Important Update: Cohesity Products Documentation


All Cohesity product documentation are now managed via the Cohesity Docs Portal: https://docs.cohesity.com/HomePage/Content/home.htm. Some documentation available here may not reflect the latest information or may no longer be accessible.

Cohesity Alta SaaS Protection Administrator's Guide

Last Published:
Product(s): Alta SaaS Protection (3.10.1)
  1. Introduction to Veritas Alta SaaS Protection
    1.  
      About Veritas Alta SaaS Protection
    2.  
      Features of Veritas Alta SaaS Protection
    3.  
      Architecture of Veritas Alta SaaS Protection
    4.  
      Operational workflow
    5.  
      Extra Data Backup (EDB)
  2. Veritas Alta SaaS Protection Copilot (AI chatbot)
    1.  
      Veritas Alta SaaS Protection Copilot (AI chatbot)
  3. Veritas Alta SaaS Protection Administrator portal (Web UI)
    1.  
      About Veritas Alta SaaS Protection Administration portal
    2.  
      Configure Veritas Alta SaaS Protection Administration portal
    3.  
      View upgrade history
  4. Supported SaaS workloads
    1.  
      Supported SaaS workloads and backup capabilities
  5. Workflow to protect data using Veritas Alta SaaS Protection
    1.  
      Workflow to protect data using Veritas Alta SaaS Protection
    2.  
      Know your subscription details
  6. Manage users and roles
    1.  
      Role-based access control
    2. Permissions tab
      1.  
        Users and groups page
      2.  
        Roles page
      3.  
        Unrecognized users page
      4.  
        Settings page
  7. API permissions
    1.  
      API permissions for Microsoft 365 workloads
    2.  
      API permissions for Gmail and Google Drive
    3.  
      System and API permissions for Salesforce
    4.  
      API permissions for Entra ID
    5.  
      App permissions of Web App
  8. What is a connector?
    1.  
      What is a connector?
    2.  
      About transient errors
    3.  
      Overview of adding connectors
    4.  
      Configure General settings
    5.  
      Configure Capture scope
    6.  
      Configure User filter
    7.  
      Configure Group filter
    8.  
      Configure Folder filter
    9. Configure credentials
      1.  
        Assign Microsoft 365 apps registration
      2.  
        Microsoft 365 apps registration status
      3.  
        Manually approve Microsoft 365 apps registration
      4.  
        Approve Microsoft 365 apps using the App Consent Grant utility
      5.  
        Microsoft 365 apps recovery
    10.  
      Configure Custom backup policy and guidelines
    11.  
      Configure Delete policy for SharePoint Online and guidelines
    12.  
      Configure Stubbing policy
    13.  
      Guidelines to configure Stubbing policy for SharePoint Online
    14.  
      Schedule a backup
    15.  
      Configure email addresses to get notifications
    16.  
      Review configuration and edit/save/initiate backup
    17.  
      Connectors page
    18.  
      Connector status
    19.  
      Edit connector configuration
    20.  
      Delete connectors
  9. Pre-requisites to setup protection for M365
    1.  
      Pre-requisites to setup protection for M365
  10. Protect Microsoft 365 Multi-Geo tenant
    1.  
      Considerations for adding SharePoint/Teams Sites/OneDrive connectors for Microsoft 365 Multi-Geo tenant
  11. Protect Exchange Online data
    1. Setting up Exchange Online data protection with Veritas Alta SaaS Protection
      1.  
        Configure capture scope for Exchange connectors
  12. Protect SharePoint sites and data
    1. Setting up SharePoint Online protection with Veritas Alta SaaS Protection
      1.  
        Configure capture scope for SharePoint connectors
      2.  
        Configure additional backup options for SharePoint/Teams site/ OneDrive connectors
    2. Backup and restore support for SharePoint Online
      1.  
        Supported and unsupported SharePoint Objects, Properties, Settings, and Types for backup and restore
      2.  
        Supported Sites and List templates for backup and restore
      3.  
        Supported SharePoint permission objects for backup and restore
    3.  
      End-user SharePoint data access in Veritas Alta SaaS Protection
    4.  
      Run the Delete and Stubbing policies to the SharePoint Online environment
    5.  
      Backup limitations for SharePoint Online
  13. Protect Teams sites
    1. Setting up Teams Site protection with Veritas Alta SaaS Protection
      1.  
        Configure capture scope for Team site collections connectors
    2.  
      Backup limitations for Teams site collections
  14. Protect OneDrive data
    1. Setting up OneDrive protection with Veritas Alta SaaS Protection
      1.  
        Configure capture scope for OneDrive connectors
  15. Protect Teams chats
    1. Setting up Teams chat protection with Veritas Alta SaaS Protection
      1.  
        Configure capture scope for Teams chat connectors
    2.  
      Backup limitations for Teams chat
  16. Protect Google Drive data
    1.  
      Prerequisites to setup Google Drive protection with Veritas Alta SaaS Protection
    2. Setting up Google Drive protection with Veritas Alta SaaS Protection
      1.  
        Configure Capture scope Google Drive connectors
    3.  
      Backup limitations for Google Drive
    4.  
      FAQs
  17. Protect Gmail data
    1.  
      Prerequisites to setup Gmail protection with Veritas Alta SaaS Protection
    2. Setting up Gmail protection with Veritas Alta SaaS Protection
      1.  
        Configure capture scope for Gmail connectors
  18. Protect Audit logs
    1.  
      Add Audit log connectors
    2.  
      Audit log connector limitations
  19. Protect Salesforce data and metadata
    1.  
      About Salesforce protection
    2. Key considerations and prerequisites for adding Salesforce connectors
      1.  
        Configure User, Profile, and Connected App for Salesforce
    3.  
      Add Salesforce connectors
    4.  
      Limitations of Salesforce connectors
    5.  
      Salesforce Objects not supported for backup
  20. Protect Entra ID objects
    1.  
      Setting up Entra ID protection with Veritas Alta SaaS Protection
    2.  
      Backup and restore limitations for Entra ID
  21. Protect Box data
    1.  
      Prerequisites for Box connectors configuration
    2. Setting up Box protection with Veritas Alta SaaS Protection
      1.  
        Configure capture scope for Box connector
    3.  
      Backup limitations for Box data
  22. Protect Slack data
    1.  
      Add Slack connectors
  23. Protect Email/Message data
    1.  
      Prerequisite for Email/message connector
    2.  
      Add Email/Messages file
  24. Configure Retention policies
    1.  
      About WORM policies
    2.  
      Ingestion WORM policies page
    3.  
      Add/edit Ingestion WORM retention policies and guidelines
    4.  
      Add/edit At-Rest WORM retention policies
    5.  
      Add/edit Deletion policies
    6.  
      View deletion history
    7.  
      How to edit the policy evaluation interval?
    8.  
      How to add a Location filter?
    9.  
      How to add a filter?
  25. Perform backups
    1.  
      Perform on-demand/ad-hoc backup
    2.  
      Backup dashboard
    3.  
      Video tutorial for connector troubleshooting
    4. View backup events
      1.  
        About Event suppression
      2.  
        Create event suppression rules
    5.  
      Viewing backup tasks details
  26. View and share backed-up data
    1.  
      Browse backed-up data
    2.  
      Share data
    3.  
      Remove data sharing
  27. Analytics
    1.  
      About analytics
    2.  
      Analytics page and refresh behavior
    3.  
      Aggregation buckets
    4.  
      Gain insights into storage utilization
    5.  
      Gain insights into storage utilization for Entra ID and Salesforce connectors
    6.  
      Gain insights into blocked activities, most active users, and more
    7.  
      Gain insights into data volume (size and item count) on legal hold
    8.  
      Gain insights into data volume (size and item count) saved in different Enhanced cases
    9.  
      Gain insights into data volume (size and count) under different policies
    10.  
      Gain insights into data volume (size and item count) under different Tags
    11.  
      Gain insights into data volume (size and item count) under different Tags behaviors
    12.  
      Gain insights into storage savings after deduplication and compression
    13.  
      Gain insights into data ingestion trends
  28. Perform restores using Administration portal
    1.  
      About restore
    2.  
      Prerequisites for restore
    3.  
      Restore Exchange Online mailboxes
    4. Restore SharePoint/OneDrive/Teams Sites and data
      1.  
        Restore of OneDrive, Microsoft 365 Group, and Microsoft Teams sites
      2.  
        Restore limitations for SharePoint Online
    5. Restore Teams chat messages and Teams channel conversations
      1.  
        Restore limitations for Teams chat
    6.  
      Restore O365 audit logs
    7. Restore Box data
      1.  
        Restore limitations for Box
    8. Restore Google Drive data
      1.  
        Overwrite restore behavior for Box/Google Drive data
    9.  
      Restore Gmail data
    10. About Salesforce Data, Metadata, and CRM Content restore and Sandbox seeding
      1.  
        Guidelines for Schema changes in Salesforce organization to prevent restore failures
      2.  
        Restore Standard and Custom objects (Structured data restore)
      3.  
        Custom Object restore - post processing steps
      4.  
        Restore specific Records (Structured data) using Query filters
      5.  
        Restore Salesforce CRM Content (Unstructured data restore)
      6.  
        Restore Salesforce files/documents in Public/Shared libraries (Unstructured data restore)
      7.  
        Limitations of Salesforce Data restore
      8.  
        Salesforce Objects not supported for restore
      9.  
        Key considerations for Salesforce Metadata restore
      10.  
        Restore Salesforce Metadata
      11.  
        Limitations of Salesforce Metadata backup and restore
    11. About Entra ID (Azure AD) objects and records restore
      1.  
        Permissions requirement
      2.  
        Best practices to restore Entra ID objects
      3.  
        Restore an Entra ID object
      4.  
        Restore specific records within Entra ID objects
    12.  
      Restore Slack data
    13.  
      Restore data to File server
    14.  
      Set default restore point
    15.  
      Configure Restore all, Restore all versions, Point-in-time, and Specific range restore options
    16.  
      Configure email addresses for notifications
    17.  
      Downloading an item
  29. Restore dashboard
    1.  
      About Restore dashboard
    2.  
      Restore job statuses
    3.  
      How to cancel a restore job?
    4.  
      View the restore events
  30. Install services and utilities
    1.  
      About services and utilities
    2.  
      Pre-requisites to download and install services and utilities
    3.  
      Downloading services and utilities
    4.  
      Where to install the services and utilities
    5.  
      Installing or upgrading services and utilities
    6.  
      Configuring service accounts for services and utilities
    7. About the Apps Consent Grant Utility
      1.  
        Downloading the Apps Consent Grant Utility
      2.  
        Installing or upgrading the Apps Consent Grant Utility
      3.  
        Post-installation activities for the Apps Consent Grant Utility
  31. Discovery
    1. About eDiscovery/searches
      1.  
        Elasticsearch
    2.  
      Add search templates
    3.  
      Add Discovery cases
    4.  
      Perform ad hoc search and add data to Discovery cases
    5.  
      View data in Discovery cases
    6.  
      Edit Discovery cases
    7.  
      DeleteDiscovery cases
    8.  
      Assign Discovery cases to users
  32. Configure Tagging policies
    1.  
      About the Tagging policy
    2.  
      Add Tags
    3.  
      Add/edit Tagging policies
    4. Adding regular expressions
      1.  
        RegEx and query examples for PII detection
  33. Configure Tiering policy
    1. About the Tiering policy
      1.  
        Storage tiering and full-text search
      2.  
        User experience on storage tiering
      3.  
        Priority for storage Tiering
    2.  
      Add/edit Tiering policies
  34. Auditing
    1.  
      Auditing
  35. Manage Stors (Storages)
    1.  
      Viewing Stors (Storages)
    2.  
      Requesting a new Stor
    3.  
      General tab
    4.  
      Version control settings
    5.  
      Metadata tab
    6.  
      Statistical policies tab
    7.  
      Location-Mapping tab
    8.  
      Backup tab
    9.  
      Custodian Groups tab
    10.  
      Advanced tab
    11.  
      Analytics tab

Configure User, Profile, and Connected App for Salesforce

This topic describes the procedure to create a user, profile, and a Connected App in Salesforce (Lightning Experience) for use by Veritas Alta SaaS Protection.

Before you configure a Connected App, create a dedicated Salesforce user for Veritas Alta SaaS Protection and grant the permissions it needs to perform backup and restore operations using Salesforce APIs.

  • Create a dedicated integration user: Create a Salesforce user (for example, Veritas Backup Admin) that is used exclusively for backup and restore operations.

  • Assign a supported Salesforce license: The Veritas Backup Admin user must be assigned a Salesforce license. Veritas Alta SaaS Protection does not currently support the Salesforce API Integration License, as it provides limited access to Salesforce objects and features.

  • There are two options to create a profile:

    • Option A (recommended): Create a custom profile by cloning System Administrator: Create a new custom profile by cloning the System Administrator profile (for example, Veritas Backup Admin profile).

    • Option B (alternative): Standard User + Permission Set. Use this approach if your organization's security policies do not allow cloning the System Administrator profile.

Option B (alternative): Standard User + Permission Set. Use this approach if your organization's security policies do not allow cloning the System Administrator profile. It is strongly recommended to assign all permissions listed in the Required Permissions table below. These permissions determine what the integration user can read and write through Salesforce APIs during backup and restore. If any permissions are excluded, Veritas assumes that the customer understands the associated risks and may not provide support for related issues.

For Option B (Permission Set approach):

  • Create the permission set and assign all required permissions to the Veritas Backup Admin user before you authorize that user for the Connected App.

  • Create the Veritas Backup Admin user with a Standard User profile (not System Administrator).

  • Assign the permission set to the Veritas Backup Admin user (instead of granting permissions via a cloned admin profile).

Required Permissions (Permission Set Checklist)

Use the checklist below to build the permission set. At a minimum, ensure coverage for object permissions, field-level security, and record types across both standard and custom objects.

  • Object permissions: Modify All and Create permissions for all objects in the Salesforce organization (standard and custom).

  • Field permissions: Read Access and Edit Access for all fields across all objects (standard and custom).

  • Record type permissions: Read and Edit access for all record types across all objects (standard and custom).

  • Additional requirements

    • Ensure all relevant feature permission sets are assigned.

    • Ensure the user has all required feature licenses for any installed AppExchange products.

A few permissions (for example, Modify All Data) can automatically enable other permissions. In addition, Salesforce may auto-enable permissions that are not explicitly listed in the table based on what you select. Do not remove any auto-enabled permissions if they are required for Veritas Alta SaaS Protection features to work as expected.

Table:

Permissions

Data / Metadata / Both

Salesforce Description

Used by Cohesity Alta SaaS Protection for

Access Activities

Data

Access tasks, events, calendar, and email.

Protection (backup and restore) of Tasks, Events, Calendar and Email

Access Libraries

Data

Access libraries.

Protection of Libraries

Apex REST Services

Data

Allow access to Apex REST services

Access to Salesforce APIs

API Enabled

Both

Access any Salesforce.com API.

To access Salesforce APIs for backup and restore of Data and Metadata

Assign Topics

Data

Assign existing topics to feed items. Remove topics from feed items.

Restore of FeedItem (while assigning a topic to FeedItem)

Author Apex

Metadata

Create Apex classes and triggers.

Restore of Apex classes and Triggers

Change Dashboard Colors

Metadata

Choose dashboard color theme and palette.

Restore of Dashboards

Chatter Internal User

Data

Use all Chatter features.

Protection of Chatter Objects

Create and Own New Chatter Groups

Data

Use all Chatter features.

Protection of Chatter Objects

Create Content Deliveries

Data

Create content delivery links to share files that aren't managed by a library. To let a user create content deliveries for files in a library, enable Deliver Content for that user in the library.

Protection of Salesforce Orgs where Content Delivery feature is enabled. Restore of public link Field for the Document/Attachment requires this.

Create Folders for Lightning Email Templates

Metadata

Create Folders for Lightning Email Templates.

Restore of Email Template (in Folder)

Create Libraries

Data

Create libraries.

Restore of Library

Create Public Links

Data

Let users create links to share files externally. Unlike content deliveries, public links can't be password protected. To let a user create links to files in a library, enable Deliver Content for that user in the library.

Restore of Public Links of Documents / Attachments / Files

Create Topics

Data

Create new topics by assigning them to feed items.

Restore of FeedItem (while assigning a topic to FeedItem)

Customize Application

Metadata

Customize the organization using App Setup menu options.

Required for 'Connected App' backup. Restore of various Metadata types, for example, Custom Fields, Page Layout and so on.

Edit HTML Templates

Metadata

Edit Classic HTML Email Templates.

Restore of Email Templates

Edit Read Only Fields

Data

Edit fields that are read only due to page layouts or field-level security.

Restore values back into some fields that are read-only due to page layout or field level security

Edit Tasks

Data

Create, edit, and delete tasks.

Restore of Tasks

Edit Topics

Data

Edit topic names and descriptions.

Restore of Topics

Manage All Private Reports and Dashboards

Metadata

Allows full access to reports and dashboards in all other users' private folders (API only).

Restore to reports and dashboards in all other users' private folders (API only).

Manage Auth. Providers

Metadata

Create and edit Auth. Providers

Restore of Auth Providers

Manage Certificates

Metadat

Ability to manage certificates

Protection of Certificates

Manage Chatter Messages and Direct Messages

Data

Access all users' messages sent in Chatter.

Protection of Chatter data

Manage Connected Apps

Metadata

Manage, create, edit, and delete connected applications.

Restore of Connected Apps

Manage Custom Permissions

Metadata

Create, edit, and delete custom permissions.

Restore of Permission Sets and Profiles

Manage Custom Report Types

Metadata

Create, edit, and delete custom report types.

Restore of Custom Reports

Manage Dashboards in Public Folders

Metadata

Create, edit, delete dashboards, and manage their sharing in all public folders.

Restore of Custom Dashboards

Manage Data Categories

Metadata

Create, edit, and delete data categories.

Protection of 'DataCategoryGroup' backup

Manage Data Integrations

Data

Monitor or abort Bulk API jobs.

Bulk API management (during backup and restore)

Manage Letterhead

Both

Create, edit, and delete letterheads for HTML emails.

Protection of Email Letterheads.

Manage Multi-Factor Authentication in API

Metadata

Use the API to manage user identity verification methods for multi-factor authentication.

Required for Metadata Backup

Manage Public Classic Email Templates

Metadata

Create, edit, and delete text emails, mail merge templates, and folders for public email templates.

Restore of Email Template in Folder

Manage Public Documents

Data

Create, edit, and delete folders for public documents.

Restore of Folders for Documents

Manage Public List Views

Metadata

Create, edit, and delete public list views

Restore of List Views

Manage Reports in Public Folders

Data

Create, edit, delete reports, and manage their sharing in all public folders.

Restore of Reports in Public Folder

Manage Unlisted Groups

Metadata

View and moderate unlisted Chatter groups.

Protection of Unlisted Groups

Manage Users

Metadata

Create, edit, and deactivate users, and manage security settings, including profiles and roles.

Restore of Users

Modify All Data

Data

Create, edit, and delete all organization data, regardless of sharing settings

Needed for auto-inclusion of new objects and related objects. Third party product objects, custom objects as and when they get added to the Org, they will get picked up by Alta SaaS Protection only if this permission is given. Also, some objects (TopicAssignment, FeedRevision, FeedAttachment, Announcement, FeedComment, EntitySubscription) require this permission for query. A few other objects require this permission for Metadata restore.

Modify Metadata through Metadata API Functions

Metadata

Create, read, edit, and delete org metadata. Users must have appropriate access rights to the metadata they're trying to modify. Be careful if delegating this permission. Some metadata executes in system context, when object permissions, field-level security, and sharing rules that apply to the user are ignored. For example, Apex executes in system context.

Metadata restores

Update Email Messages

Data

Modify certain email message related records.

Restore of Email Messages

View All Custom Settings

Metadata

Let users view all custom setting data directly and via the API.

Protection of Custom Settings

View All Lookup Record Names

Data

View the record names in lookup fields regardless of sharing settings. Lookup fields include system fields, such as Created By and Last Modified By.

Backup of System Fields

View All Profiles

Metadata

View all user profiles, regardless of profile filtering setting.

Backup of Profiles

View And Edit Converted Leads

Data

View and edit converted lead records.

Restore of Converted Leads

View Developer Name

View the DeveloperName field via the API.

Backup of Developer Name field

View Encrypted Data

Data

View the value of encrypted fields in plain text.

Protection of Encrypted Fields

Edit Case Comments

Data

Edit their own case comments but not other user's comments.

Restore of CaseComment

Import Solutions

Data

Import solutions for the organization.

Protection of Solutions

Manage Cases

Data

Administer case settings, including Email-to-Case and mass transfer of cases.

Protection of Cases

Manage Categories

Data

Define and modify solution categories settings.

Define and modify solution categories settings.

Manage Entitlements

Data

Enable, create, and update entitlement management items.

Enable, create, and update entitlement management items.

Manage Content Permissions

Data

Create, edit, and delete library permissions in Salesforce CRM Content.

Create, edit, and delete library permissions in Salesforce CRM Content

Manage Content Properties

Data

Create, edit, and delete custom fields in Salesforce CRM Content.

Create, edit, and delete custom fields in Salesforce CRM Content

Manage Flow

Data

Allow users to view, create, edit, delete, and activate all flows and flow types in Lightning Experience apps and Setup.

Protection of Workflows

Manage record types and layouts for Files

Both

Create, edit, and delete content types in Salesforce CRM Content..

Create, edit, and delete content types in Salesforce CRM Content.

Manage Salesforce CRM Content

Data

Create, edit, and delete libraries and library memberships.

Create, edit, and delete libraries and library memberships.

Query All Files

Data

Allows View All Data users to SOQL query all files in the org.

Protection of Documents / Attachments / Files / Salesforce CRM Content

Create user and profile

You may be using Salesforce Lightning Experience or Classic Experience. Use this procedure to create a user and profile in Salesforce Lightning Experience.

To create user and profile

  1. Log in to your Salesforce org using a user with the System Administrator profile.
  2. Click Setup.
  3. Locate the profile setup by typing profile in the search box on the left.
  4. Click New Profile.
  5. Select System Administrator from the list to create a clone of the profile.
  6. Enter a name for the profile (for example, Veritas Backup Admin Profile).
  7. Click Save.
  8. Go to the profile you have just created and click Edit.
  9. Assign the following permissions to the profile:
    • Modify All Data

    • API enabled

    • View Encrypted Data

      If encrypted fields are used for standard/custom objects.

    • Query all files

      To back up private library files for all users.

    • View and Edit Converted Leads

      If the lead has been converted and needs to be restored.

  10. Click Save.
  11. Click View Users > New User to create a new user.
  12. Enter user details like First Name, Last Name, Username, Email and then select the profile created earlier.
  13. Click Save.
  14. Log off, then log on using the newly created user.
Configure Connected App

To Configure Connected App

  1. Log on using the newly created user.
  2. Click Setup.
  3. Locate the App Manager setup by typing it in the search box on the left.
  4. On the top right, click New Connected App.
  5. Select Create a Connected App option and click Continue.
  6. Provide the basic information for the new app, such as the name.
  7. Click the checkbox to enable OAuth settings. Set the callback URL to http://localhost:1717/OauthRedirect.
  8. Select Full Access and Perform requests at any time (refresh_token, offline_access) from the list of the available OAuth scopes. This is required by the app for permissions to back up and restore various objects and records.
  9. Click Save.
  10. Go to the app created above and look for the consumer key. Copy the consumer key to a text file for use later. This is required when creating a connector on the Veritas Alta SaaS Protection Web UI.
  11. Go to the Veritas Alta SaaS Protection Web UI to create a Salesforce connector.
  12. Enter the Salesforce username, instance URL, and consumer key.
  13. To find the instance URL, log in to the Salesforce org, click Setup, type My Domain, click My Domain, copy the Current My Domain URL, and add https:// to the beginning.
  14. Click Generate certificate and download the certificate.
  15. When entering the username, ensure that the user is part of the profile (for example, Veritas Backup Admin Profile) associated with the connected app so that access is limited to the user.
  16. Go back to the Salesforce app created earlier and click Edit to associate the certificate created by Veritas Alta SaaS Protection and to relax IP restrictions.
  17. Click the Use Digital Signature checkbox and upload the certificate created by Veritas Alta SaaS Protection using the Choose File button.
  18. Keep all other settings as default and click Save.
  19. From the App Manager, locate this app and click Manage.
  20. Click Edit Policies.
  21. Under OAuth Policies, set Permitted Users to Admin approved users are pre-authorized and set IP Relaxation to Relax IP restrictions. Keep default values for all other settings.
  22. Click Save.
  23. Scroll down and click Manage Profiles.
  24. Select the profile associated with the user who can use this connected app for backup and restore. For example, select the Veritas Backup Admin Profile.
  25. Click Save.
  26. This completes the setup of the Connected App in Salesforce for users using Lightning Experience.