Search <book_title>...

Important Update: Cohesity Products Documentation

All Cohesity product documentation are now managed via the Cohesity Docs Portal: https://docs.cohesity.com/HomePage/Content/home.htm. Some documentation available here may not reflect the latest information or may no longer be accessible.

Cohesity Alta SaaS Protection Administrator's Guide

Last Published: 2026-04-21

Product(s): Alta SaaS Protection (3.10.1)

Introduction to Veritas Alta SaaS Protection
1. About Veritas Alta SaaS Protection
2. Features of Veritas Alta SaaS Protection
3. Architecture of Veritas Alta SaaS Protection
4. Operational workflow
5. Extra Data Backup (EDB)
Veritas Alta SaaS Protection Copilot (AI chatbot)
1. Veritas Alta SaaS Protection Copilot (AI chatbot)
Veritas Alta SaaS Protection Administrator portal (Web UI)
1. About Veritas Alta SaaS Protection Administration portal
2. Configure Veritas Alta SaaS Protection Administration portal
3. View upgrade history
Supported SaaS workloads
1. Supported SaaS workloads and backup capabilities
Workflow to protect data using Veritas Alta SaaS Protection
1. Workflow to protect data using Veritas Alta SaaS Protection
2. Know your subscription details
Manage users and roles
1. Role-based access control
2. Permissions tab
API permissions
1. API permissions for Microsoft 365 workloads
2. API permissions for Gmail and Google Drive
3. System and API permissions for Salesforce
4. API permissions for Entra ID
5. App permissions of Web App
What is a connector?
1. What is a connector?
2. About transient errors
3. Overview of adding connectors
4. Configure General settings
5. Configure Capture scope
6. Configure User filter
7. Configure Group filter
8. Configure Folder filter
9. Configure credentials
  1. Assign Microsoft 365 apps registration
  2. Microsoft 365 apps registration status
  3. Manually approve Microsoft 365 apps registration
  4. Approve Microsoft 365 apps using the App Consent Grant utility
  5. Microsoft 365 apps recovery
10. Configure Custom backup policy and guidelines
11. Configure Delete policy for SharePoint Online and guidelines
12. Configure Stubbing policy
13. Guidelines to configure Stubbing policy for SharePoint Online
14. Schedule a backup
15. Configure email addresses to get notifications
16. Review configuration and edit/save/initiate backup
17. Connectors page
18. Connector status
19. Edit connector configuration
20. Delete connectors
Pre-requisites to setup protection for M365
1. Pre-requisites to setup protection for M365
Protect Microsoft 365 Multi-Geo tenant
1. Considerations for adding SharePoint/Teams Sites/OneDrive connectors for Microsoft 365 Multi-Geo tenant
Protect Exchange Online data
1. Setting up Exchange Online data protection with Veritas Alta SaaS Protection
  1. Configure capture scope for Exchange connectors
Protect SharePoint sites and data
1. Setting up SharePoint Online protection with Veritas Alta SaaS Protection
  1. Configure capture scope for SharePoint connectors
  2. Configure additional backup options for SharePoint/Teams site/ OneDrive connectors
2. Backup and restore support for SharePoint Online
3. End-user SharePoint data access in Veritas Alta SaaS Protection
4. Run the Delete and Stubbing policies to the SharePoint Online environment
5. Backup limitations for SharePoint Online
Protect Teams sites
1. Setting up Teams Site protection with Veritas Alta SaaS Protection
  1. Configure capture scope for Team site collections connectors
2. Backup limitations for Teams site collections
Protect OneDrive data
1. Setting up OneDrive protection with Veritas Alta SaaS Protection
  1. Configure capture scope for OneDrive connectors
Protect Teams chats
1. Setting up Teams chat protection with Veritas Alta SaaS Protection
  1. Configure capture scope for Teams chat connectors
2. Backup limitations for Teams chat
Protect Google Drive data
1. Prerequisites to setup Google Drive protection with Veritas Alta SaaS Protection
2. Setting up Google Drive protection with Veritas Alta SaaS Protection
  1. Configure Capture scope Google Drive connectors
3. Backup limitations for Google Drive
4. FAQs
Protect Gmail data
1. Prerequisites to setup Gmail protection with Veritas Alta SaaS Protection
2. Setting up Gmail protection with Veritas Alta SaaS Protection
  1. Configure capture scope for Gmail connectors
Protect Audit logs
1. Add Audit log connectors
2. Audit log connector limitations
Protect Salesforce data and metadata
1. About Salesforce protection
2. Key considerations and prerequisites for adding Salesforce connectors
  1. Configure User, Profile, and Connected App for Salesforce
3. Add Salesforce connectors
4. Limitations of Salesforce connectors
5. Salesforce Objects not supported for backup
Protect Entra ID objects
1. Setting up Entra ID protection with Veritas Alta SaaS Protection
2. Backup and restore limitations for Entra ID
Protect Box data
1. Prerequisites for Box connectors configuration
2. Setting up Box protection with Veritas Alta SaaS Protection
  1. Configure capture scope for Box connector
3. Backup limitations for Box data
Protect Slack data
1. Add Slack connectors
Protect Email/Message data
1. Prerequisite for Email/message connector
2. Add Email/Messages file
Configure Retention policies
1. About WORM policies
2. Ingestion WORM policies page
3. Add/edit Ingestion WORM retention policies and guidelines
4. Add/edit At-Rest WORM retention policies
5. Add/edit Deletion policies
6. View deletion history
7. How to edit the policy evaluation interval?
8. How to add a Location filter?
9. How to add a filter?
Perform backups
1. Perform on-demand/ad-hoc backup
2. Backup dashboard
3. Video tutorial for connector troubleshooting
4. View backup events
  1. About Event suppression
  2. Create event suppression rules
5. Viewing backup tasks details
View and share backed-up data
1. Browse backed-up data
2. Share data
3. Remove data sharing
Analytics
1. About analytics
2. Analytics page and refresh behavior
3. Aggregation buckets
4. Gain insights into storage utilization
5. Gain insights into storage utilization for Entra ID and Salesforce connectors
6. Gain insights into blocked activities, most active users, and more
7. Gain insights into data volume (size and item count) on legal hold
8. Gain insights into data volume (size and item count) saved in different Enhanced cases
9. Gain insights into data volume (size and count) under different policies
10. Gain insights into data volume (size and item count) under different Tags
11. Gain insights into data volume (size and item count) under different Tags behaviors
12. Gain insights into storage savings after deduplication and compression
13. Gain insights into data ingestion trends
Perform restores using Administration portal
1. About restore
2. Prerequisites for restore
3. Restore Exchange Online mailboxes
4. Restore SharePoint/OneDrive/Teams Sites and data
  1. Restore of OneDrive, Microsoft 365 Group, and Microsoft Teams sites
  2. Restore limitations for SharePoint Online
5. Restore Teams chat messages and Teams channel conversations
  1. Restore limitations for Teams chat
6. Restore O365 audit logs
7. Restore Box data
  1. Restore limitations for Box
8. Restore Google Drive data
  1. Overwrite restore behavior for Box/Google Drive data
9. Restore Gmail data
10. About Salesforce Data, Metadata, and CRM Content restore and Sandbox seeding
11. About Entra ID (Azure AD) objects and records restore
12. Restore Slack data
13. Restore data to File server
14. Set default restore point
15. Configure Restore all, Restore all versions, Point-in-time, and Specific range restore options
16. Configure email addresses for notifications
17. Downloading an item
Restore dashboard
1. About Restore dashboard
2. Restore job statuses
3. How to cancel a restore job?
4. View the restore events
Install services and utilities
1. About services and utilities
2. Pre-requisites to download and install services and utilities
3. Downloading services and utilities
4. Where to install the services and utilities
5. Installing or upgrading services and utilities
6. Configuring service accounts for services and utilities
7. About the Apps Consent Grant Utility
Discovery
1. About eDiscovery/searches
  1. Elasticsearch
2. Add search templates
3. Add Discovery cases
4. Perform ad hoc search and add data to Discovery cases
5. View data in Discovery cases
6. Edit Discovery cases
7. DeleteDiscovery cases
8. Assign Discovery cases to users
Configure Tagging policies
1. About the Tagging policy
2. Add Tags
3. Add/edit Tagging policies
4. Adding regular expressions
  1. RegEx and query examples for PII detection
Configure Tiering policy
1. About the Tiering policy
2. Add/edit Tiering policies
Auditing
1. Auditing
Manage Stors (Storages)
1. Viewing Stors (Storages)
2. Requesting a new Stor
3. General tab
4. Version control settings
5. Metadata tab
6. Statistical policies tab
7. Location-Mapping tab
8. Backup tab
9. Custodian Groups tab
10. Advanced tab
11. Analytics tab

Configure User, Profile, and Connected App for Salesforce

This topic describes the procedure to create a user, profile, and a Connected App in Salesforce (Lightning Experience) for use by Veritas Alta SaaS Protection.

Before you configure a Connected App, create a dedicated Salesforce user for Veritas Alta SaaS Protection and grant the permissions it needs to perform backup and restore operations using Salesforce APIs.

Create a dedicated integration user: Create a Salesforce user (for example, Veritas Backup Admin) that is used exclusively for backup and restore operations.
Assign a supported Salesforce license: The Veritas Backup Admin user must be assigned a Salesforce license. Veritas Alta SaaS Protection does not currently support the Salesforce API Integration License, as it provides limited access to Salesforce objects and features.
There are two options to create a profile:
- Option A (recommended): Create a custom profile by cloning System Administrator: Create a new custom profile by cloning the System Administrator profile (for example, Veritas Backup Admin profile).
- Option B (alternative): Standard User + Permission Set. Use this approach if your organization's security policies do not allow cloning the System Administrator profile.

Option B (alternative): Standard User + Permission Set. Use this approach if your organization's security policies do not allow cloning the System Administrator profile. It is strongly recommended to assign all permissions listed in the Required Permissions table below. These permissions determine what the integration user can read and write through Salesforce APIs during backup and restore. If any permissions are excluded, Veritas assumes that the customer understands the associated risks and may not provide support for related issues.

For Option B (Permission Set approach):

Create the permission set and assign all required permissions to the Veritas Backup Admin user before you authorize that user for the Connected App.
Create the Veritas Backup Admin user with a Standard User profile (not System Administrator).
Assign the permission set to the Veritas Backup Admin user (instead of granting permissions via a cloned admin profile).

Required Permissions (Permission Set Checklist)

Use the checklist below to build the permission set. At a minimum, ensure coverage for object permissions, field-level security, and record types across both standard and custom objects.

Object permissions: Modify All and Create permissions for all objects in the Salesforce organization (standard and custom).
Field permissions: Read Access and Edit Access for all fields across all objects (standard and custom).
Record type permissions: Read and Edit access for all record types across all objects (standard and custom).
Additional requirements
- Ensure all relevant feature permission sets are assigned.
- Ensure the user has all required feature licenses for any installed AppExchange products.

A few permissions (for example, Modify All Data) can automatically enable other permissions. In addition, Salesforce may auto-enable permissions that are not explicitly listed in the table based on what you select. Do not remove any auto-enabled permissions if they are required for Veritas Alta SaaS Protection features to work as expected.

Table:

Permissions	Data / Metadata / Both	Salesforce Description	Used by Cohesity Alta SaaS Protection for
Access Activities	Data	Access tasks, events, calendar, and email.	Protection (backup and restore) of Tasks, Events, Calendar and Email
Access Libraries	Data	Access libraries.	Protection of Libraries
Apex REST Services	Data	Allow access to Apex REST services	Access to Salesforce APIs
API Enabled	Both	Access any Salesforce.com API.	To access Salesforce APIs for backup and restore of Data and Metadata
Assign Topics	Data	Assign existing topics to feed items. Remove topics from feed items.	Restore of FeedItem (while assigning a topic to FeedItem)
Author Apex	Metadata	Create Apex classes and triggers.	Restore of Apex classes and Triggers
Change Dashboard Colors	Metadata	Choose dashboard color theme and palette.	Restore of Dashboards
Chatter Internal User	Data	Use all Chatter features.	Protection of Chatter Objects
Create and Own New Chatter Groups	Data	Use all Chatter features.	Protection of Chatter Objects
Create Content Deliveries	Data	Create content delivery links to share files that aren't managed by a library. To let a user create content deliveries for files in a library, enable Deliver Content for that user in the library.	Protection of Salesforce Orgs where Content Delivery feature is enabled. Restore of public link Field for the Document/Attachment requires this.
Create Folders for Lightning Email Templates	Metadata	Create Folders for Lightning Email Templates.	Restore of Email Template (in Folder)
Create Libraries	Data	Create libraries.	Restore of Library
Create Public Links	Data	Let users create links to share files externally. Unlike content deliveries, public links can't be password protected. To let a user create links to files in a library, enable Deliver Content for that user in the library.	Restore of Public Links of Documents / Attachments / Files
Create Topics	Data	Create new topics by assigning them to feed items.	Restore of FeedItem (while assigning a topic to FeedItem)
Customize Application	Metadata	Customize the organization using App Setup menu options.	Required for 'Connected App' backup. Restore of various Metadata types, for example, Custom Fields, Page Layout and so on.
Edit HTML Templates	Metadata	Edit Classic HTML Email Templates.	Restore of Email Templates
Edit Read Only Fields	Data	Edit fields that are read only due to page layouts or field-level security.	Restore values back into some fields that are read-only due to page layout or field level security
Edit Tasks	Data	Create, edit, and delete tasks.	Restore of Tasks
Edit Topics	Data	Edit topic names and descriptions.	Restore of Topics
Manage All Private Reports and Dashboards	Metadata	Allows full access to reports and dashboards in all other users' private folders (API only).	Restore to reports and dashboards in all other users' private folders (API only).
Manage Auth. Providers	Metadata	Create and edit Auth. Providers	Restore of Auth Providers
Manage Certificates	Metadat	Ability to manage certificates	Protection of Certificates
Manage Chatter Messages and Direct Messages	Data	Access all users' messages sent in Chatter.	Protection of Chatter data
Manage Connected Apps	Metadata	Manage, create, edit, and delete connected applications.	Restore of Connected Apps
Manage Custom Permissions	Metadata	Create, edit, and delete custom permissions.	Restore of Permission Sets and Profiles
Manage Custom Report Types	Metadata	Create, edit, and delete custom report types.	Restore of Custom Reports
Manage Dashboards in Public Folders	Metadata	Create, edit, delete dashboards, and manage their sharing in all public folders.	Restore of Custom Dashboards
Manage Data Categories	Metadata	Create, edit, and delete data categories.	Protection of 'DataCategoryGroup' backup
Manage Data Integrations	Data	Monitor or abort Bulk API jobs.	Bulk API management (during backup and restore)
Manage Letterhead	Both	Create, edit, and delete letterheads for HTML emails.	Protection of Email Letterheads.
Manage Multi-Factor Authentication in API	Metadata	Use the API to manage user identity verification methods for multi-factor authentication.	Required for Metadata Backup
Manage Public Classic Email Templates	Metadata	Create, edit, and delete text emails, mail merge templates, and folders for public email templates.	Restore of Email Template in Folder
Manage Public Documents	Data	Create, edit, and delete folders for public documents.	Restore of Folders for Documents
Manage Public List Views	Metadata	Create, edit, and delete public list views	Restore of List Views
Manage Reports in Public Folders	Data	Create, edit, delete reports, and manage their sharing in all public folders.	Restore of Reports in Public Folder
Manage Unlisted Groups	Metadata	View and moderate unlisted Chatter groups.	Protection of Unlisted Groups
Manage Users	Metadata	Create, edit, and deactivate users, and manage security settings, including profiles and roles.	Restore of Users
Modify All Data	Data	Create, edit, and delete all organization data, regardless of sharing settings	Needed for auto-inclusion of new objects and related objects. Third party product objects, custom objects as and when they get added to the Org, they will get picked up by Alta SaaS Protection only if this permission is given. Also, some objects (TopicAssignment, FeedRevision, FeedAttachment, Announcement, FeedComment, EntitySubscription) require this permission for query. A few other objects require this permission for Metadata restore.
Modify Metadata through Metadata API Functions	Metadata	Create, read, edit, and delete org metadata. Users must have appropriate access rights to the metadata they're trying to modify. Be careful if delegating this permission. Some metadata executes in system context, when object permissions, field-level security, and sharing rules that apply to the user are ignored. For example, Apex executes in system context.	Metadata restores
Update Email Messages	Data	Modify certain email message related records.	Restore of Email Messages
View All Custom Settings	Metadata	Let users view all custom setting data directly and via the API.	Protection of Custom Settings
View All Lookup Record Names	Data	View the record names in lookup fields regardless of sharing settings. Lookup fields include system fields, such as Created By and Last Modified By.	Backup of System Fields
View All Profiles	Metadata	View all user profiles, regardless of profile filtering setting.	Backup of Profiles
View And Edit Converted Leads	Data	View and edit converted lead records.	Restore of Converted Leads
View Developer Name		View the DeveloperName field via the API.	Backup of Developer Name field
View Encrypted Data	Data	View the value of encrypted fields in plain text.	Protection of Encrypted Fields
Edit Case Comments	Data	Edit their own case comments but not other user's comments.	Restore of CaseComment
Import Solutions	Data	Import solutions for the organization.	Protection of Solutions
Manage Cases	Data	Administer case settings, including Email-to-Case and mass transfer of cases.	Protection of Cases
Manage Categories	Data	Define and modify solution categories settings.	Define and modify solution categories settings.
Manage Entitlements	Data	Enable, create, and update entitlement management items.	Enable, create, and update entitlement management items.
Manage Content Permissions	Data	Create, edit, and delete library permissions in Salesforce CRM Content.	Create, edit, and delete library permissions in Salesforce CRM Content
Manage Content Properties	Data	Create, edit, and delete custom fields in Salesforce CRM Content.	Create, edit, and delete custom fields in Salesforce CRM Content
Manage Flow	Data	Allow users to view, create, edit, delete, and activate all flows and flow types in Lightning Experience apps and Setup.	Protection of Workflows
Manage record types and layouts for Files	Both	Create, edit, and delete content types in Salesforce CRM Content..	Create, edit, and delete content types in Salesforce CRM Content.
Manage Salesforce CRM Content	Data	Create, edit, and delete libraries and library memberships.	Create, edit, and delete libraries and library memberships.
Query All Files	Data	Allows View All Data users to SOQL query all files in the org.	Protection of Documents / Attachments / Files / Salesforce CRM Content

Create user and profile

You may be using Salesforce Lightning Experience or Classic Experience. Use this procedure to create a user and profile in Salesforce Lightning Experience.

To create user and profile

Log in to your Salesforce org using a user with the System Administrator profile.
Click Setup.
Locate the profile setup by typing profile in the search box on the left.
Click New Profile.
Select System Administrator from the list to create a clone of the profile.
Enter a name for the profile (for example, Veritas Backup Admin Profile).
Click Save.
Go to the profile you have just created and click Edit.
Assign the following permissions to the profile:
- Modify All Data
- API enabled
- View Encrypted Data
  If encrypted fields are used for standard/custom objects.
- Query all files
  To back up private library files for all users.
- View and Edit Converted Leads
  If the lead has been converted and needs to be restored.
Click Save.
Click View Users > New User to create a new user.
Enter user details like First Name, Last Name, Username, Email and then select the profile created earlier.
Click Save.
Log off, then log on using the newly created user.

Configure Connected App

To Configure Connected App

Log on using the newly created user.
Click Setup.
Locate the App Manager setup by typing it in the search box on the left.
On the top right, click New Connected App.
Select Create a Connected App option and click Continue.
Provide the basic information for the new app, such as the name.
Click the checkbox to enable OAuth settings. Set the callback URL to http://localhost:1717/OauthRedirect.
Select Full Access and Perform requests at any time (refresh_token, offline_access) from the list of the available OAuth scopes. This is required by the app for permissions to back up and restore various objects and records.
Click Save.
Go to the app created above and look for the consumer key. Copy the consumer key to a text file for use later. This is required when creating a connector on the Veritas Alta SaaS Protection Web UI.
Go to the Veritas Alta SaaS Protection Web UI to create a Salesforce connector.
Enter the Salesforce username, instance URL, and consumer key.
To find the instance URL, log in to the Salesforce org, click Setup, type My Domain, click My Domain, copy the Current My Domain URL, and add https:// to the beginning.
Click Generate certificate and download the certificate.
When entering the username, ensure that the user is part of the profile (for example, Veritas Backup Admin Profile) associated with the connected app so that access is limited to the user.
Go back to the Salesforce app created earlier and click Edit to associate the certificate created by Veritas Alta SaaS Protection and to relax IP restrictions.
Click the Use Digital Signature checkbox and upload the certificate created by Veritas Alta SaaS Protection using the Choose File button.
Keep all other settings as default and click Save.
From the App Manager, locate this app and click Manage.
Click Edit Policies.
Under OAuth Policies, set Permitted Users to Admin approved users are pre-authorized and set IP Relaxation to Relax IP restrictions. Keep default values for all other settings.
Click Save.
Scroll down and click Manage Profiles.
Select the profile associated with the user who can use this connected app for backup and restore. For example, select the Veritas Backup Admin Profile.
Click Save.
This completes the setup of the Connected App in Salesforce for users using Lightning Experience.