Who is this article for?

Code42 for Enterprise, yes.

CrashPlan for Small Business, no.

See Product plans and features.

This article applies to Cloud.

Code42 Support

Identity management reference

Overview

This article describes identity management settings. You can use identity management to control authentication and authorization in your Code42 environment. These settings are only available in Code42 cloud environments. 

Definitions

authentication: The process of identifying and verifying users in a system. Methods for authentication include: 

  • Local Code42 directory
  • Single sign-on (SSO)
  • Multi-factor authentication (MFA)

authentication provider: Allows access to Code42. When enabled, users sign in using the authentication provider instead of Code42. Examples of authentication providers include Okta, Google SSO, Ping, Azure AD, OneLogin, and Microsoft AD FS. 

Code42 User Directory Sync Tool: Uses LDAP to automate user management between your directory service and your Code42 environment. This differs from other provisioning providers because it uses LDAP rather than SCIM.

identity management: An IT administrative area or market that deals with users in an IT system and gives them access to the right resources within the system.

identity provider (IdP): A general term to refer to a system that contains user identities. Identity provider can refer to a system performing authentication, provisioning, or both. Examples of identity providers include Okta, Google SSO, Ping, Azure AD, and OneLogin. 

SCIM provisioning: An open standard protocol for automating user management. 

provisioning provider: Automates user management. Applications like Code42 sync with a provisioning provider and then create, update, or remove users based on the provisioning provider's user profile. Examples of provisioning providers include Okta, Ping, and Azure AD. 

single sign-on (SSO):  SSO is one type of authentication method. It allows a user to use the same credentials to sign in to multiple applications.

Authentication

Authentication provider settings enable you to use a third-party application to authenticate users in the Code42 environment. For example, use these settings to configure a provider for single sign-on authentication.  

To view the authentication provider settings:

  1.  Sign in to the administration console.
  2.  Click Settings, and choose Identity Management.

Add authentication provider

From the Authentication tab, click Add authentication provider.

Add authentication provider

Item Description
a Display Name: Sets the name of your organization's authentication provider. This is a descriptive label and the text entered here is displayed to the user on the sign-in screen of the Code42 app and administration console.
b Provider's Metadata: Sets the format for the authentication provider's metadata. Choose either to enter a URL or upload an XML file.
c Enter URL or Upload XML File:
  • Enter URL: Sets the URL for the standalone identity provider or identity federation metadata file. The Code42 cloud must be able to access this URL.
  • Upload XML File: Uploads the XML file.

Use metadata URL for federations
Code42 cloud environments do not support uploading an XML file for federations. Use the metadata URL to configure the federation instead.

Authentication provider

The following screen appears when you configure a standalone identity provider.

Authentication provider details

Item Description Click to view
a Display name: Displays the name of your authentication provider.
b Actions menu: Menu with the following actions:
c Code42 Service Provider Metadata URL: Displays the URL for the SAML 2.0 metadata file. This file is used by the authentication provider(s). Click to view: The metadata XML file.
d Attribute mapping: Maps Code42 usernames to the provider's name identifier or a custom attribute.
  Username: Maps Code42 usernames to the authentication provider's name identifier or a custom attribute.
    • Select Use nameId to use the provider name identifier.
    • Select Use Attribute tag to enter a custom provider attribute.
  Email: Maps Code42 user email addresses to a provider attribute.
  First Name: Maps Code42 user first names to a provider attribute.
  Last Name: Maps Code42 user last names to a provider attribute.
e Edit: Edits attribute mappings.
f Organizations in Use: Displays the number of organizations that use this provider as the authentication method.
g Local users: Displays users who are set to use local authentication only. These users are meant for troubleshooting issues with your authentication provider. Click to view: Add users to the list.

Federation

A federation is a group of organizations that have formed trusts. With federations, the identity provider shares a token with the service provider to authenticate a user instead of supplying the user's credentials. When you enter the metadata URL, Code42 automatically detects whether the metadata belongs to a federation or a single provider. If it is a federation, you are automatically directed to the federation details configuration page.

Federation details

Item Description
a Display name: Displays the name of your authentication provider.
b Actions menu: Menu with the following actions:
c Attribute mapping: Maps Code42 usernames to the provider's name identifier or a custom attribute.
  Username: Maps Code42 usernames to the authentication provider's name identifier or a custom attribute.
    • Select Use nameId to use the provider name identifier.
    • Select Use Attribute tag to enter a custom provider attribute.
  Email: Maps Code42 user email addresses to a provider attribute.
  First Name: Maps Code42 user first names to a provider attribute.
  Last Name: Maps Code42 user last names to a provider attribute.
d Edit: Edits the attribute mappings. In the resulting Attribute Mapping dialog, select the Use default mapping check box to use the default attribute mappings. Deselect the check box to enter your own values.
e Federated Identity Providers: Lists all of the Federated Identity Providers that have been added for this federation. Click the name of the provider to view the details.
f Add: Adds a new federated identity provider.
g Local users: Displays users who are set to use local authentication only. These users are meant for troubleshooting issues with your authentication provider.

Add an identity provider to this federation

Add a federated identity provider

Item Description
a Select a Provider URL: Selects an identity provider from the list of available providers. Begin typing to search for the correct provider.
b Display Name: Sets the display name for the identity provider.

Identity provider details

To view the identity provider details, click the identity provider's name under the Federation details. 

Identity provider details

Item Description
a Display name: Displays the name of your authentication provider.
b Action menu: Menu with the following actions:
c Code42 Service Provider Metadata URL: Displays the URL for the SAML 2.0 metadata file. This file is used by the authentication provider(s).
d Attribute Mapping: Maps Code42 usernames to the provider's name identifier or a custom attribute.
  Username: Maps Code42 usernames to the authentication provider's name identifier or a custom attribute.
    • Select Use nameId to use the provider name identifier.
    • Select Use Attribute tag to enter a custom provider attribute.
  Email: Maps Code42 user email addresses to a provider attribute.
  First Name: Maps Code42 user first names to a provider attribute.
  Last Name: Maps Code42 user last names to a provider attribute.
e Edit: Edits attribute mappings. In the resulting Attribute Mapping dialog, select the Inherit from federation check box to inherit the attribute mappings from the federated authentication provider. Deselect the check box to enter your own values.
f Organizations in Use: Displays the number of organizations that use this provider as the authentication method.
g Local Users: Displays users who are set to use local authentication only. These users are meant for troubleshooting issues with your authentication provider.
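
A pre-configuration check for the attribute mappings described above (standalone provider, federation, and federated identity provider), as an added example that is not Code42 code: it reads a decoded SAML 2.0 assertion from your IdP and reports which value each mapped field would receive. The assertion, the attribute names (uid, mail, givenName, sn) and the helper names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
USE_NAME_ID = object()  # stands for the "Use nameId" option in the mapping dialog

# Constructed, unsigned assertion fragment; attribute names are assumptions.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def resolve_mapping(assertion_xml, mapping):
    """Return (values, problems) for a mapping of field -> USE_NAME_ID or attribute name.

    This only inspects what the IdP sends; it does not validate the signature.
    """
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        texts = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = [t for t in texts if t]

    values, problems = {}, []
    for field, source in mapping.items():
        if source is USE_NAME_ID:
            found, label = ([name_id] if name_id else []), "NameID"
        else:
            # Exact, case-sensitive match on the attribute's Name.
            found, label = attrs.get(source, []), f"attribute {source!r}"
        if len(found) == 1:
            values[field] = found[0]
        elif not found:
            problems.append(f"{field}: {label} missing or empty")
        else:
            problems.append(f"{field}: {label} carries {len(found)} values")
    return values, problems


if __name__ == "__main__":
    candidate = {"username": USE_NAME_ID, "email": "mail",
                 "first_name": "givenName", "last_name": "SN"}  # "SN" is a deliberate typo
    values, problems = resolve_mapping(SAMPLE_ASSERTION, candidate)
    print(values)
    print(problems)
```

Run it against a test assertion captured from your own IdP before saving a custom mapping; any entry in the problems list is a field that would arrive empty or ambiguous.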

Provisioning

Provisioning provider settings allow you to connect to a third-party application where your users are stored, and automatically add them to Code42. To view the provisioning provider settings:

  1. Sign in to the administration console.
  2. Click Settings, and choose Identity Management.
  3. Click Provisioning.

Add Provisioning Provider

To view, go to Provisioning, then click Add Provisioning Provider. Choose either Add SCIM Provider or Add Code42 User Directory Sync.

Add SCIM Provisioning

Item Description
a Username: Sets the name for the SCIM provider or Code42 User Directory Sync.

API Credentials

After you enter a username for the provisioning provider, the API credentials appear. Your provider may require some or all of these credentials to create a service account for syncing between your directory and Code42. 


API credentials

API credentials reference
Item Description
a Base URL: The URL for interacting with the Code42 provisioning API.
b Username: Username for the service account.
c Password: Password for the service account. This password only appears once, so save the password in a secure location.

SCIM Provisioning Provider

Appears when configuring a SCIM provisioning provider. 

SCIM Provisioning Provider

Item Description Click to view
a Name: Displays the name of your provisioning provider.
b Action menu: Menu with the following actions:
  • Edit This Provider Name
  • Add New SCIM Provider
  • Add Code42 User Directory Sync
  • Delete This Provider
c API Credentials: Displays API user credentials. This user performs directory sync between your provider and Code42. These credentials are used by the provisioning provider. Type is either SCIM Provider or Code42 User Directory Sync.
d Deactivation Delay: Displays the amount of time Code42 waits to deactivate a user once the provider has sent the update.
  Note: Even if you configure Code42 to wait to deactivate a user, the user is immediately blocked. The user is then deactivated after the configured time.
  Only configurable for SCIM provisioning providers.
e Edit: Edits the deactivation delay setting.
f Organization Mapping: Displays how Code42 assigns organizations to users who are added from the provisioning provider.
  Only configurable for SCIM provisioning providers.
g Edit: Change how Code42 maps provisioned users. Choose between the following mapping methods:
  • Map all users to a Code42 organization: Maps all groups to a single organization.
  • Map users to organizations based on the provider's "c42OrgName" attribute: Maps groups to organizations based on the provider's "c42OrgName" attribute.
  • Map users to organizations based on an existing provider SCIM attribute: Map to organizations based on a provider's SCIM attribute.
  • Map users to organizations using SCIM groups: Create mappings of SCIM groups to organizations.
  Click to view: Organization Mapping Methods
h "Code42 organization": Displays a Code42 organization. Click to view: Additional Code42 organizations
i Add Role Mapping: SCIM provisioning providers only. Opens the Add Role Mapping setting. This maps Code42 roles and permissions to groups.
  Note: This button only appears if SCIM groups have already been sent from your provider.
  Click to view: Role mapping
Select Roles: Code42 User Directory Sync only. Select roles to be managed by the Code42 User Directory Sync Tool. This means only roles checked in this list will be automatically updated by the tool. Roles that aren't checked here must be manually updated in the administration console.
  See the Roles reference for more information on each role.
  Click to view: View a list of roles within your Code42 environment

Edit Organizational Mapping Method

To view organization mapping methods, select the edit (pencil) icon next to Organization Mapping.

Single organization

Assigns all users to the same Code42 organization. If you choose this option, create organizations in the administration console before you begin.

Example use case
Use this option if you manage users in the administration console. For example, all users that are provisioned from the provisioning provider are added to the same organization. You can then move the users from that single organization to additional organizations in the administration console. 

Single organization mapping method

Item Description
a Single organization: Displays the mapping method.
b Select an organization: Displays a list of the organizations in your Code42 environment.

"C42OrgName" attribute

The "c42OrgName" attribute creates new organizations or assigns users to existing organizations based on the value for the user attribute c42OrgName. This value becomes the name for the Code42 organization. This attribute is managed on the provisioning provider. 

Example use case
Use this method if you want to manage users in the provisioning provider (and not in the administration console). The value for this attribute becomes the name for the Code42 organization. Code42 creates new organizations or assigns users to existing organizations based on the value. 

Choose c42OrgName attribute

Item Description
a Mapping method: Enables the mapping method. Code42 provisions users to organizations using the "c42OrgName" attribute.

Custom attribute

Using a custom attribute creates new organizations or assigns users to existing organizations based on the value for the chosen user attribute. 

Example use case
Use this method if you already have an attribute included in the provisioning provider user profile that you want to use for organization mapping. For example, you want to set up your Code42 organizations by office location. You create an office attribute. The value of the office attribute becomes the name of the organization. 

Custom attribute

Item Description
a Mapping method: Enables the mapping method. Code42 provisions users to organizations based on a custom SCIM attribute.
b SCIM attribute: Enter the attribute Code42 should use to map provisioned users to Code42 organizations. This value must match the attribute name in your provisioning provider exactly.

Custom SCIM mapping

Assigns users to Code42 organizations based on their SCIM group. If you choose this option, create organizations in the administration console before you begin.

Example use case
Use this mapping method if your users are already assigned to SCIM groups. For example, a user is part of two different SCIM groups: an executive group and a UK group. You want this user's backup policies to match the other executives in your company, so this user should be assigned to the same Code42 organization as the other executives. In the administration console, you can choose the executive group to take priority over the UK group. This way you can place all of the executives in your company in the same organization and ensure they have the same backup policies.

Custom SCIM mapping

Item Description
a Mapping Method: Displays the mapping method. Click Save to go to Add Mapping.

Add Mapping

To view, click Add Mapping. Use Add Organization Mapping to map SCIM groups to Code42 organizations. 

Add Organization Mapping

Item Description
a Select a SCIM group: Displays all the SCIM groups that your provider has sent to the administration console. Only groups that have not been mapped appear in this list.
b Select a Code42 organization: Displays the organization tree for your administration console.

Add Role Mapping

To view, click Add Role Mapping.

Add Role Mapping

Item Description
a Select a SCIM group: Displays all the SCIM groups that have been pushed to your administration console. Only groups that have not been mapped appear in this list.
b Select a Code42 role: Displays a list of all the Code42 roles. Learn more about Code42 roles and permissions below.

Code42 User Directory Sync

Appears when configuring Code42 User Directory Sync. 

Code42 User Directory Sync configuration page

Item Description Click to view
a Name: Display name for this User Directory Sync instance.
b Action menu: Menu with the following actions:
  • Edit Provider Name
  • Add New SCIM Provider
  • Add Code42 User Directory Sync
  • Delete This Provider
c API Credentials: Displays API user credentials. This user performs directory sync between your provider and Code42. These credentials are used by the provisioning provider. Type is either SCIM Provider or Code42 User Directory Sync.
d Deactivation Delay: This feature is configured within the Code42 User Directory Tool itself.
  Note: Even if you configure Code42 to wait to deactivate a user, the user is immediately blocked. The user is then deactivated after the configured time.
e Organization Mapping: Disabled within the administration console. To configure how users are mapped to Code42 organizations, use the Org script in the Code42 User Directory Sync Tool.
f Role Mapping: Displays which roles the Code42 User Directory Sync automatically updates.
g Edit Role Mapping: Enable a method for mapping roles to users. Choose either Manually or Select roles from the Code42 User Directory Sync.
  • Manually: You must update roles within the administration console.
  • Select roles from the Code42 User Directory Sync: Code42 automatically updates a user's roles based on the role script.
h Select Roles: Select roles to be managed by the Code42 User Directory Sync Tool. This means only roles checked in this list will be automatically updated by the tool. Roles that aren't checked here must be manually updated in the administration console.
  See the Roles reference for more information on each role.
  Click to view: View a list of roles within your Code42 environment.

Select roles

To view, go to Provisioning and click Select Roles. This is a security measure to prevent users from elevating their privilege within the Code42 environment.

Select roles

Item Description
a Choose Roles: Displays all of the roles available in your Code42 environment. To learn more about the permissions, limitations, and example use cases for each role, see the Roles reference.
b Enable or disable role: Enable or disable roles from automatic provisioning.
  • Enabled: Code42 automatically adds or removes this role based on your role script.
  • Disabled: Even if your role script includes this role, Code42 will not update a user to add or remove this role. You must manually update in the administration console.

Sync Log

The sync log displays all of the updates made to your Code42 environment from the provisioning provider. To view the Sync Log:

  1. Sign in to the administration console.
  2. Click Settings.
  3. Choose Identity Management.
  4. Click Sync Log.

Sync log

Item Description Click to view
a Date selector: Selects the timeframe for which logs to display. Click to view a calendar date picker.
b Export CSV: Exports all of the sync logs to a .CSV file. Use this option to filter the logs further. Click to start downloading a CSV file.
c Provider: Displays the provider that made the update. Click to sort.
d User Impacted: Displays the Code42 username. Click to sort.
e Change type: Displays how the user was changed. Change types are:
  • Created
  • Modified
  • Deactivated
  • Sync Failure
  • Not in Role Mapping
  • Removed
  Click to sort.
f Attribute changed: Displays what part of the user changed. Attribute changes can be to:
  • Organization
  • Role
  • User name
  • Email
  Click to sort.
g New Value: Displays the new value for the attribute that was changed. Click to sort.
h Old value: Displays the old value for the attribute that was changed. Click to sort.
i Date changed: Displays the date the change occurred. Click to sort.
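
One way to triage an exported sync log offline, as an added example that is not part of Code42's tooling: it flags privileged role grants, Sync Failure and Not in Role Mapping rows, and changes to user name or email. The CSV header names, the sample rows and the role names are constructed assumptions; adjust them to match your export.

```python
import csv
import io

# Constructed sample. Header names are assumed to mirror the Sync Log columns;
# check them against the first line of your own export.
SAMPLE_CSV = """\
Provider,User Impacted,Change Type,Attribute Changed,New Value,Old Value,Date Changed
Example SCIM,alice@example.com,Created,Organization,Engineering,,2024-01-10
Example SCIM,bob@example.com,Modified,Role,example-admin-role,example-user-role,2024-01-11
Example SCIM,carol@example.com,Sync Failure,,,,2024-01-11
Example SCIM,dave@example.com,Not in Role Mapping,Role,,,2024-01-12
Example SCIM,bob@example.com,Modified,Email,bob2@example.com,bob@example.com,2024-01-12
"""

PRIVILEGED_ROLES = frozenset({"example-admin-role"})  # hypothetical role name
ALWAYS_REVIEW = {"sync failure", "not in role mapping"}
IDENTITY_ATTRS = {"user name", "email"}
REQUIRED = {"user impacted", "change type", "attribute changed",
            "new value", "old value", "date changed"}


def review_sync_log(csv_text, privileged_roles=PRIVILEGED_ROLES):
    """Return (date, user, finding) tuples for rows that merit human review."""
    reader = csv.DictReader(io.StringIO(csv_text))
    headers = {(h or "").strip().lower() for h in (reader.fieldnames or [])}
    missing = REQUIRED - headers
    if missing:
        # Fail loudly rather than report "no findings" on an unexpected layout.
        raise ValueError(f"export is missing columns: {sorted(missing)}")

    findings = []
    for raw in reader:
        # Normalise header case and spacing; short rows yield None values.
        row = {k.strip().lower(): (v or "").strip() for k, v in raw.items() if k}
        user, date = row["user impacted"], row["date changed"]
        change, attr = row["change type"].lower(), row["attribute changed"].lower()
        new, old = row["new value"], row["old value"]
        if change in ALWAYS_REVIEW:
            findings.append((date, user, f"provisioning gap: {row['change type']}"))
        elif attr == "role" and new in privileged_roles and old not in privileged_roles:
            findings.append((date, user, f"privileged role granted: {new}"))
        elif attr in IDENTITY_ATTRS and change == "modified":
            findings.append((date, user, f"{attr} changed: {old} -> {new}"))
    return findings


if __name__ == "__main__":
    for finding in review_sync_log(SAMPLE_CSV):
        print(*finding, sep=" | ")
```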

Roles details

The available standard roles, as well as the permissions, limitations, scope of permissions, and recommended use cases for each are described in Roles reference.

For details about the specific permissions held by each role, review them in your administration console. To access role information:

  1. Select Administration > Users > Active.
  2. Click a user row to open the user details page.
  3. Select Edit from the action menu in the upper-right corner.
  4. Click the Roles tab.

External resources