Cohesity Alta SaaS Protection Administrator's Guide
API permissions for Entra ID
The following API permissions are required for Entra ID backup operations.
API name | Claim name | Permissions | Description by Microsoft | Used by Cohesity Alta SaaS Protection |
---|---|---|---|---|
Microsoft Graph | Group.Read.All | Read all groups | Allows the app to read group properties and memberships, and read conversations for all groups, without a signed-in user. | Used to read group information. |
Microsoft Graph | User.Read.All | Read all users' full profiles | Allows the app to read user profiles without a signed-in user. | Used to read user profile details during backup. |
Microsoft Graph | Application.ReadWrite.All | Read and write all applications | Allows the app to create, read, update and delete applications and service principals without a signed-in user. Does not allow management of consent grants. | Used to read application settings and to get token issuance policies and token lifetime policies during backup. |
Microsoft Graph | Directory.Read.All | Read directory data | Allows the app to read all directory data. | Used to read directory data, including user, group, and app information. |
Microsoft Graph | Policy.Read.All | Read your organization's policies | Allows the app to read your organization's policies. | Used to read organizational policies during backup. |
The following API permissions are required for Entra ID restore operations.
API name | Claim name | Permissions | Description by Microsoft | Used by Cohesity Alta SaaS Protection |
---|---|---|---|---|
Microsoft Graph | Directory.ReadWrite.All | Read and write directory data. | Allows the app to read and write data in your organization's directory, such as users and groups, without a signed-in user. Does not allow user or group deletion. | To restore directory data, including users and groups. |
Microsoft Graph | User.ReadWrite.All | Read and write all users' full profiles. | Allows the app to read and write user profiles without a signed-in user. | To restore user profile details during recovery workflows. |
Microsoft Graph | Group.ReadWrite.All | Read and write all groups. | Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write conversations. All of these operations can be performed by the app without a signed-in user. | To restore groups, group properties and memberships for groups. |
Microsoft Graph | Application.ReadWrite.All | Read and write all applications. | Allows the app to create, read, update and delete applications and service principals without a signed-in user. Does not allow management of consent grants. | To create and restore the application registration during recovery processes. |
Microsoft Graph | GroupMember.ReadWrite.All | Read and write all group memberships. | Allows the app to list groups, read basic properties, read and update the membership of the groups this app has access to without a signed-in user. Group properties and owners cannot be updated and groups cannot be deleted. | To update and restore the group membership. |
Microsoft Graph | Device.ReadWrite.All | Read and write devices. | Allows the app to read and write all device properties without a signed-in user. Does not allow device creation, device deletion or update of device alternative security identifiers. | To add group members of Device type during recovery processes. |
Microsoft Graph | OrgContact.Read.All | Read organizational contacts. | Allows the app to read all organizational contacts without a signed-in user. These contacts are managed by the organization and are different from a user's personal contacts. | To read the organizational contacts during recovery workflows. |
Microsoft Graph | AppRoleAssignment.ReadWrite.All | Manage app permission grants and app role assignments. | Allows the app to manage permission grants for application permissions to any API (including Microsoft Graph) and application assignments for any app, without a signed-in user. | To manage app roles and permission grants during recovery operations. |
Microsoft Graph | RoleManagement.ReadWrite.Directory | Read and write all directory RBAC settings. | Allows the app to read and manage the role-based access control (RBAC) settings for your company's directory, without a signed-in user. This includes instantiating directory roles and managing directory role membership, and reading directory role templates, directory roles and memberships. | To restore RBAC settings during recovery workflows. |
Microsoft Graph | Policy.ReadWrite.ApplicationConfiguration | Read and write your organization's application configuration policies. | Allows the app to read and write your organization's application configuration policies, without a signed-in user. | To restore application configuration policies during recovery processes. |
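The two tables above can be used as an allow-list when reviewing what the connector's app registration actually holds. The following is an added example, not Cohesity code: it resolves Microsoft Graph `appRoleAssignments` against the Graph service principal's `appRoles` and reports missing, restore-only, and undocumented grants. The `restore_enabled` flag, the placeholder GUIDs, and the `Mail.Read` sample grant are assumptions constructed for illustration.

```python
# Added example: compare a connector app's granted Microsoft Graph application
# permissions with the claim names in the two tables on this page.
BACKUP = {"Group.Read.All", "User.Read.All", "Application.ReadWrite.All",
          "Directory.Read.All", "Policy.Read.All"}
RESTORE = {"Directory.ReadWrite.All", "User.ReadWrite.All", "Group.ReadWrite.All",
           "Application.ReadWrite.All", "GroupMember.ReadWrite.All",
           "Device.ReadWrite.All", "OrgContact.Read.All",
           "AppRoleAssignment.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
           "Policy.ReadWrite.ApplicationConfiguration"}


def granted_claims(app_roles, assignments):
    """Resolve the appRoleId GUID on each assignment to its claim name."""
    by_id = {role["id"]: role["value"] for role in app_roles}
    return {by_id.get(a["appRoleId"], "unresolved:" + a["appRoleId"])
            for a in assignments}


def audit(granted, restore_enabled):
    """Report gaps and excess relative to the documented permission sets."""
    required = (BACKUP | RESTORE) if restore_enabled else BACKUP
    return {
        "missing": sorted(required - granted),
        # Restore-only claims held while only backup is in use (assumed policy).
        "restore_only": [] if restore_enabled else sorted(granted & (RESTORE - BACKUP)),
        "undocumented": sorted(granted - BACKUP - RESTORE),
    }


def placeholder_guid(n):
    """Constructed placeholder id, not a real Graph appRole id."""
    return "00000000-0000-0000-0000-%012d" % n


# Constructed sample input; Mail.Read stands in for a grant outside both tables.
NAMES = sorted(BACKUP | RESTORE) + ["Mail.Read"]
SAMPLE_APP_ROLES = [{"id": placeholder_guid(i), "value": v} for i, v in enumerate(NAMES)]
HELD = ["Group.Read.All", "User.Read.All", "Application.ReadWrite.All",
        "Directory.Read.All", "RoleManagement.ReadWrite.Directory", "Mail.Read"]
SAMPLE_ASSIGNMENTS = [{"appRoleId": placeholder_guid(NAMES.index(v))} for v in HELD]

if __name__ == "__main__":
    claims = granted_claims(SAMPLE_APP_ROLES, SAMPLE_ASSIGNMENTS)
    for mode in (False, True):
        print("restore_enabled =", mode, audit(claims, mode))
```

In a real review, `app_roles` comes from the Microsoft Graph service principal object and `assignments` from the connector app's service principal.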