Understanding Shadow Users in Cohesity Alta SaaS Protection

Article: 100050021
Last Published: 2025-08-27
Product(s): Alta SaaS Protection

Description

Cohesity Alta SaaS Protection (CASP) has the concept of 'Shadow Users'. These are users that CASP creates automatically if the directory provider finds any security identifiers in the data that do not resolve to a user or group.
 
A shadow user is a placeholder account that represents an identity present in the data but not in the directory. Shadow users are shown in the CASP Administration Portal (Administration -> Permissions -> Users and groups) as an 'External user'.
 
 
Any of the custodian-based policies or search capabilities in CASP allow you to specify shadow users. If a shadow user is later discovered by the directory provider, CASP automatically resolves the pre-existing access rights mapping for that identity.
 
This is done for two reasons:
  1. It allows CASP to archive content from your organization prior to your first directory synchronization completing.
  2. It enables data governance in orphaned data scenarios. Often, what's in the scope of archiving is data that's orphaned (content where all users with access rights are no longer at the organization). In CASP, automatic shadow user profiles provide an efficient way of identifying orphan content in your archive. CASP's ability to leverage custodians in searches and policies means that you can specifically target orphaned users' data. For instance, perhaps you wish to run a retention policy specifically for orphaned data, or exclude it from a Discovery search.
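
A conceptual model of the behaviour described above, added here as an illustration and not Cohesity's code or API: the `Archive` and `Identity` classes, the SIDs and the item names are all constructed assumptions. It shows content archived before the first directory sync, shadow identities resolving in place once the directory knows them, and orphaned content being whatever is still held only by shadow users.

```python
# Conceptual model only: not CASP code or its API. SIDs, names and items are constructed.
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Identity:
    sid: str
    name: str | None = None  # None until the directory resolves the SID

    @property
    def is_shadow(self) -> bool:
        return self.name is None

@dataclass
class Archive:
    identities: dict[str, Identity] = field(default_factory=dict)
    acls: dict[str, set[str]] = field(default_factory=dict)  # item -> SIDs with access

    def ingest(self, item: str, sids: set[str], directory: dict[str, str]) -> None:
        """Archive an item; any SID the directory cannot resolve gets a placeholder."""
        self.acls[item] = set(sids)
        for sid in sids:
            ident = self.identities.setdefault(sid, Identity(sid))
            ident.name = directory.get(sid, ident.name)

    def sync(self, directory: dict[str, str]) -> None:
        """A shadow identity found later is resolved in place, so the access
        rights mapping recorded at ingest time carries over unchanged."""
        for sid, ident in self.identities.items():
            if sid in directory:
                ident.name = directory[sid]

    def shadow_users(self) -> set[str]:
        return {sid for sid, ident in self.identities.items() if ident.is_shadow}

    def orphaned_items(self) -> set[str]:
        """Items where every identity with access rights is still a shadow user."""
        return {item for item, sids in self.acls.items()
                if sids and all(self.identities[s].is_shadow for s in sids)}

def demo():
    archive = Archive()
    # Reason 1: content is archived before the first directory sync completes.
    archive.ingest("budget.xlsx", {"S-1-5-21-1-1001"}, directory={})
    archive.ingest("plan.docx", {"S-1-5-21-1-1001", "S-1-5-21-1-1002"}, directory={})
    archive.ingest("old-notes.txt", {"S-1-5-21-1-1099"}, directory={})
    before = archive.orphaned_items()
    archive.sync({"S-1-5-21-1-1001": "alice", "S-1-5-21-1-1002": "bob"})
    # Reason 2: whatever is still unresolved after sync identifies orphaned data.
    return before, archive.orphaned_items(), archive.shadow_users()
```

In this model an item with at least one resolved identity is never counted as orphaned, which is why a custodian filter on shadow users alone can over-select compared with a true orphan check.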

 
