Description
This article will discuss the different aspects of how External users work within an Veritas Alta SaaS Protection tenant.
External users are defined as either:
Users not in your corporate domain that have been granted shared access to content in Veritas Alta SaaS Protection, and/or;
Shadow users, which are identities present in the access rights of your archived data, but are not found in your directory. For more information, see Understanding shadow users in Veritas Alta SaaS Protection.
Before we look at how you can configure and manage external users, it is important to first understand how authentication and authorization work for external users.
Authentication
When an internal user shares Veritas Alta SaaS Protection content externally, the user must provide the email address of the grantee of the share. This email address must be associated with a Microsoft account. Veritas Alta SaaS Protection uses the email address as the claim for authenticating the user, and relies on Microsoft as the trusted identity provider for authentication. Thus, with the sharing notification email that the external user receives containing a link to access the shared content, upon clicking the link the external user is prompted to authenticate. They must use the same email that was used for Veritas Alta SaaS Protection sharing to authenticate with Microsoft, thus the email address must be associated with the user's Microsoft account.
Authorization
After successfully authenticating, the user will have access to the Veritas Alta SaaS Protection User Portal. Inside the portal, two levels of authorization determine what the user is able to access and what actions they may perform:
Access rights -- The user will only be able to access folders and items to which they have access rights, and:
Veritas Alta SaaS Protection role-based access control (RBAC) -- The user can only execute features to which they are authorized via Veritas Alta SaaS Protection RBAC layer.
How to Manage External Users in Veritas Alta SaaS Protection
By default, all external users are enrolled in the 'Default' role in Veritas Alta SaaS Protections authorization layer. The 'Default' role can be configured as you wish. This makes it easy to globally manage all external users. See What is the 'Default' Role Used for in Veritas Alta SaaS Protection?
Veritas Alta SaaS Protection lists all identities in the Admin Portal under Administration > Permissions > Users & groups. This is a combined list of users and groups synchronized from your corporate directory along with all external users (either named through sharing or generated as shadow users).
From the 'Users & Groups' area, you can manage permissions for users, either individually or through roles. For more information, see How to Use Veritas Alta SaaS Protection Role Based Access Control (RBAC) and Definition of the permissions in the Veritas Alta SaaS Protection authorization\RBAC model.
Controlling External Access for Users
Within the Veritas Alta SaaS Protection Admin portal, there is the option to globally allow or disable the ability for external users to authenticate even when content has been shared with them.
This option is under the Administration > Permissions > Settings
When enabled, it will allow all external users to authenticate and access shared content within Veritas Alta SaaS Protection. This setting serves as a master switch and must be enabled to allow any external user to authenticate.
Was this content helpful?
Translated Content
Please note that this document is a translation from English, and may have been machine-translated. It is possible that updates have been made to the original version after this document was translated and published. Veritas does not guarantee the accuracy regarding the completeness of the translation. You may also refer to the English Version of this knowledge base article for up-to-date information.