Creating Security Associations for Role-Based Access Control

To create a security association, the entity is selected, a user or user group is selected, and then a role is assigned to the selected user or user group. You can create security associations at three levels: company, client, or subclient. This page contains examples of the steps to use for each of the three levels.

Creating a Security Association at the Company Level

Associations are defined at a company level when permissions are applied to the entire tenant. An example might be a help desk role that needs the ability to browse and restore for any managed workload without having the ability to control backups or create users.

Procedure

1. From the navigation pane, go to Manage > Company.

2. In the Security section, click Edit.

   The Security dialog box appears.

3. Enter users and/or user groups, and select their role from the provided list, and click Add for each one.

4. Repeat the preceding steps for each user and user group and role that you want to include in the security association.

5. Click Save.

Creating a Security Association at the Client Level

Associations are defined at the client level to restrict permissions to that particular client. An example is providing the email and messaging team access to Exchange Online backups, but not to SharePoint, OneDrive, or Teams backups.

Procedure

1. From the navigation pane, go to Protect > Office 365.

   An overview of the Microsoft 365 information is displayed.

2. On the Apps tab, select an application in the Name column.

   An overview of the app is displayed.

3. On the Configuration tab, in the Security section, click Edit.

   The Security dialog box appears.

4. Enter a user or user group, select their role from the provided list, and click Add.

5. Repeat the preceding step for each user and user group and role that you want to include in the security association.

6. Click Save.

Creating a Security Association at the Subclient Level

Associations are defined at the subclient level to restrict access to specific subsections of data, such as a folder or set of files within a file server. These associations are used less frequently than company or client-level associations.

Procedure

1. From the navigation pane, go to Protect > File servers.

2. Click the subclient.

3. Select the Configuration tab.

4. In the Security section, click Edit.

   The Security dialog box appears.

5. Enter users and/or user groups, and select their role from the provided list, and click Add for each one.

6. Repeat the preceding steps for each user and user group and role that you want to include in the security association.

7. Click Save.