Cohesity Alta SaaS Protection Administrator's Guide

Last Published:
Product(s): Alta SaaS Protection (3.2.1)
  1. Introduction to Cohesity Alta SaaS Protection
    1.  
      About Cohesity Alta SaaS Protection
    2.  
      Features of Cohesity Alta SaaS Protection
    3.  
      Architecture of Cohesity Alta SaaS Protection
    4.  
      Operational workflow
    5.  
      Extra Data Backup (EDB)
  2. Cohesity Alta SaaS Protection Copilot (AI chatbot)
    1.  
      Cohesity Alta SaaS Protection Copilot (AI chatbot)
  3. Cohesity Alta SaaS Protection Administrator portal (Web UI)
    1.  
      About Cohesity Alta SaaS Protection Administration portal
    2.  
      Configure Cohesity Alta SaaS Protection Administration portal
    3.  
      View upgrade history
  4. Supported SaaS workloads
    1.  
      Supported SaaS workloads and backup capabilities
  5. Workflow to protect data using Cohesity Alta SaaS Protection
    1.  
      Workflow to protect data using Cohesity Alta SaaS Protection
    2.  
      Know your subscription details
  6. Manage users and roles
    1.  
      Role-based access control
    2. Permissions tab
      1.  
        Users and groups page
      2.  
        Roles page
      3.  
        Unrecognized users page
      4.  
        Settings page
  7. API permissions
    1.  
      API permissions for Microsoft 365 workloads
    2.  
      API permissions for Gmail and Google Drive
    3.  
      System and API permissions for Salesforce
    4.  
      API permissions for Entra ID
    5.  
      App permissions of Web App
  8. What is a connector?
    1.  
      What is a connector?
    2.  
      About transient errors
    3.  
      Overview of adding connectors
    4.  
      Configure General settings
    5.  
      Configure Capture scope
    6.  
      Configure User filter
    7.  
      Configure Group filter
    8.  
      Configure Folder filter
    9. Configure credentials
      1.  
        Assign Microsoft 365 apps registration
      2.  
        Microsoft 365 apps registration status
      3.  
        Manually approve Microsoft 365 apps registration
      4.  
        Approve Microsoft 365 apps using the App Consent Grant utility
      5.  
        Microsoft 365 apps recovery
    10.  
      Configure Custom backup policy and guidelines
    11.  
      Configure Delete policy for SharePoint Online and guidelines
    12.  
      Configure Stubbing policy
    13.  
      Guidelines to configure Stubbing policy for SharePoint Online
    14.  
      Schedule a backup
    15.  
      Configure email addresses to get notifications
    16.  
      Review configuration and edit/save/initiate backup
    17.  
      Connectors page
    18.  
      Connector status
    19.  
      Edit connector configuration
    20.  
      Delete connectors
  9. Pre-requisites to setup protection for M365
    1.  
      Pre-requisites to setup protection for M365
  10. Protect Microsoft 365 Multi-Geo tenant
    1.  
      Considerations for adding SharePoint/Teams Sites/OneDrive connectors for Microsoft 365 Multi-Geo tenant
  11. Protect Exchange Online data
    1. Setting up Exchange Online data protection with Cohesity Alta SaaS Protection
      1.  
        Configure capture scope for Exchange connectors
  12. Protect SharePoint sites and data
    1. Setting up SharePoint Online protection with Cohesity Alta SaaS Protection
      1.  
        Configure capture scope for SharePoint connectors
      2.  
        Configure additional backup options for SharePoint/Teams site/ OneDrive connectors
    2. Backup and restore support for SharePoint Online
      1.  
        Supported and unsupported SharePoint Settings and Types for backup and restore
      2.  
        Supported Sites and List templates for backup and restore
      3.  
        Supported SharePoint permission objects for backup and restore
    3.  
      End-user SharePoint data access in Cohesity Alta SaaS Protection
    4.  
      Run the Delete and Stubbing policies to the SharePoint Online environment
    5.  
      Backup limitations for SharePoint Online
  13. Protect Teams sites
    1. Setting up Teams Site protection with Cohesity Alta SaaS Protection
      1.  
        Configure capture scope for Team site collections connectors
    2.  
      Backup limitations for Teams site collections
  14. Protect OneDrive data
    1. Setting up OneDrive protection with Cohesity Alta SaaS Protection
      1.  
        Configure capture scope for OneDrive connectors
  15. Protect Teams chats
    1. Setting up Teams chat protection with Cohesity Alta SaaS Protection
      1.  
        Configure capture scope for Teams chat connectors
    2.  
      Backup limitations for Teams chat
  16. Protect GoogleDrive data
    1.  
      Prerequisites to setup Google Drive protection with Cohesity Alta SaaS Protection
    2. Setting up Google Drive protection with Cohesity Alta SaaS Protection
      1.  
        Configure Capture scope Google Drive connectors
    3.  
      Backup limitations for Google Drive
    4.  
      FAQs
  17. Protect Gmail data
    1.  
      Prerequisites to setup Gmail protection with Cohesity Alta SaaS Protection
    2. Setting up Gmail protection with Cohesity Alta SaaS Protection
      1.  
        Configure capture scope for Gmail connectors
  18. Protect Audit logs
    1.  
      Add Audit log connectors
    2.  
      Audit log connector limitations
  19. Protect Salesforce data and metada
    1.  
      About Salesforce protection
    2.  
      Key considerations and prerequisites for adding Salesforce connectors
    3.  
      Add Salesforce connectors
    4.  
      Limitations of Salesforce connectors
    5.  
      Salesforce Objects not supported for backup
  20. Protect Entra ID objects
    1.  
      Setting up Entra ID protection with Cohesity Alta SaaS Protection
    2.  
      Backup and restore limitations for Entra ID
  21. Protect Box data
    1.  
      Prerequisites for Box connectors configuration
    2. Setting up Box protection with Cohesity Alta SaaS Protection
      1.  
        Configure capture scope for Box connector
    3.  
      Backup limitations for Box data
  22. Protect Slack data
    1.  
      Add Slack connectors
  23. Protect Email/Message data
    1.  
      Prerequisite for Email/message connector
    2.  
      Add Email/Messages file
  24. Configure Retention policies
    1.  
      About WORM policies
    2.  
      Ingestion WORM policies page
    3.  
      Add/edit Ingestion WORM retention policies and guidelines
    4.  
      Add/edit At-Rest WORM retention policies
    5.  
      Add/edit Deletion policies
    6.  
      View deletion history
    7.  
      How to edit the policy evaluation interval?
    8.  
      How to add a Location filter?
    9.  
      How to add a filter?
  25. Perform backups
    1.  
      Perform on-demand/ad-hoc backup
    2.  
      Backup dashboard
    3.  
      Video tutorial for connector troubleshooting
    4. View backup events
      1.  
        About Event suppression
      2.  
        Create event suppression rules
    5.  
      Viewing backup tasks details
  26. View and share backed-up data
    1.  
      Browse backed-up data
    2.  
      Share data
    3.  
      Remove data sharing
  27. Analytics
    1.  
      About analytics
    2.  
      Analytics page and refresh behavior
    3.  
      Aggregation buckets
    4.  
      Gain insights into storage utilization
    5.  
      Gain insights into storage utilization for Entra ID and Salesforce connectors
    6.  
      Gain insights into blocked activities, most active users, and more
    7.  
      Gain insights into data volume (size and item count) on legal hold
    8.  
      Gain insights into data volume (size and item count) saved in different Enhanced cases
    9.  
      Gain insights into data volume (size and count) under different policies
    10.  
      Gain insights into data volume (size and item count) under different Tags
    11.  
      Gain insights into data volume (size and item count) under different Tags behaviors
    12.  
      Gain insights into storage savings after deduplication and compression
    13.  
      Gain insights into data ingestion trends
  28. Perform restores using Administration portal
    1.  
      About restore
    2.  
      Prerequisites for restore
    3.  
      Restore Exchange Online mailboxes
    4. Restore SharePoint/OneDrive/Teams Sites and data
      1.  
        Restore of OneDrive, Microsoft 365 Group, and Microsoft Teams sites
      2.  
        Restore limitations for SharePoint Online
    5. Restore Teams chat messages and Teams channel conversations
      1.  
        Restore limitations for Teams chat
    6.  
      Restore O365 audit logs
    7. Restore Box data
      1.  
        Restore limitations for Box
    8. Restore Google Drive data
      1.  
        Overwrite restore behavior for Box/Google Drive data
    9.  
      Restore Gmail data
    10. About Salesforce Data, Metadata, and CRM Content restore and Sandbox seeding
      1.  
        Guidelines for Schema changes in Salesforce organization to prevent restore failures
      2.  
        Restore Standard and Custom objects (Structured data restore)
      3.  
        Custom Object restore - post processing steps
      4.  
        Restore specific Records (Structured data) using Query filters
      5.  
        Restore Salesforce CRM Content (Unstructured data restore)
      6.  
        Restore Salesforce files/documents in Public/Shared libraries (Unstructured data restore)
      7.  
        Limitations of Salesforce Data restore
      8.  
        Salesforce Objects not supported for restore
      9.  
        Key considerations for Salesforce Metadata restore
      10.  
        Restore Salesforce Metadata
      11.  
        Limitations of Salesforce Metadata backup and restore
    11. About Entra ID (Azure AD) objects and records restore
      1.  
        Permissions requirement
      2.  
        Best practices to restore Entra ID objects
      3.  
        Restore an Entra ID object
      4.  
        Restore specific records within Entra ID objects
    12.  
      Restore Slack data
    13.  
      Restore data to File server
    14.  
      Set default restore point
    15.  
      Configure Restore all, Restore all versions, Point-in-time, and Specific range restore options
    16.  
      Configure email addresses for notifications
    17.  
      Downloading an item
  29. Restore dashboard
    1.  
      About Restore dashboard
    2.  
      Restore job statuses
    3.  
      How to cancel a restore job?
    4.  
      View the restore events
  30. Install services and utilities
    1.  
      About services and utilities
    2.  
      Pre-requisites to download and install services and utilities
    3.  
      Downloading services and utilities
    4.  
      Where to install the services and utilities
    5.  
      Installing or upgrading services and utilities
    6.  
      Configuring service accounts for services and utilities
    7. About the Apps Consent Grant Utility
      1.  
        Downloading the Apps Consent Grant Utility
      2.  
        Installing or upgrading the Apps Consent Grant Utility
      3.  
        Post-installation activities for the Apps Consent Grant Utility
  31. Discovery
    1.  
      About eDiscovery/searches
    2.  
      Add search templates
    3.  
      Add Discovery cases
    4.  
      Perform ad hoc search and add data to Discovery cases
    5.  
      View data in Discovery cases
    6.  
      Edit Discovery cases
    7.  
      DeleteDiscovery cases
    8.  
      Assign Discovery cases to users
  32. Configure Tagging polices
    1.  
      About the Tagging policy
    2.  
      Add Tags
    3.  
      Add/edit Tagging policies
    4. Adding regular expressions
      1.  
        RegEx and query examples for PII detection
  33. Configure Tiering policy
    1. About the Tiering policy
      1.  
        Storage tiering and full-text search
      2.  
        User experience on storage tiering
      3.  
        Priority for storage Tiering
    2.  
      Add/edit Tiering policies
  34. Auditing
    1.  
      Auditing
  35. Manage Stors (Storages)
    1.  
      Viewing Stors (Storages)
    2.  
      Requesting a new Stor
    3.  
      General tab
    4.  
      Version control settings
    5.  
      Metadata tab
    6.  
      Statistical policies tab
    7.  
      Location-Mapping tab
    8.  
      Backup tab
    9.  
      Custodian Groups tab
    10.  
      Advanced tab
    11.  
      Analytics tab

Guidelines to configure Stubbing policy for SharePoint Online

The SharePoint Online connector can be configured with a policy to perform stubbing. Stubbing helps to reduce storage in the SharePoint Online environment. When enabled, during the backup process, backed up items are changed to stubs (shortcuts) and original item versions are deleted. Stubs appear in SharePoint as URL files ending in the .stub.url extension. By clicking on the stub an end-user can either download the data from ASP locally or restore the stubbed items to back to its original location in the SharePoint site (this behavior is configurable by an Cohesity Alta SaaS Protection administrator).

The stubbing policy can be customized based on the following criteria:

  • Size

  • Last modified date

  • Type

You can define any or all of these criteria according to your specific data retention requirements.

Stubbing policy setup guidelines

  • It's advisable to first test the impact of your stubbing policy in a small or less frequently used environment before rolling it out widely. This will help administrators and end-users become familiar with how stubbed files behave. It's important to note that stubbed files do not directly replace the original file in terms of supporting the same functionality within SharePoint.

  • Review the Considerations Before Enabling Stubbing section to understand the implications of configuring stubbing and can select Sites and Locations eligible for stubbing, with the appropriate stubbing policy.

  • Determine whether you plan to use Cohesity Alta SaaS Protection only to stub certain SharePoint/OneDrive items based on policy, or to back up all data in SharePoint Sites/OneDrive while also stubbing certain items.

  • If you plan for only stubbing, ensure that your Custom Backup Policy and Stubbing Policy align with each other.

    • To achieve savings sooner, target larger items first (for example, items > 5 MB, with last modified > 1 year, or whatever your date criteria may be).

    • Later, adjust the criteria for both the Custom Backup Policy and Stubbing Policy to what you plan to use on an ongoing basis (for example, items > 1 MB with last modified > 1 year).

  • If stubbing items based on policy while also backing up all items, follow the guidelines in step 2. When setting the ongoing criteria, clear the settings in the Custom Backup Policy so that all items are included in the backup, but only items meeting the stubbing policy criteria are eligible for stubbing.

Considerations before enabling stubbing

As the stubbing process deletes data at the source and replaces it with URLs, it is important to understand the implications of the Cohesity Alta SaaS Protection process before enabling the stubbing policy. Cohesity cannot help or support the customer if they exercise or run into unsupported scenarios. It will be the customer's responsibility to recover from the situation.

General considerations:

  • Cohesity Alta SaaS Protection stubs an item after the data is moved to Cohesity Alta SaaS Protection storage, depending on the options configured in the connector and its backup policies. By default, Cohesity Alta SaaS Protection does not maintain any other copies of the item. Therefore, Cohesity Alta SaaS Protection stubs items only after creating a primary backup copy. Care should be taken to ensure that this primary copy is not deleted, for example, due to a misconfigured Cohesity Alta SaaS Protection deletion policy.

    Additional options, such as Extra Data Backup, need to be purchased if you want Cohesity Alta SaaS Protection to maintain a separate secondary copy.

  • Only a file can be stubbed. A folder, library or a site cannot be stubbed.

  • There may be automated processes within SharePoint Online or third-party software integrated with SharePoint Online that relies on the actual file being present for processing. Such locations should be excluded from stubbing.

  • There may also be automated processes within SharePoint Online or by the third-party software that copy, move, or create lists and folders where potentially stubbed files can reside. These locations should also be excluded from stubbing.

  • If stubbing is based on the 'last modified' date, note that the content, which is frequently accessed but not modified will still be stubbed. Careful consideration should be given to whether such content should be stubbed, as keeping it as stubs may not be desired and can lead to frequent requests to restore the original content.

  • For the above reasons, it is crucial to thoroughly evaluate what should not be stubbed before initiating the stubbing process. This careful planning ensures that the stubbing policies are configured correctly, preventing any inadvertent issues.

    If sites or libraries are accidentally stubbed, administrators will have to resort to doing restores by the admin portal. Depending on the number of sites and lists, the need for mass un-stubbing restores may arise. This can take time and may result in a diminished end-user experience.

  • Considerations for the restores when stub policy is based on 'Last modified time'. When doing restores, if the stub recall options have:

    • Restore: When content is recalled by clicking on the stub, Cohesity Alta SaaS Protection updates the modification time to prevent the item from being stubbed again immediately.

    • Download Only: End users can download the file, but restores can only be performed from the Administration Portal. By default, when restoring from the Administration Portal, the original last modified time is restored, meaning that the restored content can be stubbed again. To prevent this:

      • Exclude the content from stubbing after it has been restored.

      • When restoring from the Admin Portal, select the option Reset 'last modified time' of restored items to time of restore.

  • Stubbing is not supported for Project Web Access sites. These sites must be manually excluded from the stubbing policy.

  • Interaction of Cohesity Alta SaaS Protection stubbing in sites with the SPO features like, DLP, SharePoint Workflows is not supported. Sites with these functionalities should be excluded from stubbing manually.

Stubbed item deletion, movement, and interaction with Cohesity Alta SaaS Protection deletion policies:

  • This section describes the behavior of a stub and its corresponding item in Cohesity Alta SaaS Protection under specific scenarios as follows:

    • Stub deletion

      • If a stub is deleted, Cohesity Alta SaaS Protection marks the corresponding item as Removed from source in Cohesity Alta SaaS Protection storage during the next backup cycle.

        Note:

        Removed from source indicates that Cohesity Alta SaaS Protection recognizes the item is no longer present in its original location. This is important as Cohesity Alta SaaS Protection deletion policies are often configured to delete items marked as Removed from source.

      • When the stub is restored to its original location from the Recycle Bin, in Cohesity Alta SaaS Protection's next scan the Removed from Source flag will be cleared, and access permissions (in Cohesity Alta SaaS Protection) will be updated based on existing permissions on source item.

    • Stub movement

      • If an end-user copies or moves stub in SharePoint Online, Cohesity Alta SaaS Protection backup scans detect the change and perform the following:

        • Copies the original item backed up in Cohesity Alta SaaS Protection to a corresponding new location in Cohesity Alta SaaS Protection and sets an Archival Type.

        • Modifies the stubs in the destination SPO location to point to the newly copied item in Cohesity Alta SaaS Protection. Same is now referred to during the item restore or download.

      • The Archival type of the stub item is labeled as Moved stub, Copied stub, or Moved or Copied stub based on the detected action as describe in the following table.

        Scenario

        Behavior

        Archival method type

        Stub is moved

        The original item along with all its versions are copied to the new location in Cohesity Alta SaaS Protection.

        Moved stub

        Stub is copied

        Only the latest version of the original item is copied to the new location in Cohesity Alta SaaS Protection.

        Copied stub

        The action (move or copy) is undetermined. This behavior can be observed when stubs are moved across sites. Some scenarios in which Cohesity Alta SaaS Protection cannot detect whether a stub was moved or copied in SharePoint. It includes the following:

        • The stub is copied from a library without versioning to another library (with or without versioning).

        • The stub is moved to a library with versioning, and then its properties are changed in SharePoint.

        Cohesity Alta SaaS Protection treats it as a move and copies the item.

        Moved or copied

      • The Archival method type of an item in Cohesity Alta SaaS Protection is fixed once set. It does not change after the stub is restored.

      • Each time a stub is moved or copied, a copy of the item is created in Cohesity Alta SaaS Protection. This copy counts toward the licensed storage used by Cohesity Alta SaaS Protection.

      • If the stub copy or move operation fails to update the stub in SharePoint (for example, due to SharePoint restrictions), users may experience the behaviors described in points a and b below when accessing the stub from SharePoint. In such cases, the Administration portal can be used to access or restore the items directly from Cohesity Alta SaaS Protection.

      • If copied or moved stubs are not detected during incremental backups, Cohesity Alta SaaS Protection will process them during the next full backup scan.

      • For moved stubs in SharePoint Online, the original item in Cohesity Alta SaaS Protection will be marked as Removed from Source only during full backup scans.

      • The Removed from Source flag will not be carried over to the versions of the copied item.

      • If an end user tries to restore or download items from a copied or moved stub in SharePoint before the item is copied to the new location in Cohesity Alta SaaS Protection, the following may occur:

        • The user may see an Access Denied error if they don't have permission to access the original item in &ProductNameASP;.

        • If the user does have permission to the original item and tries to restore it:

          • (a). The Copy pending file will be restored to the original location.

          • (b). The copied or moved stub in SharePoint remains unchanged.

        • If the restore is executed from the Administration portal with the Restore only stub option, before the item is copied to the new location in Cohesity Alta SaaS Protection, stubbed files may not be restored at the destination in SharePoint where they were moved or copied.

        • In SharePoint, if a retention label is applied to a copied or moved stub at the destination, Cohesity Alta SaaS Protection will not delete the existing version of the stub in SharePoint after updating it.

        • If a stub is copied or moved to a library with moderation, minor versioning, or required checkout enabled, the Modified By field of the stub in SharePoint will be set to SharePoint App during the copy operation.

        • The copied items, in Cohesity Alta SaaS Protection, do not retain the Cohesity Alta SaaS Protection policies, legal holds, or retention settings applied to the original items. They are treated as newly backed-up items, and Cohesity Alta SaaS Protection applies policies based on the current configuration.

        • The Archived At time for copied items in Cohesity Alta SaaS Protection reflects the time the copy operation occurred.

        • Newly copied items in Cohesity Alta SaaS Protection will have the same access permissions from the stub at the destination in SharePoint Online.

        • If the copy operation within Cohesity Alta SaaS Protection fails, a Copy pending flag will be set on the source item in Cohesity Alta SaaS Protection, along with the pending destination path. Items marked as Copy pending will be excluded from deletion when Cohesity Alta SaaS Protection deletion policies are run.

        • If the stub copy operation fails, Cohesity Alta SaaS Protection will retry it during the next full backup scan. The copy pending path will be cleared after the item is successfully copied. The Copy pending flag will be removed only after all pending copies are completed.

        • Cohesity Alta SaaS Protection needs to scan the destination location in SharePoint Online to perform the copy. Therefore, you may notice a delay before the copied stub appears in Cohesity Alta SaaS Protection, as it depends on the backup task copying the data and updating the stub.

        • Backup task statistics will show details such as the number of updated stubs and the size of the copied data.

        • Cohesity Alta SaaS Protection cannot copy an item if the original item is deleted from Cohesity Alta SaaS Protection before the backup task performs the copy. It is the user's responsibility to configure the Cohesity Alta SaaS Protection Deletion Policy properly, ensuring backup tasks have enough time to detect and process copied or moved stubs.

          Example: If a deleted stub in SharePoint is restored from the Recycle Bin after the corresponding item has already been deleted from Cohesity Alta SaaS Protection, the item cannot be copied, and the user will encounter copy errors for that stub.

        • If a moved stub is detected to have returned to its original location in SharePoint (as known to Cohesity Alta SaaS Protection), only the Removed from Source flag will be cleared, and access permissions (in Cohesity Alta SaaS Protection) will be updated based on existing permissions on source item.

        • When a stub is copied or moved across libraries, any columns in the source library that do not exist in the destination library cannot be restored.

        • If a stub at a copy-pending path is deleted in SharePoint before Cohesity Alta SaaS Protection can copy the item, the copy pending path will remain on the source item in Cohesity Alta SaaS Protection. If Cohesity Alta SaaS Protection Deletion Policy does not remove such items, please contact support.

        • It is not supported to configure the same site for stubbing in multiple connectors. Cohesity Alta SaaS Protection will not copy stubbed items from the same site across different connectors by default. A warning message will appear in the logs in such cases. Support should be contacted for guidance on next steps.

        • Cohesity Alta SaaS Protection does not support copying items across different Cohesity Alta SaaS Protection tenants.

        • Backup tasks may take longer to complete if there are many stub move or copy operations in SharePoint that require item copying in Cohesity Alta SaaS Protection.

        • Once the feature is enabled, the backup task will attempt to retroactively correct any previously copied or moved stubs in SharePoint.

          For more details, refer to the knowledge base article:Issues when accessing or restoring files from copied or moved stubs (.stub.url) in SharePoint Online.

    • Modification in Version setting

      If the versioning setting of a Document Library in SharePoint is changed from 'Create Major/Minor Version' to 'No Versioning' or vice versa, during the next backup cycle, the corresponding item in Cohesity Alta SaaS Protection is marked as Removed from source.

    • Cohesity Alta SaaS Protection deletion policy and items marked as removed from source

      • If an item in Cohesity Alta SaaS Protection storage qualifies for a Cohesity Alta SaaS Protection deletion policy for deletion, it will be deleted from storage without verifying whether it is stubbed at the source.

      • The Removed from Source property can also be used a criterion for Cohesity Alta SaaS Protection deletion policies. This means that deletion policies can remove items marked as Removed from source in Cohesity Alta SaaS Protection, even if they are still present at the source (due to certain scenarios described above for example the stub is moved and the location is yet to be scanned by Cohesity Alta SaaS Protection detect the change).

      • Recommendation: It is strongly recommended not to use Cohesity Alta SaaS Protection deletion policies that target content where stubbing is or was enabled at the source.

Connector management:

  • For a site being backed up by a connector with a stubbing policy, and that contains stubbed items which have been stubbed by same connector, the stubs should be restored before removing the site from the connector or deleting the connector.

  • For a site being backed up by a connector with a stubbing policy, if the same site is added to a new connector, no data will be backed up for the data that was stubbed the previous connector by the new connector.

  • Stubbing same site by multiple connector is not supported.

Item permissions:

  • When an item is stubbed, its permissions are not changed. Any changes to the permissions after the item is stubbed are captured by Cohesity Alta SaaS Protection.

  • When a stub is restored back to a file by Cohesity Alta SaaS Protection, the permissions the stub had prior to the restore are maintained by default.

  • Cohesity Alta SaaS Protection only allows access to files for end-users with the specific SharePoint Permission Levels which contain the Open List Items permission. If a user or group only has SharePoint Permission Levels which contain View Items or View Application Pages permissions, Cohesity Alta SaaS Protection will not permit access to those files. Default SharePoint permission levels that use the View Items permission include Restricted View, View Only, and Download Only. When files are stubbed, users with these permission levels will not be able to access the files from the stub.

  • For more details on how Cohesity Alta SaaS Protection syncs end-user permissions, refer to the section End-user SharePoint Data Access in Cohesity Alta SaaS Protection.

  • If Cohesity Alta SaaS Protection backs up and stubs SharePoint sites in two different AD tenants with shared users (for example, a user in Tenant A is also an external user in Tenant B), issues can arise for the shared user if they try to access an item in Cohesity Alta SaaS Protection, via its SharePoint stub in a site present in a tenant where that user is a external. Such a configuration should be avoided.

Item properties:

  • When an item is stubbed, its properties and permissions are preserved.

  • Any changes to properties made after the item is stubbed are not captured by Cohesity Alta SaaS Protection.

  • When a stub is restored back to a file by Cohesity Alta SaaS Protection, the list column properties are restored to the state they were in when Cohesity Alta SaaS Protection initially backed up the item.

Stubbing policy evaluation, configuration, and interaction:

  • When configuring exclusions based on type, you must also configure either the last modified date or size criteria.

  • The connector stubbing policy will consider an item for stubbing only if all its captured versions meet the criteria configured in the policy.

  • The stubbing policy is applied starting from the second full backup, after all data has been successfully backed up during the first full backup.

  • The connector stubbing policy applies only to full backups and does not apply to incremental backups occurring between two full backups.

  • If both the connector deletion and connector stubbing policies target the same item, the delete policy takes precedence and permanently deletes the item from the source SharePoint environment.

Scope of application of stubbing in SharePoint:

  • The stubbing policy applies exclusively to files within document libraries and not to any other library types.

  • The stubbing policy specifically applies to items derived from the Document SharePoint content type.

Exclusions from the stubbing policy:

  • ASPX files

  • Links with a .url extension

  • Document libraries in SharePoint that have the Require checkout setting enabled.

    Some site templates, like Publishing Site, create document libraries with this setting enabled. As a result, items in these libraries cannot be stubbed.

    Contact Cohesity Support to enable stubbing for these items.

  • Files in libraries and lists with the Information Rights Management (IRM) setting enabled.

  • Items that are checked out.

  • Thicket file.

  • Starting from the 2.26.1 release, the following items cannot be stubbed using the Stubbing policy:

    • All items in sites, which are on legal hold or have a retention policy.

      You need to contact Cohesity Support to enable stubbing for these items.

    • Only when Legal Holds done through Microsoft Purview by link Create eDiscovery holds in an eDiscovery case Microsoft Learn, Cohesity Alta SaaS Protection can detect, and skip stubbing for such items. Any other way is unsupported. Legal holds applied through any other way are unsupported, as a result Cohesity Alta SaaS Protection's stubbing process will not be able to detect legal holds and continue to stub the items in the site and may result in unsupported behavior (for example, items may appear as a stub but versions may still remain in SharePoint).

    Contact Cohesity support team to stub other items in such sites.

  • Starting from the 2.28.1 release, the following items cannot be stubbed:

    • Items with a sensitivity label configured for encryption cannot be stubbed.

    • Items in read-only sites.

    • Items marked with a retention label and still within the retention period.

  • Starting from the 2.31.1 release, the following items cannot be stubbed:

    • Items in lists and libraries with the following version settings enabled in SharePoint Online:

      • Require content approval for submitted items.

      • Create major and minor (draft) versions (for example, 1.0, 1.1, 1.2, 2.0)

      • Some site templates, like Publishing Site, create document libraries with these settings, preventing stubbing in such libraries for the site.

    • Cohesity Alta SaaS Protection does not support the stubbing of Loop components in emails and Teams chats.

      For more information on Loop components, refer to the Microsoft knowledge base article: Overview of Loop Components in Microsoft 365.

  • Starting from the 2.35.1 release, the items/files with View only permission will not be stubbed.

  • OneNote notebooks.

Sharing links:

  • Sharing links (by Teams, OneDrive, or SharePoint) for items created before and after stubbing may not work.

Accessing stubs via the SharePoint App on Mobile devices:

  • Accessing stubs through the Microsoft SharePoint App on iOS and Android is not supported. Users can open the SharePoint site in Safari or Chrome, navigate to the library containing the stub, and click on it to access the data in Cohesity Alta SaaS Protection.

Files synchronized with Laptops and PCs:

  • When files synchronized with laptops or PCs using the OneDrive client are stubbed, Cohesity Alta SaaS Protection replaces the items with internet shortcuts, adding the .stub.url extension to the item name.

  • When an end user tries to access the stubbed file from File Explorer, they are navigated to a browser. Based on the settings configured in Cohesity Alta SaaS Protection for managing end-user experiences with stubs, appropriate actions will be taken. Refer to the Managing End-User Experience with Stubbed Items section for more details.

  • When stubbing a file the OneDrive Sync client may add or/and change the stub file. Cohesity does not support the scenario, if the change disrupts the functioning of the stub.

Inconsistent stubbed files:

Browser support:

  • The following browsers are supported for accessing data in Cohesity Alta SaaS Protection by a stub:

    Browser

    Restore and Download stub

    Download only

    Chrome

    Supported

    Supported

    Edge

    Supported

    Supported

    Safari

    Not supported

    Supported

Stub modifications:

  • If there are any external modifications to the stub by any processes other than Cohesity Alta SaaS Protection, this may lead to unsupported scenarios - for example, external processes like a different backup vendor, SharePoint workflows.

See Run the Delete and Stubbing policies to the SharePoint Online environment.

Managing end-user experience with stubbed items

  • For more information on the end-user workflow when an end-user clicks on a stub, refer to the topic Restore OneDrive/SharePoint stubbed items in the Cohesity Alta SaaS Protection End User Guide.

  • As an administrator, you can control the options available to the end-user. You can direct them to the End-User portal to restore the specific item or initiate the download when a stub is clicked. You can use the following permissions to manage the experience of the end user in restoring or downloading the stubbed items:

    • End-User SharePoint stubbing restore: With this permission, when an end-user clicks on the stubbed item, they are redirected to a webpage. On this webpage, an option is available to restore the item to its original location at the time of backup.

    • End-User retrieval and download: With this permission, when an end-user clicks on the stubbed item, they are redirected to a webpage. On this webpage, an option is available to download the last backed-up version of the SharePoint file to the local computer.

      If only this permission is assigned, the download starts when the user clicks the stub.

      Both of these permissions are inherently included in the Default role.

  • You can monitor the restore progress on the Restore dashboard.

Notes on the restoration of stubbed items initiated by end-users

  • A SharePoint user with the View permission can restore the file. The user retains the same permissions for the file after restoration as they had on the stub.

  • If a stub is moved from its original location, the restore fails. An Administrator needs to restore it from the Administration portal.

  • The last modified date is updated to the current time after restoration or download. This should prevent the item from being picked up by the configured Stub policy if configured based on the last modified time.

  • Only the last backed-up version of the SharePoint item before the stubbing occurred is restored.

  • You can monitor the restore progress on the Restore dashboard, but you cannot rerun the restore.

  • If your tenant is Scope enabled, then clicking on a stub always download the last backed-up version of the SharePoint file to the local computer.