Code42 Support

Security settings reference

Available in:

Standard, Premium, Enterprise
Small Business
Applies to:

Overview

This article is a reference guide for settings used to manage security keys, roles, LDAP, RADIUS, and Single Sign-On.

Keys

Security Key Settings

 

Item Description
a Require SSL to access console

Forces all web requests to use SSL. This setting impacts:

  • Access to the administration console
  • Single sign-on configuration
  • Code42 API requests
Before requiring SSL
Import a CA-signed keystore, and configure the Website protocol, host, and port to use https and port 4285.
b SSL Keystore Displays the file name of the Java keystore last imported.
c Import Keystore

Imports your own SSL keystore into this Code42 server.

  • The Code42 server comes with a self-signed SSL certificate.
  • The imported keystore replaces any previously installed SSL certificate.
  • The keystore is stored within the Code42 server's embedded database.
d Export Keystore Exports the currently installed SSL keystore to a file. This option is not available if the default self-signed keystore is in use.
e Reset Keystore Deletes the existing keystore and randomly generates a new self-signed SSL keystore.
f RSA Public Key Displays the public RSA key used for transport security.
g RSA Private Key Displays the private RSA key used for transport security.
h Change RSA Key Pair

Changes the RSA key pair used for transport security. This change requires a restart of the authority server to take effect.

Changing RSA keys will break server connections
Changing the RSA key pair will break any current connections between this authority server and other Code42 servers. We do not recommend it in multiple-server configurations. Restoring the connections requires manually adjusting server databases.

Roles

The Roles screen displays all user roles and the specific permissions assigned to each role. You can add, copy, and edit user roles from this screen. To assign user roles, go to the specific user's User Details > Action Menu > Edit > Roles. You may also assign roles within your existing LDAP integration settings, using the role-name script.

The SYSADMIN role has full read-write access to all orgs, users, and configuration settings. Users with the SYSADMIN role can grant any permission to themselves and to any other role or user. Other admin users with read-write access are allowed to grant only the permissions granted to themselves. When a permission is removed from an admin role, admins with the updated role can no longer grant the removed permission to any other user.

Roles

Item Description
a Roles Lists all currently available roles.
b Copy role Creates a new role with all the permissions of an existing role.
c Edit role Edits a user-created role. The standard, built-in roles cannot be edited.
d Delete role Deletes a user-created role. The standard, built-in roles cannot be deleted.
e Permissions Lists the permissions assigned to a role.
f Add Creates a new role with custom permissions.
g Users Displays the number of users currently assigned the selected role. Click to display a list of those users.

Add or edit roles

Edit roles

 

Item Description
a Role Specifies the name of the role.
b Permissions editor Determines which permissions are assigned to this role.

Standard role reference

The available standard roles, as well as the permissions, limitations, and recommended use cases for each are described in the table below.

For details about the specific permissions held by each role, review them in your administration console at Settings > Security > Roles.

Role Permission Summary Limitations Recommended Use Case
Admin Restore

Administrative

End user

  • None

Limitations

No access to the administration console or Code42 app

Recommended use case

Assign in conjunction with a role that has access to the administration console and Code42 app

Admin Restore Limited

Administrative

End user

  • None

Limitations

  • Restore limit is configurable from Settings > Organization (250 MB by default)
  • No access to the administration console or Code42 app

Recommended use case

Assign in conjunction with a role that has access to the administration console and Code42 app

All Org Admin

Administrative

End user

  • Perform personal backups from the Code42 app and administration console

Limitations

No "root" level access

Recommended use case

IT staff who need to perform administrative tasks, but who should not have "root" level access

All Org Legal Admin
(version 6.5.x and later) 

Legal Admin

(version 6.0.x and earlier)

Administrative

End user

  • Perform personal backups from the Code42 app

Limitations

  • No "root" level access
  • Cannot change settings
  • Read-only view of users, devices, and organizations

Recommended use case

Legal personnel who need to place custodians on legal hold, and administer legal holds and perform data collection related to legal holds for the entire Code42 environment

All Org Manager

Administrative

  • Review statistics about all organizations and retrieve data
  • Use the Reporting web app to view data for all organizations

End user

  • None

Limitations

Read-only access to prevent them from mistakenly changing settings or deleting data

Recommended use case

Executive users who need statistics, but not technical details, about your Code42 environment

All Org Search

Administrative

  • Use the File Search web app to:
    • Search backed-up files across all organizations
    • Download files that appear in search results
  • Use the Reporting web app to view data for all organizations

End user

  • None

Limitations

No access to the administration console or Code42 app

Recommended use case

Information security or legal personnel who need to examine backed-up files across your entire Code42 environment

All Org Security Viewer
On-premises Code42 environments only

Administrative

End user

  • None

Limitations

Cannot change settings in your Code42 environment

Recommended use case

Information security personnel who need to retrieve information from devices that use endpoint monitoring.

Customer Cloud Admin

Code42 cloud only

Administrative

  • Read and write information for users, computers, and organization settings for the user's Code42 environment
  • Read and write to plans within the user's Code42 environment
  • Use the Reporting web app to view data for the user's Code42 environment
  • View the Subscriptions screen for the user's organization or organizations.

End user

  • Perform personal backups from the Code42 app and administration console

Limitations

  • Cannot access administration console command line
  • Cannot access system logs

Recommended use case

Administrators who need administrative privileges for the Code42 environment

Desktop User

Administrative

  • N/A

End user

  • Perform personal backups from the Code42 app and administration console

Limitations

Cannot interact with other users' data or change settings in your Code42 environment

Recommended use case

End users in your organization

Org Admin

Administrative

  • Read and write information for users, computers, and organization settings for the user's organization and its child organizations
  • Read and write to plans within the user's organization and its child organizations
  • Use the Reporting web app to view data for the user's organization and its child organizations

End user

  • Perform personal backups from the Code42 app and administration console

Limitations

  • Cannot read or write information outside their organization
  • Cannot access administration console command line
  • Cannot access system logs

Recommended use case

Administrators who should only manage users and devices within a specific organization

Org Help Desk

Administrative

  • View (read-only) users and devices in the user's organization and its child organizations
  • Restore files to the source user's devices using the administration console
  • Use the Reporting web app to view data for the user's organization and its child organizations

End user

  • Perform personal backups from the Code42 app and administration console

Limitations

  • Cannot change settings
  • Cannot read or write information outside their organization

Recommended use case

Help desk staff who can assist others within their organization, but not reconfigure any settings

Org Legal Admin

(version 6.5.x and later only) 

Administrative

  • Use the Legal Hold web app to:
    • Create, modify, and deactivate legal holds
    • Restore files for legal hold collection purposes (push restore) for users within their organization and its child organization
  • Perform web restores for other users that are within their organization and its child organizations
  • Use the Reporting web app to view data for the user's organization and its child organizations

End user

  • Perform personal backups from the Code42 app

Limitations

  • No "root" level access
  • Cannot change settings
  • Read-only view of users, devices, and organizations
  • Cannot restore files for users outside their organization and its child organizations

Recommended use case

Legal personnel who need to place custodians on legal hold and administer legal holds for the entire Code42 environment, but who only need to restore files from users within their organization.

Org Manager

Administrative

  • View (read-only) users and devices in the user's organization and its child organizations
  • Restore files to the source user's devices using the administration console
  • Use the Reporting web app to view data for the user's organization and its child organizations

End user

  • Perform personal backups from the Code42 app and administration console

Limitations

  • Cannot change settings
  • Cannot read or write information outside their organization

Recommended use case

Executive users who need statistics, but not technical details, about their organization (not the entire Code42 environment)

Org Search

Administrative

  • Use the File Search web app to:
    • Search backed-up files in the user's organization and child organizations
    • Download files that appear in search results
  • Use the Reporting web app to view data for the user's organization and its child organizations

End user

  • None

Limitations

No access to the administration console or Code42 app

Recommended use case

Information security or legal personnel who need to examine backed-up files in their organization (not the entire Code42 environment)

Org Security Viewer
On-premises Code42 environments only

Administrative

  • Use the Reporting web app to view data for user's organization and its child organizations
  • Use the Security Center to view data for user's organization and its child organizations

End user

  • None

Limitations

Cannot change settings in the organization

Recommended use case

Information security personnel who need to retrieve information from devices that use endpoint monitoring.

PROe User

Administrative

  • Sign in to the administration console

End user

  • None

Limitations

  • Cannot access other information or functions of Code42 for Enterprise

Recommended use case

End users in your organization

Push Restore

Administrative

  • Restore files from the administration console
  • View files within backup archives

End user

  • None

Limitations

  • No read or write access to any user, organization, or device

Recommended use case

Help desk staff who will assist others with restoring data. Assign in conjunction with a role that has access to the administration console.

Remote File Selection

Administrative

  • View files within backup archives

End user

  • None

Limitations

  • No read or write access to any user, organization, or device

Recommended use case

Help desk staff who will monitor backups. Assign in conjunction with a role that has access to the administration console.

Security Center User

Administrative

End user

  • None

Limitations

  • Does not directly grant access to view or manage other users. Use this role in addition to an administrative role such as Org Admin.

Recommended use case

Information security personnel who need to review information about devices that use endpoint monitoring.

Server Administrator

Administrative

  • Read and write information for all users, computers, and organizations
  • Read and write to all plans
  • Edit all system information and settings (except tasks reserved for system administrator)
  • Use the Reporting web app to view data for all organizations

End user

  • Perform personal backups from the Code42 app and administration console

Limitations

Cannot perform tasks reserved for system administrator, such as editing the local administrator account password

Recommended use case

IT staff who need administrative privileges for the Code42 environment

SYSADMIN
On-premises Code42 environments only

Administrative

  • Default role for the local administrator account
  • "Root-level" access
  • Read and write all information for all users, organizations, and settings
  • Grant and revoke SYSADMIN role for other users
  • Use the Reporting web app to view data for all organizations
  • Use the File Search web app to:
    • Search backed-up files across all organizations
    • Download files that appear in search results
  • Use the Security Center to view data for all organizations

End user

  • None

Grant with caution! The roles Server Administrator or All Org Admin may be more appropriate.

LDAP

For LDAP information please see the dedicated LDAP page.

RADIUS

RADIUS Server Setup

Item Description
a Server Name Identifies the RADIUS server within your Code42 environment.
b Address

Specifies hostname or IP address and port of the RADIUS server, in the format: hostname:port

  • The word "testing" will be displayed briefly during the connection test. Wait for the test to complete before clicking Save.
  • A green checkmark and the word "Reachable" indicate successful communication.
  • A message saying "Failed" in red to the right of the Address field indicates unsuccessful communication. Check the hostname or IP address of your RADIUS server.
c Shared Secret Sets the shared encryption key that the authority server and RADIUS server use to communicate securely.
d Attributes Sets the attribute/value pairs you want to send to the RADIUS server with each access request. Either the NAS-Identifier or NAS-IP-Address attribute/value pair is required.
e Timeout seconds Sets the timeout period for all RADIUS requests.
f Protocol

Sets the protocol used for communication with the RADIUS server:

  • CHAP - more secure method of authentication that does not transmit the password in plain text.
  • PAP - less secure method of authentication that transmits the password in plain text.
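
How the Shared Secret and Protocol settings interact on the RADIUS hop, as an added example (not Code42 code): per RFC 2865, a PAP password is only masked with MD5 keyed by the shared secret, so any holder of that secret can recover it, while CHAP sends just a challenge response. The secret, authenticator and password below are constructed sample values.

```python
import hashlib
import hmac

def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding from RFC 2865 section 5.2 (PAP over RADIUS)."""
    if len(authenticator) != 16 or not 1 <= len(password) <= 128:
        raise ValueError("need a 16-byte authenticator and a 1-128 byte password")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = _md5(secret + prev)  # keystream depends only on the secret and public data
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += prev
    return hidden

def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: whoever holds the shared secret recovers the password."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += bytes(c ^ m for c, m in zip(block, _md5(secret + prev)))
        prev = block
    return clear.rstrip(b"\x00")

def chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password from RFC 2865 section 5.3: ident + MD5(ident | password | challenge)."""
    return bytes([ident]) + _md5(bytes([ident]) + password + challenge)

def chap_verify(chap_pw: bytes, stored_password: bytes, challenge: bytes) -> bool:
    """Server recomputes the digest, so it must hold the password in recoverable form."""
    expected = chap_password(chap_pw[0], stored_password, challenge)
    return hmac.compare_digest(chap_pw, expected)

# Constructed sample values, not taken from any real deployment.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))          # Request Authenticator, sent in the clear
PASSWORD = b"constructed-user-password"   # 25 bytes, so two 16-byte blocks

def demo() -> dict:
    hidden = pap_hide(PASSWORD, SECRET, AUTHENTICATOR)
    chap = chap_password(7, PASSWORD, AUTHENTICATOR)  # challenge taken from the authenticator
    return {
        "pap_len": len(hidden),
        "pap_right_secret": pap_reveal(hidden, SECRET, AUTHENTICATOR),
        "pap_wrong_secret_ok": pap_reveal(hidden, b"other", AUTHENTICATOR) == PASSWORD,
        "chap_len": len(chap),
        "chap_ok": chap_verify(chap, PASSWORD, AUTHENTICATOR),
        "chap_bad": chap_verify(chap, b"wrong", AUTHENTICATOR),
    }

if __name__ == "__main__":
    print(demo())
```

Either way the strength of the shared secret bounds the protection of the exchange, so it should be long and random.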

Single sign-on

When Single Sign-On (SSO) is enabled, your Code42 environment delegates all authentication and authorization to the organization's identity provider for a single source of trust. You are able to centrally control all authentication: users never enter a password into Code42 applications or the administration console. Authentication and authorization are delegated (redirected) to an identity provider, where the login is performed.

For SSO configuration instructions, see Single Sign-On.

Single Sign On Settings

Item Description
a Service Provider Metadata URL Displays the URL for the authority server's SAML 2.0 metadata file. This file is used by the identity provider(s).
b Identity Provider(s)

Displays the configured SSO identity provider(s) and identity federation(s).

c Identity federation Click to view, modify, or delete the identity federation.
d Add identity provider Click to add an identity provider from the identity federation.
e Identity provider Click to view, modify, or delete the identity provider.
f Edit this provider Click to modify the identity provider or identity federation.
g Delete this provider Click to delete the identity provider or identity federation. Identity providers cannot be deleted while they are in use by the default organization settings or specific organizations.
h Add Identity Provider or Federation Click to configure a standalone identity provider or identity federation.
i Identity Provider Details Displays a read-only view of identity provider or identity federation configuration, including metadata URL and attribute mapping. Click Edit this provider to modify the configuration.

Identity provider metadata

The following screen appears when configuring a standalone identity provider or identity federation.

Enter Identity Provider Metadata

Item Description
a Identity Provider metadata URL

Sets the URL for the standalone identity provider or identity federation metadata file. The authority server must be able to access this URL.

b Continue Click to obtain configuration values from the metadata file referenced by the URL.

Identity provider settings

The following screen appears when configuring a standalone identity provider or identity federation after you enter a metadata URL and click Continue, or when configuring an identity provider from an identity federation.

Edit Identity Provider

Item Description
a Identity Provider metadata URL / Choose identity provider
  • For standalone identity providers and identity federations, Identity Provider metadata URL contains the URL for the identity provider or identity federation metadata file. The authority server must be able to access this URL.
  • For identity providers in a federation, Choose identity provider lists the identity providers in the federation. Select an identity provider from the list.
b Update Click to check the metadata file referenced by the URL for changes.
c Display name Sets the name of your organization's SSO identity provider. This is a descriptive label and the text entered here is displayed to the user on the sign-in screen of the Code42 applications and administration console.
d Path to identity provider display name
(federations only)

Sets the path to identity provider display names in the identity federation metadata XML file.
Example path: //mdui:DisplayName

  • When the path is configured, display names for identity providers are pulled from the federation metadata XML file and presented to users as a choice when they sign in using SSO.

  • When the path is not configured, the full paths for the identity providers are displayed.

e Use default mapping Enables or disables default mapping between Code42 platform username attributes and SSO username attributes.
f Username

Maps Code42 platform usernames to the SSO name identifier or a custom attribute.

  • Select Use nameId to use the SSO name identifier.

  • Select Use Attribute tag to enter a custom SSO attribute.

g Email Maps Code42 platform user email addresses to an SSO attribute.
h First name Maps Code42 platform user first names to an SSO attribute.
i Last name Maps Code42 platform user last names to an SSO attribute.

SCIM user accounts

Available in Code42 cloud environments only

SCIM User Accounts

Item Description
a SCIM user User who performs directory sync between the Code42 administration console and SSO providers. These users also appear under the users screen in the administration console. 
b Create New User Click to create a new SCIM user.

Create a new user 

Available in Code42 cloud environments only

To view this screen, go to SCIM user accounts, and click Create New User.

Create a new SCIM user account

Item Description
a Username Enter the username for your SCIM user account. 
b Select an SSO provider Displays a list of all of the SSO providers in your Code42 environment. 

SSO override

Available in Code42 cloud environments only

SSO Override

Item Description
a Username field Enter the username of an existing user to use local authentication instead of SSO. Click + to add the user.
b List of SSO override users List of all of the users in your Code42 environment who use local authentication.
c X Remove user from SSO override. If the user is in an organization where SSO is enabled, they will immediately start using SSO for authentication.

Storage server security settings

Viewing the Security settings from the administration console of a storage server presents a limited number of options for SSL.

Storage server security settings

Item Description
a Require SSL to access console

Enables or disables SSL for all web requests. If enabled, also configure Website protocol, host and port at Settings > Server to use https and port 4285.

b SSL Keystore

Java keystore that contains your key materials.

c Import Keystore

Imports your own SSL keystore into this Code42 server. The imported keystore replaces any previously installed SSL certificate. The Code42 server comes with a self-signed SSL certificate. The keystore is stored within the Code42 server's embedded database.

d Export Keystore

Exports the currently installed SSL keystore to a file.

e Reset Keystore

Deletes the existing keystore and randomly generates a new SSL keystore.