
NinjaOne SaaS Backup: User Management (End-User Portal)

Topic

This article discusses user management and user roles in the End-User Portal for NinjaOne SaaS Backup and NinjaOne Archiving + Backup.

Environment

  • NinjaOne SaaS Backup
  • NinjaOne SaaS Backup + Archiver

Description

NinjaOne SaaS Backup users who are added to be backed up can sign in and interact with their backup. Through the User Management page, you can give certain users elevated access to interact with the organization and other user accounts, or grant permissions to external users who do not have an active backup within the organization.

A given role can only assign user roles below its own. 

Managing User Access

  1. Log into your business backup/archive account.
  2. Click the account bubble in the upper right corner of the page and select User Management.
  3. Click the Grant Permission tab. This tab lists all users who are currently included in the backup. For each user, you can assign a role from the drop-down and toggle login on or off. If you select the Group Supervisor role for a user, also select the department they are admins of in the box that appears just below the role.

User Access Levels

NinjaOne SaaS Backup allows ten access levels for the SaaS Backup + Archiver product and five access levels for Business Backup.

Role and Permissions

Full Admin

  • All accesses and capabilities.
  • Can view, download, restore, migrate, and search emails from all email accounts.
  • Can set user permissions and compliance policies.
  • Can view logs, set legal holds, and set up review processes.
IT Admin
  • Can view, delete, and deactivate email for all accounts.
  • Can restore emails from other accounts.
  • Can set up all user settings.
  • Cannot access the Compliance tab.
Restricted IT Admin
  • Can view the list of backed-up accounts.
  • Can access account details, including status and the last backup date.
  • Can deactivate or reactivate accounts.
  • Can add new backups.
  • Can configure all user settings.
  • Cannot access any metadata.
  • Cannot use the Advanced Search and Insight tabs.
Group Supervisor
  • Full access to users within the departments in which they are supervisors.
  • Can restore, migrate, download, search, and view all email accounts within their allotted department.
  • Can set user permissions.
  • Cannot access all compliance policies.
User
  • Can view, download, restore, migrate, and search their emails.
  • Cannot access other users' accounts.
  • Cannot access the Compliance tab.

User View and Restore

  • Can view, restore, and search their emails.
  • Cannot download or migrate emails.
  • Cannot access the Compliance tab.
Compliance and Review Officer (SaaS Backup + Archiver Product only)
  • Can access eDiscovery Search, Alerts, View Audit Logs, Retention Policy, Legal Hold, and Review Process tabs.
  • Can view email for all accounts.
Reviewer (SaaS Backup + Archiver Product only)
  • Can access the Review Process tab to review emails.
  • Cannot set up a new review process.
Limited Reviewer (SaaS Backup + Archiver Product only)
  • Can access the Review Process menu.
  • Can only review emails within the selected list in the review process.
Data Protection Officer (SaaS Backup + Archiver Product only)
  • Can access the Review Process Tab.
  • Can delete messages marked for deletion.
  • Can add notes to messages marked for deletion for the audit log.
  • Can create tags to classify messages.
  • Can view email for all accounts.

Enabling Access for External (Delegated) Users

Users who need access to your organization but are not backed up can be added as external users. A delegated user can be someone from outside the organization or a member of the organization who is not included in the backup. Note the following information:

  • The user you add will be able to see your backed-up data (depending on their access level).
  • You cannot transfer ownership of the organization to a delegated user.
  • All activity, including that from external users, is captured in the audit log.
  • Once added, you can revoke access to an external user and disable login, but you cannot delete the user from the list. To remove an external user, contact [email protected], and they will be able to assist.
Only admins who have access to the User Management page can give access to external users.
  1. From the User Management page, click the Grant Permission tab.
  2. Click Add User, then enter the email address of the user you want to invite.
  3. Select a role for the user, agree to the terms and conditions, and click Invite. The user you added will receive an email with a link to log in and reset their password. This link expires after 24 hours. You can check, cancel, or resend the invitation in the Invitation List tab on the User Management page.
  4. Once the user has accepted the invitation and has logged in, the system will add them to the user list on the Grant Permissions tab.

Disabling a User Login

  1. On the User Management page, select the Grant Permission tab.
  2. Locate the user you want to disable and switch the Login Status option to Off (it will show red). You can re-enable the user login by switching this option to On (it will show green).
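
An added example, not NinjaOne code: a periodic access review built on the role table, the external-user notes, and the login toggle described above. It assumes a hand-compiled review sheet with the hypothetical columns email, role, external, login and department; the sample rows are constructed.

```python
import csv
import io

# Roles the page describes as able to view email for all accounts.
ORG_WIDE_MAIL_VIEW = {
    "Full Admin", "IT Admin",
    "Compliance and Review Officer", "Data Protection Officer",
}
# The remaining roles listed on the page (scoped or no mailbox access).
OTHER_ROLES = {
    "Restricted IT Admin", "Group Supervisor", "User",
    "User View and Restore", "Reviewer", "Limited Reviewer",
}

# Constructed sample: a hand-compiled review sheet, not a product export.
SAMPLE = """email,role,external,login,department
alice@example.com,Full Admin,no,on,
auditor@partner.example,Compliance and Review Officer,yes,on,
contractor@partner.example,IT Admin,yes,off,
bob@example.com,Group Supervisor,no,on,
carol@example.com,Group Supervisor,no,on,Finance
dave@example.com,Backup Operator,no,on,
"""

def review_access(sheet_text):
    """Return (email, finding) pairs for rows that need a reviewer's attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(sheet_text)):
        email, role = row["email"].strip(), row["role"].strip()
        external = row["external"].strip().lower() == "yes"
        login_on = row["login"].strip().lower() == "on"
        if role not in ORG_WIDE_MAIL_VIEW | OTHER_ROLES:
            findings.append((email, "role not in the documented list"))
            continue
        if external and role in ORG_WIDE_MAIL_VIEW:
            # External users cannot be deleted from the list, only switched off.
            state = "active" if login_on else "login off, still listed"
            findings.append((email, f"external user with org-wide mail view ({state})"))
        if role == "Group Supervisor" and not row["department"].strip():
            findings.append((email, "Group Supervisor without a department"))
    return findings

if __name__ == "__main__":
    for email, finding in review_access(SAMPLE):
        print(f"{email}: {finding}")
```

Each finding can be checked against the audit log, which the page says captures all activity, including that from external users.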

Enabling Azure or Google SSO

You can now enable M365 Azure Active Directory SSO or Google SSO, which lets users log into their backup dashboard using their M365 or Google credentials, eliminating the need for a separate password for the SaaS Backup End-User Portal. When Azure or Google SSO is enabled, all users who have been granted access can log in.

Azure or Google SSO is not enabled for external owners by default and is not affected by the SSO toggle found within the portal. SSO can be enabled for the owner on request to [email protected].
  1. On the User Management page, select the Grant Permission tab.
  2. On the right side of the page, enable Enforce Azure AD SSO Log in or Enforce Google SSO Log In access for all users. Once enabled, all users must use their M365 or Google credentials to log into their backup dashboard. They will select the option to sign in with either M365 or GWS instead of using their username and password. You can also disable the user login from the same page.

Assigning Users to Departments

Departments can be useful when you have a lot of users and want to manage them based on specific groups you set up. For example, you could set up a finance department for all your finance users, so you can manage them all at once.

  1. On the User Management page, click the Assign Department tab, then click Department Management and select the department to which you will assign the users. You can assign multiple departments to a user. If a needed department is not already on the list, you can add it to the bottom of the list.
  2. Click Add More to add the users, then click Save Changes.

Syncing Existing Departments From Your Tenant

As long as the option is enabled, NinjaOne SaaS Backup will check once a week for new departments or changes to users' department assignments. To force an immediate sync, use the Sync Now option.

  1. From the Assign Department page, each tenant domain has an option to enable Azure AD Department sync. This option is turned off by default. Click the toggle to turn it on.
  2. A pop-up warning will let you know that the departments will be automatically synced and assigned to the user accounts. Select either Yes, Continue, or Cancel.
  3. The system will show a “syncing” status while it scans the tenant and retrieves the information.
     After syncing is complete, the departments added will have a special icon (blue circle with an i) next to them, indicating that they were automatically synced.
