Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. Cohesity Alta SaaS Protection Administrator's Guide
  3. Protect SharePoint sites and data
  4. End-user SharePoint data access in Cohesity Alta SaaS Protection
Cohesity Alta SaaS Protection Administrator's Guide

End-user SharePoint data access in Cohesity Alta SaaS Protection

End users can access Cohesity Alta SaaS Protection data either directly by the End-User portal or indirectly by stubs. End-users can only access data in Cohesity Alta SaaS Protection for which they have permissions at source. Cohesity Alta SaaS Protection captures this information while taking a backup. This section explains how access details at source are replicated in Cohesity Alta SaaS Protection for SharePoint/OneDrive and Teams Sites.

See Guidelines to configure Stubbing policy for SharePoint Online.

General
  • By default, Cohesity Alta SaaS Protection captures only access information for site, list, and folder level permissions from the source.

    To capture access information at item level, contact support.

  • Cohesity Alta SaaS Protection only captures access details for users who have SharePoint direct-access permissions.

  • When permissions change at the source, changes in Cohesity Alta SaaS Protection are only reflected when the connector successfully backs up the source at its scheduled time.

  • Cohesity Alta SaaS Protection only allows access to files for end-users or groups with the SharePoint permission levels that include the following list permissions:

    • Open items: Mapped to Cohesity Alta SaaS Protection Read, end user can preview, download, and restore files from the End-User portal or download and restore files from stub.

    • Edit items: Mapped to Cohesity Alta SaaS Protection Write, there are no Cohesity Alta SaaS Protection operations which use this for now.

    • Delete items: Mapped to Cohesity Alta SaaS Protection Delete, there are no Cohesity Alta SaaS Protection operations which use this for now.

  • If a user or group has SharePoint permission level with any other permission, then access will not be permitted. For example:

    • For a SharePoint permission level with only the View Items or View Application Pages permissions, access will not be permitted. Default SharePoint permission levels that use only View Items permission include Restricted View, View Only, and Download Only.

      When files are stubbed, users with these permission levels will not be able to access the files from the stub.

    • SharePoint permission levels Limited Access also generally does not contain the Open Items permissions, so such access to users with such permissions in Cohesity Alta SaaS Protection will not be permitted.

Directory synchronization with Cohesity Alta SaaS Protection
  • Directory synchronization should be configured as part of the Cohesity Alta SaaS Protection on-boarding process.

  • Cohesity Alta SaaS Protection requires directory synchronization for resolving SharePoint permissions, which are assigned to Entra groups and teams, and permissions, which are given to users with only a UPN and no email address.

  • Directory synchronization by Cohesity Alta SaaS Protection happens once a day. There can be intermittent access issues when changes have been made in Entra to a user or a group and a synchronization has not taken place.

  • Some changes/configurations in Entra can cause issues when doing directory synchronization in Cohesity Alta SaaS Protection, which can cause the end-user to not be able to access files either through the End-User portal or stubs. Contact support in such scenarios.

    For example, frequent UPN changes - After User Principal Name change, end users are unable to download SharePoint items from End-User Portal. (veritas.com).

    • When a UPN is configured as a proxy email address for another user.

  • It is required to synchronize the entire directory with Cohesity Alta SaaS Protection, rather than parts to avoid access issues for end users.

  • If Cohesity Alta SaaS Protection backs up two different AD tenants with shared users (for example, a user in Tenant A is also an external user in Tenant B), permission issues can arise when accessing items assigned to shared users.

Permissions to SharePoint Administrators, SharePoint Groups, Entra Groups, and Teams
  • Site Administrators have full access to items in Cohesity Alta SaaS Protection.

  • For permission at the source with an AD group or Team members, a single permission for that AD Group or Team is created.

  • For permission at the source with a SharePoint group or Team owners, one permission per group member/owner is created in Cohesity Alta SaaS Protection.

    Permissions for 'Everyone', 'NT AUTHORITY\authenticated users', 'Everyone except external users' are mapped to a built-in Cohesity Alta SaaS Protection system group called 'All Internal'.

    • This will grant access to all end-users (including external users in Microsoft Entra) synchronized to Cohesity Alta SaaS Protection by the directory synchronization process to that item.

    • If multiple Microsoft 365 tenants are being backed up then end users in Cohesity Alta SaaS Protection across all tenants will get access to the item.

  • Permissions for the 'Company Administrators' group are not synchronized to Cohesity Alta SaaS Protection as Cohesity Alta SaaS Protection does not support such a group.

OneDrive

For OneDrive content, Cohesity Alta SaaS Protection synchronizes permissions only for the user who owns the OneDrive. So, from the Cohesity Alta SaaS Protection End-User portal and stubs within OneDrive, only the user to whom the OneDrive belongs can access the content.

Sharing links
  • Currently, permissions granted by sharing links are not supported for Teams, SharePoint, and OneDrive.

Feedback

Was this page helpful?
Previous

Supported SharePoint permission objects for backup and restore

Next

Run the Delete and Stubbing policies to the SharePoint Online environment

Feedback

Was this page helpful?