How to configure IDP users to have Root/Admin Account Permissions in CPM

How to configure IDP users to have Root/Admin Account Permissions in CPM


Often administrators are asked to configure logins of  an IDP solution with Cloud Protection Manager CPM. This document will discuss the required configuration steps needed to allow IDP users to easily access CPM GUI and be able to see and configure/edit polices created by the CPM Root/Admin account. You will be creating delegate users to the root account for IDP users with their own IDP credentials. This procedure makes use of the "default _root_delegates" Group in CPM and we will detail steps required to add a corresponding group to the IDP side.

IDP applications allow for easier application access and security policy implementation through the use of groups. So the first step in this process of integrating the login for an IDP or SSO application is to add a group to IDP that will logically group users who need access to CPM in this example as the root account. 

It is imperative to name any group that will access CPM with the prefix cpm_ .

The configuration on the IDP side requires two attribute statements - one statement to be set one for the User attribute and the other is a group attributes. 
The below is an example how to configure the attribute that is required for the IDP accounts to have root access.


Name                                            Name Format                                Value

cpm_user_permissions                     Basic                                       User.cpm_custom_attribute


Name                                                     Name Format                       Filter

cpm_default_root_delegates             Unspecified                          Starts with: cpm_

Note: It is very important that any CPM-related group on the IDP side starts with the prefix "cpm_", otherwise you will receive an error indicating that there is an invalid group claim. 
For more specific details on configuring this in an ADFS environment please see the CPM User Guide. 
If you are configuring Okta as the Single Sign On you can follow the complete steps detailed in the technical document :
CPM Group Configuration:
You can take advantage of 4 "out of the box" default Groups on the CPM side.
We will utilize the default_cpm_root_delegates group  which will allow IDP users who belong to the group cpm_default_root_delegates to access the CPM Manager screen and manage the root account user's backup policies and allow file level recovery. No further configuration is necessary on the CPM side. For more details on using other default or custom groups please see the Cloud Protection Manager User Guide in Chapter 17.