This article applies to Cloud.

Available in:

Standard, Premium, Enterprise, Small Business
Code42 Support

Identity management reference

Overview

This article describes identity management settings. You can use identity management to control authentication and authorization in your Code42 environment. These settings are only available in Code42 cloud environments. 

Definitions

authentication: The process of identifying and verifying users in a system. Methods for authentication include: 

  • Local Code42 directory
  • Single sign-on (SSO)
  • Multi-factor authentication (MFA)

authentication provider: Allows access to Code42. When enabled, users sign in using the authentication provider instead of Code42. Examples of authentication providers include Okta, Google SSO, Ping, Azure AD, OneLogin, and Microsoft AD FS. 

Code42 User Directory Sync Tool: Uses LDAP to automate user management between your directory service and your Code42 environment. This differs from other provisioning providers because it uses LDAP rather than SCIM.

identity management: An IT administrative area or market that deals with users in an IT system and gives them access to the right resources within the system.

identity provider (IdP): A general term to refer to a system that contains user identities. Identity provider can refer to a system performing authentication, provisioning, or both. Examples of identity providers include Okta, Google SSO, Ping, Azure AD, and OneLogin. 

SCIM provisioning: An open standard protocol for automating user management. 

provisioning provider: Automates user management. Applications like Code42 sync with a provisioning provider and then create, update, or remove users based on the provisioning provider's user profile. Examples of provisioning providers include Okta, Ping, and Azure AD. 

single sign-on (SSO):  SSO is one type of authentication method. It allows a user to use the same credentials to sign in to multiple applications.

Authentication

Authentication provider settings enable you to use a third-party application to authenticate users in the Code42 environment. For example, use these settings to configure a provider for single sign-on authentication.  

To view the authentication provider settings:

  1.  Sign in to the administration console.
  2.  Click Settings, and choose Identity Management.

Add authentication provider

From the Authentication tab, click Add authentication provider.

Add authentication provider

Item Description
a Display Name Sets the name of your organization's authentication provider. This is a descriptive label and the text entered here is displayed to the user on the sign-in screen of the Code42 app and administration console.
b Provider's Metadata

Sets the format for the authentication provider's metadata. Choose either to enter a URL or upload an XML file. 

c Enter URL 
or
Upload XML File

Enter URL: Sets the URL for the standalone identity provider or identity federation metadata file. The Code42 cloud must be able to access this URL.

Upload XML File: Uploads the XML file. 

Use metadata URL for federations
Code42 cloud environments do not support uploading an XML file for federations. Use the metadata URL to configure the federation instead. 

 

Authentication provider

The following screen appears when you configure a standalone identity provider.

Authentication provider details

Item Description Click to view
a Display name Displays the name of your authentication provider.    
b Actions menu

Menu with the following actions: 

 
c Code42 Service Provider Metadata URL Displays the URL for the SAML 2.0 metadata file. This file is used by the authentication provider(s). The metadata XML file.
d Attribute mapping

Maps Code42 usernames to the provider's name identifier or a custom attribute.

 

Username: Maps Code42 usernames to the authentication provider's name identifier or a custom attribute.

  • Select Use nameId to use the provider name identifier.

  • Select Use Attribute tag to enter a custom provider attribute.

Email: Maps Code42 user email addresses to a provider attribute.

First Name: Maps Code42 user first names to a provider attribute.

Last Name: Maps Code42 user last names to a provider attribute.

 
e Edit  Edits attribute mappings.  
f Organizations in Use Displays the number of organizations that use this provider as the authentication method.  
g Local users Displays users who are set to use local authentication only. These users are meant for troubleshooting issues with your authentication provider.  Add users to the list.

Federation

A federation is a group of organizations that have formed trusts. With federations, the identity provider shares a token with the service provider to authenticate a user instead of supplying the user's credentials. When you enter the metadata URL, Code42 automatically detects whether the metadata belongs to a federation or a single provider. If it is a federation, you are automatically directed to the federation details configuration page.

Federation details

Item   Description
a Display name Displays the name of your authentication provider.  
b Actions menu

Menu with the following actions: 

c Attribute mapping

Maps Code42 usernames to the provider's name identifier or a custom attribute.

 

Username: Maps Code42 usernames to the authentication provider's name identifier or a custom attribute.

  • Select Use nameId to use the provider name identifier.

  • Select Use Attribute tag to enter a custom provider attribute.

Email: Maps Code42 user email addresses to a provider attribute.

First Name: Maps Code42 user first names to a provider attribute.

Last Name: Maps Code42 user last names to a provider attribute.

d Edit

Edits the attribute mappings.

 

In the resulting Attribute Mapping dialog, select the Use default mapping check box to use the default attribute mappings. Deselect the check box to enter your own values.

e Federated Identity Providers Lists all of the Federated Identity Providers that have been added for this federation. Click the name of the provider to view the details.
f Add Adds a new federated identity provider.
g Local users Displays users who are set to use local authentication only. These users are meant for troubleshooting issues with your authentication provider. 

Add an identity provider to this federation

Add a federated identity provider

Item   Description
a Select a Provider URL Selects an identity provider from the list of available providers. Begin typing to search for the correct provider. 
b Display Name Sets the display name for the identity provider.

Identity provider details

To view the identity provider details, click the identity provider's name under the Federation details. 

Identity provider details

Item   Description
a Display name Displays the name of your authentication provider.  
b Action menu

Menu with the following actions: 

c Code42 Service Provider Metadata URL Displays the URL for the SAML 2.0 metadata file. This file is used by the authentication provider(s).
d Attribute Mapping

Maps Code42 usernames to the provider's name identifier or a custom attribute.

 

Username: Maps Code42 usernames to the authentication provider's name identifier or a custom attribute.

  • Select Use nameId to use the provider name identifier.

  • Select Use Attribute tag to enter a custom provider attribute.

Email: Maps Code42 user email addresses to a provider attribute.

First Name: Maps Code42 user first names to a provider attribute.

Last Name: Maps Code42 user last names to a provider attribute.

e Edit

Edits attribute mappings.

 

In the resulting Attribute Mapping dialog, select the Inherit from federation check box to inherit the attribute mappings from the federated authentication provider. Deselect the check box to enter your own values.

f Organizations in Use Displays the number of organizations that use this provider as the authentication method.
g Local Users Displays users who are set to use local authentication only. These users are meant for troubleshooting issues with your authentication provider. 

Provisioning

Provisioning provider settings allow you to connect to a third-party application where your users are stored, and automatically add them to Code42. To view the provisioning provider settings:

  1. Sign in to the administration console.
  2. Click Settings, and choose Identity Management.
  3. Click Provisioning.

Add Provisioning Provider

To view, go to Provisioning, then click Add Provisioning Provider. Choose either Add SCIM Provider or Add Code42 User Directory Sync.

Add SCIM Provisioning

Item Description
a Username Sets the name for the SCIM provider or Code42 User Directory Sync.

API Credentials

After you enter a username for the provisioning provider, the API credentials appear. Your provider may require some or all of these credentials to create a service account for syncing between your directory and Code42. 


API credentials

API credentials reference
Item Description
a Base URL The URL for interacting with the Code42 provisioning API. 
b Username Username for the service account. 
c Password Password for the service account. This password only appears once, so save the password in a secure location.

 

SCIM Provisioning Provider

Appears when configuring a SCIM provisioning provider. 

SCIM Provisioning Provider

Item Description Click to view
a Name Displays the name of your provisioning provider.  
b Action menu

Menu with the following actions: 

  • Edit This Provider Name
  • Add New SCIM Provider 
  • Add Code42 User Directory Sync
  • Delete This Provider
 
c API Credentials

Displays API user credentials. This user performs directory sync between your provider and Code42. These credentials are used by the provisioning provider.


Type is either SCIM Provider or Code42 User Directory Sync

 
d Deactivation Delay
 

Displays the amount of time Code42 waits to deactivate a user once the provider has sent the update. 

Note: Even if you configure Code42 to wait to deactivate a user, the user is immediately blocked. The user is then deactivated after the configured time. 

 

Only configurable for SCIM provisioning providers.

 
e

Edit

Edits the deactivation delay setting.   
f

Organization Mapping

 

Displays how Code42 assigns organizations to users who are added from the provisioning provider.

 

Only configurable for SCIM provisioning providers.

 
g

Edit 

Change how Code42 maps provisioned users. Choose between the following mapping methods: 
  • Map all users to a Code42 organization: Maps all groups to a single organization.
  • Map users to organizations based on the provider's "c42OrgName" attribute: Maps groups to organizations based on the provider's "c42OrgName" attribute.
  • Map users to organizations based on an existing provider SCIM attribute: Map to organizations based on a provider's SCIM attribute.
  • Map users to organizations using SCIM groups: Create mappings of SCIM groups to organizations.
Organization Mapping Methods 
h

"Code42 organization"

Displays a Code42 organization.

Additional Code42 organizations
i

Add Role Mapping
 

SCIM provisioning providers only

Opens the Add Role Mapping setting. This maps Code42 roles and permissions to groups.

 

Note: This button only appears if SCIM groups have already been sent from your provider. 

Role mapping

Select Roles

 

Code42 User Directory Sync only

Select roles to be managed by the Code42 User Directory Sync Tool. This means only roles checked in this list will be automatically updated by the tool. Roles that aren't checked here must be manually updated in the administration console. 

 

See the Code42 role reference for more information on each role.

View a list of roles within your Code42 environment

Edit Organizational Mapping Method

To view organization mapping methods, select the edit (pencil) icon next to Organization Mapping.

Single organization

Assigns all users to the same Code42 organization. If you choose this option, create organizations in the administration console before you begin.

Example use case
Use this option if you manage users in the administration console. For example, all users that are provisioned from the provisioning provider are added to the same organization. You can then move the users from that single organization to additional organizations in the administration console. 

Single organization mapping method

Item Description
a Single organization Displays the mapping method. 
b Select an organization Displays a list of the organizations in your Code42 environment.
"C42OrgName" attribute

The "c42OrgName" attribute creates new organizations or assigns users to existing organizations based on the value for the user attribute c42OrgName. This value becomes the name for the Code42 organization. This attribute is managed on the provisioning provider. 

Example use case
Use this method if you want to manage users in the provisioning provider (and not in the administration console). The value for this attribute becomes the name for the Code42 organization. Code42 creates new organizations or assigns users to existing organizations based on the value. 

Choose c42OrgName attribute

Item Description
a Mapping method Enables the mapping method. Code42 provisions users to organizations using the "c42OrgName" attribute. 
Custom attribute

Using a custom attribute creates new organizations or assigns users to existing organizations based on the value for the chosen user attribute. 

Example use case
Use this method if you already have an attribute included in the provisioning provider user profile that you want to use for organization mapping. For example, you want to set up your Code42 organizations by office location. You create an office attribute. The value of the office attribute becomes the name of the organization. 

Custom attribute

Item Description
a Mapping method Enables the mapping method. Code42 provisions users to organizations based on a custom SCIM attribute. 
b SCIM attribute Enter the attribute Code42 should use to map provisioned users to Code42 organizations. This value must match the attribute name in your provisioning provider exactly.

Custom SCIM mapping

Assigns users to Code42 organizations based on their SCIM group. If you choose this option, create organizations in the administration console before you begin.

Example use case
Use this mapping method if your users are already assigned to SCIM groups. For example, a user is part of two different SCIM groups: an executive group and a UK group. You want this user's backup policies to match the other executives in your company, so this user should be assigned to the same Code42 organization as the other executives. In the administration console, you can choose the executive group to take priority over the UK group. This way you can place all of the executives in your company in the same organization and ensure they have the same backup policies.

Custom SCIM mapping

Item Description
a Mapping Method Displays the mapping method. Click Save to go to Add Mapping.

Add Mapping

To view, click Add Mapping. Use Add Organization Mapping to map SCIM groups to Code42 organizations. 

Add Organization Mapping

Item Description
a Select a SCIM group Displays all the SCIM groups that your provider has sent to the administration console. Only groups that have not been mapped appear in this list.
b Select a Code42 organization Displays the organization tree for your administration console. 

Add Role Mapping

To view, click Add Role Mapping.

Add Role Mapping

Item Description
a Select a SCIM group Displays all the SCIM groups that have been pushed to your administration console. Only groups that have not been mapped appear in this list.
b Select a Code42 role Displays a list of all the Code42 roles. Learn more about Code42 roles and permissions below.

Code42 User Directory Sync

Appears when configuring Code42 User Directory Sync. 

Code42 User Directory Sync configuration page

Item Description Click to view
a Name Display name for this User Directory Sync instance  
b Action menu

Menu with the following actions: 

  • Edit Provider Name
  • Add New SCIM Provider
  • Add Code42 User Directory Sync
  • Delete This Provider
 
c API Credentials

Displays API user credentials. This user performs directory sync between your provider and Code42. These credentials are used by the provisioning provider.


Type is either SCIM Provider or Code42 User Directory Sync

 
d Deactivation Delay
 

This feature is configured within the Code42 User Directory Tool itself.

Note: Even if you configure Code42 to wait to deactivate a user, the user is immediately blocked. The user is then deactivated after the configured time. 

 

 
e

Organization Mapping

 

Disabled within the administration console. To configure how users are mapped to Code42 organizations, use the Org script in the Code42 User Directory Sync Tool. 

 
f

Role Mapping

Displays which roles the Code42 User Directory Sync automatically updates. 

 
g Edit Role Mapping

Enable a method for mapping roles to users. Choose either Manually or Select roles from the Code42 User Directory Sync.

  • Manually: You must update roles within the administration console
  • Select roles from the Code42 User Directory Sync: Code42 automatically updates a user's roles based on the role script
 
h Select Roles

Select roles to be managed by the Code42 User Directory Sync Tool. This means only roles checked in this list will be automatically updated by the tool. Roles that aren't checked here must be manually updated in the administration console. 
 

See the Code42 role reference for more information on each role.

View a list of roles within your Code42 environment.

Select roles

To view, go to Provisioning, and click Select Roles. This is a security measure to prevent users from elevating their privilege within your Code42 environment.

Select roles

Item Description
a Choose Roles Displays all of the roles available in your Code42 environment. To learn more about the permissions, limitations, and example use cases for each role, see the roles reference.
b Enable or disable role

Enable or disable roles from automatic provisioning.

  • Enabled: Code42 automatically adds or removes this role based on your role script.
  • Disabled: Even if your role script includes this role, Code42 will not update a user to add or remove this role. You must manually update in the administration console. 

Sync Log

The sync log displays all of the updates made to your Code42 environment from the provisioning provider. To view the Sync Log:

  1. Sign in to the administration console.
  2. Click Settings.
  3. Choose Identity Management.
  4. Click Sync Log.

Sync log

Item Description Click to view
a Date selector Selects the timeframe for which logs to display. Click to view a calendar date picker.
b Export CSV Exports all of the sync logs to a .CSV file. Use this option to filter the logs further.  Click to start downloading a CSV file.
c Provider Displays the provider that made the update. Click to sort.
d User Impacted Displays the Code42 username.  Click to sort.
e Change type

Displays how the user was changed. Change types are: 

  • Created
  • Modified
  • Deactivated
  • Sync Failure
  • Not in Role Mapping
  • Removed
Click to sort.
f Attribute changed

Displays what part of the user changed. Attribute changes can be to: 

  • Organization 
  • Role
  • User name
  • Email
Click to sort.
g New Value Displays the new value for the attribute that was changed. Click to sort.
h Old value Displays the old value for the attribute that was changed. Click to sort.
i Date changed Displays the date the change occurred.  Click to sort.
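
The following is an added example, not Code42 code, of filtering an exported sync log CSV for changes that deserve a manual look: sync failures, users not in a role mapping, and newly granted administrative roles. It assumes the CSV headers match the column labels in the table above and that a Role value may list several roles separated by ";"; the sample rows, provider names, and watch list are constructed for illustration.

```python
import csv
import io

# Assumption: the exported CSV uses the sync log column labels as its headers.
# Watch list built from role names in the roles reference on this page.
PRIVILEGED_ROLES = {
    "Customer Cloud Admin", "Org Admin", "Org Legal Admin",
    "Admin Restore", "Push Restore",
}
# Change types that mean the provider's update was not applied as intended.
ATTENTION_CHANGE_TYPES = {"Sync Failure", "Not in Role Mapping"}
# Change types that mean an update actually landed on the user.
APPLIED_CHANGE_TYPES = {"Created", "Modified"}

# Constructed sample export (users, provider names and dates are invented).
SAMPLE_CSV = """Provider,User Impacted,Change type,Attribute changed,New Value,Old value,Date changed
scim-provider-1,alice@example.com,Modified,Role,Desktop User;Org Admin,Desktop User,2021-03-01
scim-provider-1,bob@example.com,Created,Organization,Engineering,,2021-03-01
scim-provider-1,carol@example.com,Sync Failure,,,,2021-03-02
directory-sync,dave@example.com,Not in Role Mapping,Role,Push Restore,,2021-03-02
scim-provider-1,erin@example.com,Modified,Role,Desktop User,Org Admin;Desktop User,2021-03-03
scim-provider-1,frank@example.com,Modified,Email,frank@example.com,f@example.com,2021-03-03
"""


def split_roles(value):
    """Assumption: a Role cell may hold several role names separated by ';'."""
    return {part.strip() for part in value.split(";") if part.strip()}


def triage(csv_text):
    """Return (date, user, kind, detail) tuples for rows worth a manual look."""
    findings = []
    for raw in csv.DictReader(io.StringIO(csv_text.strip())):
        # Normalise whitespace; drop overflow columns (key None) from ragged rows.
        row = {k.strip(): (v or "").strip() for k, v in raw.items() if k}
        date = row.get("Date changed", "")
        user = row.get("User Impacted", "")
        change = row.get("Change type", "")
        attribute = row.get("Attribute changed", "")

        if change in ATTENTION_CHANGE_TYPES:
            findings.append((date, user, change, attribute))
            continue

        if change in APPLIED_CHANGE_TYPES and attribute == "Role":
            # Flag only roles that are new in this change, so a role removal
            # or an unchanged admin role does not raise a finding.
            old_roles = split_roles(row.get("Old value", ""))
            new_roles = split_roles(row.get("New Value", ""))
            risky = sorted((new_roles - old_roles) & PRIVILEGED_ROLES)
            if risky:
                findings.append(
                    (date, user, "privileged-role-granted", "; ".join(risky))
                )
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_CSV):
        print(" | ".join(finding))
```

Comparing the flagged grants against the roles enabled under Select Roles shows whether an administrative role arrived through automatic provisioning or was assigned some other way.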

Roles reference

The available standard roles, as well as the permissions, limitations, and recommended use cases for each are described in the table below.

For details about the specific permissions held by each role, review them in your administration console. To access role information, select Users > Active, click a user row to open the user details page, select Edit from the action menu in the upper-right corner, and then click the Roles tab.

Role Permission Summary Limitations Recommended Use Case
Admin Restore

Administrative

End user

  • None
No access to the administration console or Code42 app Assign in conjunction with a role that has access to the administration console and Code42 app
Admin Restore Limited

Administrative

End user

  • None
  • Restore limit is configurable from organization settings (250 MB by default)
  • No access to the administration console or Code42 app

Assign in conjunction with a role that has access to the administration console and Code42 app

Alert Emails

Administrative

  • Receives automated backup reports and backup alerts by email.

End user

  • None
  Organization administrators who want to monitor the frequency and success of backup operations for their users' devices.
Consumer user  For CrashPlan for Home only. Do not use.    

Customer Cloud Admin

Administrative

  • Read and write information for users, computers, and organization settings for the user's Code42 environment
  • Read and write to plans within the user's Code42 environment
  • Use the Reporting web app to view data for the user's Code42 environment
  • View the Subscriptions screen for the user's organization or organizations.

End user

  • Perform personal backups from the Code42 app and administration console
  • Limited access to the administration console command line interface (CLI)
  • Cannot access system logs
Administrators who need administrative privileges for the Code42 environment
Desktop User

Administrative

  • N/A

End user

  • Perform personal backups from the Code42 app and administration console
Cannot interact with other users' data or change settings in your Code42 environment End users in your organization
Org Admin

Administrative

  • Read and write information for users, computers, and organization settings for the user's organization and its child organizations
  • Read and write to plans within the user's organization and its child organizations
  • Use the Reporting web app to view data for the user's organization and its child organizations

End user

  • Perform personal backups from the Code42 app and administration console
  • Cannot read or write information outside their organization
  • Limited access to the administration console command line interface (CLI)
  • Cannot access system logs
Administrators who should only manage users and devices within a specific organization
Org Help Desk

Administrative

  • View (read-only) users and devices in the user's organization and its child organizations
  • Restore files to the source user's devices using the administration console
  • Use the Reporting web app to view data for the user's organization and its child organizations

End user

  • Perform personal backups from the Code42 app and administration console
  • Cannot change settings
  • Cannot read or write information outside their organization
Help desk staff who can assist others within their organization, but not reconfigure any settings

Org Legal Admin

Administrative

  • Use the Legal Hold web app to:
    • Create, modify, and deactivate legal holds
    • Restore files for legal hold collection purposes (push restore) for users within their organization and its child organization
  • Perform web restores for other users that are within their organization and its child organizations
  • Use the Reporting web app to view data for the user's organization and its child organizations

End user

  • Perform personal backups from the Code42 app
  • No "root" level access
  • Cannot change settings
  • Read-only view of users, devices, and organizations
  • Cannot restore files for users outside their organization and its child organizations
Legal personnel who need to place custodians on legal hold and administer legal holds for the entire Code42 environment, but who only need to restore files from users within their organization. 
Org Manager

Administrative

  • View (read-only) users and devices in the user's organization and its child organizations
  • Restore files to the source user's devices using the administration console
  • Use the Reporting web app to view data for the user's organization and its child organizations

End user

  • Perform personal backups from the Code42 app and administration console
  • Cannot change settings
  • Cannot read or write information outside their organization
Executive users who need statistics, but not technical details, about their organization (not the entire Code42 environment)
Org Security Viewer

Administrative

  • Use the Reporting web app to view data for user's organization and its child organizations
  • Use the Security Center to view data for user's organization and its child organizations

End user

  • None
Cannot change settings in the organization Information security personnel who need to retrieve information from devices that use endpoint monitoring.
PROe User

Administrative

  • Sign in to the administration console

End user

  • None
  • Cannot access other information or functions of Code42 for Enterprise
End users in your organization
PRO-Online Admin For CrashPlan for Small Business only. Do not use.    
Push Restore

Administrative

  • Restore files from the administration console
  • View files within backup archives

End user

  • None
  • No read or write access to any user, organization, or device
Help desk staff who will assist others with restoring data. Assign in conjunction with a role that has access to the administration console.
Remote File Selection

Administrative

  • View files within backup archives

End user

  • None
  • No read or write access to any user, organization, or device
Help desk staff who will monitor backups. Assign in conjunction with a role that has access to the administration console.
Security Center User

Administrative

End user

  • None
  • Does not directly grant access to view or manage other users. Use this role in addition to an administrative role such as Org Admin.
Information security personnel who need to review information about devices that use endpoint monitoring.
