Skip to main content

Who is this article for?

Incydr Professional and Enterprise
Incydr Basic and Advanced
Other product plans

Incydr Professional and Enterprise, yes.

Incydr Basic and Advanced, yes.

CrashPlan Cloud, yes.

Other product plans, yes.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

Other available versions:

On-premises

HOME
GETTING STARTED
RELEASE NOTES
FAQs
APIs
SYSTEM STATUS
Code42 Support

Roles reference

Overview

Your Code42 environment has a pre-existing set of user roles that can be applied to user accounts. These standard user roles provide administrators with the fine-grained set of permissions needed for most use cases. This article describes the available standard roles, as well as the permissions and limitations for each.

To assign roles to users, see Manage user roles. For use cases, see Role assignment use cases.

Roles training 

Code42 University offers virtual instructor-led training for all major roles within Code42. Roles courses are included with the Code42 All Access Education Team Pass. For more information, see Instructor Led Training - Learn By Role.  

View roles

Incydr Professional and Enterprise

  1. Sign in to the Code42 console.
  2. Go to Administration > Environment > Users.
  3. Click a user row to open the user details screen.
  4. Click Roles.
    The roles assigned to the user appear below.
  5. To add or remove roles on the user, click Edit Edit icon.
  6. From Edit roles, select the roles to assign to that user.
  7. Click Save to save your changes.

Incydr Basic and Advanced, CrashPlan Cloud, and other plans

  1. Sign in to the Code42 console as a user with the Customer Cloud Admin role.
  2. Navigate to Administration > Environment > Users
  3. Click a user row to open the user details page. 
  4. Select Edit from the action menu in the upper-right corner.
  5. Click the Roles tab. 
  6. Select a role from the Available Roles or Current Roles lists.
    The permissions granted by the selected role are displayed in the Role's Permissions table. 

View roles.

Available roles

Most of the standard roles are available in Incydr Basic and Advanced, CrashPlan Cloud, and other plans.

Standard roles

Admin Restore

Incydr Basic and Advanced, CrashPlan Cloud, and other plans only

Assign this role to administrators who restore data for users using the Code42 console. Assign this role in conjunction with a role that has access to the Code42 console, such as PROe User or Desktop User.

    Limitations 
    • No access to the Code42 console or Code42 app.
  • Scope of permissions
    • All organizations.
  • Permissions
    • restore: Perform a full web restore for all devices user has authority to manage.
    • restore.limited: Perform a limited size web restore for all devices user has authority to manage.
    • restore.personal: Perform a personal web restore.

Admin Restore Limited

Incydr Basic and Advanced, CrashPlan Cloud, and other plans only

Assign this role to administrators who restore a limited amount of data for users using the Code42 console. The amount that this role is limited to restore is defined by Web restore limit in organization settings. Assign this role in conjunction with a role that has access to the Code42 console, such as PROe User or Desktop User.

    Limitations 
    • No access to the Code42 console or Code42 app.
  • Scope of permissions
    • All organizations.
  • Permissions
    • restore.limited: Perform a limited size web restore for all devices user has authority to manage.

Agent User

Incydr Professional and Enterprise only

This role is the default role for users in Incydr Professional and Enterprise. People with this role cannot sign in to the Code42 console. This role is assigned at initial user registration.

  • Limitations 
    • Cannot sign in to the Code42 console.
  • Scope of permissions
    • Assigned user.
  • Permissions
    • computer.read: Permission to read computer information.
    • computer.update: Permission to update computer information.

Alert Emails

Incydr Basic and Advanced, CrashPlan Cloud, and other plans only

Assign this role to administrators who want to receive warning and critical alerts emails to monitor the frequency and success of backup operations for their users' devices.

    Limitations 
    • No "root" level access.
  • Scope of permissions
    • All organizations.
  • Permissions
    • receives.alert.email: Receive automated backup reports and alerts by email.

Alert Rule Builder

Assign this role to administrators who need to create and modify alert rules.

  • Limitations 
    • Cannot sign in to the Code42 console.
  • Scope of permissions
    • All organizations.
  • Permissions
    • alerting.rules.write: Create and modify alert rules.

Audit Log Viewer

Assign this role to information security personnel who need to review events in the Audit Log

Incydr Basic and Advanced, CrashPlan Cloud, and other plans only: Assign this role in conjunction with a role that has access to the Code42 console, such as PROe User or Desktop User.

  • Limitations 
    • Cannot perform any functions except view the Audit Log.
  • Scope of permissions
    • All organizations.
  • Permissions
    • auditlog.read: View Audit Log events.

Cross Org Admin

Assign this role to administrators who manage users and devices in all organizations, and who need to restore files for users. 

    Limitations 
    • Has only limited access to the Code42 console command line interface (CLI).
    • Cannot access system logs.
  • Scope of permissions
    • All organizations.
  • Permissions
    • account.update: For internal use only.
    • console.login: Log in to the Code42 console.
    • cpd.login: Log in to the Code42 app.
    • cpd.restore: Restore from the Code42 app.
    • cpp.login: Log in to the Code42 console.
    • cps.login: Log in to the client desktop.
    • crossorg-computer: Access, alter, or remove any computer information across organizations.
    • crossorg_computer.delete: Delete any computer across organizations.
    • crossorg_computer.read: View computer information across organizations.
    • crossorg_computer.update: Update computer information across organizations.
    • crossorg-org.create: Create new parent organizations across organizations.
    • crossorg-org.delete: Delete any org across organizations.
    • crossorg-org.read: View organization information across organizations.
    • crossorg-org.update_deactivate: Update organization information and deactivate organizations across organizations.
    • crossorg-plan: Create, read, update and delete plans across organizations.
    • crossorg_plan.create: Create plans across organizations.
    • crossorg_plan.delete: Delete plans across organizations.
    • crossorg_plan.read: Read information about plans across organizations.
    • crossorg_plan.update: Update information on plans across organizations.
    • crossorg-user: Access, alter, or remove any user information across organizations.
    • crossorg_user.create: Create users across organizations.
    • crossorg_user.delete: Delete users across organizations.
    • crossorg_user.read: View user information across organizations.
    • crossorg_user.update: Update user information across organizations.
    • fileforensics.settings_write: View and edit file forensics related settings.
    • pushrestore: Perform a push restore from and to any device the user has authority to manage.
    • pushrestore.limited: Perform a push restore only to the source user's devices. There is no size limit.
    • pushrestore.personal: Perform a personal push restore.
    • restore: Perform a full web restore for all devices user has authority to manage.
    • restore.limited: Perform a limited size web restore for all devices user has authority to manage.
    • restore.personal: Perform a personal web restore.
    • search.configure: Configure search related settings.
    • securitytools.settings_write: Edit settings for Code42 Security Tools.
    • select: Remotely browse file and directory names for all devices user has authority to manage. Used for remotely selecting push-restore destination and backup sources.
    • system.command_restricted: View the CLI and run any command for which the user has permission.
    • viewlogs.device: Access agent logs for any device the user has read permissions to.

Cross Org Admin - No Restore

Incydr Basic and Advanced, CrashPlan Cloud, and other plans only

Assign this role to administrators who manage users and devices in all organizations, but who should not restore files for users. 

    Limitations 
    • Cannot perform push or web restores.
    • Limited access to the Code42 console command line interface (CLI).
    • Cannot access system logs.
  • Scope of permissions
    • All organizations.
  • Permissions
    • account.update: For internal use only.
    • console.login: Log in to the Code42 console.
    • cpd.login: Log in to the Code42 app.
    • cpd.restore: Restore from the Code42 app.
    • cpp.login: Log in to the Code42 console.
    • cps.login: Log in to the client desktop.
    • crossorg-computer: Access, alter, or remove any computer information across organizations.
    • crossorg_computer.delete: delete any computer across organizations.
    • crossorg_computer.read: view computer information across organizations.
    • crossorg_computer.update: update computer information across organizations.
    • crossorg-org.create: Create new parent organizations across organizations.
    • crossorg-org.delete: Delete any org across organizations.
    • crossorg-org.read: View organization information across organizations.
    • crossorg-org.update_deactivate: Update organization information and deactivate organizations across organizations.
    • crossorg-plan: Create, read, update and delete plans across organizations.
    • crossorg_plan.create: create plans across organizations.
    • crossorg_plan.delete: delete plans across organizations.
    • crossorg_plan.read: read information about plans across organizations.
    • crossorg_plan.update: update information on plans across organizations.
    • crossorg-user: Access, alter, or remove any user information across organizations.
    • crossorg_user.create: Create users across organizations.
    • crossorg_user.delete: Delete users across organizations.
    • crossorg_user.read: View user information across organizations.
    • fileforensics.settings_write: View and edit file forensics related settings.
    • pushrestore: Perform a push restore from and to any device the user has authority to manage.
    • pushrestore.limited: Perform a push restore only to the source user's devices. There is no size limit.
    • pushrestore.personal: Perform a personal push restore.
    • search.configure: Configure search related settings.
    • securitytools.settings_write: Edit settings for Code42 Security Tools.
    • select: Remotely browse file and directory names for all devices user has authority to manage. Used for remotely selecting push-restore destination and backup sources.
    • select.personal: Remotely browse file and directory names for personal devices. Used for remotely selecting push-restore destination and backup sources.
    • system.command_restricted: View the CLI and run any command for which the user has permission.
    • viewlogs.device: Access to agent logs for any device the user has read permissions to.

Cross Org Computer Modify

Incydr Basic and Advanced, CrashPlan Cloud, and other plans only

Assign this role to individuals who modify device settings in all organizations. Assign in conjunction with Cross Org Help Desk to allow help desk personnel to add and deactivate user devices.

    Limitations 
    • Cannot add/deactivate users or organizations.
  • Scope of permissions
    • All organizations.
  • Permissions
    • crossorg-computer.update: Update computer information across all organizations.
    • crossorg-user.read: View user information across all organizations.

Cross Org Help Desk

Incydr Basic and Advanced, CrashPlan Cloud, and other plans only

Assign this role to help desk personnel who assist others in all organizations, but who cannot change any settings. The people with this role can view users and devices, restore files to the source user's devices using the Code42 console, and use reports to view data. To allow people with this role to add and deactivate user devices, assign this role in conjunction with the Cross Org Computer Modify role. 

    Limitations 
    • Cannot change settings.
    • Cannot add/deactivate users, devices, or organizations.
  • Scope of permissions
    • All organizations.
  • Permissions
    • console.login: Log in to the Code42 console.
    • cpd.login: Log in to the Code42 app.
    • cpd.restore: Restore from the Code42 app.
    • cpp.login: Log in to the Code42 console.
    • cps.login: Log in to the client desktop.
    • crossorg-computer.read: View computer information across organizations.
    • crossorg-org.read: View organization information across organizations.
    • crossorg-plan.read: Read information about plans across organizations.
    • crossorg-user.read: View user information across organizations.
    • pushrestore.limited: Perform a push restore only to the source user's devices. There is no size limit.
    • select: Remotely browse file and directory names for all devices user has authority to manage. Used for remotely selecting push-restore destination and backup sources.
    • select.personal: Remotely browse file and directory names for personal devices. Used for remotely selecting push-restore destination and backup sources.

Cross Org Help Desk - No Restore

Incydr Basic and Advanced, CrashPlan Cloud, and other plans only

Assign this role to help desk personnel who assist others in all organizations, but who do not change any settings or restore files for others. People with this role can view users and devices and use reports to view data.

    Limitations 
    • Cannot perform push or web restores.
    • Cannot change settings.
    • Cannot add/deactivate users, devices, or organizations.
  • Scope of permissions
    • All organizations.
  • Permissions
    • console.login: Log in to the Code42 console.
    • cpd.login: Log in to the Code42 app.
    • cpd.restore: Restore from the Code42 app.
    • cpp.login: Log in to the Code42 console.
    • cps.login: Log in to the client desktop.
    • crossorg-computer.read: View computer information across organizations.
    • crossorg-org.read: View organization information across organizations.
    • crossorg-plan.read: Read information about plans across organizations.
    • crossorg-user.read: View user information across organizations.

Cross Org Legal Admin

Incydr Basic and Advanced, CrashPlan Cloud, and other plans only

Assign this role to legal personnel who place custodians on legal hold and administer legal holds for all organizations. People with this role can restore files for legal hold collection purposes (push restore), view data in reports, and create, modify, and deactivate legal holds.

    Limitations 
    • No "root" level access.
    • Cannot change settings.
    • Cannot add or deactivate users, devices, or organizations.
  • Scope of permissions
    • All organizations.
  • Permissions
    • console.login: Log in to the Code42 console.
    • cpd.login: Log in to the Code42 app.
    • cpp.login: Log in to the Code42 console.
    • cps.login: Log in to the client desktop.
    • crossorg-computer.read: View computer information across organizations.
    • crossorg-org.read: View organization information across organizations.
    • crossorg-plan: Create, read, update and delete plans across organizations.
    • crossorg_plan.create: create plans across organizations.
    • crossorg_plan.delete: delete plans across organizations.
    • crossorg_plan.read: read information about plans across organizations.
    • crossorg_plan.update: update information on plans across organizations.
    • crossorg-user.read: View user information across organizations.
    • legalhold: Perform any operation regarding any legal hold.
    • legalhold.create: Create a legal hold.
    • legalhold.modify_membership: Add/remove users to/from any legal hold.
    • legalhold.read: View any legal hold.
    • legalhold.update: Update any legal hold.
    • pushrestore: Perform a push restore from and to any device the user has authority to manage.
    • pushrestore.limited: Perform a push restore only to the source user's devices. There is no size limit.
    • pushrestore.personal: Perform a personal push restore.
    • restore: Perform a full web restore for all devices user has authority to manage.
    • restore.limited: Perform a limited size web restore for all devices user has authority to manage.
    • restore.personal: Perform a personal web restore.
    • select: Remotely browse file and directory names for all devices user has authority to manage. Used for remotely selecting push-restore destination and backup sources.
    • select.personal: Remotely browse file and directory names for personal devices. Used for remotely selecting push-restore destination and backup sources.

Cross Org Manager

Assign this role to executive users who need statistics, but not technical details, about all organizations. People with this role can view users and devices, restore files to the source user's devices using the Code42 console, and view data in reports.

  • Limitations 
    • Cannot change settings.
    • Cannot add/deactivate users, devices, or organizations.
  • Scope of permissions
    • All organizations.
  • Permissions
    • console.login: Log in to the Code42 console.
    • cpd.login: Log in to the Code42 app.
    • cpd.restore: Restore from the Code42 app.
    • cpp.login: Log in to the Code42 console.
    • cps.login: Log in to the client desktop.
    • crossorg-computer.read: View computer information across organizations.
    • crossorg-org.read: View organization information across organizations.
    • crossorg-plan.read: Read information about plans across organizations.
    • crossorg-user.read: View user information across organizations.
    • pushrestore.personal: Perform a personal push restore.
    • restore.limited: Perform a limited size web restore for all devices user has authority to manage.
    • restore.personal: Perform a personal web restore.
    • select.personal: Remotely browse file and directory names for personal devices. Used for remotely selecting push-restore destination and backup sources.

Cross Org Security Viewer

Incydr Basic and Advanced, CrashPlan Cloud, and other plans only

Assign this role to information security personnel who need to retrieve information from devices that use endpoint monitoring in all organizations. People with this role can use the Activity Profile to view user activity detected by endpoint monitoring, and view data in reports. This role only applies to customers with the retired Code42 Gold product plan. It must be assigned in conjunction with the Security Center User role. 

  • Limitations 
    • Cannot view security data in features offered by other product plans than the Code42 Gold product plan (for example, Forensic Search, Alerts, Risk Exposure dashboard, and so on).
    • Cannot change settings in organizations.
    • Cannot add/deactivate users, devices, or organizations.
  • Scope of permissions
    • All organizations.
  • Permissions
    • console.login: Log in to the Code42 console.
    • cpp.login: Log in to the Code42 console.
    • crossorg-computer.read: View computer information across organizations.
    • crossorg-org.read: View organization information across organizations.
    • crossorg-plan.read: Read information about plans across organizations.
    • crossorg-user.read: View user information across organizations.
    • securitytools.data_read: View data collected by Code42 Security Tools.

Cross Org User Modify

Incydr Basic and Advanced, CrashPlan Cloud, and other plans only

Assign this role to help desk personnel who modify user settings on all organizations, but not device or organization settings. This role must be assigned in conjunction with a role that has access to the Code42 console, such as Cross Org Help Desk.

  • Limitations 
    • Cannot add or deactivate users.
    • Cannot update organization settings.
  • Scope of permissions
    • All organizations.
  • Permissions
    • crossorg-user.read: View user information across organizations.
    • crossorg-user.update: Update user information across organizations.

Customer Cloud Admin

Assign this role to "super user" administrators who should have all possible permissions. People with this role have permissions to perform the tasks of any role.

Use with caution
Always assign roles so that users have the lowest level of privilege needed to perform their jobs. Do not assign the Customer Cloud Admin role if another role will provide the desired permissions. 
  • Limitations 
    • Limited access to the Code42 console command line interface (CLI).
    • Cannot access system logs.
  • Scope of permissions
    • All organizations.
  • Permissions
    • accesslock: Perform all accessLock related functions.
    • account.update: For internal use only.
    • alerting.alerts.read: View alerts generated.
    • alerting.alerts.write: Manage generated alerts, including ability to edit notes and status.
    • alerting.rules.read: View rules configured for alerts.
    • alerting.rules.write: Create and modify alert rules.
    • api_client.read: View API client information.
    • api_client.write: Create, modify, and remove API client information.
    • auditlog.read: View Audit Log events.
    • cases.content.read: View all case information, including events and findings.
    • cases.content.write: Edit all aspects of a case, including add/remove file events, assign subjects, statuses, and add/edit findings.
    • console.login: Log in to the Code42 console.
    • cpd.login: Log in to the Code42 app.
    • cpd.restore: Restore from the Code42 app.
    • cpp.login: Log in to the Code42 console.
    • cps.login: Log in to the client desktop.
    • client_management.deployment_policy.read: Read Deployment Policy information.
    • client_management.deployment_policy.write: Write Deployment Policy information.
    • client_management.device_upgrade.read: Read Device Upgrade (DCU) settings.
    • client_management.device_upgrade.write: Write DeviceUpgrade (DCU) settings.
    • crossorg-computer: Access, alter, or remove any computer information across organizations.
    • crossorg_computer.delete: delete any computer across organizations.
    • crossorg_computer.read: view computer information across organizations.
    • crossorg_computer.update: update computer information across organizations.
    • crossorg-org.create: Create new parent organizations across organizations.
    • crossorg-org.delete: Delete any org across organizations.
    • crossorg-org.read: View organization information across organizations.
    • crossorg-org.update_deactivate: Update organization information and deactivate organizations across organizations.
    • crossorg-org.update_restricted: Update restricted organization information across organizations.
    • crossorg-plan: Create, read, update and delete plans across organizations.
    • crossorg_plan.create: Create plans across organizations.
    • crossorg_plan.delete: Delete plans across organizations.
    • crossorg_plan.read: Read information about plans across organizations.
    • crossorg_plan.update: Update information on plans across organizations.
    • crossorg-user: Access, alter, or remove any user information across organizations.
    • crossorg_user.create: Create users across organizations.
    • crossorg_user.delete: Delete users across organizations.
    • crossorg_user.read: View user information across organizations.
    • crossorg_user.update: Update user information across organizations.
    • customer_admin: Configure settings for the entire environment, such as subscription information and single sign-on (SSO).
    • dataconnections.settings.read: View all settings configured for Data Connections.
    • dataconnections.settings.write: Add, edit, and remove settings configured for Data Connections. 
    • datapreferences.settings.read: View all settings configured for Data Preferences.
    • datapreferences.settings.write: Add, edit, and remove settings configured for Data Preferences.
    • detectionlists.departingemployee.read: View users on the departing employee list, including notes, departure date, attributes, and event counts.
    • detectionlists.departingemployee.write: Add and remove users from the departing employee list, including details for departure date.
    • detectionlists.departingemployeealerts.read: View departing employee alert settings.
    • detectionlists.departingemployeealerts.write: Modify departing employee alert settings.
    • detectionlists.highriskemployee.read: View users on the high risk employee list, including notes, attributes, and risk factors.
    • detectionlists.highriskemployee.write: Add and remove users from high risk employee list.
    • detectionlists.highriskemployeealerts.read: View high risk employee alert settings.
    • detectionlists.highriskemployeealerts.write: Modify high risk employee alert settings.
    • detectionlists.userprofile.read: Ability to search for user profiles and get basic user information such as their name, department, and cloud aliases.
    • detectionlists.userprofile.write: Ability to add and remove cloud alias names from a user profile.
    • detectionlists.userprofilenotes.read: Ability to view user notes.
    • detectionlists.userprofilenotes.write: Ability to update user notes.
    • directory.uac.elevated_role_manage: Manage role assignments for any role. 
    • email.update: Change customer-specific email settings and content.
    • fileforensics.restore:  Download (restore) files from Forensic Search.
    • fileforensics.settings_write: View and edit file forensics related settings.
    • legalhold: Perform any operation regarding any Legal Hold.
    • legalhold.create: Create a legal hold.
    • legalhold.modify_membership: Add/remove users to/from any legal hold.
    • legalhold.read: View any legal hold.
    • legalhold.update: Update any legal hold.
    • notify-new-location: View and update whether the user is notified on login from a new location.
    • notify_new_location.read: Read whether the user is notified on login from a new location.
    • notify_new_location.update: Update whether the user is notified on login from a new location.
    • preservation.metadata.read: View the preservation manifest for any archive in the organization.
    • prioritization.settings.read: View all available risk settings, including the risk indicators and corresponding weights.
    • prioritization.settings.write: Edit all aspects of risk settings, including the weight assigned to individual risk indicators.
    • pushrestore: Perform a push restore from and to any device the user has authority to manage.
    • pushrestore.limited: Perform a push restore only to the source user's devices. There is no size limit.
    • pushrestore.personal: Perform a personal push restore.
    • restore: Perform a full web restore for all devices user has authority to manage.
    • restore.limited: Perform a limited size web restore for all devices user has authority to manage.
    • restore.personal: Perform a personal web restore.
    • search.configure: Configure search related settings.
    • search.fileevents.read: View, search, and export event-level metadata about file and data movement. Includes access to Forensic Search and related APIs.
    • search.saved.read: View saved searches that have been created in Forensic Search.
    • search.saved.write: Create, modify, and delete saved searches in Forensic Search.
    • securitytools.data_read: View data collected by Code42 Security Tools.
    • securitytools.settings_write: Edit settings for Code42 Security Tools.
    • select: Remotely browse file and directory names for all devices user has authority to manage. Used for remotely selecting push-restore destination and backup sources.
    • select.personal: Remotely browse file and directory names for personal devices. Used for remotely selecting push-restore destination and backup sources.
    • system.command_restricted: View the CLI and run any command for which the user has permission.
    • twofactorauth.configure: View and edit two-factor auth settings for local users.
    • viewlogs.device: Access agent logs for any device the user has read permissions to.
    • visualizations.endpointhealth.read: View device health information for collection of file events.
    • visualizations.risksummaries.read: View the risk exposure visualizations.

Departing Employee Manager

Assign this role to people who add or remove users in the Departing Employees list. This role is intended to augment the Insider Risk Analyst role, or to be used as a standalone role for application integrations that add or remove users in the Departing Employees list.

    Limitations 
    • Cannot perform any administrator actions beyond adding and removing users in the Departing Employees list.
  • Scope of permissions
    • Assigned user.
  • Permissions
    • cpp.login: Log in to the Code42 console.
    • crossorg-org.read: View organization information across organizations.
    • crossorg-user.read: View user information across organizations.
    • detectionlists.departingemployee.read: View users on the departing employee list, including notes, departure date, attributes, and event counts.
    • detectionlists.departingemployee.write: Add and remove users from the departing employee list, including details for departure date.
    • detectionlists.departingemployeealerts.read: View departing employee alert settings.
    • detectionlists.departingemployeealerts.write: Modify departing employee alert settings.
    • detectionlists.userprofile.read: Ability to search for user profiles and get basic user information such as their name, department, and cloud aliases.
    • detectionlists.userprofile.write: Ability to add and remove cloud alias names from a user profile.
    • detectionlists.userprofilenotes.read: Ability to view user notes.
    • detectionlists.userprofilenotes.write: Ability to update user notes.

Desktop User

Incydr Basic and Advanced, CrashPlan Cloud, and other plans only

This role is the default role for Code42 app users. People with this role can sign in to the Code42 app, select files for backup in the Code42 app, and restore files from the Code42 app.

  • Limitations 
    • Cannot interact with other users' data or change settings in the Code42 environment.
  • Scope of permissions
    • Assigned user.
  • Permissions
    • cpd.login: Log in to the Code42 app.
    • cpd.restore: Restore from the Code42 app.
    • cps.login: Log in to the client desktop.
    • plan.create: Create plans within a user's organization hierarchy.
    • restore.personal: Perform a personal web restore.
    • select.personal: Remotely browse file and directory names for personal devices. Used for remotely selecting push-restore destination and backup sources.

Desktop User - No Web Restore

Incydr Basic and Advanced, CrashPlan Cloud, and other plans only

Assign this role to users of the Code42 app who do not need to perform restores using the Code42 console. People with this role can still restore files from the Code42 app and select files for backup in the Code42 app.

  • Limitations 
    • Cannot interact with other users' data or change settings.
    • Cannot perform web restores.
  • Scope of permissions
    • Assigned user.
  • Permissions
    • cpd.login: Log in to the Code42 app.
    • cpd.restore: Restore from the Code42 app.
    • cps.login: Log in to the client desktop.
    • select.personal: Remotely browse file and directory names for personal devices. Used for remotely selecting push-restore destination and backup sources.

High Risk Employee Manager

Assign this role to people who add or remove users in the High Risk Employees list. This role is intended to augment the Insider Risk Analyst role, or to be used as a standalone role for application integrations that add or remove users in the High Risk Employees list.

    Limitations 
    • Cannot perform any administrator actions beyond adding and removing users in the High Risk Employees list.
  • Scope of permissions
    • Assigned user.
  • Permissions
    • cpp.login: Log in to the Code42 console.
    • crossorg-org.read: View organization information across organizations.
    • crossorg-user.read: View user information across organizations.
    • detectionlists.highriskemployee.read: View users on the high risk employee list, including notes, attributes, and risk factors.
    • detectionlists.highriskemployee.write: Add and remove users from high risk employee list.
    • detectionlists.highriskemployeealerts.read: View high risk employee alert settings.
    • detectionlists.highriskemployeealerts.write: Modify high risk employee alert settings.
    • detectionlists.userprofile.read: Ability to search for user profiles and get basic user information such as their name, department, and cloud aliases.
    • detectionlists.userprofile.write: Ability to add and remove cloud alias names from a user profile.
    • detectionlists.userprofilenotes.read: Ability to view user notes.
    • detectionlists.userprofilenotes.write: Ability to update user notes.

Insider Risk Admin

Assign this role to administrators who need read and write access to all Incydr functionality. The person with this role typically is the administrator responsible for managing the team of insider risk analysts, and assigns the Insider Risk Analyst and Insider Risk Read Only roles.

For Incydr users currently assigned the Security Center User role, we recommend reassigning them either this role or the Insider Risk Analyst role instead, depending on their responsibilities. These roles are designed specifically for users of Incydr and only contain permissions for use with Incydr product plans. For directions on assigning roles to Incydr users, see Roles for Incydr.

  • Limitations 
    • Cannot restore files from Forensic Search (requires the Security Center - Restore role).
    • Cannot view the Audit Log (requires the Audit Log Viewer role).
    • Cannot add/deactivate users, devices, or organizations.
  • Scope of permissions
    • All organizations.
  • Permissions
    • alerting.alerts.read: View alerts generated.
    • alerting.alerts.write: Manage generated alerts, including ability to edit notes and status.
    • alerting.rules.read: View rules configured for alerts.
    • alerting.rules.write: Create and modify alert rules.
    • cases.content.read: View all case information, including events and findings.
    • cases.content.write: Edit all aspects of a case, including add/remove file events, assign subjects, statuses, and add/edit findings.
    • console.login: Log in to the Code42 console.
    • cpp.login: Log in to the Code42 console.
    • dataconnections.settings.read: View all settings configured for Data Connections.
    • datapreferences.settings.read: View all settings configured for Data Preferences.
    • datapreferences.settings.write: Add, edit, and remove settings configured for Data Preferences.
    • detectionlists.departingemployee.read: View users on the departing employee list, including notes, departure date, attributes, and event counts.
    • detectionlists.departingemployee.write: Add and remove users from the departing employee list, including details for departure date.
    • detectionlists.departingemployeealerts.read: View departing employee alert settings.
    • detectionlists.departingemployeealerts.write: Modify departing employee alert settings.
    • detectionlists.highriskemployee.read: View users on the high risk employee list, including notes, attributes, and risk factors.
    • detectionlists.highriskemployee.write: Add and remove users from high risk employee list.
    • detectionlists.highriskemployeealerts.read: View high risk employee alert settings.
    • detectionlists.highriskemployeealerts.write: Modify high risk employee alert settings.
    • detectionlists.userprofile.read: Ability to search for user profiles and get basic user information such as their name, department, and cloud aliases.
    • detectionlists.userprofile.write: Ability to add and remove cloud alias names from a user profile.
    • detectionlists.userprofilenotes.read: Ability to view user notes.
    • detectionlists.userprofilenotes.write: Ability to update user notes.
    • prioritization.settings.read: View all available risk settings, including the risk indicators and corresponding weights.
    • prioritization.settings.write: Edit all aspects of risk settings, including the weight assigned to individual risk indicators.
    • search.fileevents.read: View, search, and export event-level metadata about file and data movement. Includes access to Forensic Search and related APIs.
    • search.saved.read: View saved searches that have been created in Forensic Search.
    • search.saved.write: Create, modify, and delete saved searches in Forensic Search.
    • visualizations.endpointhealth.read: View device health information for collection of file events.
    • visualizations.risksummaries.read: View the risk exposure visualizations.

Insider Risk Analyst

Assign this role to analysts responsible for using Incydr to investigate and respond to insider risks. The people assigned this role perform investigations with Forensic Search, create cases, create alert rules, and view alert notifications. For directions on assigning roles to Incydr users, see Roles for Incydr.

  • Limitations 
    • Cannot access the High Risk Employees list or Departing Employees list.
    • Cannot restore files from Forensic Search (requires the Security Center - Restore role).
    • Cannot view the Audit Log (requires the Audit Log Viewer role).
    • Cannot add/deactivate users, devices, or organizations.
  • Scope of permissions
    • All organizations.
  • Permissions
    • alerting.alerts.read: View alerts generated.
    • alerting.alerts.write: Manage generated alerts, including ability to edit notes and status.
    • alerting.rules.read: View rules configured for alerts.
    • alerting.rules.write: Create and modify alert rules.
    • cases.content.read: View all case information, including events and findings.
    • cases.content.write: Edit all aspects of a case, including add/remove file events, assign subjects, statuses, and add/edit findings.
    • console.login: Log in to the Code42 console.
    • cpp.login: Log in to the Code42 console.
    • dataconnections.settings.read: View all settings configured for Data Connections.
    • datapreferences.settings.read: View all settings configured for Data Preferences.
    • datapreferences.settings.write: Add, edit, and remove settings configured for Data Preferences.
    • detectionlists.userprofile.read: Ability to search for user profiles and get basic user information such as their name, department, and cloud aliases.
    • detectionlists.userprofile.write: Ability to add and remove cloud alias names from a user profile.
    • detectionlists.userprofilenotes.read: Ability to view user notes.
    • detectionlists.userprofilenotes.write: Ability to update user notes.
    • prioritization.settings.read: View all available risk settings, including the risk indicators and corresponding weights.
    • prioritization.settings.write: Edit all aspects of risk settings, including the weight assigned to individual risk indicators.
    • search.fileevents.read: View, search, and export event-level metadata about file and data movement. Includes access to Forensic Search and related APIs.
    • search.saved.read: View saved searches that have been created in Forensic Search.
    • search.saved.write: Create, modify, and delete saved searches in Forensic Search.
    • visualizations.endpointhealth.read: View device health information for collection of file events.
    • visualizations.risksummaries.read: View the risk exposure visualizations.

Insider Risk Read Only

Assign this role to people who need to keep informed about insider risk investigations in Incydr, but who should not create alert rules, cases, or saved searches. For example, assign it to a junior analyst to allow them to perform light investigations, or assign it to the CISO or Chief Privacy Officer to allow them read-only access. People assigned this role can view information in Incydr, including the High Risk Employees list, Departing Employees list, Risk Exposure, Alerts notifications, and Cases. For directions on assigning roles to Incydr users, see Roles for Incydr.

  • Limitations 
    • View-only capabilities; cannot make any changes in Incydr.
    • Cannot view the Audit Log (requires the Audit Log Viewer role).
    • Cannot add/deactivate users, devices, or organizations.
  • Scope of permissions
    • All organizations.
  • Permissions
    • alerting.alerts.read: View alerts generated.
    • alerting.rules.read: View rules configured for alerts.
    • cases.content.read: View all case information, including events and findings.
    • console.login: Log in to the Code42 console.
    • cpp.login: Log in to the Code42 console.
    • dataconnections.settings.read: View all settings configured for Data Connections.
    • datapreferences.settings.read: View all settings configured for Data Preferences.
    • detectionlists.departingemployee.read: View users on the departing employee list, including notes, departure date, attributes, and event counts.
    • detectionlists.departingemployeealerts.read: View departing employee alert settings.
    • detectionlists.highriskemployee.read: View users on the high risk employee list, including notes, attributes, and risk factors.
    • detectionlists.highriskemployeealerts.read: View high risk employee alert settings.
    • detectionlists.userprofile.read: Ability to search for user profiles and get basic user information such as their name, department, and cloud aliases.
    • detectionlists.userprofilenotes.read: Ability to view user notes.
    • prioritization.settings.read: View all available risk settings, including the risk indicators and corresponding weights.
    • search.fileevents.read: View, search, and export event-level metadata about file and data movement. Includes access to Forensic Search and related APIs.
    • search.saved.read: View saved searches that have been created in Forensic Search.
    • visualizations.endpointhealth.read: View device health information for collection of file events.
    • visualizations.risksummaries.read: View the risk exposure visualizations.

Manifest Viewer

Incydr Basic and Advanced, CrashPlan Cloud, and other plans only

Assign this role to people who need to access archive metadata so they can generate reports on files and their versions. This role is used only by APIs.

  • Limitations 
    • Does not directly grant access to view or manage users and organizations.
  • Scope of permissions
    • Used solely by APIs.
    • Allows access to archives for all organizations.
  • Permissions
    • preservation.metadata.read: View the preservation manifest for any archive in the organization.

Multi-Factor Auth Admin

Assign this role to administrators who manage two-factor authentication for local users within a specific organization. Assign this role in conjunction with an administrative role with organization and user access rights such as Org Admin.

  • Limitations 
    • Does not directly grant access to view or manage users and organizations.
  • Scope of permissions
    • The user's organization and its child organizations.
  • Permissions
    • twofactorauth.configure: View and edit two-factor auth settings for local users.

Org Admin

Assign this role to administrators who manage users and devices within a specific organization. The person assigned this role can perform web restores, view data in reports, and update settings for users, devices, and organizations.

  • Limitations 
    • Limited access to the Code42 console command line interface (CLI).
    • Cannot access system logs.
  • Scope of permissions
    • The user's organization and its child organizations.
  • Permissions
    • account.update: For internal use only.
    • computer: Access, alter, or remove any computer information.
    • computer.delete: Permission to delete computer.
    • computer.read: Permission to view computer information.
    • computer.update: Permission to update computer information.
    • console.login: Log in to the Code42 console.
    • cpd.login: Log in to the Code42 app.
    • cpd.restore: Restore from the Code42 app.
    • cpp.login: Log in to the Code42 console.
    • cps.login: Log in to the client desktop.
    • fileforensics.settings_write: View and edit file forensics related settings.
    • org.create: Create child organizations within user's organization.
    • org.delete: Delete information within user's organization.
    • org.read: View org information within user's organization.
    • org.update_deactivate: Update information within a user's organization and deactivate organizations.
    • plan: Create, read, update and delete plans within a user's organization hierarchy.
    • plan.create: Create plans within a user's organization hierarchy.
    • plan.delete: Delete plans from a user's organization hierarchy.
    • plan.read: Read information about plans within a user's organization hierarchy.
    • plan.update: Update information on plans within a user's organization hierarchy.
    • pushrestore: Perform a push restore from and to any device the user has authority to manage.
    • pushrestore.limited: Perform a push restore only to the source user's devices. There is no size limit.
    • pushrestore.personal: Perform a personal push restore.
    • restore: Perform a full web restore for all devices user has authority to manage.
    • restore.limited: Perform a limited size web restore for all devices user has authority to manage.
    • restore.personal: Perform a personal web restore.
    • search.configure: Configure search related settings.
    • securitytools.settings_write: Edit settings for Code42 Security Tools.
    • select: Remotely browse file and directory names for all devices user has authority to manage. Used for remotely selecting push-restore destination and backup sources.
    • select.personal: Remotely browse file and directory names for personal devices. Used for remotely selecting push-restore destination and backup sources.
    • system.command_restricted: View the CLI and run any command for which the user has permission.
    • user: Access, alter or remove any user information.
    • user.create: Permission to create users.
    • user.delete: Permission to delete users.
    • user.read: Permission to view user information.
    • user.update: Permission to update user information.
    • viewlogs.device: Access agent logs for any device the user has read permissions to.

Org Admin - No Web Restore

Incydr Basic and Advanced, CrashPlan Cloud, and other plans only

Assign this role to administrators who manage users and devices within a specific organization and who do not perform web restores. The person assigned this role can update settings for users, devices, and organizations.

  • Limitations 
    • The user's organization and its child organizations.
  • Scope of permissions
    • Cannot add/deactivate users or computers outside their organization.
    • Limited access to the Code42 console command line interface (CLI).
    • Cannot access system logs.
    • Cannot perform web restores.
  • Permissions
    • account.update: For internal use only.
    • computer: Access, alter, or remove any computer information.
    • computer.delete: Permission to delete computer.
    • computer.read: Permission to view computer information.
    • computer.update: Permission to update computer information.
    • console.login: Log in to the Code42 console.
    • cpd.login: Log in to the Code42 app.
    • cpd.restore: Restore from the Code42 app.
    • cpp.login: Log in to the Code42 console.
    • cps.login: Log in to the client desktop.
    • fileforensics.settings_write: View and edit file forensics related settings.
    • org.create: Create child organizations within user's organization.
    • org.delete: Delete information within user's organization.
    • org.read: View org information within user's organization.
    • org.update_deactivate: Update information within a user's organization and deactivate organizations.
    • plan: Create, read, update and delete plans within a user's organization hierarchy.
    • plan.create: Create plans within a user's organization hierarchy.
    • plan.delete: Delete plans from a user's organization hierarchy.
    • plan.read: Read information about plans within a user's organization hierarchy.
    • plan.update: Update information on plans within a user's organization hierarchy.
    • pushrestore: Perform a push restore from and to any device the user has authority to manage.
    • pushrestore.limited: Perform a push restore only to the source user's devices. There is no size limit.
    • pushrestore.personal: Perform a personal push restore.
    • search.configure: Configure search related settings.
    • securitytools.settings_write: Edit settings for Code42 Security Tools.
    • select: Remotely browse file and directory names for all devices user has authority to manage. Used for remotely selecting push-restore destination and backup sources.
    • select.personal: Remotely browse file and directory names for personal devices. Used for remotely selecting push-restore destination and backup sources.
    • system.command_restricted: View the CLI and run any command for which the user has permission.
    • user: Access, alter or remove any user information.
    • user.create: Permission to create users.
    • user.delete: Permission to delete users.
    • user.read: Permission to view user information.
    • user.update: Permission to update user information.
    • viewlogs.device:  Access agent logs for any device the user has read permissions to.

Org Computer Modify

Incydr Basic and Advanced, CrashPlan Cloud, and other plans only

Assign this role to individuals who modify device settings in their organization. Assign in conjunction with Org Help Desk to enable help desk personnel to add and deactivate user devices.

    Limitations 
    • Cannot modify settings of devices in other organizations.
    • Cannot add/deactivate users or organizations.
  • Scope of permissions
    • All organizations.
  • Permissions
    • computer.update: Update computer information.
    • user.read: View user information.

Org Help Desk

Incydr Basic and Advanced, CrashPlan Cloud, and other plans only

Assign this role to help desk personnel who assist others in their organization, but who do not change any settings. The people with this role can view users and devices, restore files to the source user's devices using the Code42 console, and use reports to view data. To allow people with this role to add and deactivate devices, assign this role in conjunction with the Org Computer Modify role. 

  • Limitations 
    • Cannot change settings.
    • Cannot add/deactivate users, devices, or organizations.
  • Scope of permissions
    • The user's organization and its child organizations.
  • Permissions
    • computer.read: View computer information.
    • console.login: Log in to the Code42 console.
    • cpd.login: Log in to the Code42 app.
    • cpd.restore: Restore from the Code42 app.
    • cpp.login: Log in to the Code42 console.
    • cps.login: Log in to the client desktop.
    • org.read: View org information within user's organization.
    • plan.read: Read information about plans within a user's organization hierarchy.
    • pushrestore.limited: Perform a push restore only to the source user's devices. There is no size limit.
    • select: Remotely browse file and directory names for all devices user has authority to manage. Used for remotely selecting push-restore destination and backup sources.
    • select.personal: Remotely browse file and directory names for personal devices. Used for remotely selecting push-restore destination and backup sources.
    • user.read: View user information.

Org Help Desk - No Restore

Incydr Basic and Advanced, CrashPlan Cloud, and other plans only

Assign this role to help desk personnel who assist others in their organization, but who do not change any settings or restore files for others. People with this role can view users and devices.

  • Limitations 
    • Cannot perform push or web restores.
    • Cannot change settings.
    • Cannot add/deactivate users, devices, or organizations.
  • Scope of permissions
    • The user's organization and its child organizations.
  • Permissions
    • computer.read: View computer information.
    • console.login: Log in to the Code42 console.
    • cpd.login: Log in to the Code42 app.
    • cpd.restore: Restore from the Code42 app.
    • cpp.login: Log in to the Code42 console.
    • cps.login: Log in to the client desktop.
    • org.read: View org information within user's organization.
    • plan.read: read information about plans within a user's organization hierarchy.
    • user.read: View user information.

Org Legal Admin

Incydr Basic and Advanced, CrashPlan Cloud, and other plans only

Assign this role to legal personnel who place custodians on legal hold and administer legal holds for all organizations, but who only need to restore files from users within their organization. People with this role can restore files for legal hold collection purposes (push restore), and create, modify, and deactivate legal holds.

  • Limitations 
    • No "root" level access.
    • Cannot change settings.
    • Cannot add/deactivate users, devices, or organizations.
  • Scope of permissions
    • The user's organization and its child organizations.
  • Permissions
    • computer.read: View computer information.
    • console.login: Log in to the Code42 console.
    • cpd.login: Log in to the Code42 app.
    • cpp.login: Log in to the Code42 console.
    • cps.login: Log in to the client desktop.
    • legalhold: Perform any operation regarding any Legal Hold.
    • legalhold.create: Create a Legal Hold.
    • legalhold.modify_membership: Add/remove users to/from any Legal Hold.
    • legalhold.read: View any Legal Hold.
    • legalhold.update: Update any Legal Hold.
    • org.read: View org information within user's organization.
    • plan: Create, read, update and delete plans within a user's organization hierarchy.
    • plan.create: Create plans within a user's organization hierarchy.
    • plan.delete: Delete plans from a user's organization hierarchy.
    • plan.read: Read information about plans within a user's organization hierarchy.
    • plan.update: Update information on plans within a user's organization hierarchy.
    • pushrestore: Perform a push restore from and to any device the user has authority to manage.
    • pushrestore.limited: Perform a push restore only to the source user's devices. There is no size limit.
    • pushrestore.personal: Perform a personal push restore.
    • restore: Perform a full web restore for all devices user has authority to manage.
    • restore.limited: Perform a limited size web restore for all devices user has authority to manage.
    • restore.personal: Perform a personal web restore.
    • select: Remotely browse file and directory names for all devices user has authority to manage. Used for remotely selecting push-restore destination and backup sources.
    • select.personal: Remotely browse file and directory names for personal devices. Used for remotely selecting push-restore destination and backup sources.
    • user.read: View user information.

Org Manager

Assign this role to executive users who need statistics, but not technical details, about their organization. People with this role can view users and devices, restore files to the source user's devices using the Code42 console, and view data in reports.

  • Limitations 
    • Cannot change settings.
    • Cannot add/deactivate users, devices, or organizations.
  • Scope of permissions
    • The user's organization and its child organizations.
  • Permissions
    • computer.read: View computer information.
    • console.login: Log in to the Code42 console.
    • cpd.login: Log in to the Code42 app.
    • cpd.restore: Restore from the Code42 app.
    • cpp.login: Log in to the Code42 console.
    • cps.login: Log in to the client desktop.
    • org.read: View org information within user's organization.
    • plan.read: Read information about plans within a user's organization hierarchy.
    • pushrestore.personal: Perform a personal push restore.
    • restore.limited: Perform a limited size web restore for all devices user has authority to manage.
    • restore.personal: Perform a personal web restore.
    • select.personal: Remotely browse file and directory names for personal devices. Used for remotely selecting push-restore destination and backup sources.
    • user.read: View user information.
    • viewlogs.device:  Access agent logs for any device the user has read permissions to.

Org Security Viewer

Incydr Basic and Advanced, CrashPlan Cloud, and other plans only

Assign this role to information security personnel who need to retrieve information from devices that use endpoint monitoring in their organization. People with this role can use the Activity Profile to view user activity detected by endpoint monitoring, and can view data in reports. This role only applies to customers with the retired Code42 Gold product plan. It must be assigned in conjunction with the Security Center User role. 

  • Limitations 
    • Cannot view security data in features offered by other product plans than the Code42 Gold product plan (for example, Forensic Search, Alerts, Risk Exposure dashboard, and so on).
    • Does not restrict access by organization for security data features in non-Code42 Gold product plans.
    • Cannot change settings in the organization.
    • Cannot add/deactivate users, devices, or organizations.
  • Scope of permissions
    • The user's organization and its child organizations.
  • Permissions
    • computer.read: View computer information.
    • console.login: Log in to the Code42 console.
    • cpp.login: Log in to the Code42 console.
    • org.read: View org information within user's organization.
    • plan.read: Read information about plans within a user's organization hierarchy.
    • securitytools.data_read: View data collected by Code42 Security Tools.
    • user.read: View user information.

PROe User

Incydr Basic and Advanced, CrashPlan Cloud, and other plans only

This role is the default role for Code42 console users. People with this role can sign in to the Code42 console and restore files from the Code42 console.

  • Limitations 
    • Cannot access other information or functions of Code42 for Enterprise.
  • Scope of permissions
    • Assigned user.
  • Permissions
    • console.login: Log in to the Code42 console.
    • cpd.restore: Restore files.
    • cpp.login: Log in to the Code42 console.

Push Restore

Incydr Basic and Advanced, CrashPlan Cloud, and other plans only

Assign this role to help desk personnel who assist others with restoring data. People with this role can restore files from the Code42 console and view files within backup archives. Assign this role in conjunction with a role that has access to the Code42 console, such as Org Help Desk

  • Limitations 
    • Cannot add/deactivate users, organizations, or devices.
  • Scope of permissions
    • All organizations.
  • Permissions
    • pushrestore: Perform a push restore from and to any device the user has authority to manage.
    • pushrestore.limited: Perform a push restore only to the source user's devices. There is no size limit.
    • pushrestore.personal: Perform a personal push restore.
    • select: Remotely browse file and directory names for all devices user has authority to manage. Used for remotely selecting push-restore destination and backup sources. 
    • select.personal: Remotely browse file and directory names for personal devices. Used for remotely selecting push-restore destination and backup sources.

Remote File Selection

Incydr Basic and Advanced, CrashPlan Cloud, and other plans only

Assign this role to help desk personnel who monitor backups by viewing files within backup archives. Assign this role in conjunction with a role that has access to the Code42 console, such as Org Help Desk - No Restore.

  • Limitations 
    • Cannot add/deactivate users, organizations, or devices.
  • Scope of permissions
    • All organizations.
  • Permissions
    • select: Remotely browse file and directory names for all devices user has authority to manage. Used for remotely selecting push-restore destination and backup sources. 
    • select.personal: Permission to remotely browse file and directory names for personal devices. Used for remotely selecting push-restore destination and backup sources.

Security Administrator

Assign this role to an administrator whose work is limited to setup and maintenance of the Incydr installation. People assigned this role can configure data connections and perform client management jobs that include app downloadsdeployment policies, customizations, and Code42 app upgrades.

Assign this role instead of the Customer Cloud Admin role if the administrator's job is limited to setup and maintenance of the Incydr installation. For more information on assigning roles for Incydr, see Roles for Incydr.

  • Limitations 
    • Cannot use Incydr features.
  • Scope of permissions
    • All organizations.
  • Permissions
    • client_management.agent_channel_upgrade.read: Permission to read Agent Upgrade Channel information.
    • client_management.agent_channel_upgrade.subscribe: Permission to subscribe to an Agent Upgrade Channel.
    • client_management.deployment_policy.read: Read deployment policy information.
    • client_management.deployment_policy.write: Write deployment policy information.
    • client_management.device_upgrade.read: Read device upgrade settings.
    • client_management.device_upgrade.write: Write device upgrade settings.
    • console.login: Log in to the Code42 console.
    • cpp.login: Log in to the Code42 console.
    • customer_admin.all: Configure settings for the entire environment. 
    • dataconnections.settings.read: View all settings configured for Data Connections.
    • dataconnections.settings.write: Add, edit, and remove settings configured for Data Connections. 

Security Center User

Incydr Basic and Advanced, CrashPlan Cloud, and other plans only

Assign this role to information security personnel who need to view user activity detected by endpoint monitoring and who manage activity profiles.

If this role is assigned to administrators or analysts who use Incydr, we recommend reassigning them either the Insider Risk Admin or Insider Risk Analyst role instead, depending on their responsibilities. These roles are designed specifically for users of Incydr and only contain permissions for use with Incydr product plans. For directions on assigning roles to Incydr users, see Roles for Incydr

  • Limitations 
    • Cannot change settings.
    • Cannot add/deactivate users, devices, or organizations.
    • Cannot restore files from Forensic Search (requires the Security Center - Restore role).
  • Scope of permissions
    • All organizations.
  • Permissions
    • alerting.alerts.read: View alerts generated.
    • alerting.alerts.write: Manage generated alerts, including ability to edit notes and status.
    • alerting.rules.read: View rules configured for alerts.
    • alerting.rules.write: Create and modify alert rules.
    • cases.content.read: View all case information, including events and findings.
    • cases.content.write: Edit all aspects of a case, including add/remove file events, assign subjects, statuses, and add/edit findings.
    • crossorg-org.read: View organization information across organizations.
    • crossorg-user.read: View user information across organizations.
    • datapreferences.settings.read: View all settings configured for Data Preferences.
    • datapreferences.settings.write: Add, edit, and remove settings configured for Data Preferences.
    • detectionlists.departingemployee.read: View users on the departing employee list, including notes, departure date, attributes, and event counts.
    • detectionlists.departingemployee.write: Add and remove users from the departing employee list, including details for departure date.
    • detectionlists.departingemployeealerts.read: View departing employee alert settings.
    • detectionlists.departingemployeealerts.write: Modify departing employee alert settings.
    • detectionlists.highriskemployee.read: View users on the high risk employee list, including notes, attributes, and risk factors.
    • detectionlists.highriskemployee.write: Add and remove users from high risk employee list.
    • detectionlists.highriskemployeealerts.read: View high risk employee alert settings.
    • detectionlists.highriskemployeealerts.write: Modify high risk employee alert settings.
    • detectionlists.userprofile.read: Ability to search for user profiles and get basic user information such as their name, department, and cloud aliases.
    • detectionlists.userprofile.write: Ability to add and remove cloud alias names from a user profile.
    • detectionlists.userprofilenotes.read: Ability to view user notes.
    • detectionlists.userprofilenotes.write: Ability to update user notes.
    • fileforensics.settings_write: View and edit file forensics related settings.
    • search.fileevents.read: View, search, and export event-level metadata about file and data movement. Includes access to Forensic Search and related APIs.
    • search.saved.read: View saved searches that have been created in Forensic Search.
    • search.saved.write: Create, modify, and delete saved searches in Forensic Search.
    • securitytools.data_read: View data collected by Code42 Security Tools.
    • securitytools.settings_write: Edit settings for Code42 Security Tools.
    • visualizations.endpointhealth.read: View device health information for collection of file events.
    • visualizations.risksummaries.read: View the risk exposure visualizations.

Security Center - Restore

Assign this role to information security personnel who need to restore files from Forensic Search. Assign in conjunction with an administrative role such as Insider Risk Admin or Insider Risk Analyst. For directions on assigning roles to Incydr users, see Roles for Incydr

  • Limitations 
    • Does not directly grant access to view or manage other users.
  • Scope of permissions
    • The user's organization and its child organizations.
  • Permissions
    • fileforensics.restore: Restore files from Forensic Search.

User Modify

Incydr Basic and Advanced, CrashPlan Cloud, and other plans only

Assign this role to help desk personnel who modify user settings in their organization, but who do not modify device or organization settings. This role must be assigned in conjunction with a role that has access to the Code42 console, such as Cross Org Help Desk.

  • Limitations Scope of permissions
    • Cannot add or deactivate users.
    • Cannot update organization settings.
    • The user's organization and its child organizations.
  • Permissions
    • user.read: View user information.
    • user.update: Update user information.
  • Was this article helpful?