Managing identity and access

You can use the Identity and access management (IAM) panel to manage identity providers, users, and user roles in R‑Cloud.

The scope of tasks you can perform depends on your assigned roles and the selected user interface context:

Managing identity providers

You can integrate R‑Cloud with identity providers that support the OpenID Connect authentication protocol, such as Google, Microsoft, and Okta. Users can then sign in to R‑Cloud securely through these identity providers, without the need to maintain dedicated credentials for R‑Cloud.

Prerequisites

Only when adding identity providers that support the OpenID Connect authentication protocol. R‑Cloud must be registered as a web application within the identity provider that you plan to add to R‑Cloud. When registering R‑Cloud, make sure the following is done:

  • Only if you are using Microsoft as an identity provider. In Azure, R‑Cloud must be given access permissions to the following Azure API: Microsoft Graph with delegated permissions for User.Read.

  • Only if you are using Okta as an identity provider. In Okta, you must select Authorization Code under Client acting on behalf of a user as the grant type.

For instructions on how to register an application, see the respective identity provider documentation.

Adding an identity provider to R‑Cloud

Procedure

  1. In the Identity Providers dialog box, click New.

  2. Enter a name for the identity provider. The name that you specify can contain only lowercase letters and hyphens, must begin and end with a lowercase letter, and cannot be longer than 63 characters.

  3. From the Type drop-down menu, select one of the following types of identity providers, and then follow the instructions:

    Identity provider type | Instructions

    Google
      1. In the Client ID field, enter the application ID that is generated by the identity provider.

      2. In the Client secret field, enter the application secret that is associated with the client ID and generated by the identity provider.

    Microsoft
      1. In the Client ID field, enter the application ID that is generated by the identity provider.

      2. In the Client secret field, enter the application secret that is associated with the client ID and generated by the identity provider.

      3. In the Issuer field, enter the URL of the issuer of the identity provider.

    Okta
    OIDC
    Cognito

  4. Click Copy to Clipboard to copy the redirect URL that you need to input when you create the application integration with R‑Cloud.

  5. Click Save.

  6. Configure your identity provider and enter the redirect URL that you copied. For details on the required format, see the respective identity provider documentation.

You can later do the following:

  • Edit information about any of the existing identity providers by clicking Edit and making the required modifications.

  • Delete any of the existing identity providers by clicking Delete.

Managing users

The R‑Cloud user management system provides security mechanisms to help prevent unauthorized users from accessing protected data. Only users that are given specific rights have access to the data protection environment. These users can be authenticated either by HYCU or any of the supported identity providers. For details on identity providers, see Managing identity providers.

Consideration

The scope of tasks you can perform depends on the selected UI context. In the Protection set context, you can only add users but cannot deactivate or remove them.

Adding a user

  1. In the IAM panel, click New User. The New User dialog box opens.

  2. Enter the email address of the user that you want to add.

  3. Optional, if the user will sign in using an identity provider. Select Generate password to automatically generate a password. The user must change the generated password during the first sign-in.

    Important  If the user has no identity provider configured and you do not generate a password, the user will not be able to sign in to R‑Cloud.

  4. Only if you are adding a user in the Subscription context. Select one of the following options:
    • Assign to subscription

      Assign the user to the subscription.

    • Assign to protection set

      From the list of protection sets, select the one to which you assign the user.

      Tip  You can search for a protection set by entering its name in the Protection set search field and then pressing Enter. By selecting the Name check box, you select all protection sets at once.

  5. From the Role drop-down menu, select the role for the user.

    You can select more than one role if needed. For more information about user roles, see R‑Cloud roles.

  6. Click Save.

Deactivating a user

Consideration

When you deactivate a user, the user can no longer perform any actions. However, the inactive account is preserved in the cloud, including all the data that the user has backed up.

Procedure

  1. In the IAM panel, from the list of available users, select the user that you want to deactivate.

  2. Click Deactivate. The Deactivate User dialog box opens.

  3. Click Deactivate to confirm the deactivation of the user.

Deleting a user

Considerations

  • Deleting a user from R‑Cloud does not remove the user from the cloud.

  • You cannot delete yourself from R‑Cloud.

  • Any upcoming data protection tasks related to the user that you delete will be automatically assigned to you.

Procedure

  1. In the IAM panel, from the list of available users, select the one that you want to delete.

    Tip  You can also search for a user by entering their name in the Search field.

  2. Click Remove. The Remove Account dialog box opens.

  3. Click Remove to confirm that you want the selected user to be deleted from R‑Cloud.

Managing roles

A role determines the scope of actions that can be performed in the R‑Cloud data protection environment by a specific user or service account. This means that access to data and information within the data protection environment is limited based on the assigned role. As an administrator, you can manage these roles and define what actions can be performed by each user or service account.

Considerations

  • By default, each user that signs in to R‑Cloud and each configured service account has the Administrator role assigned.

  • At least one user with the Administrator role assigned must exist in the data protection environment for each subscription, at the subscription level.

  • User roles are inherited from the subscription level to all protection sets under one subscription. User roles set in a protection set are local to that protection set.

R‑Cloud roles

A user or a service account can be assigned one or more of the following roles:

Role | Allowed actions
Administrator | Perform all actions in the data protection environment.
Backup Operator | Define backup strategies, back up SaaS applications, applications, instances, and buckets, and acquire the same information as Viewer.
Restore Operator | Restore SaaS applications, applications, instances, and buckets, and acquire the same information as Viewer.
Viewer | Acquire information about SaaS applications, applications, instances, buckets, policies, targets, tasks, events, reports, service accounts, and protection sets in the data protection environment.
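
The role rules above (inheritance from the subscription level, local protection set roles, and the required subscription-level Administrator) can be modeled for an access review. The following is an added example, not R‑Cloud code: the dictionary layout, user names, and protection set names are constructed assumptions, not an R‑Cloud export format.

```python
# Added example: role data below is constructed; the dict layout is an
# assumption for illustration, not an R-Cloud export format.
ADMIN = "Administrator"

SUBSCRIPTION_ROLES = {  # roles assigned at the subscription level
    "alice@example.com": {"Administrator"},
    "bob@example.com": {"Viewer"},
}
PROTECTION_SET_ROLES = {  # roles assigned inside one protection set (local)
    "finance": {"bob@example.com": {"Backup Operator"},
                "carol@example.com": {"Administrator"}},
    "hr": {"dave@example.com": {"Restore Operator"}},
}

def effective_roles(sub_roles, pset_roles):
    """Per protection set: inherited subscription roles plus local roles."""
    result = {}
    for pset, local in pset_roles.items():
        merged = {user: set(roles) for user, roles in sub_roles.items()}
        for user, roles in local.items():
            merged.setdefault(user, set()).update(roles)
        result[pset] = merged
    return result

def subscription_admins(sub_roles):
    """Users holding Administrator at the subscription level."""
    return sorted(u for u, roles in sub_roles.items() if ADMIN in roles)

def can_unassign_admin(sub_roles, user):
    """True only if another subscription-level Administrator would remain."""
    return any(u != user for u in subscription_admins(sub_roles))

def review(sub_roles, pset_roles):
    """Findings for an access review, as sorted strings."""
    findings = []
    admins = subscription_admins(sub_roles)
    if len(admins) == 1:
        findings.append(f"only one subscription-level Administrator: {admins[0]}")
    for pset, users in effective_roles(sub_roles, pset_roles).items():
        for user, roles in users.items():
            if ADMIN in roles and user not in admins:
                findings.append(f"{user} is Administrator only in {pset}")
    return sorted(findings)

if __name__ == "__main__":
    for line in review(SUBSCRIPTION_ROLES, PROTECTION_SET_ROLES):
        print(line)
```
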

Assigning or unassigning roles

Consideration

If you plan to remove your own Administrator role, keep in mind the following:

  • At least one user with the Administrator role assigned must exist in the data protection environment for each subscription.
  • You will not be able to change your role back to Administrator yourself.

Procedure

  1. In the IAM panel, from the list of available users, select the user for whom you want to change the roles and then click Edit.

  2. In the Edit Role dialog box, from the drop-down list, select the roles that you want to assign or unassign. You can select or deselect roles individually or you can click Select all to select all roles at once.

  3. Click Save to save the selected roles.

Requesting a password reset

If a user signs in to R‑Cloud with HYCU credentials and their password needs to be changed because of company policy requirements or for security reasons, send the user a password reset request.

Procedure

  1. In the IAM panel, from the list of available users, select the user that should reset their password, and then click Edit.

  2. Click Request password reset.

  3. Click Request password reset to confirm that you want to request a password reset for this user.

The user will receive an email containing the password verification code that allows them to reset the password the next time they sign in to R‑Cloud.