Adding a SaaS instance

To be able to protect SaaS application data, you must add the SaaS instance to which the SaaS application is related as a source to R‑Cloud.

Staging target

If the R-Cloud module that enables adding your SaaS instance to R‑Cloud supports storing data on a staging target, as part of adding the SaaS instance, you also add an Amazon S3 bucket, a Google Cloud bucket, or an S3 compatible bucket to R‑Cloud as a staging target. The staging target is used either to temporarily store SaaS application data before it is moved to the target that you define in the R‑Cloud policy, or to store SaaS application data as a snapshot. For information on whether an R-Cloud module supports staging targets, see Protecting SaaS applications.

Prerequisites

Only if you plan to add the SaaS instance to a protection set other than the default one. The protection set must be created. For instructions, see Creating a protection set.
Only if the R-Cloud module supports storing data on a staging target. The staging target that you plan to add to R‑Cloud must be created in Amazon S3 or Google Cloud Storage.
Only if the R-Cloud module supports OAuth 2.0 and you want to use it to access the SaaS application data. The OAuth 2.0 application credentials must be available to R‑Cloud. You can use the global OAuth 2.0 application credentials that R‑Cloud generates automatically for you and adds them to R‑Cloud, or the custom OAuth 2.0 application credentials that you need to add to R‑Cloud yourself.

You can add the custom OAuth 2.0 application credentials as part of adding a SaaS instance, or use the ones that you already added as part of adding a cloud account to R‑Cloud. For details, see Adding OAuth 2.0 application credentials.

Limitations

Only if the R-Cloud module supports storing data on a staging target. When adding a staging target to R‑Cloud, the following limitations apply:

Targets that are specified in any of the R‑Cloud policies cannot be used as staging targets.
Targets with Object Lock (WORM) enabled cannot be used as staging targets.
Automatically created staging targets are created only in Google Cloud Storage.
The staging target that you add to R‑Cloud when adding a SaaS instance and the target that is defined in the policy assigned to the related SaaS application must reside on the same cloud platform.

Considerations

If you assign a data mover configuration to a SaaS application that already inherits a data mover configuration from the related SaaS instance, the manually assigned data mover configuration will be used.
Only if the R-Cloud module supports storing data on a staging target. When adding a staging target to R‑Cloud, consider the following:
- The staging target must be dedicated exclusively to SaaS application backups.
- Data belonging to different SaaS instances cannot be stored on the same staging target (one staging target per SaaS instance).
- If you use an automatically created staging target, the HMSA must be configured to perform all operations on the target specified in the policy that is assigned to the related SaaS application. Alternatively, the same cloud account must be configured to perform all operations on both targets (the staging target and the target specified in the policy that is assigned to the related SaaS application).
Only if the R-Cloud module requires using a data mover configuration. The Use data mover configuration switch will be automatically enabled by default. In this case, you must use an existing or a new data mover configuration.
Only if the R-Cloud module supports OAuth 2.0. If renewing consent is required after you added a SaaS instance and granted access to the registered application, an event is created in R‑Cloud and an email is sent to the R‑Cloud administrator. You can renew consent by editing the application credentials of the SaaS instance in the Sources panel.

Procedure

In the Sources panel, click Add.
Select SaaS, and then click Next.
From the R‑Cloud Module drop-down menu, select the appropriate R-Cloud module for the SaaS instance that you want to add to R‑Cloud.
In the Display Name field, enter a display name for the SaaS instance.
Only if you are adding the SaaS instance in the Subscription context. From the Protection Set drop-down menu, select the protection set to which you want to add the SaaS instance.
Only if the R-Cloud module supports storing data on a staging target. From the Staging Target drop-down menu, select the staging target that you want to use for storing the data.

If the R-Cloud module supports automatically created targets and you want your staging target to be selected automatically, make sure to select the Automatically selected option. In this case, R‑Cloud creates a staging target and uses it to temporarily store the data.

Depending on whether the R-Cloud module supports OAuth 2.0, select the preferred authentication type, and then provide the required authentication information:

If the R-Cloud module supports OAuth 2.0 and you want to use it to access the SaaS application data:

From the Authentication Type drop-down menu, select one of the following authentication types:

Authentication type	Description
OAuth 2.0 - authorization code	Your application authorization code and the client credentials are exchanged for an access token that must be refreshed periodically or when the SaaS instance configuration changes.
OAuth 2.0 - authorization code with certificate	Your application authorization code and the certificate are exchanged for an access token that must be refreshed periodically or when the SaaS instance configuration changes.
OAuth 2.0 - client credentials	Your application credentials are exchanged for an access token.
OAuth 2.0 - client credentials with certificate	Your application certificate is used for acquiring an access token.
OAuth 2.0 - pre-approved client credentials	Your application credentials are exchanged for an access token without the need to grant consent.
OAuth 2.0 - pre-approved client credentials with certificate	Your application certificate is used for acquiring an access token without the need to grant consent.

Specify the requested authentication information.
Above the application credentials list, click New.

From the Application Credentials drop-down menu, select the OAuth 2.0 application credentials that you want to add to R‑Cloud. If such OAuth 2.0 application credentials are not already added to R‑Cloud, you can add them as follows:

In the drop-down menu, click Add New. You are automatically redirected to the Add OAuth 2.0 Application Credentials dialog box.

In the Name field, enter a name for your OAuth 2.0 application credentials.
From the Protection Set drop-down menu, select the protection set to which you want to add the OAuth 2.0 application credentials. By default, the OAuth 2.0 application credentials are added to the currently selected protection set.
From the Application Platform drop-down menu, select the platform that hosts your registered application.
In the Client ID field, enter the client ID of the registered application.

From the Authentication Method drop-down menu, select one of the following authentication methods, and then do as requested:

Authentication method	Instructions
Client Secret	Enter the client secret of the registered application.
Certificate	Browse and upload the client private key. Only if the private key is encrypted. Enter the private key passphrase.

Click Save.

Click Grant Consent to grant access to the registered application. You are redirected to the platform that hosts your registered application.

If the R-Cloud module does not support OAuth 2.0: Select your authentication type, and then specify the requested authentication information, such as the organization name, the user name, API tokens, the preferred service account, and so on.

For protecting Google SaaS applications:
1. Only if you want a service account other than the HMSA to be used for performing all operations on the target. From the Service Account drop-down menu, select the preferred service account.
  By clicking Add New, you are automatically redirected to the dialog box that enables you to add the preferred cloud account to R‑Cloud, if not already added.
2. Click Grant Consent to open the HYCU Managed Service Account configuration wizard that guides you through all the required steps of enabling the HMSA for the Google Cloud project.
Return to the R‑Cloud web user interface.
Only if the R-Cloud module requires using a data mover configuration or if you want to use a specific data mover configuration with the related SaaS applications. Make sure the Use data mover configuration switch is enabled, and then, from the Data Movers drop-down menu, select an existing data mover configuration.

By clicking Add New, you are automatically redirected to the dialog box that enables you to add new data mover configuration. For details, see Creating a data mover configuration.
Click Save.

The SaaS instance is added to the list of sources. You can later do the following:

Edit any of the existing SaaS instances (click Edit and make the required modifications).
Remove the SaaS instances that you do not need anymore (click Remove). Before removing a SaaS instance from R‑Cloud, make sure that the following prerequisites are met:
- The policy must be unassigned from the SaaS application related to the SaaS instance. To unassign the policy from the SaaS application, in the SaaS panel, select the application, and then click Set Policy. Click Unassign, and then click Yes to confirm that you want to unassign the policy from the selected SaaS application.
- No restore points may be present for the SaaS application related to the SaaS instance. If the SaaS application still has valid restore points, you must expire them manually and wait for the next retention maintenance task to finish before removing the SaaS instance. For details on how to expire restore points, see Expiring backups manually.
- No tasks with the Ready status or a progress bar indicating the Running status may be present for the SaaS application related to the SaaS instance.