Security settings reference

Overview

This article is a reference guide for settings used to manage security keys, roles, LDAP, Radius, and Single Sign-On.

Keys

Security Key Settings

Item		Description
a	Require SSL to access console	Forces all web requests to use SSL. This setting impacts: Access to the Code42 console Single sign-on configuration Code42 API requests Before requiring ssl Install a CA-signed SSL certificate, and configure the Website protocol, host, and port to use https and port 4285.
b	SSL Keystore	Displays the Java keystore that contains your key materials.
c	Import Keystore	Imports your own SSL keystore into this enterprise server. The enterprise server comes with a self-signed SSL certificate. The imported keystore replaces any previously installed SSL certificate. The keystore is stored within the enterprise server's embedded database.
d	Export Keystore	Exports the currently installed SSL keystore to a file. This option is not available if the default keystore is in use.
e	Reset Keystore	Deletes the existing keystore and randomly generates a new SSL keystore.
f	RSA Public Key	Displays the public RSA key used for transport security.
g	RSA Private Key	Displays the private RSA key used for transport security.
h	Change RSA Key Pair	Changes the RSA key pair used for transport security. We recommend that you dump the enterprise server's database before changing the key pair. Changing rsa keys will break server Connections Changing the RSA key pair will break any current connections between this master server and other Code42 servers. We do not recommend it in multiple-server configurations. Restoring the connections requires manually adjusting server databases.

Roles

The Roles screen displays all user roles and the specific permissions assigned to each role. You can add, copy, and edit user roles from this screen. To assign user roles, go to the specific user's User Details > Action Menu > Edit > Roles. You may also assign roles within your existing LDAP integration settings, using the role name script.

The SYSADMIN role has full read-write access to all orgs, users, and configuration settings. Users with the SYSADMIN role can grant any permission to themselves and to any other role or user. Other admin users with read-write access are allowed to grant only the permissions granted to themselves. When a permission is removed from an admin role, admins with the updated role can no longer grant the removed permission to any other user.

Roles

Item		Description
a	Roles	Lists all currently available roles.
b	Copy Role	Creates a new role.
c	Edit Role	Edits the role. Default roles cannot be edited.
d	Delete Role	Deletes the role. Default roles cannot be deleted.
e	Permissions	Lists the permissions assigned to a role.
f	Add	Creates a new role with custom permissions.
g	Users	Displays the number of users currently assigned the selected role. Click to display a list of those users.

Add or edit roles

Edit roles

Item		Description
a	Role	Specifies the name of the role.
b	Permissions Editor	Determines which permissions are assigned to this role.

Standard role reference

The available standard roles, as well as the permissions, limitations, and recommended use cases for each are described in the table below.

For details about the specific permissions held by each role, review them in your Code42 console at Settings > Security > Roles.

Role	Permission Summary	Limitations	Recommended Use Case
Admin Restore	Administrative Allows users to restore data using the Code42 console End user None	No access to the CrashPlan web app or CrashPlan app	Assign in conjunction with a role that has access to the CrashPlan web app and CrashPlan app
Admin Restore Limited	Administrative Allows users to restore a limited amount of data using the Code42 console (configurable limit) End user None	Restore limit is configurable from Settings > Organization (250 MB by default) No access to the CrashPlan web app or CrashPlan app	Assign in conjunction with a role that has access to the CrashPlan web app and CrashPlan app
All Org Admin	Administrative Read and write information for users, computers, and organizations for your entire Code42 environment Read and write to all plans (for enterprise servers using SharePlan) Access the Code42 console command line interface View and cancel jobs in the archive maintenance queue View system logs End user Perform personal backups from the CrashPlan app and CrashPlan web app CrashPlan PROe Sync & share from the SharePlan app and SharePlan web app SharePlan	No "root" level access	IT staff who need to perform administrative tasks, but who should not have "root" level access
All Org Manager	Administrative Review statistics about all of the organizations in your Code42 environment and retrieve data End user None	Read-only access to prevent them from mistakenly changing settings or deleting data	Executive users who need statistics, but not technical details, about your Code42 environment
Desktop User	Administrative N/A End user Perform personal backups from the CrashPlan app and CrashPlan web app CrashPlan PROe Sync & share from the SharePlan app and SharePlan web app SharePlan	Cannot interact with other users' data or change settings in your Code42 environment	End users in your organization
Org Admin	Administrative Read and write information for users, computers, and organizations within one organization and its children organizations Read and write to plans within one organization and its children (for enterprise servers using SharePlan) End user Perform personal backups from the CrashPlan app and CrashPlan web app CrashPlan PROe Sync & share from the SharePlan app and SharePlan web app SharePlan	Cannot read or write information outside their organization Cannot access Code42 console command line Cannot access system logs	Administrators who should only manage users and devices within a specific organization
Org Help Desk	Administrative Read-only access to view users and devices within their organization Restore files to the source user's devices using the Code42 console End user Perform personal backups from the CrashPlan app and CrashPlan web app CrashPlan PROe Sync & share from the SharePlan app and SharePlan web app SharePlan	Cannot change settings Cannot read or write information outside their organization	Help desk staff who can assist others within their organization, but not reconfigure any settings
Org Manager	Administrative Read-only access to view users and devices within their organization Restore files to the source user's devices using the Code42 console End user Perform personal backups from the CrashPlan app and CrashPlan web app CrashPlan PROe Sync & share from the SharePlan app and SharePlan web app SharePlan	Cannot change settings Cannot read or write information outside their organization	Executive users who need statistics, but not technical details, about their organization (not the entire Code42 environment)
PROe User	Administrative Sign in to the Code42 console End user None	Cannot access other information or functions of CrashPlan PROe or SharePlan	End users in your organization
Push Restore	Administrative Restore files from the Code42 console View files within backup archives End user None	No read or write access to any user, organization, or device	Help desk staff who will assist others with restoring data. Assign in conjunction with a role that has access to the CrashPlan web app.
Remote File Selection	Administrative View files within backup archives End user None	No read or write access to any user, organization, or device	Help desk staff who will monitor backups. Assign in conjunction with a role that has access to the CrashPlan web app.
Server Administrator	Administrative Read and write information for users, computers, and organizations for your entire Code42 environment Read and write to all plans (SharePlan only) Edit all all system information and settings (except tasks reserved for system administrator) End user Perform personal backups from the CrashPlan app and CrashPlan web app CrashPlan PROe Sync & share from the SharePlan app and SharePlan web app SharePlan	Cannot perform tasks reserved for system administrator, such as editing the local administrator account password	IT staff who need administrative privileges for the Code42 environment
SYSADMIN	Administrative Default role for the local administrator account "Root-level" access Read and write all information for all users, organizations, and settings Grant and revoke SYSADMIN role for other users End user None	Cannot perform admin restores for other users	Grant with caution! The roles Server Administrator or All Org Admin may be more appropriate.

LDAP

For LDAP information please see the dedicated LDAP page.

RADIUS

RADIUS Server Setup

Item		Description
a	Server Name	Identifies the RADIUS server within your Code42 environment.
b	Address	Specifies hostname or IP address and port of the RADIUS server, in the format: `hostname:port` The word "testing" will be displayed briefly during the connection test. Wait for the test to complete before clicking Save. A green checkmark and the word "Reachable" indicates successful communication. A message saying "Failed" in red to the right of the Address field, indicates unsuccessful communication. Check the hostname or IP address of your RADIUS server.
c	Shared Secret	Sets the shared encryption key that the master server and RADIUS server use to communicate securely.
d	Attributes	Sets the attribute/value pairs you want to send to the RADIUS server with each access request. Either the NAS-Identifer or NAS-IP-Address attribute/value pair is required.
e	Timeout seconds	Sets the timeout period for all RADIUS requests.
f	Protocol (4.1.6 and later)	Sets the protocol used for communication with the RADIUS server: CHAP - more secure method of authentication that does not transmit password in plain text. PAP - less secure method of authentication that transmits password in plain text.

Single sign-on

When single sign-on (SSO) is enabled in your master server, your Code42 environment delegates all authentication and authorization to the organization's identity provider for a single source of trust. You are able to centrally control all authentication - users never enter a password into Code42 applications or the Code42 console. Authentication and authorization is delegated (redirected) to an identity provider, where the login is performed.

For SSO configuration instructions, see Single Sign-On.

Code42 platform version 4.1.6

Single Sign On Settings

Item		Description
a	Service Provider Metadata URL	Displays the URL for the master server's SAML 2.0 metadata file. This file is used by the identity provider(s).
b	Identify Provider(s)	Displays the configured SSO identity provider(s) and identity federation(s).
c	Identity federation	Click to view, modify, or delete the identity federation.
d	Add identity provider	Click to add an identity provider from the identity federation.
e	Identity provider	Click to view, modify, or delete the identity provider.
f	Add Identity Provider or Federation	Click to configure a standalone identity provider or identity federation.
g	Edit this provider	Click to modify the identity provider or identity federation.
h	Delete this provider	Click to delete the identity provider or identity federation. Identity providers cannot be deleted while they are in use by the default organization settings or specific organizations.
i	Identity Provider Details	Displays a read-only view of identity provider or identity federation configuration, including metadata URL and attribute mapping. Click Edit this provider to modify the configuration.

Identity provider metadata

The following screen appears when configuring a standalone identity provider or identity federation.

Enter Identity Provider Metadata

Item		Description
a	Identity Provider metadata URL	Sets the URL for the standalone identity provider or identity federation metadata file. The master server must be able to access this URL.
b	Continue	Click to obtain configuration values from the metadata file referenced by the URL.

Identity provider settings

The following screen appears when configuring a standalone identity provider or identity federation after you enter a metadata URL and click Continue, or when configuring an identity provider from an identity federation.

Edit Identity Provider

Item		Description
a	Identity Provider metadata URL / Choose identity provider	For standalone identity providers and identity federations, Identity Provider Metadata URL contains the URL for the identity provider or identity federation metadata file. The master server must be able to access this URL. For identity providers in a federation, Choose identity provider lists the identity providers in the federation. Select an identity provider from the list.
b	Update	Click to check the metadata file referenced by the URL for changes.
c	Display name	Sets the name of your organization's SSO identity provider. This is a descriptive label and the text entered here is displayed to the user on the sign-in screen of the Code42 applications and Code42 console.
d	Path to identify provider display name Federations only	Sets the path to identity provider display names in the identity federation metadata XML file. Example path: //mdui:DisplayName When the path is configured, display names for identity providers are pulled from the federation metadata XML file and presented to users as a choice when they sign in using SSO. When the path is not configured, the full paths for the identity providers are displayed.
e	Use default mapping	Enables or disables default mapping between Code42 platform username attributes and SSO username attributes.
f	Username	Maps Code42 platform usernames to the SSO name identifier or a custom attribute. Select Use nameId to use the SSO name identifier. Select Use Attribute tag to enter a custom SSO attribute.
g	Email	Maps Code42 platform user email addresses to an SSO attribute.
h	First name	Maps Code42 platform user first names to an SSO attribute.
i	Last name	Maps Code42 platform user last names to an SSO attribute.

Code42 platform version 4.1.4 & 4.1.5 (CrashPlan PROe only)

Single Sign On Settings

Item		Description
a	Enable	Enables or disables single sign-on. Additional configuration fields are only presented when SSO is enabled.
b	Identify provider name	Sets the name of your organization's SSO identity provider. This is a descriptive label and the text entered here is displayed to the user on the sign-in screen of the CrashPlan app and Code42 console.
c	Identify provider metadata (URL)	Sets the URL to the ldP's metadata file. This location is specific to your SSO environment. The master server must be able to access this URL.
d	Service provider metadata	After a valid path to the identity provider metadata file has been entered, displays a link to the enterprise server's service provider metadata file is provided. The data contained at this URL must be used to configure your identity provider so your identity provider is able to accept auth requests from your Code42 environment. You can either configure SAML to use the presented URL or you can include the metadata file in your SAML configuration.
e	SSL certificate	Links to Settings > Security > Keys. You must have a valid, CA-signed SSL certificate installed both on the master server and your Identity Provider in order to successfully configure your Code42 environment to use SSO.

Storage server security settings

Viewing the Security settings from the Code42 console of a storage server presents a limited number of options for SSL.

Storage server security settings

Item		Description
a	Require SSL to access console	Enables or disables SSL for all web requests. If enabled, also configure Website protocol, host and port at Settings > Server to use https and port 4285.
b	SSL Keystore	Displays the Java keystore that contains your key materials.
c	Import Keystore	Imports your own SSL keystore into this enterprise server. The imported keystore replaces any previously installed SSL certificate. The enterprise server comes with a self-signed SSL certificate. The keystore is stored within the enterprise server's embedded database.
d	Export Keystore	Exports the currently installed SSL keystore to a file.
e	Reset Keystore	Deletes existing keystore and randomly generates a new SSL keystore.

Overview

Keys

Roles

Add or edit roles

Standard role reference

LDAP

RADIUS

Single sign-on

Code42 platform version 4.1.6

Identity provider metadata

Identity provider settings

Code42 platform version 4.1.4 & 4.1.5 (CrashPlan PROe only)

Storage server security settings

Related topics