Security settings reference
Who is this article for?
Instructor, no.
Incydr Professional, Enterprise, Gov F2, and Horizon, no.
Incydr Basic, Advanced, and Gov F1, no.
CrashPlan Cloud, no.
Retired product plans, yes.
CrashPlan for Small Business, no.
Overview
This article is a reference guide for settings used to manage security keys, roles, LDAP, Radius, and Single Sign-On.
Keys
Item | Description | |
---|---|---|
a | Require SSL to access console |
Forces all web requests to use SSL. This setting impacts:
Before requiring ssl
Install a CA-signed SSL certificate, and configure the Website protocol, host, and port to use https and port 4285. |
b | SSL Keystore | Displays the Java keystore that contains your key materials. |
c | Import Keystore |
Imports your own SSL keystore into this Code42 server.
|
d | Export Keystore | Exports the currently installed SSL keystore to a file. This option is not available if the default keystore is in use. |
e | Reset Keystore | Deletes the existing keystore and randomly generates a new SSL keystore. |
f | RSA Public Key | Displays the public RSA key used for transport security. |
g | RSA Private Key | Displays the private RSA key used for transport security. |
h | Change RSA Key Pair |
Changes the RSA key pair used for transport security. This change requires a restart of the authority server to take effect.
Changing RSA keys will break server connections
Changing the RSA key pair will break any current connections between this authority server and other Code42 servers. We do not recommend it in multiple-server configurations. Restoring the connections requires manually adjusting server databases. |
Roles
The Roles screen displays all user roles and the specific permissions assigned to each role. You can add, copy, and edit user roles from this screen. To assign user roles, go to the specific user's User Details > Action Menu > Edit > Roles. You may also assign roles within your existing LDAP integration settings, using the role name script.
The SYSADMIN role has full read-write access to all orgs, users, and configuration settings. Users with the SYSADMIN role can grant any permission to themselves and to any other role or user. Other admin users with read-write access are allowed to grant only the permissions granted to themselves. When a permission is removed from an admin role, admins with the updated role can no longer grant the removed permission to any other user.
Item | Description | |
---|---|---|
a | Roles | Lists all currently available roles. |
b | Copy Role | Creates a new role. |
c | Edit Role | Edits the role. Default roles cannot be edited. |
d | Delete Role | Deletes the role. Default roles cannot be deleted. |
e | Permissions | Lists the permissions assigned to a role. |
f | Add | Creates a new role with custom permissions. |
g | Users | Displays the number of users currently assigned the selected role. Click to display a list of those users. |
Add or edit roles
Item | Description | |
---|---|---|
a | Role | Specifies the name of the role. |
b | Permissions Editor | Determines which permissions are assigned to this role. |
Standard role reference
The available standard roles, as well as the permissions, limitations, and recommended use cases for each are described in the table below.
For details about the specific permissions held by each role, review them in your Code42 console at Settings > Security > Roles.
Role | Permission Summary | Limitations | Recommended Use Case |
---|---|---|---|
Admin Restore |
Administrative
End user
|
No access to the Code42 console or Code42 app | Assign in conjunction with a role that has access to the Code42 console and Code42 app |
Admin Restore Limited |
Administrative
End user
|
|
Assign in conjunction with a role that has access to the Code42 console and Code42 app |
All Org Admin |
Administrative
End user
|
No "root" level access |
IT staff who need to perform administrative tasks, but who should not have "root" level access |
All Org Manager |
Administrative
End user
|
Read-only access to prevent them from mistakenly changing settings or deleting data | Executive users who need statistics, but not technical details, about your Code42 environment |
All Org Search |
Administrative
End user
|
No access to the Code42 console or Code42 app | Information security or legal personnel who need to examine backed-up files across your entire Code42 environment |
All Org Security Viewer |
Administrative
End user
|
Cannot change settings in your Code42 environment | Information security personnel who need to retrieve information from devices that use endpoint monitoring. |
Desktop User |
Administrative
End user
|
Cannot interact with other users' data or change settings in your Code42 environment | End users in your organization |
Legal Admin |
Administrative
End user
|
|
Legal personnel who need to place custodians on legal hold, perform data collection related to legal holds, and administer legal holds. |
Org Admin |
Administrative
End user
|
|
Administrators who should only manage users and devices within a specific organization |
Org Help Desk |
Administrative
End user
|
|
Help desk staff who can assist others within their organization, but not reconfigure any settings |
Org Manager |
Administrative
End user
|
|
Executive users who need statistics, but not technical details, about their organization (not the entire Code42 environment) |
Org Search |
Administrative
End user
|
No access to the Code42 console or Code42 app | Information security or legal personnel who need to examine backed-up files in their organization (not the entire Code42 environment) |
Org Security Viewer |
Administrative
End user
|
Cannot change settings in the organization | Information security personnel who need to retrieve information from devices that use endpoint monitoring. |
PROe User |
Administrative
End user
|
|
End users in your organization |
Push Restore |
Administrative
End user
|
|
Help desk staff who will assist others with restoring data. Assign in conjunction with a role that has access to the Code42 console. |
Remote File Selection |
Administrative
End user
|
|
Help desk staff who will monitor backups. Assign in conjunction with a role that has access to the Code42 console. |
Server Administrator |
Administrative
End user
|
Cannot perform tasks reserved for system administrator, such as editing the local administrator account password |
IT staff who need administrative privileges for the Code42 environment |
SYSADMIN |
Administrative
End user
|
|
Grant with caution! The roles Server Administrator or All Org Admin may be more appropriate. |
LDAP
For LDAP information please see the dedicated LDAP page.
RADIUS
Item | Description | |
---|---|---|
a | Server Name | Identifies the RADIUS server within your Code42 environment. |
b | Address |
Specifies hostname or IP address and port of the RADIUS server, in the format:
|
c | Shared Secret | Sets the shared encryption key that the authority server and RADIUS server use to communicate securely. |
d | Attributes | Sets the attribute/value pairs you want to send to the RADIUS server with each access request. Either the NAS-Identifer or NAS-IP-Address attribute/value pair is required. |
e | Timeout seconds | Sets the timeout period for all RADIUS requests. |
f | Protocol (4.1.6 and later) |
Sets the protocol used for communication with the RADIUS server: |
Single sign-on
When single sign-on (SSO) is enabled in your authority server, your Code42 environment delegates all authentication and authorization to the organization's identity provider for a single source of trust. You are able to centrally control all authentication - users never enter a password into Code42 applications or the Code42 console. Authentication and authorization is delegated (redirected) to an identity provider, where the login is performed.
For SSO configuration instructions, see Single Sign-On.
Item | Description | |
---|---|---|
a | Service Provider Metadata URL | Displays the URL for the authority server's SAML 2.0 metadata file. This file is used by the identity provider(s). |
b | Identify Provider(s) |
Displays the configured SSO identity provider(s) and identity federation(s). |
c | Identity federation | Click to view, modify, or delete the identity federation. |
d | Add identity provider | Click to add an identity provider from the identity federation. |
e | Identity provider | Click to view, modify, or delete the identity provider. |
f | Add Identity Provider or Federation | Click to configure a standalone identity provider or identity federation. |
g | Edit this provider | Click to modify the identity provider or identity federation. |
h | Delete this provider | Click to delete the identity provider or identity federation. Identity providers cannot be deleted while they are in use by the default organization settings or specific organizations. |
i | Identity Provider Details | Displays a read-only view of identity provider or identity federation configuration, including metadata URL and attribute mapping. Click Edit this provider to modify the configuration. |
Identity provider metadata
The following screen appears when configuring a standalone identity provider or identity federation.
Item | Description | |
---|---|---|
a | Identity Provider metadata URL |
Sets the URL for the standalone identity provider or identity federation metadata file. The authority server must be able to access this URL. |
b | Continue | Click to obtain configuration values from the metadata file referenced by the URL. |
Identity provider settings
The following screen appears when configuring a standalone identity provider or identity federation after you enter a metadata URL and click Continue, or when configuring an identity provider from an identity federation.
Item | Description | |
---|---|---|
a | Identity Provider metadata URL / Choose identity provider |
|
b | Update | Click to check the metadata file referenced by the URL for changes. |
c | Display name | Sets the name of your organization's SSO identity provider. This is a descriptive label and the text entered here is displayed to the user on the sign-in screen of the Code42 applications and Code42 console. |
d | Path to identify provider display name Federations only |
Sets the path to identity provider display names in the identity federation metadata XML file.
|
e | Use default mapping | Enables or disables default mapping between Code42 platform username attributes and SSO username attributes. |
f | Username |
Maps Code42 platform usernames to the SSO name identifier or a custom attribute.
|
g | Maps Code42 platform user email addresses to an SSO attribute. | |
h | First name | Maps Code42 platform user first names to an SSO attribute. |
i | Last name | Maps Code42 platform user last names to an SSO attribute. |
Storage server security settings
Viewing the Security settings from the Code42 console of a storage server presents a limited number of options for SSL.
Item | Description | |
a | Require SSL to access console | |
b | SSL Keystore | |
c | Import Keystore | |
d | Export Keystore | |
e | Reset Keystore |