Best practices for custom roles and permissions

Overview

After you have an understanding of Managing User Roles, you're ready to customize roles and permissions. Our recommended best practices provide guidelines for developing custom roles in your Code42 environment using its powerful and complex permissions.

Several standard roles are already preconfigured in your Code42 environment. These roles are thoroughly tested and provide for most common use cases.

Best practices

Process

We recommend this process for creating a new role in your Code42 environment:

  1. Check the existing roles to see if they meet your needs
  2. Make a duplicate of an existing role, then add or remove permissions as needed
  3. Test your customized role to ensure it behaves as expected
  4. Assign your custom role to users

Check existing roles first

Several standard roles are already preconfigured in your Code42 environment. These roles are thoroughly tested and provide for most common use cases.

Review the existing roles at Settings > Security > Roles.

Duplicate and modify an existing role

While you can create new roles and add permissions, we recommend starting with an existing role and changing permissions as needed for your environment.

Code42 for Enterprise permissions are modular and affect specific actions. Because of this, combining certain role permissions or omitting other permissions can cause unexpected behavior for users.

Test your custom roles

Due to the complexity of the available permissions, it is vital to test your custom roles before deploying them to users.

After creating a custom role, assign it to a test user. Then sign in as that test user and try the functions you expect that user to perform. For example, if you're creating a custom role for a help desk technician, test the role by looking through user accounts, deactivating and reactivating a user, and restoring a file from the administration console.

Assign your custom role to users

After testing that your custom role behaves as expected, assign that role to users in your Code42 environment.

Considerations

Be careful with SYSADMIN

The SYSADMIN role contains the admin permission, which is granted to the local administrator account. Users with the admin permission can:

  • Read and write all information for all users, organizations, and settings
  • Grant or remove all permissions for all users, including themselves and other SYSADMIN users

Although users with the admin permission can read and write all information in the administration console, the admin permission does not include all other permissions. For example, a user with admin permission cannot perform admin restores for other users.

Limiting the number of accounts with the admin permission is a good way to minimize the risk of misconfiguring your Code42 environment, even accidentally.

Example custom roles

These examples come from actual requests made to our Customer Champions.

Read-only user

Desired functionality

An organization wants to have "read-only" help desk users. These read-only users need to view user information in the administration console, but should not have permission to interact with backups, namely:

  • pausing backups
  • resuming backups
  • performing archive maintenance

Starter role

Org Help Desk

Permissions

Starting Permissions: computer.read, console.login, cpd.login, cpd.restore, cpp.login, cps.login, org.read, plan.read, pushrestore.limited, select, user.read

Added Permissions: allcomputer.read, allorg.read, alluser.read, viewlogs

Removed Permissions: pushrestore.limited, select

Final Permissions: allcomputer.read, allorg.read, alluser.read, computer.read, console.login, cpd.login, cpd.restore, cpo.login, cpp.login, cps.login, org.read, user.read, viewlogs

Regulation-compliant backup user

Desired functionality

An organization needs to give users permission to manage their backups, but the users should not be allowed to restore data from the administration console for compliance reasons.

The desired behavior requires two roles: the standard PROe User role, which allows users to sign in to the administration console, and a customized Desktop User role.

Starter role

Desktop User

Permissions

Starting Permissions: cpd.login, cps.login, cpd.restore, plan.create, restore.personal, select.personal, spd.login

Added Permissions: pushrestore

Removed Permissions: restore.personal

Final Permissions: cpd.login, cpd.restore, cps.login, plan.create, pushrestore, select.personal, spd.login
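
An added example (not Code42 code) of a check to run on the role change above before assigning it to a test user: it applies the Added and Removed permissions to the Desktop User starter set and flags edits that do nothing or that leave a denied permission in place. The permission names come from the table above; the `DENIED` policy, the function and class names, and the `bad_change` input are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Permission names copied from the "Regulation-compliant backup user" table
# on this page (starter role: Desktop User).
DESKTOP_USER = {"cpd.login", "cps.login", "cpd.restore", "plan.create",
                "restore.personal", "select.personal", "spd.login"}
DOCUMENTED_FINAL = {"cpd.login", "cpd.restore", "cps.login", "plan.create",
                    "pushrestore", "select.personal", "spd.login"}


@dataclass
class Review:
    final: set
    noop_adds: set = field(default_factory=set)       # already in the starter role
    noop_removes: set = field(default_factory=set)    # never in the starter role
    conflicts: set = field(default_factory=set)       # both added and removed
    denied_present: set = field(default_factory=set)  # policy violations left in

    @property
    def ok(self):
        return not (self.noop_adds or self.noop_removes
                    or self.conflicts or self.denied_present)


def review_role_change(starter, added, removed, denied=frozenset()):
    """Apply added/removed permissions to a duplicated starter role and flag
    edits that do nothing, contradict each other, or keep a denied permission."""
    starter, added, removed = set(starter), set(added), set(removed)
    final = (starter | added) - removed
    return Review(
        final=final,
        noop_adds=added & starter,
        noop_removes=removed - starter - added,
        conflicts=added & removed,
        denied_present=final & set(denied),
    )


# Hypothetical policy for this role: no personal restore, and never "admin".
DENIED = {"restore.personal", "admin"}

page_change = review_role_change(DESKTOP_USER, {"pushrestore"},
                                 {"restore.personal"}, DENIED)
# Constructed mistake: the removal was forgotten and an existing permission re-added.
bad_change = review_role_change(DESKTOP_USER, {"pushrestore", "cpd.login"},
                                set(), DENIED)

if __name__ == "__main__":
    print("page change ok:", page_change.ok, sorted(page_change.final))
    print("bad change ok:", bad_change.ok, sorted(bad_change.denied_present))
```

A clean review only confirms the permission set is the intended one; the role still needs the sign-in test described under "Test your custom roles", because permissions interact in ways a set comparison cannot show.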

Backup-only user

Desired functionality

An organization needs to give users permission to back up data, but not restore it on their own. To restore data, the users must contact their IT department.

Starter role

Desktop User

Permissions

Starting Permissions: cpd.login, cps.login, cpd.restore, plan.create, restore.personal, select.personal, spd.login

Added Permissions: None

Removed Permissions: cpd.restore, restore.personal, select.personal, pushrestore

Final Permissions: cpd.login, cps.login, plan.create, spd.login

Standard role reference

The available standard roles, as well as the permissions, limitations, and recommended use cases for each are described in the table below.

For details about the specific permissions held by each role, review them in your administration console at Settings > Security > Roles.

Role Permission Summary Limitations Recommended Use Case
Admin Restore

Administrative

End user

  • None

Limitations:

  • No access to the administration console or Code42 app

Recommended Use Case: Assign in conjunction with a role that has access to the administration console and Code42 app

Admin Restore Limited

Administrative

End user

  • None

Limitations:

  • Restore limit is configurable from Settings > Organization (250 MB by default)
  • No access to the administration console or Code42 app

Recommended Use Case: Assign in conjunction with a role that has access to the administration console and Code42 app

All Org Admin

Administrative

End user

  • Perform personal backups from the Code42 app and administration console

Limitations:

  • No "root" level access

Recommended Use Case: IT staff who need to perform administrative tasks, but who should not have "root" level access

All Org Legal Admin (version 6.5.x and later)
Legal Admin (version 6.0.x and earlier)

Administrative

End user

  • Perform personal backups from the Code42 app

Limitations:

  • No "root" level access
  • Cannot change settings
  • Read-only view of users, devices, and organizations

Recommended Use Case: Legal personnel who need to place custodians on legal hold, administer legal holds, and perform data collection related to legal holds for the entire Code42 environment

All Org Manager

Administrative

  • Review statistics about all organizations and retrieve data
  • Use the Reporting web app to view data for all organizations

End user

  • None

Limitations:

  • Read-only access to prevent them from mistakenly changing settings or deleting data

Recommended Use Case: Executive users who need statistics, but not technical details, about your Code42 environment

All Org Search

Administrative

  • Use the File Search web app to:
    • Search backed-up files across all organizations
    • Download files that appear in search results
  • Use the Reporting web app to view data for all organizations

End user

  • None

Limitations:

  • No access to the administration console or Code42 app

Recommended Use Case: Information security or legal personnel who need to examine backed-up files across your entire Code42 environment

All Org Security Viewer
On-premises Code42 environments only

Administrative

End user

  • None

Limitations:

  • Cannot change settings in your Code42 environment

Recommended Use Case: Information security personnel who need to retrieve information from devices that use endpoint monitoring.

Customer Cloud Admin
Code42 cloud only

Administrative

  • Read and write information for users, computers, and organization settings for the user's Code42 environment
  • Read and write to plans within the user's Code42 environment
  • Use the Reporting web app to view data for the user's Code42 environment
  • View the Subscriptions screen for the user's organization or organizations.

End user

  • Perform personal backups from the Code42 app and administration console

Limitations:

  • Cannot access administration console command line
  • Cannot access system logs

Recommended Use Case: Administrators who need administrative privileges for the Code42 environment

Desktop User

Administrative

  • N/A

End user

  • Perform personal backups from the Code42 app and administration console

Limitations:

  • Cannot interact with other users' data or change settings in your Code42 environment

Recommended Use Case: End users in your organization

Org Admin

Administrative

  • Read and write information for users, computers, and organization settings for the user's organization and its child organizations
  • Read and write to plans within the user's organization and its child organizations
  • Use the Reporting web app to view data for the user's organization and its child organizations

End user

  • Perform personal backups from the Code42 app and administration console

Limitations:

  • Cannot read or write information outside their organization
  • Cannot access administration console command line
  • Cannot access system logs

Recommended Use Case: Administrators who should only manage users and devices within a specific organization

Org Help Desk

Administrative

  • View (read-only) users and devices in the user's organization and its child organizations
  • Restore files to the source user's devices using the administration console
  • Use the Reporting web app to view data for the user's organization and its child organizations

End user

  • Perform personal backups from the Code42 app and administration console

Limitations:

  • Cannot change settings
  • Cannot read or write information outside their organization

Recommended Use Case: Help desk staff who can assist others within their organization, but not reconfigure any settings

Org Legal Admin

(version 6.5.x and later only) 

Administrative

  • Use the Legal Hold web app to:
    • Create, modify, and deactivate legal holds
    • Restore files for legal hold collection purposes (push restore) for users within their organization and its child organizations
  • Perform web restores for other users that are within their organization and its child organizations
  • Use the Reporting web app to view data for the user's organization and its child organizations

End user

  • Perform personal backups from the Code42 app

Limitations:

  • No "root" level access
  • Cannot change settings
  • Read-only view of users, devices, and organizations
  • Cannot restore files for users outside their organization and its child organizations

Recommended Use Case: Legal personnel who need to place custodians on legal hold and administer legal holds for the entire Code42 environment, but who only need to restore files from users within their organization.

Org Manager

Administrative

  • View (read-only) users and devices in the user's organization and its child organizations
  • Restore files to the source user's devices using the administration console
  • Use the Reporting web app to view data for the user's organization and its child organizations

End user

  • Perform personal backups from the Code42 app and administration console

Limitations:

  • Cannot change settings
  • Cannot read or write information outside their organization

Recommended Use Case: Executive users who need statistics, but not technical details, about their organization (not the entire Code42 environment)

Org Search

Administrative

  • Use the File Search web app to:
    • Search backed-up files in the user's organization and child organizations
    • Download files that appear in search results
  • Use the Reporting web app to view data for the user's organization and its child organizations

End user

  • None

Limitations:

  • No access to the administration console or Code42 app

Recommended Use Case: Information security or legal personnel who need to examine backed-up files in their organization (not the entire Code42 environment)

Org Security Viewer
On-premises Code42 environments only

Administrative

  • Use the Reporting web app to view data for user's organization and its child organizations
  • Use the Security Center to view data for user's organization and its child organizations

End user

  • None

Limitations:

  • Cannot change settings in the organization

Recommended Use Case: Information security personnel who need to retrieve information from devices that use endpoint monitoring.

PROe User

Administrative

  • Sign in to the administration console

End user

  • None

Limitations:

  • Cannot access other information or functions of Code42 for Enterprise

Recommended Use Case: End users in your organization

Push Restore

Administrative

  • Restore files from the administration console
  • View files within backup archives

End user

  • None

Limitations:

  • No read or write access to any user, organization, or device

Recommended Use Case: Help desk staff who will assist others with restoring data. Assign in conjunction with a role that has access to the administration console.

Remote File Selection

Administrative

  • View files within backup archives

End user

  • None

Limitations:

  • No read or write access to any user, organization, or device

Recommended Use Case: Help desk staff who will monitor backups. Assign in conjunction with a role that has access to the administration console.

Security Center User

Administrative

End user

  • None

Limitations:

  • Does not directly grant access to view or manage other users. Use this role in addition to an administrative role such as Org Admin.

Recommended Use Case: Information security personnel who need to review information about devices that use endpoint monitoring.

Server Administrator

Administrative

  • Read and write information for all users, computers, and organizations
  • Read and write to all plans
  • Edit all system information and settings (except tasks reserved for system administrator)
  • Use the Reporting web app to view data for all organizations

End user

  • Perform personal backups from the Code42 app and administration console

Limitations:

  • Cannot perform tasks reserved for system administrator, such as editing the local administrator account password

Recommended Use Case: IT staff who need administrative privileges for the Code42 environment

SYSADMIN
On-premises Code42 environments only

Administrative

  • Default role for the local administrator account
  • "Root-level" access
  • Read and write all information for all users, organizations, and settings
  • Grant and revoke SYSADMIN role for other users
  • Use the Reporting web app to view data for all organizations
  • Use the File Search web app to:
    • Search backed-up files across all organizations
    • Download files that appear in search results
  • Use the Security Center to view data for all organizations

End user

  • None

Recommended Use Case: Grant with caution! The roles Server Administrator or All Org Admin may be more appropriate.