Who is this article for?

Code42 for Enterprise: yes.

CrashPlan for Small Business: no.

This article applies to Cloud.

Code42 Support

Identity management reference

Overview

This article describes identity management settings. You can use identity management to control authentication and authorization in your Code42 environment. These settings are only available in Code42 cloud environments. 

Definitions

authentication: The process of identifying and verifying users in a system. Methods for authentication include: 

  • Local Code42 directory
  • Single sign-on (SSO)
  • Multi-factor authentication (MFA)

authentication provider: Allows access to Code42. When enabled, users sign in using the authentication provider instead of Code42. Examples of authentication providers include Okta, Google SSO, Ping, Azure AD, OneLogin, and Microsoft AD FS. 

Code42 User Directory Sync Tool: Uses LDAP to automate user management between your directory service and your Code42 environment. This differs from other provisioning providers because it uses LDAP rather than SCIM.

identity management: An IT administrative area or market that deals with users in an IT system and gives them access to the right resources within the system.

identity provider (IdP): A general term to refer to a system that contains user identities. Identity provider can refer to a system performing authentication, provisioning, or both. Examples of identity providers include Okta, Google SSO, Ping, Azure AD, and OneLogin. 

SCIM provisioning: An open standard protocol for automating user management. 

provisioning provider: Automates user management. Applications like Code42 sync with a provisioning provider and then create, update, or remove users based on the provisioning provider's user profile. Examples of provisioning providers include Okta, Ping, and Azure AD. 

single sign-on (SSO): SSO is one type of authentication method. It allows a user to use the same credentials to sign in to multiple applications.

Authentication

Authentication provider settings enable you to use a third-party application to authenticate users in the Code42 environment. For example, use these settings to configure a provider for single sign-on authentication.  

To view the authentication provider settings:

  1.  Sign in to the administration console.
  2.  Click Settings, and choose Identity Management.

Add authentication provider

From the Authentication tab, click Add authentication provider.

Add authentication provider

Item Description
a Display Name Sets the name of your organization's authentication provider. This is a descriptive label and the text entered here is displayed to the user on the sign-in screen of the Code42 app and administration console.
b Provider's Metadata Sets the format for the authentication provider's metadata. Choose either to enter a URL or upload an XML file.
c Enter URL or Upload XML File

Enter URL: Sets the URL for the standalone identity provider or identity federation metadata file. The Code42 cloud must be able to access this URL.

Upload XML File: Uploads the XML file.

Use metadata URL for federations: Code42 cloud environments do not support uploading an XML file for federations. Use the metadata URL to configure the federation instead.

 

Authentication provider

The following screen appears when you configure a standalone identity provider.

Authentication provider details

Item Description Click to view
a Display name Displays the name of your authentication provider.    
b Actions menu

Menu with the following actions: 

 
c Code42 Service Provider Metadata URL Displays the URL for the SAML 2.0 metadata file. This file is used by the authentication provider(s). The metadata XML file.
d Attribute mapping

Maps Code42 usernames to the provider's name identifier or a custom attribute.

 

Username: Maps Code42 usernames to the authentication provider's name identifier or a custom attribute.

  • Select Use nameId to use the provider name identifier.

  • Select Use Attribute tag to enter a custom provider attribute.

Email: Maps Code42 user email addresses to a provider attribute.

First Name: Maps Code42 user first names to a provider attribute.

Last Name: Maps Code42 user last names to a provider attribute.

 
e Edit  Edits attribute mappings.  
f Organizations in Use Displays the number of organizations that use this provider as the authentication method.  
g Local users Displays users who are set to use local authentication only. These users are meant for troubleshooting issues with your authentication provider.  Add users to the list.

Federation

A federation is a group of organizations that have formed trusts. With federations, the identity provider simply shares a token with the service provider to authenticate a user instead of supplying the user's credentials. When you enter the metadata URL, Code42 automatically detects if the metadata belongs to a federation or a single provider. If it is a federation, you are automatically directed to the federation details configuration page.

Federation details

Item   Description
a Display name Displays the name of your authentication provider.  
b Actions menu

Menu with the following actions: 

c Attribute mapping

Maps Code42 usernames to the provider's name identifier or a custom attribute.

 

Username: Maps Code42 usernames to the authentication provider's name identifier or a custom attribute.

  • Select Use nameId to use the provider name identifier.

  • Select Use Attribute tag to enter a custom provider attribute.

Email: Maps Code42 user email addresses to a provider attribute.

First Name: Maps Code42 user first names to a provider attribute.

Last Name: Maps Code42 user last names to a provider attribute.

d Edit

Edits the attribute mappings.

 

In the resulting Attribute Mapping dialog, select the Use default mapping check box to use the default attribute mappings. Deselect the check box to enter your own values.

e Federated Identity Providers Lists all of the Federated Identity Providers that have been added for this federation. Click the name of the provider to view the details.
f Add Adds a new federated identity provider.
g Local users Displays users who are set to use local authentication only. These users are meant for troubleshooting issues with your authentication provider. 

Add an identity provider to this federation

Add a federated identity provider

Item   Description
a Select a Provider URL Selects an identity provider from the list of available providers. Begin typing to search for the correct provider. 
b Display Name Sets the display name for the identity provider.

Identity provider details

To view the identity provider details, click the identity provider's name under the Federation details. 

Identity provider details

Item   Description
a Display name Displays the name of your authentication provider.  
b Action menu

Menu with the following actions: 

c Code42 Service Provider Metadata URL Displays the URL for the SAML 2.0 metadata file. This file is used by the authentication provider(s).
d Attribute Mapping

Maps Code42 usernames to the provider's name identifier or a custom attribute.

 

Username: Maps Code42 usernames to the authentication provider's name identifier or a custom attribute.

  • Select Use nameId to use the provider name identifier.

  • Select Use Attribute tag to enter a custom provider attribute.

Email: Maps Code42 user email addresses to a provider attribute.

First Name: Maps Code42 user first names to a provider attribute.

Last Name: Maps Code42 user last names to a provider attribute.

e Edit

Edits attribute mappings.

 

In the resulting Attribute Mapping dialog, select the Inherit from federation check box to inherit the attribute mappings from the federated authentication provider. Deselect the check box to enter your own values.

f Organizations in Use Displays the number of organizations that use this provider as the authentication method.
g Local Users Displays users who are set to use local authentication only. These users are meant for troubleshooting issues with your authentication provider. 

Provisioning

Provisioning provider settings allow you to connect to a third-party application where your users are stored, and automatically add them to Code42. To view the provisioning provider settings:

  1. Sign in to the administration console.
  2. Click Settings, and choose Identity Management.
  3. Click Provisioning.

Add Provisioning Provider

To view, go to Provisioning, then click Add Provisioning Provider. Choose either Add SCIM Provider or Add Code42 User Directory Sync.

Add SCIM Provisioning

Item Description
a Username Sets the name for the SCIM provider or Code42 User Directory Sync.

API Credentials

After you enter a username for the provisioning provider, the API credentials appear. Your provider may require some or all of these credentials to create a service account for syncing between your directory and Code42. 


API credentials

API credentials reference
Item Description
a Base URL The URL for interacting with the Code42 provisioning API. 
b Username Username for the service account. 
c Password Password for the service account. This password only appears once, so save the password in a secure location.

 

SCIM Provisioning Provider

Appears when configuring a SCIM provisioning provider. 

SCIM Provisioning Provider

Item Description Click to view
a Name Displays the name of your provisioning provider.  
b Action menu

Menu with the following actions: 

  • Edit This Provider Name
  • Add New SCIM Provider 
  • Add Code42 User Directory Sync
  • Delete This Provider
 
c API Credentials

Displays API user credentials. This user performs directory sync between your provider and Code42. These credentials are used by the provisioning provider.


Type is either SCIM Provider or Code42 User Directory Sync

 
d Deactivation Delay

Displays the amount of time Code42 waits to deactivate a user once the provider has sent the update.

Note: Even if you configure Code42 to wait to deactivate a user, the user is immediately blocked. The user is then deactivated after the configured time.

Only configurable for SCIM provisioning providers.

e Edit

Edits the deactivation delay setting.

f Organization Mapping

Displays how Code42 assigns organizations to users who are added from the provisioning provider.

Only configurable for SCIM provisioning providers.

g Edit

Change how Code42 maps provisioned users. Choose between the following mapping methods: 
  • Map all users to a Code42 organization: Maps all groups to a single organization.
  • Map users to organizations based on the provider's "c42OrgName" attribute: Maps groups to organizations based on the providers' "c42OrgName" attribute.
  • Map users to organizations based on an existing provider SCIM attribute: Map to organizations based on a provider's SCIM attribute.
  • Map users to organizations using SCIM groups: Create mappings of SCIM groups to organizations.
Organization Mapping Methods 
h "Code42 organization"

Displays a Code42 organization.

Additional Code42 organizations

i Add Role Mapping

SCIM provisioning providers only

Opens the Add Role Mapping setting. This maps Code42 roles and permissions to groups.

 

Note: This button only appears if SCIM groups have already been sent from your provider. 

Role mapping

Select Roles

 

Code42 User Directory Sync only

Select roles to be managed by the Code42 User Directory Sync Tool. This means only roles checked in this list will be automatically updated by the tool. Roles that aren't checked here must be manually updated in the administration console. 

 

See the Code42 role reference for more information on each role.

View a list of roles within your Code42 environment

Edit Organizational Mapping Method

To view organization mapping methods, select the edit (pencil) icon next to Organization Mapping.

Single organization

Assigns all users to the same Code42 organization. If you choose this option, create organizations in the administration console before you begin.

Example use case
Use this option if you manage users in the administration console. For example, all users that are provisioned from the provisioning provider are added to the same organization. You can then move the users from that single organization to additional organizations in the administration console. 

Single organization mapping method

Item Description
a Single organization Displays the mapping method. 
b Select an organization Displays a list of the organizations in your Code42 environment.
"C42OrgName" attribute

The "c42OrgName" attribute creates new organizations or assigns users to existing organizations based on the value for the user attribute c42OrgName. This value becomes the name for the Code42 organization. This attribute is managed on the provisioning provider. 

Example use case
Use this method if you want to manage users in the provisioning provider (and not in the administration console). The value for this attribute becomes the name for the Code42 organization. Code42 creates new organizations or assigns users to existing organizations based on the value. 

Choose c42OrgName attribute

Item Description
a Mapping method Enables the mapping method. Code42 provisions users to organizations using the "c42OrgName" attribute. 
Custom attribute

Using a custom attribute creates new organizations or assigns users to existing organizations based on the value for the chosen user attribute. 

Example use case
Use this method if you already have an attribute included in the provisioning provider user profile that you want to use for organization mapping. For example, you want to set up your Code42 organizations by office location. You create an office attribute. The value of the office attribute becomes the name of the organization. 

Custom attribute

Item Description
a Mapping method Enables the mapping method. Code42 provisions users to organizations based on a custom SCIM attribute. 
b SCIM attribute Enter the attribute Code42 should use to map provisioned users to Code42 organizations. This value must match the attribute name in your provisioning provider exactly.
Custom SCIM mapping

Assigns users to Code42 organizations based on their SCIM group. If you choose this option, create organizations in the administration console before you begin.

Example use case
Use this mapping method if your users are already assigned to SCIM groups. For example, a user is part of two different SCIM groups: an executive group and a UK group. You want this user's backup policies to match the other executives in your company, so this user should be assigned to the same Code42 organization as the other executives. In the administration console, you can choose the executive group to take priority over the UK group. This way you can place all of the executives in your company in the same organization and ensure they have the same backup policies.

Custom SCIM mapping

Item Description
a Mapping Method Displays the mapping method. Click Save to go to Add Mapping.

Add Mapping

To view, click Add Mapping. Use Add Organization Mapping to map SCIM groups to Code42 organizations. 

Add Organization Mapping

Item Description
a Select a SCIM group Displays all the SCIM groups that your provider has sent to the administration console. Only groups that have not been mapped appear in this list.
b Select a Code42 organization Displays the organization tree for your administration console. 
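The four organization mapping methods above can be previewed before a sync is enabled. The following is an added example, not Code42 code or its API: it models the documented behaviour over constructed, flattened user profiles. The status labels, the `office` attribute, the group names and the assumption that organization names are compared exactly are all illustrative.

```python
# Added illustration: a dry run of the organization mapping methods described
# above. It models the documented behaviour; it is not Code42 code or API.

# Constructed sample data (flattened user profiles, not real SCIM payloads).
EXISTING_ORGS = ["Executives", "UK", "London"]
USERS = [
    {"userName": "ana@example.com", "c42OrgName": "Executives",
     "office": "London", "groups": ["uk-staff", "executives"]},
    {"userName": "ben@example.com", "c42OrgName": "executives ",
     "office": "Leeds", "groups": ["uk-staff"]},
    {"userName": "cy@example.com", "office": "", "groups": []},
]
# Ordered (SCIM group, Code42 organization) pairs: the first match wins,
# which is how the executive group takes priority over the UK group.
GROUP_PRIORITY = [("executives", "Executives"), ("uk-staff", "UK")]


def _attribute_status(value, existing):
    """Classify an attribute value against the organizations that exist."""
    if value in existing:
        return "existing"
    folded = {name.strip().casefold() for name in existing}
    if value.strip().casefold() in folded:
        # Assumption: names are compared exactly, so a value that differs
        # only by case or whitespace is flagged for review, not matched.
        return "near-match"
    # Attribute-based methods create an organization named after the value.
    return "new-org"


def preview_org_mapping(users, method, existing_orgs, single_org=None,
                        attribute="c42OrgName", group_priority=()):
    """Return (userName, organization, status) for each user."""
    existing = set(existing_orgs)
    rows = []
    for user in users:
        if method == "single":
            # Every provisioned user lands in one pre-created organization.
            org = single_org
            status = "existing" if org in existing else "missing-org"
        elif method == "attribute":
            # Covers both "c42OrgName" and a custom SCIM attribute.
            org = user.get(attribute) or ""
            if org.strip():
                status = _attribute_status(org, existing)
            else:
                org, status = None, "unresolved"
        elif method == "groups":
            # Organizations must already exist for SCIM group mapping.
            member_of = set(user.get("groups", []))
            org = next((o for g, o in group_priority if g in member_of), None)
            if org is None:
                status = "unresolved"
            else:
                status = "existing" if org in existing else "missing-org"
        else:
            raise ValueError(f"unknown mapping method: {method!r}")
        rows.append((user["userName"], org, status))
    return rows


if __name__ == "__main__":
    for label, kwargs in [
        ("single", {"method": "single", "single_org": "UK"}),
        ("c42OrgName", {"method": "attribute"}),
        ("office", {"method": "attribute", "attribute": "office"}),
        ("groups", {"method": "groups", "group_priority": GROUP_PRIORITY}),
    ]:
        print(label)
        rows = preview_org_mapping(USERS, existing_orgs=EXISTING_ORGS, **kwargs)
        for row in rows:
            print("   ", row)
```

Rows marked `new-org`, `near-match` or `unresolved` are the ones to check on the provisioning provider, since with the attribute-based methods whoever can edit that attribute decides which organization, and therefore which policies, a user receives.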

Add Role Mapping

To view, click Add Role Mapping.

Add Role Mapping

Item Description
a Select a SCIM group Displays all the SCIM groups that have been pushed to your administration console. Only groups that have not been mapped appear in this list.
b Select a Code42 role Displays a list of all the Code42 roles. Learn more about Code42 roles and permissions below.

Code42 User Directory Sync

Appears when configuring Code42 User Directory Sync. 

Code42 User Directory Sync configuration page

Item Description Click to view
a Name Display name for this User Directory Sync instance  
b Action menu

Menu with the following actions: 

  • Edit Provider Name
  • Add New SCIM Provider
  • Add Code42 User Directory Sync
  • Delete This Provider
 
c API Credentials

Displays API user credentials. This user performs directory sync between your provider and Code42. These credentials are used by the provisioning provider.


Type is either SCIM Provider or Code42 User Directory Sync

 
d Deactivation Delay

This feature is configured within the Code42 User Directory Tool itself.

Note: Even if you configure Code42 to wait to deactivate a user, the user is immediately blocked. The user is then deactivated after the configured time.

e Organization Mapping

Disabled within the administration console. To configure how users are mapped to Code42 organizations, use the Org script in the Code42 User Directory Sync Tool.

f Role Mapping

Displays which roles the Code42 User Directory Sync automatically updates.

g Edit Role Mapping

Enable a method for mapping roles to users. Choose either Manually or Select roles from the Code42 User Directory Sync.

  • Manually: You must update roles within the administration console.
  • Select roles from the Code42 User Directory Sync: Code42 automatically updates a user's roles based on the role script.

h Select Roles

Select roles to be managed by the Code42 User Directory Sync Tool. This means only roles checked in this list will be automatically updated by the tool. Roles that aren't checked here must be manually updated in the administration console.

See the Code42 role reference for more information on each role.

View a list of roles within your Code42 environment.

Select roles

To view, go to Provisioning and click Select Roles. This is a security measure to prevent users from elevating their privileges within the Code42 environment.

Select roles

Item Description
a Choose Roles Displays all of the roles available in your Code42 environment. To learn more about the permissions, limitations, and example use cases for each role, see the roles reference.
b Enable or disable role

Enable or disable roles from automatic provisioning.

  • Enabled: Code42 automatically adds or removes this role based on your role script.
  • Disabled: Even if your role script includes this role, Code42 will not update a user to add or remove this role. You must manually update in the administration console. 

Sync Log

The sync log displays all of the updates made to your Code42 environment from the provisioning provider. To view the Sync Log:

  1. Sign in to the administration console.
  2. Click Settings.
  3. Choose Identity Management.
  4. Click Sync Log.

Sync log

Item Description Click to view
a Date selector Selects the timeframe for which logs to display. Click to view a calendar date picker.
b Export CSV Exports all of the sync logs to a .CSV file. Use this option to filter the logs further.  Click to start downloading a CSV file.
c Provider Displays the provider that made the update. Click to sort.
d User Impacted Displays the Code42 username.  Click to sort.
e Change type

Displays how the user was changed. Change types are: 

  • Created
  • Modified
  • Deactivated
  • Sync Failure
  • Not in Role Mapping
  • Removed
Click to sort.
f Attribute changed

Displays what part of the user changed. Attribute changes can be to: 

  • Organization 
  • Role
  • User name
  • Email
Click to sort.
g New Value Displays the new value for the attribute that was changed. Click to sort.
h Old value Displays the old value for the attribute that was changed. Click to sort.
i Date changed Displays the date the change occurred.  Click to sort.
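The CSV export is the practical way to review provisioning changes for privilege escalation. The following is an added example, not Code42 tooling: it scans an exported sync log for role grants, organization moves, sync failures and unmapped roles. It assumes the CSV headers match the column names in the table above and that a Role cell holds one role or a comma-separated list; the sample rows, the provider name and the choice of which roles count as privileged are constructed.

```python
import csv
import io

# Assumption: the export uses the column names shown in the Sync Log table.
COLS = {
    "provider": "Provider", "user": "User Impacted", "change": "Change type",
    "attr": "Attribute changed", "new": "New Value", "old": "Old value",
    "date": "Date changed",
}

# Role names taken from the roles reference. Which of them count as
# privileged is a local policy decision, not something Code42 defines.
PRIVILEGED_ROLES = frozenset({
    "Customer Cloud Admin", "Cross Org Admin", "Cross Org Admin - No Restore",
    "Org Admin", "Org Admin - No Web Restore", "Admin Restore",
    "Admin Restore Limited", "Push Restore", "Cross Org Legal Admin",
    "Org Legal Admin", "Multi-Factor Auth Admin",
})

# Constructed sample export for illustration only.
SAMPLE_CSV = """\
Provider,User Impacted,Change type,Attribute changed,New Value,Old value,Date changed
Okta SCIM,alice@example.com,Created,User name,alice@example.com,,2024-03-01
Okta SCIM,bob@example.com,Modified,Role,"Desktop User, Org Admin",Desktop User,2024-03-02
Okta SCIM,carol@example.com,Modified,Organization,Executives,UK,2024-03-02
Okta SCIM,dave@example.com,Sync Failure,,,,2024-03-03
Okta SCIM,erin@example.com,Not in Role Mapping,Role,Contractors,,2024-03-03
Okta SCIM,frank@example.com,Modified,Role,Desktop User,"Desktop User, Push Restore",2024-03-04
Okta SCIM,gina@example.com,Deactivated,,,,2024-03-04
"""


def _roles(cell):
    """Split a Role cell into a set of role names."""
    return {name.strip() for name in cell.split(",") if name.strip()}


def audit_sync_log(csv_text, privileged=PRIVILEGED_ROLES):
    """Return a list of findings, one dict per sync log row worth reviewing."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rec = {key: (row.get(col) or "").strip() for key, col in COLS.items()}
        change, attr = rec["change"].lower(), rec["attr"].lower()
        rule = detail = None
        if change == "sync failure":
            rule, detail = "sync_failure", "provider update was not applied"
        elif change == "not in role mapping":
            rule, detail = "not_in_role_mapping", f"value: {rec['new']!r}"
        elif attr == "role":
            # Only roles that were added matter here; removals are ignored.
            gained = (_roles(rec["new"]) - _roles(rec["old"])) & privileged
            if gained:
                rule = "privileged_role_granted"
                detail = ", ".join(sorted(gained))
        elif attr == "organization" and change == "modified":
            # An organization move changes which policies apply to the user.
            rule = "organization_changed"
            detail = f"{rec['old']} -> {rec['new']}"
        if rule:
            findings.append({"rule": rule, "user": rec["user"],
                             "provider": rec["provider"],
                             "date": rec["date"], "detail": detail})
    return findings


if __name__ == "__main__":
    for finding in audit_sync_log(SAMPLE_CSV):
        print(f"{finding['date']}  {finding['rule']:<24} "
              f"{finding['user']:<20} {finding['detail']}")
```

Compare each `privileged_role_granted` finding against an approved change in the provisioning provider; a grant with no matching request is the case the Select roles allowlist is meant to prevent.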

Roles reference

The available standard roles, as well as the permissions, limitations, scope of permissions, and recommended use cases for each are described in the table below.

For details about the specific permissions held by each role, review them in your administration console. To access role information, select Users > Active, click a user row to open the user details page, select Edit from the action menu in the upper-right corner, and then click the Roles tab.

Role Permission Summary Limitations Scope of permissions Recommended Use Case
Admin Restore

Administrative

End user

  • None

No access to the administration console or Code42 app 

 

 

All organizations Assign in conjunction with a role that has access to the administration console and Code42 app. For example, PROe user and Desktop User.
Admin Restore Limited

Administrative

End user

  • None
  • Restore limit is configurable from organization settings (250 MB by default)
  • No access to the administration console or Code42 app
All organizations Assign in conjunction with a role that has access to the administration console and Code42 app. For example, PROe user and Desktop User.
Alert Emails

Administrative

  • Receive automated backup reports and backup alerts by email.

End user

  • None
  All organizations Organization administrators who monitor the frequency and success of backup operations for their users' devices.
Cross Org Admin

Administrative

  • Add/deactivate users, devices, and organizations.  
  • Update settings
  • View data in the Reporting web app 
  • Perform push and web restores for other users 


End user

  • Perform personal backups from the Code42 app and administration console
  • Limited access to the administration console command line interface (CLI)
  • Cannot access system logs
All organizations Administrators who manage users and devices in all organizations and who need to restore files for users
Cross Org Admin - No Restore 

Administrative

  • Add/deactivate users, devices, and organizations 
  • View data in the Reporting web app  


End user

  • Perform personal backups from the Code42 app and administration console
  • Cannot perform push or web restores
  • Limited access to the administration console command line interface (CLI)
  • Cannot access system logs
All organizations Administrators who manage users and devices in all organizations but should not restore files for users
Cross Org Help Desk

Administrative

  • View (read-only) users and devices 
  • Restore files to the source user's devices using the administration console
  • Use the Reporting web app to view data

End user

  • Perform personal backups from the Code42 app and administration console
  • Cannot change settings
  • Cannot add/deactivate users, devices, or organizations
All organizations Help desk staff who assist others in all organizations, but do not reconfigure any settings
Cross Org Legal Admin

Administrative

End user

  • Perform personal backups from the Code42 app
  • No "root" level access
  • Cannot change settings
  • Cannot add or deactivate users, devices, or organizations. 
All organizations Legal personnel who place custodians on legal hold and administer legal holds for the entire Code42 environment, and who need to restore files for users
Cross Org Manager

Administrative

  • View (read-only) users and devices 
  • Restore files to the source user's devices using the administration console
  • View data in the Reporting web app 

End user

  • Perform personal backups from the Code42 app and administration console
  • Cannot change settings
  • Cannot add/deactivate users, devices, or organizations
All organizations Executive users who need statistics, but not technical details, about all organizations 
Cross Org Security Viewer

Requires Security Center User role
To use Security Center's file exfiltration detection capabilities, you must also assign the Security Center User role


Administrative

End user

  • None
  • Cannot change settings in organizations
  • Cannot add/deactivate users, devices, or organizations
All organizations Information security personnel who need to retrieve information from devices that use endpoint monitoring in all organizations
Cross Org User Modify

Administrative

  • View users
  • Update user information

End user

  • None
  • Cannot add or deactivate users 
  • Cannot update organization settings
All organizations

Help desk staff who manage users, but not devices or organization settings. 

 

Assign in conjunction with a role that has access to the administration console (such as Cross Org Help Desk).

 

Customer Cloud Admin

Administrative

  • Add/deactivate users, devices, and organizations 
  • Update settings for users, devices, and organizations
  • View data in the Reporting web app  for the user's Code42 environment
  • View the Subscriptions screen for the user's organization or organizations.


End user

  • Perform personal backups from the Code42 app and administration console
  • Limited access to the administration console command line interface (CLI)
  • Cannot access system logs
All organizations Administrators who need administrative privileges for the Code42 environment
Desktop User

Administrative

  • N/A

End user

  • Perform personal backups from the Code42 app and administration console
  • Perform web restores
Cannot interact with other users' data or change settings in your Code42 environment Assigned user End users in your organization
Desktop User - No Web Restore

Administrative

  • N/A

End user

  • Perform personal backups from the Code42 app and administration console
  • Cannot interact with other users' data or change settings
  • Cannot perform web restores
Assigned user End users in your organization who do not need to perform web restores
Multi-Factor Auth Admin Permissions to view and edit the settings for two-factor authentication for local users.

Does not directly grant access to view or manage users and organizations.

 

Use this role in addition to an administrative role such as Org Admin.

The user's organization and its child organizations

Administrators who manage user authentication within a specific organization.

Org Admin

Administrative

  • Add/deactivate users, devices, and organizations
  • Update settings for users, devices, and organizations 
  • View data in the  Reporting web app
  • Perform web restores

End user

  • Perform personal backups from the Code42 app and administration console
  • Limited access to the administration console command line interface (CLI)
  • Cannot access system logs
The user's organization and its child organizations Administrators who only manage users and devices within a specific organization
Org Admin - No Web Restore

Administrative

  • Add/deactivate users, computers, and organizations 
  • Update settings for users, devices, and organizations
  • View data in the Reporting web app


End user

  • Perform personal backups from the Code42 app and administration console
  • Cannot add/deactivate users or computers outside their organization
  • Limited access to the administration console command line interface (CLI)
  • Cannot access system logs
  • Cannot perform web restores
The user's organization and its child organizations Administrators who only manage users and devices within a specific organization and who should not perform web restores
Org Help Desk

Administrative

  • View (read-only) users and devices 
  • Restore files to the source user's devices using the administration console
  • View data in the Reporting web app 

End user

  • Perform personal backups from the Code42 app and administration console
  • Cannot change settings
  • Cannot add/deactivate users, devices, or organizations 
The user's organization and its child organizations Help desk staff who assist others within their organization, but do not reconfigure any settings

Org Legal Admin

Administrative

End user

  • Perform personal backups from the Code42 app
  • No "root" level access
  • Cannot change settings
  • Cannot add/deactivate users, devices, or organizations
The user's organization and its child organizations Legal personnel who need to place custodians on legal hold and administer legal holds for the entire Code42 environment, but who only need to restore files from users within their organization. 
Org Manager

Administrative

  • View (read-only) users and devices 
  • Restore files to the source user's devices using the administration console
  • View data in the Reporting web app 

End user

  • Perform personal backups from the Code42 app and administration console
  • Cannot change settings
  • Cannot add/deactivate users, devices, or organizations
The user's organization and its child organizations Executive users who need statistics, but not technical details, about their organization (not the entire Code42 environment)
Org Security Viewer

Administrative

End user

  • None
Cannot change settings in the organization The user's organization and its child organizations Information security personnel who need to retrieve information from devices that use endpoint monitoring.
PROe User

Administrative

  • Sign in to the administration console

End user

  • None

Cannot access other information or functions of Code42 for Enterprise

Assigned user End users in your organization
PRO-Online Admin For CrashPlan for Small Business only. Do not use.      
Push Restore

Administrative

  • Restore files from the administration console
  • View files within backup archives

End user

  • None
Cannot add/deactivate users, organizations, or devices All organizations Help desk staff who assist others with restoring data. Assign in conjunction with a role that has access to the administration console.
Remote File Selection

Administrative

  • View files within backup archives

End user

  • None

Cannot add/deactivate users, organizations, or devices

All organizations Help desk staff who monitor backups. Assign in conjunction with a role that has access to the administration console.
Security Center User

Administrative

End user

  • None

Does not directly grant access to view or manage other users. Use this role in addition to an administrative role such as Org Admin.

The user's organization and its child organizations Information security personnel who review information about devices that use endpoint monitoring.
User Modify

Administrative

  • View users
  • Update user information

End user

  • None
  • Cannot add or deactivate users 
  • Cannot update organization settings

The user's organization and its child organizations

 

 

Help desk staff who manage users, but not devices or organization settings. 

 

Assign in conjunction with a role that has access to the administration console (such as Org Help Desk).

 

 
