Best practices for custom roles and permissions

Last updated
Save as PDF

Who is this article for?

CrashPlan Cloud

CrashPlan for Small Business

CrashPlan On-Premises

Find your product plan in the Code42 console on the Account menu.
Not a CrashPlan On-Premises customer? Search or browse Incydr and Instructor, CrashPlan Cloud, or CrashPlan for Small Business.

Instructor, no.

Incydr Professional, Enterprise, Gov F2, and Horizon, no.

Incydr Basic, Advanced, and Gov F1, no.

CrashPlan Cloud, no.

Retired product plans, yes.

CrashPlan for Small Business, no.

Overview

After you have an understanding of Managing User Roles, you're ready to customize roles and permissions. Our recommended best practices provide guidelines for developing custom roles in your Code42 environment using its powerful and complex permissions.

Several standard roles are already preconfigured in your Code42 environment. These roles are thoroughly tested and provide for most common use cases.

Best practices

Process

We recommend this process for creating a new role in your Code42 environment:

Check the existing roles to see if they meet your needs
Make a duplicate of an existing role, then add or remove permissions as needed
Test your customized role to ensure it behaves as expected
Assign your custom role to users

Check existing roles first

Several standard roles are already preconfigured in your Code42 environment. These roles are thoroughly tested and provide for most common use cases.

Review the existing roles at Settings > Security > Roles.

Duplicate and modify an existing role

While you can create new roles and add permissions, we recommend starting with an existing role and changing permissions as needed for your environment.

Code42 for Enterprise permissions are modular and affect specific actions. Because of this, combining certain role permissions or omitting other permissions can cause unexpected behavior for users.

Test your custom roles

Due to the complexity of the available permissions, it is vital to test your custom roles before deploying them to users.

After creating a custom role, assign it to a test user. Then sign in as that test user and try the functions you expect that user to perform. For example, if you're creating a custom role for a help desk technician, test the role by looking through user accounts, deactivating and reactivating a user, and restoring a file from the Code42 console.

Assign your custom role to users

After testing that your custom role behaves as expected, assign that role to users in your Code42 environment.

Considerations

Be careful with SYSADMIN

The SYSADMIN role contains the admin permission, which is granted to the local administrator account. Users with the admin permission can:

Read and write all information for all users, organizations, and settings
Grant or remove all permissions for all users, including themselves and other SYSADMIN users

Though users with the admin permission can read and write all information in the Code42 console, it does not include all other permissions. For example, a user with admin permission cannot perform admin restores for other users.

Limiting the number of accounts with the admin permission is a good way to minimize the risk of incorrect configuration (even accidental) of your Code42 environment.

Example custom roles

These examples come from actual requests made to our Customer Champions.

Read-only user

Desired functionality

An organization wants to have "read-only" help desk users. These read-only users need to view user information in the Code42 console, but should not have permission to interact with backups, namely:

pausing backups
resuming backups
performing archive maintenance

Starting roles

Org Help Desk

Permissions

Starting Permissions	Added Permissions	Removed Permissions	Final Permissions
computer.read console.login cpd.login cpd.restore cpp.login cps.login org.read plan.read pushrestore.limited select user.read	allcomputer.read allorg.read alluser.read viewlogs	pushrestore.limited select	allcomputer.read allorg.read alluser.read computer.read console.login cpd.login cpd.restore cpo.login cpp.login cps.login org.read user.read viewlogs

Starting Permissions

Added Permissions

Removed Permissions

Final Permissions

computer.read

console.login

cpd.login

cpd.restore

cpp.login

cps.login

org.read

plan.read

pushrestore.limited

select

user.read

allcomputer.read

allorg.read

alluser.read

viewlogs

pushrestore.limited

select

allcomputer.read

allorg.read

alluser.read

computer.read

console.login

cpd.login

cpd.restore

cpo.login

cpp.login

cps.login

org.read

user.read

viewlogs

Regulation-compliant backup user

Desired functionality

An organization needs to give users permission to manage their backups, but the users should not be allowed to restore data from the Code42 console for compliance reasons.

The desired behavior requires two roles: the standard PROe User role, which allows users to sign in to the Code42 console, and a customized Desktop User role.

Starting roles

Desktop User

Permissions

Starting Permissions	Added Permissions	Removed Permissions	Final Permissions
cpd.login cps.login cpd.restore plan.create restore.personal select.personal spd.login	pushrestore	restore.personal	cpd.login cpd.restore cps.login plan.create pushrestore select.personal spd.login

Starting Permissions

Added Permissions

Removed Permissions

Final Permissions

cpd.login

cps.login

cpd.restore

plan.create

restore.personal

select.personal

spd.login

pushrestore

restore.personal

cpd.login

cpd.restore

cps.login

plan.create

pushrestore

select.personal

spd.login

Backup-only user

Desired functionality

An organization needs to give users permission to back up data, but not restore it on their own. To restore data, the users must contact their IT department.

Starting roles

Desktop User

Permissions

Starting Permissions	Added Permissions	Removed Permissions	Final Permissions
cpd.login cps.login cpd.restore plan.create restore.personal select.personal spd.login		cpd.restore restore.personal select.personal pushrestore	cpd.login cps.login plan.create spd.login

Starting Permissions

Added Permissions

Removed Permissions

Final Permissions

cpd.login

cps.login

cpd.restore

plan.create

restore.personal

select.personal

spd.login

cpd.restore

restore.personal

select.personal

pushrestore

cpd.login

cps.login

plan.create

spd.login

Standard role reference

The available standard roles, as well as the permissions, limitations, and recommended use cases for each are described in the table below.

For details about the specific permissions held by each role, review them in your Code42 console at Settings > Security > Roles.

Role	Permission Summary	Limitations	Recommended Use Case
Admin Restore	Administrative Allows users to restore data using the Code42 console End user None	No access to the Code42 console or Code42 app	Assign in conjunction with a role that has access to the Code42 console and Code42 app
Admin Restore Limited	Administrative Allows users to restore a limited amount of data using the Code42 console (configurable limit) End user None	Restore limit is configurable from Settings > Organization (250 MB by default) No access to the Code42 console or Code42 app	Assign in conjunction with a role that has access to the Code42 console and Code42 app
All Org Admin	Administrative Read and write information for all users, computers, and organizations Access the Code42 console command line interface View and cancel jobs in the archive maintenance queue View system logs Use the Reporting web app to view data for all organizations End user Perform personal backups from the Code42 app and Code42 console	No "root" level access	IT staff who need to perform administrative tasks, but who should not have "root" level access
All Org Manager	Administrative Review statistics about all organizations and retrieve data Use the Reporting web app to view data for all organizations End user None	Read-only access to prevent them from mistakenly changing settings or deleting data	Executive users who need statistics, but not technical details, about your Code42 environment
All Org Search	Administrative Use the File Search web app to: Search backed-up files in across all organizations Download files that appear in search results Use the Reporting web app to view data for all organizations End user None	No access to the Code42 console or Code42 app	Information security or legal personnel who need to examine backed-up files across your entire Code42 environment
All Org Security Viewer	Administrative Use the Reporting web appto view data for all organizations Use the Security Center to view data for all organizations End user None	Cannot change settings in your Code42 environment	Information security personnel who need to retrieve information from devices that use endpoint monitoring.
Desktop User	Administrative N/A End user Perform personal backups from the Code42 app and Code42 console	Cannot interact with other users' data or change settings in your Code42 environment	End users in your organization
Legal Admin	Administrative Use the Legal Hold web app to: Create, modify, and deactivate legal holds Restore files to any device for legal hold collection purposes (push restore) Perform web restores for any device Use the Reporting web app to view data for all organizations End user Perform personal backups from the Code42 app	No "root" level access Cannot change settings Read-only view of users, devices, and organizations	Legal personnel who need to place custodians on legal hold, perform data collection related to legal holds, and administer legal holds.
Org Admin	Administrative Read and write information for users, computers, and organization settings for the user's organization and its child organizations Read and write to plans within the user's organization and its child organizations Use the Reporting web app to view data for the user's organization and its child organizations End user Perform personal backups from the Code42 app and Code42 console	Cannot read or write information outside their organization Cannot access Code42 console command line Cannot access system logs	Administrators who should only manage users and devices within a specific organization
Org Help Desk	Administrative View (read-only) users and devices in the user's organization and its child organizations Restore files to the source user's devices using the Code42 console Use the Reporting web app to view data for the user's organization and its child organizations End user Perform personal backups from the Code42 app and Code42 console	Cannot change settings Cannot read or write information outside their organization	Help desk staff who can assist others within their organization, but not reconfigure any settings
Org Manager	Administrative View (read-only) users and devices in the user's organization and its child organizations Restore files to the source user's devices using the Code42 console Use the Reporting web app to view data for the user's organization and its child organizations End user Perform personal backups from the Code42 app and Code42 console	Cannot change settings Cannot read or write information outside their organization	Executive users who need statistics, but not technical details, about their organization (not the entire Code42 environment)
Org Search	Administrative Use the File Search web app to: Search backed-up files in the user's organization and child organizations Download files that appear in search results Use the Reporting web appto view data for the user's organization and its child organizations End user None	No access to the Code42 console or Code42 app	Information security or legal personnel who need to examine backed-up files in their organization (not the entire Code42 environment)
Org Security Viewer	Administrative Use the Reporting web app to view data for user's organization and its child organizations Use the Security Center to view data for user's organization and its child organizations End user None	Cannot change settings in the organization	Information security personnel who need to retrieve information from devices that use endpoint monitoring.
PROe User	Administrative Sign in to the Code42 console End user None	Cannot access other information or functions of Code42 for Enterprise	End users in your organization
Push Restore	Administrative Restore files from the Code42 console View files within backup archives End user None	No read or write access to any user, organization, or device	Help desk staff who will assist others with restoring data. Assign in conjunction with a role that has access to the Code42 console.
Remote File Selection	Administrative View files within backup archives End user None	No read or write access to any user, organization, or device	Help desk staff who will monitor backups. Assign in conjunction with a role that has access to the Code42 console.
Server Administrator	Administrative Read and write information for all users, computers, and organizations Read and write to all plans Edit all all system information and settings (except tasks reserved for system administrator) Use the Reporting web app to view data for all organizations End user Perform personal backups from the Code42 app and Code42 console	Cannot perform tasks reserved for system administrator, such as editing the local administrator account password	IT staff who need administrative privileges for the Code42 environment
SYSADMIN	Administrative Default role for the local administrator account "Root-level" access Read and write all information for all users, organizations, and settings Grant and revoke SYSADMIN role for other users Use the Reporting web app to view data for all organizations Use the File Search web app to: Search backed-up files in across all organizations Download files that appear in search results Use the Security Center to view data for all organizations End user None	Cannot perform admin restores for other users	Grant with caution! The roles Server Administrator or All Org Admin may be more appropriate.

Overview

Best practices

Process

Check existing roles first

Duplicate and modify an existing role

Test your custom roles

Assign your custom role to users

Considerations

Be careful with SYSADMIN

Example custom roles

Read-only user

Desired functionality

Starting roles

Permissions

Regulation-compliant backup user

Desired functionality

Starting roles

Permissions

Backup-only user

Desired functionality

Starting roles

Permissions

Standard role reference

Related topics