilege allows a User to manage SAP HANA sources.
	Manage SFDC Adapter Sources	This privilege allows a User to manage SFDC Adapter sources.
Highly Classified	High Classified	User who has High classified privilege can fetch cluster details needed for specific API calls.