Add Users

To add users and grant user permissions to IBM® Storage Protect for Cloud and other services, click Add Users on the ribbon, and then configure the following settings:

Procedure

  1. Sign-in Method – Select the sign-in method from the drop-down list.
    • Local User – The local system will check the user credentials.
    • Microsoft 365 User/Group – Microsoft 365 users and groups will become IBM Storage Protect for Cloud users. They can use their Microsoft 365 login IDs to log into IBM Storage Protect for Cloud.
      Note: To allow added users and group users to sign in to IBM Storage Protect for Cloud Microsoft 365 login IDs, IBM Storage Protect for Cloud recommends that the Microsoft 365 Global Administrator check the Enterprise applications configuration in Microsoft Entra ID > Enterprise applications > Consent and permissions > User consent settings. If the Do not allow user consent option is selected, the Microsoft 365 Global Administrator or Privileged Role Administrator must consent to the IBM Storage Protect for Cloud app first. For details on consenting to the app by the Administrator, refer to What If Your Tenant Does Not Allow Users to Consent to Apps?
    • Salesforce User – Salesforce users will become IBM Storage Protect for Cloud users. They can use their Salesforce login IDs to log into IBM Storage Protect for Cloud.
    • Google user/group – Google users and groups will become IBM Storage Protect for Cloud users. They can use their Google login IDs to log into IBM Storage Protect for Cloud.
      Note: Due to Google API limitations, users in the nested Google groups cannot use their Google login IDs to log into IBM Storage Protect for Cloud.
  2. The following options appear according to the sign-in method you have selected:
    • Microsoft 365 Tenant – This option only appears if Microsoft 365 User/Group is selected as the sign-in method. Select a tenant from the drop-down list.
    • Salesforce tenant – This option only appears if Salesforce User is selected as the sign-in method. Select the tenant of the users you want to add from the drop-down list.
    • Google tenant – This option appears if Google user/group is selected as the sign-in method. Select the tenant of the users you want to add from the drop-down list.

    The tenants in the Microsoft 365 tenant / Google tenant / and Salesforce tenant drop-down list are retrieved from Tenant management. For details on connecting tenants, refer to Connect your Tenants to IBM Storage Protect for Cloud.

  3. Add Users – Specify the users that you are about to add into IBM Storage Protect for Cloud.
    • For Local User, enter valid email addresses in the format of someone@example.com.
    • For Microsoft 365 User/Group, you can enter the following:
      • The username of Microsoft 365 usernames / email adddresses in the format of someone@example.com.
      • The aliases of Microsoft 365 users.
      • The names / email addresses of Microsoft 365 Groups, mail-enabled security groups, distribution groups, and security groups.
        Note: If the Microsoft 365 username, alias, or group name begins with a special character, you cannot add them to IBM Storage Protect for Cloud.
    • For Salesforce user, enter usernames of Salesforce users in the format of someone@example.com.
    • For Google user/group, you can enter the following:
      • The usernames of Google users in the format of someone@example.com.
      • The display names or email addresses of Google groups.
    Note the following:
    • If you select Microsoft 365 User/Group as the sign-in method, you can enter or select Everyone. Everyone refers to all available users (excluding external users) in your Microsoft Entra ID. If you add Everyone as IBM Storage Protect for Cloud users, all available users can sign in to IBM Storage Protect for Cloud and perform the corresponding actions according to the assigned role and available products.
    • When you add a security group, distribution group, or mail-enabled security group to IBM Storage Protect for Cloud, the following users cannot sign in to IBM Storage Protect for Cloud:
      • The owner of the distribution group or mail-enabled security group.
      • If the security group has nested groups and the owner of a nested group is not a member of any other groups that have been added to IBM Storage Protect for Cloud, the nested group owner cannot sign in to IBM Storage Protect for Cloud.
    • Guest users cannot log in to IBM Storage Protect for Cloud
  4. Role – Select the Tenant User, Service Administrator, or Customized administrator role.
    Note: For more details about the user roles, refer to IBM Storage Protect for Cloud User Roles.
  5. Assign permissions to users (for Customized administrator) – If you select the Customized administrator role, turn on the toggle of the permission that you want to assign to the users. In IBM Storage Protect for Cloud, you can assign Management, Auto discovery, and Administration permissions to customized administrators, and they can only access the functions for which they have been assigned permissions. When customized administrators go to each cloud service, their permissions are the same as the service administrators.
  6. Assign services and permissions to users for Tenant user) – If you select the Tenant user role, turn on the toggle of the service that the users can access, and then select the permissions for the users. The services available for selection depend on your subscription. If your subscription for a specific service has expired, the service is unavailable for selection.
    Service Permission
    IBM Storage Protect for Cloud Microsoft 365 Standard User

    In IBM Storage Protect for Cloud, Standard Users can configure restore settings, perform restores, and view activity reports. Additionally, Standard Users that are added to the Administrators group in IBM Storage Protect for Cloud can also configure backup settings and perform backups.
    Application administrator

    The application administrator can configure backup and restore settings, perform backup and restore operations, view activity reports, etc.

    IBM Storage Protect for Cloud Recovery Portal (for Microsoft 365)
    Note: This service is only supported for Microsoft 365 accounts. If you want to grant permissions to many users, it is recommended to grant permissions to Microsoft 365 Groups instead of Microsoft 365 users.
    		 Standard User

    Standard Users can access the IBM Storage Protect for Cloud Recovery Portal, run jobs to recover Microsoft 365 data, and view job reports.
    Application administrator

    Application Administrators can use all the functionalities in IBM Storage Protect for Cloud Recovery Portal and manage access to IBM Storage Protect for Cloud Recovery Portal for Standard Users.
    IBM Storage Protect for Cloud Azure VMs, Storage, and Entra ID
    Note: This service is only supported for Microsoft 365 accounts and local accounts.
    		 Application administrator

    In IBM Storage Protect for Cloud Azure VMs, Storage, and Entra ID, application administrators can manage backup and restore settings, perform backup/restore jobs, and view or download job reports.

    Standard user

    Standard users must be manually added to IBM Storage Protect for Cloud Azure VMs, Storage, and Entra ID account management. The standard users who are added to a security group will have the same permissions as this group has been granted. The standard user can also be added to the Administrators group to have the full control to the application.
    IBM Storage Protect for Cloud Salesforce Standard User

    A standard user must be added into a user group in IBM Storage Protect for Cloud Salesforce by Administrators for using the specific features according to the permissions granted to the user group.
    Application administrator

    The application administrator fulfills the role of an Administrator. The Administrator can perform backup/restore jobs, export backup data to CSV, download reports, and manage IBM Storage Protect for Cloud Salesforce settings.
    IBM Storage Protect for Cloud Dynamics 365

    Application administrator

    The application administrator can configure backup and restore settings, perform backup and restore, view activity reports, etc.
    Standard user In IBM Storage Protect for Cloud Dynamics 365, administrators must add standard users to specific security groups to access certain features.
    IBM Storage Protect for Cloud Google Workspace Standard User

    Standard users must be manually added to IBM Storage Protect for Cloud Google Workspace account management. The standard users who are added to the security groups can access the IBM Storage Protect for Cloud Google Workspace portal to restore/export backup data and view job reports based on their permissions.
    Application administrator

    In IBM Storage Protect for Cloud Google Workspace, Application administrators can configure backup and restore settings, perform backup and restore, view activity reports, etc. Apart from these, in IBM Storage Protect for Cloud, Application administrators can add Tenant Users and assign IBM Storage Protect for Cloud Google Workspace to them.
    IBM Storage Protect for Cloud Recovery Portal Google WorkSpace
    Note: This service is only supported for Google users.
    		 Standard User

    Standard users can access the IBM Storage Protect for Cloud Recovery Portal portal, run jobs to recover Google Workspace data, and view job reports.
      Application administrator

    Application administrators can use all the functionalities in IBM Storage Protect for Cloud Recovery Portal and manage access to IBM Storage Protect for Cloud Recovery Portal for Tenant Users.
  7. Available geo location If your tenant has Multi-Geo Capabilities in IBM Storage Protect for Cloud Microsoft 365, the Available Geo Location option will appear when you select Microsoft 365 in the Available Product field. To maintain segregation among geo locations, select one or more geo locations that will be available to the users.
  8. Send email notifications to the newly added users (for Microsoft 365 User/Group or Salesforce User) – If you want to send email notifications to newly added users, select this check box.
  9. Click Save to save your configurations. Users with the sign-in method of Local User will receive invitation emails. They must activate the user IDs first by clicking the link provided in the emails, and then use the user ID and password in the invitation emails to sign in to IBM Storage Protect for Cloud.