Code42 Support

Best Practices For Custom Roles & Permissions

Applies to:
  • CrashPlan PROe
After you have an understanding of Managing User Roles, you're ready to customize roles and permissions. Our recommended best practices provide guidelines for developing custom roles in your Code42 environment using its powerful and complex permissions. Several standard roles are already preconfigured in your Code42 environment. These roles are thoroughly tested and provide for most common use cases.

Best practices

Process

We recommend this process for creating a new role in your Code42 environment:

  1. Check the existing roles to see if they meet your needs
  2. Make a duplicate of an existing role, then add or remove permissions as needed
  3. Test your customized role to ensure it behaves as expected
  4. Assign your custom role to users

Check existing roles first

Several standard roles are already preconfigured in your Code42 environment. These roles are thoroughly tested and provide for most common use cases.

Review the existing roles at Settings > Security > Roles.

Duplicate and modify an existing role

While you can create new roles and add permissions, we recommend starting with an existing role and changing permissions as needed for your environment.

CrashPlan PROe permissions are modular and affect specific actions. Because of this, combining certain role permissions or omitting other permissions can cause unexpected behavior for users.

Test your custom roles

Due to the complexity of the available permissions, it is vital to test your custom roles before deploying them to users.

After creating a custom role, assign it to a test user. Then sign in as that test user and try the functions you expect that user to perform. For example, if you're creating a custom role for a help desk technician, test the role by looking through user accounts, deactivating and reactivating a user, and restoring a file from the administration console.

Assign your custom role to users

After testing that your custom role behaves as expected, assign that role to users in your Code42 environment.

Considerations

Be careful with SYSADMIN

The SYSADMIN role contains the admin permission, which is granted to the local administrator account. Users with the admin permission can:

  • Read and write all information for all users, organizations, and settings
  • Grant or remove all permissions for all users, including themselves and other SYSADMIN users

Although users with the admin permission can read and write all information in the administration console, the admin permission does not include all other permissions. For example, a user with the admin permission cannot perform admin restores for other users.

Limiting the number of accounts with the admin permission is a good way to minimize the risk of incorrect configuration (even accidental) of your Code42 environment.

Example custom roles

These examples come from actual requests made to our Customer Champions.

Read-only user

Desired functionality

An organization wants to have "read-only" help desk users. These read-only users need to view user information in the administration console, but should not have permission to interact with backups, namely:

  • pausing backups
  • resuming backups
  • performing archive maintenance

Starting role

Org Help Desk

Permissions

Starting Permissions

  • computer.read
  • console.login
  • cpd.login
  • cpp.login
  • cps.login
  • org.read
  • pushrestore.limited
  • select
  • user.read

Added Permissions

  • allcomputer.read
  • allorg.read
  • alluser.read
  • viewlogs

Removed Permissions

  • pushrestore.limited
  • select

Final Permissions

  • allcomputer.read
  • allorg.read
  • alluser.read
  • computer.read
  • console.login
  • cpd.login
  • cpo.login
  • cpp.login
  • cps.login
  • org.read
  • user.read
  • viewlogs

Regulation-compliant backup user

Desired functionality

An organization needs to give a user permission to manage their backups, but that user should not be allowed to restore data from the administration console for compliance reasons.

The desired behavior requires two roles: the standard PROe User role, which allows users to sign in to the administration console, and a customized Desktop User role.

Starting roles

Desktop User

Permissions

Starting Permissions

  • cpd.login
  • cps.login
  • restore.personal
  • select.personal

Added Permissions

  • pushrestore

Removed Permissions

  • restore.personal

Final Permissions

  • cpd.login
  • cps.login
  • pushrestore
  • select.personal
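
The two example roles above can be checked mechanically before a custom role is assigned to users. The following Python sketch is an added example, not Code42 code: it recomputes the final permission set from the starting role plus the added and removed permissions, and reports anything the change list does not explain. The function name, data layout, and must_not_hold lists are assumptions; the permission names are the ones listed on this page.

```python
# Added example. Permission names are the ones listed on this page; the
# function name, data layout and must_not_hold lists are assumptions.

def review_role(starting, added, removed, final, must_not_hold=()):
    """Compare a custom role with the change list that produced it.

    Returns a dict of findings; every list is empty for a clean role.
    """
    starting, added, removed, final = map(set, (starting, added, removed, final))
    expected = (starting | added) - removed
    return {
        # Removals naming a permission the starting role never had.
        "removed_not_in_start": sorted(removed - starting),
        # Additions the starting role already grants.
        "added_already_present": sorted(added & starting),
        # Held by the final role but not explained by the change list.
        "unexplained": sorted(final - expected),
        # Expected from the change list but absent from the final role.
        "missing": sorted(expected - final),
        # Permissions the role's purpose says it must never carry.
        "forbidden_present": sorted(final & set(must_not_hold)),
    }

# Read-only help desk role, derived from Org Help Desk.
READ_ONLY_HELP_DESK = dict(
    starting="computer.read console.login cpd.login cpp.login cps.login "
             "org.read pushrestore.limited select user.read".split(),
    added="allcomputer.read allorg.read alluser.read viewlogs".split(),
    removed="pushrestore.limited select".split(),
    final="allcomputer.read allorg.read alluser.read computer.read "
          "console.login cpd.login cpo.login cpp.login cps.login org.read "
          "user.read viewlogs".split(),
    must_not_hold=["pushrestore.limited", "select"],  # assumed from the goal
)

# Regulation-compliant backup role, derived from Desktop User.
COMPLIANT_BACKUP_USER = dict(
    starting="cpd.login cps.login restore.personal select.personal".split(),
    added=["pushrestore"],
    removed=["restore.personal"],
    final="cpd.login cps.login pushrestore select.personal".split(),
    must_not_hold=["restore.personal"],  # assumed from the goal
)

if __name__ == "__main__":
    for name, role in [("read-only help desk", READ_ONLY_HELP_DESK),
                       ("compliant backup user", COMPLIANT_BACKUP_USER)]:
        findings = {k: v for k, v in review_role(**role).items() if v}
        print(name, "->", findings or "clean")
```

Run against the lists on this page, the read-only role reports cpo.login as unexplained: it appears in the final permissions but in neither the starting nor the added list.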

Standard role reference

The available standard roles, as well as the permissions, limitations, and recommended use cases for each are described in the table below.

For details about the specific permissions held by each role, review them in your administration console at Settings > Security > Roles.

Admin Restore
  Permission Summary, Administrative:
  Permission Summary, End user:
    • None
  Limitations:
    • No access to the CrashPlan web app or CrashPlan app
  Recommended Use Case: Assign in conjunction with a role that has access to the CrashPlan web app and CrashPlan app

Admin Restore Limited
  Permission Summary, Administrative:
  Permission Summary, End user:
    • None
  Limitations:
    • Restore limit is configurable from Settings > Organization (250 MB by default)
    • No access to the CrashPlan web app or CrashPlan app
  Recommended Use Case: Assign in conjunction with a role that has access to the CrashPlan web app and CrashPlan app

All Org Admin
  Permission Summary, Administrative:
  Permission Summary, End user:
    • Perform personal backups from the CrashPlan app and CrashPlan web app
  Limitations:
    • No "root" level access
  Recommended Use Case: IT staff who need to perform administrative tasks, but who should not have "root" level access

All Org Manager
  Permission Summary, Administrative:
    • Review statistics about all of the organizations in your Code42 environment and retrieve data
  Permission Summary, End user:
    • None
  Limitations:
    • Read-only access to prevent them from mistakenly changing settings or deleting data
  Recommended Use Case: Executive users who need statistics, but not technical details, about your Code42 environment

Desktop User
  Permission Summary, Administrative:
    • N/A
  Permission Summary, End user:
    • Perform personal backups from the CrashPlan app and CrashPlan web app
  Limitations:
    • Cannot interact with other users' data or change settings in your Code42 environment
  Recommended Use Case: End users in your organization

Org Admin
  Permission Summary, Administrative:
    • Read and write information for users, computers, and organizations within one organization and its children organizations
  Permission Summary, End user:
    • Perform personal backups from the CrashPlan app and CrashPlan web app
  Limitations:
    • Cannot read or write information outside their organization
    • Cannot access administration console command line
    • Cannot access system logs
  Recommended Use Case: Administrators who should only manage users and devices within a specific organization

Org Help Desk
  Permission Summary, Administrative:
    • Read-only access to view users and devices within their organization
    • Restore files to the source user's devices using the administration console
  Permission Summary, End user:
    • Perform personal backups from the CrashPlan app and CrashPlan web app
  Limitations:
    • Cannot change settings
    • Cannot read or write information outside their organization
  Recommended Use Case: Help desk staff who can assist others within their organization, but not reconfigure any settings

Org Manager
  Permission Summary, Administrative:
    • Read-only access to view users and devices within their organization
    • Restore files to the source user's devices using the administration console
  Permission Summary, End user:
    • Perform personal backups from the CrashPlan app and CrashPlan web app
  Limitations:
    • Cannot change settings
    • Cannot read or write information outside their organization
  Recommended Use Case: Executive users who need statistics, but not technical details, about their organization (not the entire Code42 environment)

PROe User
  Permission Summary, Administrative:
    • Sign in to the administration console
  Permission Summary, End user:
    • None
  Limitations:
    • Cannot access other information or functions of CrashPlan PROe
  Recommended Use Case: End users in your organization

Push Restore
  Permission Summary, Administrative:
    • Restore files from the administration console
    • View files within backup archives
  Permission Summary, End user:
    • None
  Limitations:
    • No read or write access to any user, organization, or device
  Recommended Use Case: Help desk staff who will assist others with restoring data. Assign in conjunction with a role that has access to the CrashPlan web app.

Remote File Selection
  Permission Summary, Administrative:
    • View files within backup archives
  Permission Summary, End user:
    • None
  Limitations:
    • No read or write access to any user, organization, or device
  Recommended Use Case: Help desk staff who will monitor backups. Assign in conjunction with a role that has access to the CrashPlan web app.

Server Administrator
  Permission Summary, Administrative:
    • Read and write information for users, computers, and organizations for your entire Code42 environment
    • Edit all system information and settings (except tasks reserved for system administrator)
  Permission Summary, End user:
    • Perform personal backups from the CrashPlan app and CrashPlan web app
  Limitations:
    • Cannot perform tasks reserved for system administrator, such as editing the local administrator account password
  Recommended Use Case: IT staff who need administrative privileges for the Code42 environment

SYSADMIN
  Permission Summary, Administrative:
    • Default role for the local administrator account
    • "Root-level" access
    • Read and write all information for all users, organizations, and settings
    • Grant and revoke SYSADMIN role for other users
  Permission Summary, End user:
    • None
  Recommended Use Case: Grant with caution! The roles Server Administrator or All Org Admin may be more appropriate.