User Management (End-User Portal)

Topic

This article explains how to manage users via the NinjaOne SaaS Backup End-User Portal.

Environment

NinjaOne SaaS Backup

Description

You can use the User Management page on the NinjaOne SaaS Backup End-User Portal to allow specific users to have elevated access. These users can then interact with the organization and other user accounts or grant permissions to external users who do not have an active backup within the organization. Review the sections below For instructions about granting and managing access.

Managing User Access

If you have the proper administrative privileges, you can manage user access to features of the NinjaOne SaaS Backup End User Portal. To manage user access, follow these steps:

1. Log in to the NinjaOne SaaS Backup End-User Portal.
2. Select User Management.
3. Navigate to the Grant Permission tab. This tab displays all users currently included in the backup.

4. From the Grant Permission tab, you can assign the role to each user from the drop-down menu and activate or deactivate login ability.

   For information about the individual roles, refer to the User Access Levels section below or the attached document at the end of this article.

User Access Levels

The NinjaOne SaaS Backup End-User Portal provides different user access levels depending on your subscription plan. The Backup Only plan includes a limited set of access levels. Backup + Archiving plans grant access to all levels.

The following table lists the User Access levels available with each plan. Click the user access level name to view a description of the access and restrictions for that level.

Full Admin

Full Admins have access across all areas and capabilities, including all accounts and backed-up items, compliance features, and organization-wide settings.

Access:

• View, search, restore, migrate, and download all organization data across all workloads.
• Manage all workloads, accounts, domains, and backup settings.
• Access all Compliance features, including eDiscovery, Alerts, Tags, Retention Policy, Legal Hold, Audit Logs, and Review Processes.
• Manage user roles, permissions, and organization settings.
• Access Advanced Search, Insights, and system status.

Restrictions:

• A Full Admin cannot transfer ownership. Only the Organization Owner can transfer ownership.

IT Admin

The IT Admin role has full access related to account and user management configuration, including adding, deactivating, and deleting accounts. IT Admins can view workload item lists, but cannot access individual file contents. File access is restricted. IT Admins can only restore files.

Access:

• Manage account and user settings, including department assignment, role permissions, and SSO enforcement.
• View account information, delete, or deactivate accounts.
• Add new backup accounts and configure all user settings.
• Restore workloads from other accounts.
• Restore all workloads from other accounts, and access the System status and Restores pages.

Restrictions:

• IT Admins cannot access any compliance features. These features include eDiscovery, Alerts, Tags, Retention Policy, Legal Hold, Audit Logs, and Review Processes.
• IT Admins cannot view individual file contents across workloads.
• IT Admins cannot download, migrate, or add/remove tags.
• IT Admins cannot access Advanced Search or Insights.

Restricted IT Admin

The Restricted IT Admin role has nearly all features available to an IT Admin, with specific restrictions to ensure data privacy. Restricted IT Admins cannot access detailed information such as backup item lists and item-level details or perform any item actions such as download, restore, or migrate. But these users do have access to Audit Log and Retention Policy.

Access:

• View account information, delete, or deactivate email for all accounts.
• Add a new backup account and set up all user settings.
• Restricted IT Admins have limited access to the Compliance tab (audit log and retention policy), with retention policy access restricted to the workload level.
• Access to the system status page (backup, restore, and migrate) to view the backup, restore, and migrate activity within their organization.

Restrictions:

• Restricted IT Admins cannot access detailed backup information, including backup item lists and item-level details.
• Restricted IT Admins cannot perform any Download, Restore, or Migrate items.
• Restricted IT Admins cannot access the Advanced Search or Insight menu.

Group Supervisor

Group Supervisors only have access to users within their assigned departments or groups. Group Supervisors cannot add new backup accounts or access backed-up data in the shared drive, Microsoft SharePoint, groups and teams, or Google Groups. But they can do an advanced search to find items within their departments.

Access:

• View account lists within assigned departments.
• View individual files across Email, OneDrive, Google Drive, Contact, Calendar, Task, and Private Chat within assigned departments.
• Access Advanced Search for items within assigned departments.
• Access the system status page, Backup, Download, Restore, and Migrate.

Restrictions:

• Group Supervisors have their access restricted to their assigned departments only.
• Group Supervisors cannot access detailed information such as backup item lists and item-level details.
• Group Supervisors cannot perform any item action, such as Download, Restore, or Migrate items.
• Group Supervisors cannot access the Advanced Search or the Insight menu.

User

This role provides full self-service access for users to manage and recover their own data only. Users cannot access other accounts, organization settings, or Compliance features.

Access:

• Access all personal backed-up data.
• Restore, migrate, and download personal data.
• Access the System Status page to monitor personal backup, restore, or migration activity.
• Users can edit their own personal details.

Restrictions:

• Users cannot access user management or organization settings
• User access is limited to personal data only
• Users cannot add or remove tags

User View and Restore

The User View and Restore role provides nearly all capabilities available to the User role, but access is limited to viewing and restoring personal data only. This role does not permit download or migration actions.

Compliance and Review Officer

The Compliance and Review Officer can access all compliance features. But has limited access to view and access backed-up items in the organization. This role can only access email, OneDrive, GDrive, and private chat, but cannot migrate, restore, or delete.

Access:

• Access all Compliance features, including eDiscovery, Alerts, Tags, Retention Policy, Legal Hold, Audit Logs, and Review Processes.
• View individual files across Email, OneDrive, Google Drive, Contact, Calendar, Task, and Private Chat
• Download email, OneDrive, and Google Drive from other accounts
• Access the System Status → Download page

Restrictions:

• Compliance and Review Officers cannot restore or migrate any item
• Compliance and Review Officers cannot delete or deactivate accounts.
• Compliance and Review Officers cannot manage user settings or organization configuration.
• Compliance and Review Officers cannot perform mark for deletion or deletion on the review process menu. Only Data Protection Officers can perform that task.

Data Protection Officer

The Data Protection Officer role provides full access to Compliance features for audit and governance activities. Data Protection Officers are the only role permitted to perform deletion actions within the Review Process workflow.

Access:

• Access all Compliance features, including eDiscovery, Alerts, Tags, Retention Policy, Legal Hold, Audit Logs, and Review Processes.
• Perform mark for deletion and deletion actions within Review Processes.
• Access all email and private chat data within their organization.

Restrictions:

• Data Protection Officers cannot perform any download, restore, or migration.
• Data Protection Officers cannot delete or deactivate accounts.
• Data Protection Officers cannot manage user settings or organization configuration.

Reviewer

The Reviewer role is limited to the Review Process tab and can only be used to review emails. No other administrative or compliance features are accessible to them. Reviewers cannot set up a new review process, and they don't have any access to account and user management configuration.

Access:

• Access Review Processes
• Review and mark as reviewed the assigned items

Restrictions:

• Reviewers cannot create new Review Processes
• Reviewers cannot grant permissions to Review Process lists
• Reviewers cannot access administrative or compliance configuration features

Limited Reviewer

Limited Reviewers have access to the same features as Reviewers, but they require higher-level permission to access the review process list.

Enabling Access for External (Delegated) Users

If you have users you are not backing up who want to access your organization, you can add them as an external (also called delegated) user. An external user is someone from outside the organization or someone who is part of the organization, but is someone you have not included in the backup. Only administrators who have access to the User Management page can give access to external users.

1. From the User Management page, navigate to the Grant Permission tab.
2. Select Add User.
3. Enter the email address of the user you want to invite, and then select a role for the user.
4. Select the box stating I agree with these Terms and then choose Invite.

The user you added will receive an email with a link to log in and reset their password.

Important Notes

Keep the following points in mind when adding users:

• The invitation link will expire 24 hours after you send it.
• You can check whether the user has accepted the invitation by reviewing the Invitation List tab on the User Management page. You can also resend or cancel the invitation from this same page.
• Once the user has accepted the invitation and has logged in, NinjaOne SaaS Backup will add them to the user list on the Grant Permissions tab.

When adding external users, be aware of the following:

• Depending on what level of access you granted them, Users may be able to view your backed-up data.
• You cannot transfer ownership of the organization to an external user.
• NinjaOne SaaS Backup captures all activity in the audit log. This information includes external users.
• Once added, you can revoke access for an external user and inactivate the login permission, but you cannot delete the user from the list. To remove an external user, contact support@dropsuite.com for assistance.

Deactivating Login for a User

1. Navigate to the User Management page and select the Grant Permission tab
2. From the list of users, locate the user you want to deactivate.
3. In the Login Status column, deactivate the Login Status toggle.

You can reactivate a user by activating the Login Status toggle again.

Enabling Microsoft Azure AD (Entra ID), or Google SSO

You can now activate Microsoft 365 (M365) Azure AD single sign-on (SSO) or Google SSO, which allows users to log in to their backup dashboard using their M365 or Google credentials. This way, users don't have to keep a separate password for the NinjaOne SaaS Backup End-User portal. When you activate Azure AD or Google SSO in the Grant Permissions tab of the NinjaOne SaaS Backup End-User Portal, it activates all users who have access granted to log in.

1. Navigate to the User Management page and select the Grant Permission column.
2. Activate Enforce Azure AD SSO Log In or Enforce Google SSO Log In access for all users.
3. Once activated, all users will have to use their M365 or Google credentials to log in to their backup dashboard. The user would select the option to sign in with either M365 or Google Workspace (GWS) instead of entering their NinjaOne SaaS Backup username and password. You can also inactivate the user login from this same page.

Assigning Users to Departments

Assigning users to departments can be helpful when you have a lot of users and want to manage them based on specific groups you set up. For example, you could set up a finance department and then add all your finance users to that department so that you can manage them all at once. To do this, follow the steps below:

1. From the User Management page, select the Assign Department tab.
2. Select Department Management.
3. If a needed department is not already on the list, you can add it as follows:
   • Choose Add More.
   • Choose Save Changes.
4. In Assign Department, assign one or more departments to a user.

To sync the existing departments from your tenant, follow these steps:

1. On the Assign Department page, you will have an option for each tenant domain to enable Azure AD Department sync. This option will be off by default.
2. Select the Enable Azure AD Department Sync option to enable it. A dialog warning will appear, letting you know that the departments will be automatically synced and assigned to the user accounts. Select either Yes, Continue, or Cancel.
3. Once department sync is activated, NinjaOne SaaS Backup will show a syncing status while it scans the tenant and retrieves the information.
4. After syncing is complete, the newly added departments will have a blue icon (circle with an i) next to them, indicating that NinjaOne SaaS Backup synced them automatically.
5. As long as Azure AD Department sync is activated, NinjaOne SaaS Backup will check weekly for new departments or changes to users' department assignments. If you need to force a sync, you can use the Sync Now option to have it run immediately.

• End-User Role Accessibility (1).pdf100 KB