Managing identity and access

You can use the Identity and access management (IAM) panel to manage users and identity providers in R‑Cloud.

Prerequisite

You must have the Administrator role assigned.

Depending on what you want to do, see one of the following topics:

To access the IAM panel, in the navigation pane, click IAM.

Managing users

The R‑Cloud user management system provides security mechanisms to help prevent unauthorized users from accessing protected data. Only users that are given specific rights have access to the data protection environment. These users can be authenticated either by HYCU or by any of the supported identity providers. For details on identity providers, see Managing identity providers.

Users can be managed on the level of the currently selected subscription or the currently selected protection set. Therefore, the scope of tasks that you can perform depends on the selected user interface context.

Depending on what you want to do, see one of the following topics:

I want to... UI context Instructions
Add a user to R‑Cloud. Subscription or Protection set Adding a user
Assign or unassing a role, or request a password reset for a user. Subscription or Protection set

Editing a user

Note  For details about roles, see R‑Cloud roles.
Deactivate a user. Subscription Deactivating a user
Remove a user from a protection set. Protection set Removing a user from a protection set
Remove a user from R‑Cloud. Subscription Removing a user from R‑Cloud

R‑Cloud roles

A role determines the scope of actions that can be performed in the R‑Cloud data protection environment by a specific user or service account. This means that access to data and information within the data protection environment is limited based on the assigned role. You can assign or unassign these roles to define what actions can be performed by each user or service account.

A user or a service account can be assigned one or more of the following roles:

Role Allowed actions
Administrator Perform all actions in the data protection environment.
Backup Operator

Define backup strategies, back up SaaS applications, applications, instances, and buckets, and view the same information as Viewer.
Restore Operator

Restore SaaS applications, applications, instances, and buckets, and view the same information as Viewer.
Viewer View information about SaaS applications, applications, instances, buckets, policies, targets, tasks, events, reports, service accounts, and protection sets in the data protection environment.

For instructions on how to assign or unassign a role, see Assigning or unassigning a role.

Adding a user

Procedure

  1. In the IAM panel, click New New User.

  2. Enter the email address of the user that you want to add in lowercase letters.

  3. Optional, if the user will sign in using an identity provider. Select Generate Password to automatically generate a password. The user must change the generated password the first time they sign in to R‑Cloud.

    Important  If the user has no identity provider configured and you do not generate a password, the user will not be able to sign in to R‑Cloud.

  4. Only if you are adding a user in the Subscription context. Select one of the following options:

    • Assign to Subscription

      Assign the user to the subscription.

    • Assign to Protection Set

      From the list of protection sets, select the protection set to which you want to assign the user.

      Tip  You can search for a protection set by entering its name in the Search field and then pressing Enter. By selecting the Name check box, you select all protection sets at once.

  5. From the Role drop-down menu, select the role for the user.

    You can select more than one role if needed. For details on roles, see R‑Cloud roles.

  6. Click Save.

Editing a user

By editing a user, you can assign or unassign a role, or request a user password reset. For details about roles, see R‑Cloud roles.

Depending on what you want to do, see one of the following topics:

Assigning or unassigning a role

Considerations

  • Each user that signs in to R‑Cloud or each configured service account has by default the Administrator role assigned.

  • At least one user with the Administrator role assigned must exist in the data protection environment for each subscription, at the subscription level.

  • User roles are inherited from the subscription level to all protection sets under one subscription. User roles set in a protection set are local to that protection set.

  • When unassigning a role, consider the following:

    • For the Protection Set context: If a user has an inherited role from the Subscription context, you can unassign all the roles assigned to the user in the Protection Set context.

    • For the Subscription context: If a user has at least one role assigned in the Protection Set context, you can unassign all the roles assigned to the user in the Subscription context.

  • If you plan to remove your own Administrator role, keep in mind the following:

    • At least one user with the Administrator role assigned must exist in the data protection environment for each subscription.
    • You will not be able to change your role back to Administrator yourself.

Procedure

  1. In the IAM panel, from the list of available users, select the user for whom you want to change the role, and then click Edit Edit.

  2. In the Edit Role dialog box, from the drop-down list, select the role that you want to assign or unassign.

    If you want to assign or unassign more than one role, you can select or deselect the roles individually, or you can click Select all to select all roles at once.

  3. Click Save.

Requesting a password reset

If a user signs in to R‑Cloud by using the HYCU credentials, and their password should be changed due to company policy requirements or safety reasons, you can send the user a password reset request.

Procedure

  1. In the IAM panel, from the list of available users, select the user that should reset their password, and then click Edit Edit.

  2. Click Request Password Reset.

  3. Click Request Password Reset to confirm that you want to request a password reset for this user.

The user will receive an email containing the password verification code that allows them to reset the password the next time they sign in to R‑Cloud.

Deactivating a user

Considerations

  • When you deactivate a user, the user can no longer perform any actions. However, the inactive account is preserved in cloud, including all the data that the user backed up.

  • Deactivating a user is available in the Subscription context.

Procedure

  1. In the IAM panel, from the list of available users, select the user that you want to deactivate.

  2. Click Deactivate Deactivate.

  3. Click Deactivate to confirm that you want to deactivate the user.

Removing a user from a protection set

Prerequisite

The Protection set context must be selected.

Considerations

  • You cannot remove a user that has an inherited role from the Subscription context.

  • Removing a user from the currently selected protection set does not remove the user from R‑Cloud if they are a member of other protection sets.

Procedure

  1. In the IAM panel, from the list of available users, select the user that you want to remove from the currently selected protection set.

    Tip  You can also search for a user by entering their name in the Search field.

  2. Click Remove Remove.

  3. Click Remove to confirm that you want to remove the user from the protection set.

Removing a user from R‑Cloud

Prerequisite

The Subscription context must be selected.

Considerations

  • You cannot remove yourself from R‑Cloud.

  • Any upcoming data protection tasks related to the user that you remove will be automatically assigned to you.

Procedure

  1. In the IAM panel, from the list of available users, select the one that you want to remove from R‑Cloud.

    Tip  You can also search for a user by entering their name in the Search field.

  2. Click Remove Remove.

  3. Click Remove to confirm that you want to remove the user from R‑Cloud.

Managing identity providers

You can integrate R‑Cloud with identity providers that support the OpenID Connect authentication protocol, such as Google, Microsoft, and Okta. This gives users the possibility to securely sign in to R‑Cloud by using these identity providers, without the need to maintain dedicated credentials for R‑Cloud.

Consideration

Managing identity providers is available in the Subscription context.

Recommendation

In addition to users that will be authenticated by identity providers, it is recommended that your data protection environment contains at least one user that is authenticated by HYCU. This ensures that R‑Cloud can be accessed if the identity provider is unavailable for any reason.

To access the Identity Providers dialog box, in the Subscription context, in the IAM panel, click Identity Providers Identity Providers.

Adding an identity provider to R‑Cloud

Prerequisites

R‑Cloud must be registered as a web application within the identity provider that you plan to add to R‑Cloud. When registering R‑Cloud, make sure the following is done:

  • For Microsoft: In Azure, R‑Cloud must be given access permissions to the Microsoft Graph API with delegated permissions for User.Read.

  • For Okta: In Okta, you must select Authorization Code under Client acting on behalf of a user as the grant type.

For instructions on how to register an application, see the respective identity provider documentation.

Recommendation

For Okta: By following the procedure described in this topic, you can enable users to sign in to R‑Cloud with the Okta IdP. However, it is recommended that you configure single sign-on (SSO) with the Okta Integration Network (OIN) application. For instructions, see Configuring R‑Cloud SSO with Okta.

Procedure

  1. In the Identity Providers dialog box, click New New.

  2. Enter a name for the identity provider. The name that you specify must contain only lowercase letters and hyphens, it must begin and end with a lowercase letter, and it may not be longer than 63 characters.

  3. From the Type drop-down menu, select one of the following types of identity providers, and then follow the instructions:

    Identity provider type Instructions
    Google

    1. In the Client ID field, enter the application ID that is generated by the identity provider.

    2. In the Client Secret field, enter the application secret that is associated with the client ID and generated by the identity provider.
    Microsoft

    1. In the Client ID field, enter the application ID that is generated by the identity provider.

    2. In the Client Secret field, enter the application secret that is associated with the client ID and generated by the identity provider.

    3. In the Issuer field, enter the URL of the issuer of the identity provider.

    Okta
    OIDC
    Cognito

  4. Click  Copy to Clipboard to copy the redirect URL that you need to enter when you create the application integration with R‑Cloud.

  5. Click Save.
  6. Configure your identity provider and enter the redirect URL that you copied. For details on the required format, see the respective identity provider documentation.

You can later do the following:

  • Edit information about any of the existing identity providers by clicking Edit Edit and making the required modifications.

  • Delete any of the existing identity providers by clicking Delete Delete.