Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. Cohesity Alta SaaS Protection Administrator's Guide
  3. Manage users and roles
  4. Permissions tab
Cohesity Alta SaaS Protection Administrator's Guide

Permissions tab

Cohesity Alta SaaS Protection offers the capability to implement role-based access control (RBAC) for its tenants. RBAC lets you grant users access and permissions according to their specific organizational roles.

The following table describes the permissions in Cohesity Alta SaaS Protection.

Table: General settings permissions

General settings

Description

Access all items

It permits the user to access and restore all content of the tenant.

Also, by selecting the following respective checkboxes, you can prevent the user from sharing, downloading, restoring, and restoring to an alternative location.

  • Prevent administrative sharing.

  • Prevent Item Preview and Download.

  • Prevent restore.

  • Prevent restore outside of original location.

Full admin

It permits the user with all permissions except Access All Items, Add Content, and API Impersonation.

To mitigate the risks associated with the Full Admin account, provision this account only on-demand to prevent account sharing.

Add content

The assigned user can add new content to the tenant, typically the Service account.

View only

It permits the user to sign in to the Administration portal without the ability to add, modify, or delete anything.

Delete content

It permits the user to delete backed-up items.

Table: End-User permissions

End-User settings

Description

End-User SharePoint stubbing restore

It permits an end-user to restore a stubbed item by clicking on it using the End-User portal.

End-User retrieval and download

It permits an end-user to download a stubbed item by clicking on it using the End-User portal.

End-user portal

It permits an end-user to perform the following action on the End-User portal:

  • Search for the required item.

  • Share items internally and externally.

  • Restore the items.

Table: Administration portal permissions

Administration portal settings

Description

Administration App

It permits the user to sign in to the Administration portal.

You can select the following checkboxes for the permissions you want to grant the user.

  • Manage permissions: It permits the user to manage permission and roles for other users.

  • Provisioning: It permits the user to perform the initial provisioning operations (used by the Cohesity Alta SaaS Protection team only).

  • View auditing: It permits the user to access the Auditing module and enable auditing as required.

  • Manage connectors: It permits the user to add connectors. Important: A user who is a member of a Custodian group should not be assigned this permission.

Manage Scope

It permits the user to view and manage Scopes.

  • If a user is added to a Scope and does not have Managed Scope permission, then the user can only see the connectors that are part of the Scope to which the user is added.

  • If the user is assigned with the Managed Scope permission (it does not matter if the user has Scopes), then the user can see all connectors, including those created using a Scope.

Analytics App

It permits the user to access the Analytics module.

Tagging App

It permits the user to access the Tagging module.

Discovery app

It permits the user to access the Discovery module.

You can select the following checkboxes for the permissions you want to grant the user:

  • Create cases: It permits a user to create Discovery cases.

  • All cases full admin: It permits a user to view and manage all Discovery cases with full rights.

Retention App

It permits the user to access the Retention module.

License App

It permits the user to access the License module.

System App

It permits the user to access the System module.

Chargeback App

It permits the user to access the Chargeback module.

Storage Tiering App

It permits the user to access the Tiering module.

Monitoring App

It permits the user to view the Monitoring module.

Table: API settings

API settings

Description

API

It permits the user to access a wide range of general API. This permission is required for all Service accounts.

API Blobless Archive

It permits the user to allow the Connector service to operate with the Blobless Archive option on a connector.

It is advisable to grant and use this permission solely in a drive-shipping scenario.

API Impersonation

It permits the user to impersonate another user by the API.

The Permissions tab lets you manage user access and roles, with options for user and group management, roles administration, managing unrecognized and external users.

Feedback

Was this page helpful?
Previous

Role-based access control

Next

Users and groups page

Feedback

Was this page helpful?