Cohesity Alta SaaS Protection Administrator's Guide
System and API permissions for Salesforce
To enable Salesforce protection in Cohesity Alta SaaS Protection, a dedicated 'ASP Backup Admin' user must be created by cloning the 'Salesforce System Administrator' profile. This is the recommended approach to ensure comprehensive protection of the Salesforce organization. The 'ASP Backup Admin' user must be assigned a Salesforce license, as Cohesity Alta SaaS Protection does not currently support the Salesforce API Integration License, which has limited access to objects and features.
If an organization's security policies prohibit cloning the 'System Administrator' profile, the required permissions can instead be granted through a permission set assigned to an 'ASP Backup Admin' user created with a Standard User profile. It is strongly recommended to enable all the permissions listed here. If any permission is skipped, Cohesity assumes that the customer fully understands the implications and may not be able to help with issues arising from such exclusions.
When using the Permission Set based approach, the ASP Backup Admin user must be assigned the Permission Set containing all the permissions listed here before the user is assigned to the Connected App created for Cohesity Alta SaaS Protection. In this case, create the user with a Standard User profile instead of the System Administrator profile and assign the new Permission Set to the 'ASP Backup Admin' user. For Connected App creation, refer to the KB article 'Setting up a Connected App in Salesforce for use by Cohesity Alta SaaS Protection'. The Permission Set must provide the following:
Object permissions: 'Modify All' and 'Create' for all objects in the Salesforce organization (Standard and Custom).
Field permissions: 'Read Access' and 'Edit Access' for all fields in all objects (Standard and Custom).
Record Type permissions: 'Read' and 'Edit' access for all record types across all objects (Standard and Custom).
Ensure that all necessary feature licenses (for any installed AppExchange products) and feature Permission Sets are also assigned to the user.
Some permissions, such as 'Modify All Data,' will automatically enable other permissions. Additionally, other permissions not listed here may also be auto-enabled and must remain active for Cohesity Alta SaaS Protection to function properly.
Table:
Permissions | Data/Metadata | Salesforce description | Used by Cohesity Alta SaaS Protection for |
---|---|---|---|
Access Activities. | Data | Access tasks, events, calendar, and email. | Protection (backup and restore) of Tasks, Events, Calendar, and Email. |
Access Libraries. | Data | Access libraries. | Protection of Libraries. |
Apex REST Services | Data | Allow access to Apex REST services. | Access to Salesforce APIs |
API Enabled. | Data and Metadata | Access any Salesforce.com API. | To access Salesforce APIs for backup and restore of Data and Metadata. |
Assign Topics. | Data | Assign existing topics to feed items. Remove topics from feed items. | Restore of FeedItem (while assigning a topic to FeedItem) |
Author Apex. | Metadata | Create Apex classes and triggers. | Restore of Apex classes and Triggers. |
Change Dashboard Colors. | Metadata | Choose a dashboard color theme and palette. | Restore of Dashboards. |
Chatter Internal User. | Data | Use all Chatter features. | Protection of Chatter Objects. |
Create and Own New Chatter Groups. | Data | Create and own new Chatter groups. | Restore of Chatter Groups (CollaborationGroup Standard object). |
Create Content Deliveries. | Data | Create content delivery links to share files that aren't managed by a library. To let a user create content deliveries for files in a library, enable Deliver Content for that user in the library. | Protection of Salesforce Orgs where the Content Delivery feature is enabled. Restore of public link Field for the Document/Attachment requires this. |
Create Folders for Lightning Email Templates. | Metadata | Create Folders for Lightning Email Templates. | Restore of Email Template (in Folder). |
Create Public Links. | Data | Let users create links to share files externally. Unlike content deliveries, public links can't be password protected. To let a user create links to files in a library, enable Deliver Content for that user in the library. | Restore of Public Links of Documents / Attachments / Files. |
Create Topics. | Data | Create new topics by assigning them to feed items. | Restore of FeedItem (while assigning a topic to FeedItem). |
Customize Application. | Metadata | Customize the organization using App Setup menu options. | Required for 'Connected App' backup. Restore of various Metadata types, for example Custom Fields, Page Layout, and so on. |
Edit HTML Templates. | Metadata | Edit Classic HTML Email Templates. | Restore of Email Templates. |
Edit Read-Only Fields. | Data | Edit fields that are read only due to page layouts or field-level security. | Restore values back into some fields that are read-only due to page layout or field-level security. |
Edit Tasks. | Data | Create, edit, and delete tasks. | Restore of Tasks. |
Edit Topics. | Data | Edit topic names and descriptions. | Restore of Topics. |
Manage All Private Reports and Dashboards. | Metadata | Allows full access to reports and dashboards in all other users' private folders (API only). | Restore to reports and dashboards in all other users' private folders (API only). |
Manage Auth. Providers. | Metadata | Create and edit Auth. Providers. | Restore of Auth Providers. |
Manage Certificates. | Metadata | Ability to manage certificates. | Protection of Certificates. |
Manage Chatter Messages and Direct Messages. | Data | Access all users' messages sent in Chatter. | Protection of Chatter data. |
Manage Connected Apps. | Metadata | Manage, create, edit, and delete connected applications. | Restore of Connected Apps. |
Manage Custom Permissions. | Metadata | Create, edit, and delete custom permissions. | Restore of PermissionSets and Profiles. |
Manage Custom Report Types. | Metadata | Create, edit, and delete custom report types. | Restore of Custom Reports. |
Manage Dashboards in Public Folders. | Metadata | Create, edit, delete dashboards, and manage their sharing in all public folders. | Restore of Custom Dashboards. |
Manage Data Categories. | Metadata | Create, edit, and delete data categories. | Protection of 'DataCategoryGroup' backup. |
Manage Data Integrations. | Data | Monitor or abort Bulk API jobs. | Bulk API management (during backup and restore). |
Create Libraries. | Data | Create libraries. | Restore of Library. |
Manage Letterhead. | Data and Metadata | Create, edit, and delete letterheads for HTML emails. | Protection of Email Letterheads. |
Manage Multi-Factor Authentication in API. | Metadata | Use the API to manage user identity verification methods for multi-factor authentication. | Required for Metadata Backup. |
Manage Public Classic Email Templates. | Metadata | Create, edit, and delete text emails, mail merge templates, and folders for public email templates. | Restore of Email Template in Folder. |
Manage Public Documents. | Data | Create, edit, and delete folders for public documents. | Restore of Folders for Documents. |
Manage Public List Views. | Metadata | Create, edit, and delete public list views. | Restore of List Views. |
Manage Reports in Public Folders. | Metadata | Create, edit, delete reports, and manage their sharing in all public folders. | Restore of Reports in Public Folder. |
Manage Unlisted Groups. | Data | View and moderate unlisted Chatter groups. | Protection of Unlisted Groups. |
Manage Users. | Metadata | Create, edit, and deactivate users, and manage security settings, including profiles and roles. | Restore of Users. |
Modify All Data. | Data | Create, edit, and delete all organization data, regardless of sharing settings. | Needed for auto-inclusion of new objects and related objects. Third-party product objects, custom objects as and when they get added to the Org, they will get picked up by ASP only if this permission is given. Some objects (TopicAssignment, FeedRevision, FeedAttachment, Announcement, FeedComment, EntitySubscription) require this permission for query. A few other objects require this permission for Metadata restore. |
Modify Metadata through Metadata API Functions. | Metadata | Create, read, edit, and delete org metadata. Users must have appropriate access rights to the metadata they're trying to modify. Be careful if delegating this permission. Some metadata runs in a system context, when object permissions, field-level security, and sharing rules that apply to the user are ignored. For example, Apex runs in a system context. | Metadata restores. |
Update Email Messages. | Data | Modify certain email message-related records. | Restore of EmailMessages. |
View All Custom Settings. | Metadata | Let users view all custom setting data directly and by the API. | Protection of Custom Settings. |
View All Lookup Record Names. | Data | View the record names in lookup fields regardless of sharing settings. Lookup fields include system fields, such as Created By and Last Modified By. | Backup of System Fields. |
View All Profiles. | Metadata | View all user profiles, regardless of profile filtering setting. | Backup of Profiles. |
View All Data. | Metadata and Data | View all organizational data, regardless of sharing settings. | Backup of Data and Metadata. |
View And Edit Converted Leads. | Data | View and edit converted lead records. | Restore of Converted Leads. |
View Developer Name | Data | View the DeveloperName field by the API. | Backup of Developer Name field. |
View Encrypted Data | Data | View the value of encrypted fields in plain text. | Protection of Encrypted Fields. |
Edit Case Comments. | Data | Edit their own case comments but not other users' comments. | Restore of CaseComment. |
Import Solutions | Data | Import solutions for the organization. | Protection of Solutions. |
Manage Cases. | Data | Administer case settings, including Email-to-Case and mass transfer of cases. | Protection of Cases. |
Manage Categories. | Data | Define and modify solution categories settings. | Define and modify solution categories settings. |
Manage Entitlements. | Data | Enable, create, and update entitlement management items. | Enable, create, and update entitlement management items. |
Manage Content Permissions. | Data | Create, edit, and delete library permissions in Salesforce CRM Content. | Create, edit, and delete library permissions in Salesforce CRM Content. |
Manage Content Properties. | Data | Create, edit, and delete custom fields in Salesforce CRM Content. | Create, edit, and delete custom fields in Salesforce CRM Content. |
Manage Flow. | Data | Allow users to view, create, edit, delete, and activate all flows and flow types in Lightning Experience apps and Setup. | Protection of Workflows |
Manage record types and layouts for Files. | Data and Metadata | Create, edit, and delete content types in Salesforce CRM Content. | Create, edit, and delete content types in Salesforce CRM Content. |
Manage Salesforce CRM Content. | Data | Create, edit, and delete libraries and library memberships. | Create, edit, and delete libraries and library memberships. |
Query All Files | Data | Allows View All Data users to SOQL query all files in the org. | Protection of Documents / Attachments / Files / Salesforce CRM Content. |
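Before the Permission Set is attached to the Connected App, it is worth checking that it actually carries what the sections above require: the system permissions in the table, plus 'Create' and 'Modify All' on every object and 'Read Access' and 'Edit Access' on every field. The following is an added example written for this page, not Cohesity's or Salesforce's own code. It audits a Permission Set offline from records shaped like the rows SOQL returns for PermissionSet, ObjectPermissions and FieldPermissions (the sample rows are constructed); the mapping from the labels in the table to PermissionSet field API names is an assumption and should be confirmed with a describe call on PermissionSet in your org.

```python
"""Offline audit of a Salesforce Permission Set against the permissions this
page lists for the 'ASP Backup Admin' user.

Added example; not Cohesity's or Salesforce's own code. The records below are
constructed to look like rows returned by SOQL queries on PermissionSet,
ObjectPermissions and FieldPermissions. The label-to-field mapping is an
assumption based on Salesforce PermissionSet API names and should be confirmed
with a describe call on PermissionSet in your org.
"""
from dataclasses import dataclass, field

# Assumed mapping: label used on this page -> boolean field on PermissionSet.
# Only a subset of the page's table is mapped here; extend it for your org.
SYSTEM_PERMISSIONS = {
    "API Enabled": "PermissionsApiEnabled",
    "Modify All Data": "PermissionsModifyAllData",
    "View All Data": "PermissionsViewAllData",
    "View All Profiles": "PermissionsViewAllProfiles",
    "Author Apex": "PermissionsAuthorApex",
    "Customize Application": "PermissionsCustomizeApplication",
    "Manage Users": "PermissionsManageUsers",
    "Modify Metadata through Metadata API Functions": "PermissionsModifyMetadata",
    "Edit Read-Only Fields": "PermissionsEditReadonlyFields",
    "View Encrypted Data": "PermissionsViewEncryptedData",
    "Query All Files": "PermissionsQueryAllFiles",
}


@dataclass
class AuditReport:
    missing_system: list = field(default_factory=list)   # labels not enabled
    objects_lacking: dict = field(default_factory=dict)  # SobjectType -> missing
    fields_lacking: dict = field(default_factory=dict)   # Object.Field -> missing

    def ok(self) -> bool:
        return not (self.missing_system or self.objects_lacking or self.fields_lacking)


def audit_permission_set(perm_set, object_perms, field_perms, org_fields):
    """perm_set: one PermissionSet row; object_perms / field_perms: rows already
    filtered to that Permission Set's ParentId; org_fields: SobjectType -> list
    of field names, as obtained from describe calls."""
    report = AuditReport()

    # System permissions: a False or absent field means the permission is off.
    for label, api_name in SYSTEM_PERMISSIONS.items():
        if not perm_set.get(api_name, False):
            report.missing_system.append(label)

    # Object permissions: the page requires 'Create' and 'Modify All' on every
    # object. A missing ObjectPermissions row means nothing was granted, which
    # is the usual state of a custom object added after the set was built.
    obj_rows = {row["SobjectType"]: row for row in object_perms}
    for sobject in org_fields:
        row = obj_rows.get(sobject, {})
        missing = []
        if not row.get("PermissionsCreate", False):
            missing.append("Create")
        if not row.get("PermissionsModifyAllRecords", False):
            missing.append("Modify All")
        if missing:
            report.objects_lacking[sobject] = missing

    # Field permissions: the page requires Read and Edit on every field.
    # FieldPermissions.Field is qualified as 'Object.Field'.
    fld_rows = {row["Field"]: row for row in field_perms}
    for sobject, names in org_fields.items():
        for name in names:
            key = f"{sobject}.{name}"
            row = fld_rows.get(key, {})
            missing = []
            if not row.get("PermissionsRead", False):
                missing.append("Read Access")
            if not row.get("PermissionsEdit", False):
                missing.append("Edit Access")
            if missing:
                report.fields_lacking[key] = missing
    return report


def run_sample_audit() -> AuditReport:
    """Constructed sample: a Permission Set that is close to, but short of,
    the documented requirements."""
    perm_set = {"Name": "ASP_Backup_Admin",
                **{api: True for api in SYSTEM_PERMISSIONS.values()}}
    perm_set["PermissionsAuthorApex"] = False          # Apex restore would fail
    perm_set["PermissionsEditReadonlyFields"] = False  # read-only field restore

    org_fields = {
        "Account": ["Industry", "Rating"],
        "Contact": ["Email"],
        "Invoice__c": ["Amount__c"],
    }
    object_perms = [
        {"SobjectType": "Account", "PermissionsCreate": True, "PermissionsModifyAllRecords": True},
        {"SobjectType": "Contact", "PermissionsCreate": True, "PermissionsModifyAllRecords": False},
        # Invoice__c: custom object added after the Permission Set was built; no row.
    ]
    field_perms = [
        {"Field": "Account.Industry", "PermissionsRead": True, "PermissionsEdit": True},
        {"Field": "Account.Rating", "PermissionsRead": True, "PermissionsEdit": False},
        {"Field": "Contact.Email", "PermissionsRead": True, "PermissionsEdit": True},
        {"Field": "Invoice__c.Amount__c", "PermissionsRead": True, "PermissionsEdit": True},
    ]
    return audit_permission_set(perm_set, object_perms, field_perms, org_fields)


if __name__ == "__main__":
    r = run_sample_audit()
    print("compliant" if r.ok() else "NOT compliant")
    for label in r.missing_system:
        print(f"  system permission missing: {label}")
    for obj, miss in r.objects_lacking.items():
        print(f"  {obj}: missing {', '.join(miss)}")
    for fld, miss in r.fields_lacking.items():
        print(f"  {fld}: missing {', '.join(miss)}")
```

Run it against live data by feeding it the results of queries on PermissionSet, ObjectPermissions and FieldPermissions filtered to the set's Id, together with the object and field list from describe calls. The object check is the one that drifts most in practice: as the 'Modify All Data' row of the table notes, objects added to the org later are only picked up automatically when that permission is granted, so a Permission Set built by hand needs to be re-audited whenever an AppExchange package or a custom object is added.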