How to configure SCIM provisioning

Overview

SCIM provisioning allows you to automatically manage users in your cloud CrashPlan environment. Once enabled, CrashPlan creates new users, removes deactivated users, and updates user roles and permissions based on syncs with your provisioning provider. This article explains how to configure SCIM provisioning. 

The steps in this article give an overview of how to configure a SCIM provider that supports the SCIM 2.0 protocol. For directions specific to our supported provisioning providers, see:

To learn more about provisioning concepts, see Introduction to SCIM provisioning.

CrashPlan User Directory Sync
CrashPlan User Directory Sync is another option for automating user management, similar to SCIM provisioning. However, User Directory Sync has different requirements and a different setup process. For more information, see Configure CrashPlan User Directory Sync.

Considerations

  • You must have a role with Identity Management Administrator permissions or higher to configure this setting for an organization.

  • The CrashPlan provisioning feature requires you to connect a third-party provisioning provider to CrashPlan. The following are the basic requirements that your provider and your CrashPlan environment need to meet to integrate correctly:
    • Cloud CrashPlan environment: Provisioning is only available in cloud CrashPlan environments.
    • SCIM 2.0: CrashPlan requires a provisioning provider to use the SCIM 2.0 protocol. 
    • SCIM groups: The custom SCIM mapping and role mapping require that your provider uses SCIM groups. Other provisioning features are available without SCIM groups.

Before you begin 

Determine how you want to map users from the provisioning provider to CrashPlan organizations. To learn more, see our introduction to provisioning article. There are several ways to map users to a CrashPlan organization: 

Create new users in a CrashPlan organization

Assigns all users to the same CrashPlan organization. New users are moved to this organization. Users that are subsequently moved outside of this organization remain in their new organization. 

Example use case
Use this option if you use a single organization to manage users in the CrashPlan console.

Map users to organizations based on the provider's "c42OrgName" attribute  

Creates new organizations or assigns users to existing organizations based on the value for the user attribute c42OrgName. This value becomes the name for the CrashPlan org. This attribute is managed on the provisioning provider. 

Example use case
Use this method if you wish to manage users in the provisioning provider (and not in the CrashPlan console). The value of this attribute becomes the name of the CrashPlan org. CrashPlan creates new organizations or assigns users to existing organizations based on the value. 

Map users to organizations using SCIM groups

Assigns users to CrashPlan organizations based on their SCIM group. If you choose this option, create organizations in the CrashPlan console before you begin.

Example use case
Use this mapping if your users are already assigned to SCIM groups. For example, a user is part of two different SCIM groups: an executive group and a UK group. You want this user's backup policies to match the other executives in your company, so this user should be assigned to the same CrashPlan organization as the other executives. In the CrashPlan console, you can choose the executive group to take priority over the UK group. This way you can place all of the executives in your company in the same organization and ensure they have the same backup policies.

Compare methods

| Mapping method | Automatically creates organizations in CrashPlan | Requires you to create CrashPlan organizations before you begin | Requires your provider to send SCIM groups to CrashPlan |
| --- | --- | --- | --- |
| Create new users in a CrashPlan organization | | x | |
| Map all users to organizations based on the provider's "c42OrgName" attribute | x | | |
| Map users to organizations using SCIM groups | | x | x |


Step 1: Create CrashPlan organizations 

This step is only required if you choose to use the Single Organization or Custom SCIM mapping methods. The "c42OrgName" attribute and Custom attribute methods create CrashPlan organizations automatically. 

  1. Sign in to the CrashPlan console
  2. Click Administration > Environment > Organizations. 
  3. Select the Add an organization icon and enter a name. 
    This method adds the organization under the default organization.
  4. To add a child organization
    1. Select the organization. 
    2. Click the action menu in the upper-right corner. 
    3. Choose Add a child organization
  5. Repeat until you have added all of your organizations.

Step 2: Add a provisioning provider in the CrashPlan console

  1. In the CrashPlan console, navigate to Administration > Integrations > Identity Management.
  2. Select the Provisioning tab.
  3. Click Add Provisioning Provider and select Add SCIM Provider from the menu.
  4. Enter a display name and select the Authentication Credential Type:
    • API credentials (default)
      Generates a password.
    • OAuth token
      Generates a token for use with SCIM providers who accept OAuth tokens for credentials.
  5. Click Next
  6. The SCIM Provider Created message appears. Leave this message open. You need this information for the next step in the provisioning provider setup.
    After you have used the information here for provisioning provider setup, click Done.

Step 3: Configure your provisioning provider

The steps for configuration vary by provisioning provider. See your provider's documentation for more details. When finished obtaining the information from the Add SCIM Provisioning dialog, click Done. The provisioning provider details appear. 

(Optional) Step 4: Edit deactivation delay

In the CrashPlan console, view the provisioning provider details and select Deactivation Delay.

The deactivation delay determines how long CrashPlan waits to deactivate a user after syncing with the provisioning provider. To learn more about user deactivation, see Deactivate and reactivate users and devices in CrashPlan.

Although CrashPlan may be configured to wait, it blocks a user immediately once it receives a deactivation update from the provisioning provider. Blocking a user means they can no longer sign in to the CrashPlan app, but their devices continue to back up. The delay helps prevent accidentally deactivating a user and removing their backup archive.

Deactivation of users on legal hold

If users who are custodians under a legal hold are subsequently selected for deactivation (for example, from the CrashPlan console, a provisioning provider, or API), they are not deactivated immediately because their data must be retained for legal hold purposes. Instead, they are blocked. Once these blocked users are released from legal hold, they are deactivated automatically.

Step 5: Push SCIM groups to CrashPlan

Push SCIM groups from the provisioning provider to CrashPlan. See your provider's documentation for more details. If you are not using groups, continue to the next step.

Apply changes after mapping SCIM groups

If you want to map SCIM groups to CrashPlan organizations in Step 6 or roles in Step 7, you must first push or provision SCIM groups and their users to CrashPlan so they are available in the CrashPlan console. 

However, this means that initially the users are provisioned in the default organization and are assigned default roles rather than the ones you want to map them to. To move these users to the desired organizations and roles, ensure that you map SCIM groups to organizations (Step 6) and roles (Step 7) and then apply the mappings using the Apply Org and Role Settings action.  

Step 6: Choose an organization mapping method

The mapping method determines how CrashPlan assigns users to organizations. Organizations are used to set backup policies and permissions for users in your CrashPlan environment. To change the method, go to Organization Mapping, and click Add Organization Mapping or the edit icon. 

The Edit Organization Mapping Method dialog is displayed.

In the Edit Organization Mapping Method dialog, choose one of the following mapping methods:

Create new users in an organization

Assigns all users to the same CrashPlan organization.

  1. In Edit Organization Mapping Method, choose Create new users in the organization below
  2. Select an existing organization to map all users to. 

Map users to organizations based on the provider's "c42OrgName" attribute

Creates new organizations or assigns users to existing organizations based on the value for the user attribute c42OrgName.

  1. In Edit Organization Mapping Method, choose Map users to organization based on the provider's "c42OrgName" attribute
  2. Choose an organization where unmapped users will be assigned. Unmapped users are users who do not have the c42OrgName attribute.  

Map users to organizations using SCIM groups

Assigns users to CrashPlan organizations based on their SCIM group. You can also choose the priority of which organization a user is mapped to if they belong to two or more groups.

  1. In Edit Organization Mapping Method, choose Map users to organizations using SCIM groups. 
  2. Choose an organization where unmapped users will be assigned. Unmapped users are users who either do not belong to a group or their group is not mapped. 
  3. Click Save
    The group mapping appears. 
  4. Click Add Mapping.
  5. Select one or more SCIM groups.
  6. From Select a CrashPlan organization, choose an organization from the menu. 
  7. Click Save
    The mapping appears on the Provisioning Provider details page. 
  8. Repeat until all of your SCIM groups have been mapped to CrashPlan organizations. 
    The message All SCIM groups are mapped appears.
  9. (Optional) Adjust the priority of each mapping. This is useful for users who belong to more than one SCIM group. 
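
The group-priority mapping from this step, modeled as an added example (not CrashPlan code and not an API of the product): it previews which organization each user would land in and lists pushed groups that still lack a mapping. Group names, organization names and user IDs are constructed, and list order in ORG_MAPPINGS stands in for the priority you set in the console.

```python
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"

# Constructed SCIM 2.0 Group resources (sample data, not from a real tenant).
SCIM_GROUPS = [
    {"schemas": [GROUP_SCHEMA], "displayName": "Executives",
     "members": [{"value": "u-100"}, {"value": "u-101"}]},
    {"schemas": [GROUP_SCHEMA], "displayName": "UK",
     "members": [{"value": "u-100"}, {"value": "u-102"}]},
    {"schemas": [GROUP_SCHEMA], "displayName": "Contractors",
     "members": [{"value": "u-103"}]},
]

# Ordered mapping: earlier entries take priority (hypothetical org names).
ORG_MAPPINGS = [("Executives", "Exec Org"), ("UK", "UK Org")]
UNMAPPED_ORG = "Unmapped Users"  # hypothetical org chosen for unmapped users

def groups_by_user(groups):
    """Invert Group resources into {user_id: set of group displayNames}."""
    membership = {}
    for group in groups:
        if GROUP_SCHEMA not in group.get("schemas", []):
            raise ValueError("not a SCIM 2.0 Group resource")
        for member in group.get("members", []):
            membership.setdefault(member["value"], set()).add(group["displayName"])
    return membership

def resolve_org(user_groups, mappings, unmapped_org):
    """Return the org of the highest-priority mapped group, else the fallback."""
    for group_name, org in mappings:
        if group_name in user_groups:
            return org
    return unmapped_org

def unmapped_groups(groups, mappings):
    """Groups that were pushed but have no organization mapping yet."""
    mapped = {name for name, _ in mappings}
    return sorted(g["displayName"] for g in groups if g["displayName"] not in mapped)

def preview(groups, mappings, unmapped_org, all_users=()):
    """Expected organization per user; users in no group get the fallback."""
    membership = groups_by_user(groups)
    for user in all_users:
        membership.setdefault(user, set())
    return {u: resolve_org(g, mappings, unmapped_org) for u, g in sorted(membership.items())}

if __name__ == "__main__":
    print(preview(SCIM_GROUPS, ORG_MAPPINGS, UNMAPPED_ORG, all_users=["u-104"]))
    print("Unmapped groups:", unmapped_groups(SCIM_GROUPS, ORG_MAPPINGS))
```
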

There are no SCIM groups available

This message appears if SCIM groups have not been synced with the CrashPlan console. Push groups to the CrashPlan console to begin organization mapping. 

Wait to assign people or groups to the CrashPlan app in the provisioning provider
Do not assign people to the CrashPlan app in the provisioning provider yet. Wait until after you have completed the organization mapping and role mapping. If you assign people to the CrashPlan app before you configure mapping, the users are not automatically mapped to CrashPlan organizations and roles.  

Step 7: Configure role mapping

Role mapping allows you to automatically assign CrashPlan roles and permissions to provisioned users based on their SCIM group. Learn more about CrashPlan roles and permissions. Users who are not mapped inherit the default roles for their organization. 

SCIM Groups
Role Mapping is only available if you are using SCIM groups. 
  1. Click Add Role Mapping
  2. Select a SCIM group from the dropdown. 
    Only groups that have not been mapped appear in the dropdown.
  3. Choose one or more roles from the list to apply to this SCIM group. Learn more about CrashPlan roles and permissions.
Basic roles

Include the Desktop User and PROe User roles for all users who are backing up their computers to CrashPlan. These roles allow users to sign in to the CrashPlan app and CrashPlan console. If you are giving external groups access to your CrashPlan environment (for example, outside legal counsel), they do not need these roles.

  1. Click Add
    The role mapping appears under the provisioning provider detail. 
  2. Repeat until all of your SCIM groups have been mapped to CrashPlan organizations. 
    The message All SCIM groups are mapped appears. 

There are no SCIM groups available

This message appears if SCIM groups have not been synced with the CrashPlan console. Push groups to the CrashPlan console to begin role mapping. 

Wait to assign people or groups to the CrashPlan app in the provisioning provider
Do not assign people to the CrashPlan app in the provisioning provider yet. Wait until after you have completed the organization mapping and role mapping. If you assign people to the CrashPlan app before you configure mapping, the users are not automatically mapped to CrashPlan organizations and roles.  

Step 8: Assign the CrashPlan app users or groups in the provisioning provider

Users will not appear in CrashPlan until you assign them to the CrashPlan app in your SCIM provisioning provider. Create a test user and assign the CrashPlan app to the test user before assigning the app to all of the groups. Once you assign the CrashPlan app to a group or user, the SCIM provisioning provider immediately syncs with CrashPlan and provisions the users.

See your SCIM provider's documentation for more information about assigning apps to users and groups. 

Troubleshooting

Tips for troubleshooting SCIM provisioning: 

  • Once SCIM provisioning is configured in CrashPlan, you should make all user changes in the SCIM provisioning provider. CrashPlan does not make changes to the provisioning provider, so any changes made on the CrashPlan side cause the two apps to become out of sync. 
  • Updating the CrashPlan console does not start a sync between the SCIM provisioning provider and CrashPlan. Only changes made in the provisioning provider can start a sync. 
  • To view more information about provisioning changes and logs, see the Sync Log in the CrashPlan console. This gives details of all of the users that have been created, updated, or deleted due to provisioning. 