Identity management reference

Updated

Overview

This article describes identity management settings. You can use identity management to control authentication and authorization in your environment.

Considerations

Single sign-on (SSO) for Incydr
•  These SSO instructions apply only if you access Incydr directly via console.*.code42.com URL (typically for SSO configured before September 2025).
•  If you access Incydr from the Mimecast Administration Console after signing in at login.mimecast.com, these instructions do not apply to you (typically for SSO configured after September 2025).
•  Directory services information, however, applies to all Incydr environments.

Definitions

authentication: The process of identifying and verifying users in a system. Methods for authentication include: 

  • Local Incydr directory
  • Single sign-on (SSO)
  • Multi-factor authentication (MFA)

authentication provider: Allows access to Incydr. When enabled, users sign in using the authentication provider instead of Incydr. Examples of authentication providers include Okta, Google SSO, Ping, Entra ID (Azure AD), OneLogin, and Microsoft AD FS. 

Incydr User Directory Sync Tool: Uses LDAP to automate user management between your directory service and your environment. This differs from other provisioning providers because it uses LDAP rather than SCIM.  

identity management: An IT administrative area or market that deals with users in a IT system and gives them access to the right resources within the system. 

identity provider (IdP): A general term to refer to a system that contains user identities. Identity provider can refer to a system performing authentication, provisioning, or both. Examples of identity providers include Okta, Google SSO, Ping, Entra ID (Azure AD), and OneLogin. 

SCIM provisioning: An open standard protocol for automating user management. 

provisioning provider: Automates user management. Applications like Incydr sync with a provisioning provider and then create, update, or deactivate users based on the provisioning provider's user profile. Examples of provisioning providers include Okta, Ping, and Entra ID (Azure AD). 

single sign-on (SSO):  SSO is one type of authentication method. It allows a user to use the same credentials to sign in to multiple applications.

Authentication

Authentication provider settings enable you to use a third-party application to authenticate users in the environment. For example, use these settings to configure a provider for single sign-on authentication.  

To view the authentication provider settings:

  1.  Sign in to the Incydr console.
  2.  Go to Administration > Integrations > Identity Management
  3. Select Authentication.

Authentication provider main screen

Add authentication provider

From the Authentication tab, click Add authentication provider.

Add authentication provider

Item Description
a Display Name Sets the name of your organization's authentication provider. This is a descriptive label and the text entered here is displayed to the user on the sign-in screen of the agent and Incydr console.
b Provider's Metadata

Sets the format for the authentication provider's metadata. Choose either to enter a URL or upload an XML file. 
c Enter URL 
or
Upload XML File

Enter URL: Sets the URL for the identity provider. The Incydr cloud must be able to access this URL.

Upload XML File: Uploads the XML file.

Custom domains are not supported
When entering the URL for the XML metadata file, custom domains are not supported. You must use the standard domain of your identity provider. 

Authentication provider

The following screen appears when you configure a standalone identity provider. 

Authentication provider details

Item Description Click to:
a Display name Displays the name of your authentication provider.    
b Actions

Menu with the following actions: 

  
c Code42 Service Provider Metadata URL

Displays the URL for the SAML 2.0 metadata file. This file is used by the authentication provider(s).

To view the contents of the metadata XML file, open the link in a web browser. The file contains URLs needed by your service provider to connect to Incydr, including URLs to the server, entity ID, and Assertion Consumer Service (ACS).

 View the metadata XML file.
d Attribute mapping

Maps Incydr usernames to the provider's name identifier or a custom attribute. 

  • Username: Specify the identity provider's name ID or attribute that maps to the Incydr username.
    • Select Use nameid to use the identity provider's name ID.
    • Select Use attribute tag to enter a custom identity provider attribute.
  • Email (Use nameid only): Enter the identity provider attribute that contains user email addresses.
  • First Name: Enter the identity provider attribute that contains user first names.
  • Last Name: Enter the identity provider attribute that contains user last names.
 Edit attribute mappings.
e Organizations in Use

Displays the organizations that use this provider as the authentication method.

You can also manage the organizations that use this authentication provider from organization settings.

 Change organizations that use the authentication provider.
f SAML attributes Displays the SAML context and class references in your identity provider's SSO requests, as well as the digest and signature algorithms to use.  Set the SAML attributes.
g Local users

Displays users who are set to use local authentication only. These users are meant for troubleshooting issues with your authentication provider. 

Local users cannot be managed with provisioning.

 Add users to the list.

Provisioning

Provisioning provider settings allow you to connect to a third-party application where your users are stored, and automatically add them to Incydr. To view the provisioning provider settings:

  1. Sign in to the Incydr console.
  2. Select Administration > Integrations > Identity Management
  3. Select Provisioning.
  4. Click the options menu Alerts_ActionsIcon.png for a provider in the list and select View provider details.

Provisioning-Provider-List-2025-03-18-export.png

Add Provisioning Provider

To view, go to Provisioning, then click Add Provisioning Provider. Choose either Add SCIM Provider or Add Code42 User Directory Sync.

The following dialog appears when you select Add SCIM Provider. 

Add SCIM Provisioning Provider dialog

Item Description
a Display Name Sets the name for the SCIM provider or Incydr User Directory Sync.
b Authentication Credential Type

Sets the type of credential authentication to use:

  • API credentials (default)
    Generates a password.
  • OAuth token
    Generates a token for use with SCIM providers who accept OAuth tokens for credentials.

Credentials

After you enter a username for the provisioning provider, the credentials appear. Your provider may require some or all of these credentials to create a service account for syncing between your directory and Incydr. 

SCIM Provider Created dialog

Item Description
a Base URL The URL for interacting with the Incydr provisioning API. 
b Username Username for the service account. 
c

Password

or

Token

Password or token for the service account. Which appears appears depends on whether you selected API Credentials or OAuth token in the Add SCIM Provisioing Provider dialog box.

This password or token appears only once, so save it in a secure location.

SCIM provisioning provider

Appears when configuring a SCIM provisioning provider. 

Provisioning-Provider-Details-2025-03-18-export.png

Item Description Click to view
a Name Displays the name of your provisioning provider.  
b Actions

Menu with the following actions: 

  • Edit this provider name
    Change the provisioning provider's displayed name.
  • Configure authentication type
    Allows you to choose either password or token authentication.
  • Apply org and role settings
    Apply any organization or role changes. May take up to an hour for the changes to be implemented.
  • Delete this provider
    Remove this provisioning provider from Incydr.
  
c Provider credentials

Displays user credentials. This user performs directory sync between your provider and Incydr. These credentials are used by the provisioning provider.

Type is either SCIM Provider or Incydr User Directory Sync

  
d Regenerate credentials

Regenerates credentials, either API credentials or an OAuth token. The regenerated password or token appears on the SCIM Provider Updated dialog. Copy the newly-generated password or token to the SCIM provisioning provider.

Credentials were originally generated when you added the SCIM provisioning provider. You may need to regenerate credentials in certain circumstances, such as when a new administrator takes over management of the SCIM provisioning provider in Incydr.

  
e Deactivation delay
 

Displays the amount of time Incydr waits to deactivate a user once the provider has sent the update. The maximum deactivation delay is 90 days.

Even if you configure Incydr to wait to deactivate a user, the user is immediately blocked. The user is then deactivated after the configured time. If you need to cancel a pending user deactivation during the delay period, unblock the user.

Deactivation of users on legal hold

Backup agent and legacy agent only

If users who are custodians under a legal hold are subsequently selected for deactivation (for example, from the Incydr console, a provisioning provider, or API), they are not deactivated immediately because their data must be retained for legal hold purposes. Instead, they are blocked. Once these blocked users are released from legal hold, they are deactivated automatically. 

  
f

Edit

Edits the deactivation delay setting.

  
g

Organization mapping

Displays how Incydr assigns organizations to users who are added from the provisioning provider.

Only configurable for SCIM provisioning providers.

  
h

Edit

Change how Incydr maps provisioned users. Choose between the following mapping methods: 

  • Create new users in the organization below 
    Maps new users to a single organization.
  • Map users to organizations based on the provider's "c42OrgName" attribute
    Maps groups to organizations based on the providers' "c42OrgName" attribute.
  • Map users to organizations using SCIM groups
    Create mappings of SCIM groups to organizations.  You must first send SCIM groups to Incydr to use this option. If SCIM group are not sent to Incydr (for example, using the /Groups API resource in the SCIM protocol), the "There are no SCIM groups available" message displays. After sending the SCIM groups, the Add Mapping button displays.
 Organization Mapping Method
i Organization name

Displays a Incydr organization or the Add Mapping button.

  
j Role mapping

Displays how roles are mapped from the provisioning provider to Incydr.

  
k Edit

Change how roles are mapped from the provisioning provider to Incydr. Choose:

  • Manually
    Assign roles manually in Incydr. Roles are not mapped from the provisioning provider.
  • Map SCIM groups to Code42 roles
    Map the SCIM groups in the provisioning provider to roles in Incydr. You must first send SCIM groups to Incydr to use this option. If SCIM group are not sent to Code42 (for example, using the /Groups API resource in the SCIM protocol), the "There are no SCIM groups available" message displays. After sending the SCIM groups, an Add Role Mapping button displays.
 Edit Role Mapping
l

Edit mapped roles 

or 

Add Role Mapping

SCIM provisioning providers only

Maps Incydr roles and permissions to groups.

  • Allows you to edit mapped roles if roles have already been mapped (pictured).
  • If role mapping has not been performed yet, an Add Role Mapping button appears. The button appears only if SCIM groups have already been sent from your provider. 
 Add Role Mapping

Select Roles

Incydr User Directory Sync only

Edit and delete roles to be managed by the Incydr User Directory Sync Tool. This means only roles checked in this list will be automatically updated by the tool. Roles that aren't checked here must be manually updated in the Incydr console. 

See the Roles reference for more information on each role. 

 View a list of roles within your environment

Edit Organization Mapping Method for SCIM provider

To view organization mapping methods, select the edit icon Edit icon next to Organization Mapping. 

Single organization

Assigns all users to the same Incydr organization. If you choose this option, create organizations in the Incydr console before you begin.

Example use case
Use this option if you manage users in the Incydr console. For example, all users that are provisioned from the provisioning provider are added to the same organization. You can then move the users from that single organization to additional organizations in the Incydr console. 

Mapping to single organization

Item Description
a Create new users in the organization below Incydr assigns new users to the selected organization.  
b Select an organization Select the organization where you want to place new users.
"C42OrgName" attribute

The "c42OrgName" attribute creates new organizations or assigns users to existing organizations based on the value for the user attribute c42OrgName. This value becomes the name for the Incydr organization. This attribute is managed on the provisioning provider. 

Example use case
Use this method if you want to manage users in the provisioning provider (and not in the Incydr console). The value for this attribute becomes the name for the Incydr organization. Incydr creates new organizations or assigns users to existing organizations based on the value. 

Mapping to C42OrgName attribute

Item Description
a Map users to organizations based on the provider's "c42OrgName" attribute Code42 assigns users to the selected organization using the "c42OrgName" attribute. 
b Select an organization Select the organization where you want to place unmapped users.
SCIM group

Assigns users to Incydr organizations based on their SCIM group. If you choose this option, create organizations in the Incydr console before you begin.

Example use case
Use this mapping method if your users are already assigned to SCIM groups. For example, a user is part of a two different SCIM groups: an executive group and a UK group. You want this user's backup policies to match the other executives in your company, so this user should be assigned to the same Incydr organization as the other executives. In the Incydr console, you can choose the executive group to take priority over the UK group. This way you can place all of the executives in your company in the same organization and ensure they have the same backup policies.


Custom SCIM mapping.

Item Description
a Map users to organizations using SCIM groups.

Incydr assigns users to the selected organization based on SCIM groups.  To use this option, SCIM groups must first be sent to Incydr (for example, using the /Groups API resource in the SCIM protocol).

After you click Save, click Add Mapping to map roles to Incydr groups.
b Select an organization Select the organization where you want to place unmapped users.

Add Mapping

To view, click Add Mapping. Use Add Organization Mapping to map SCIM groups to Incydr organizations. To use this option, SCIM groups must first be sent to Incydr (for example, using the /Groups API resource in the SCIM protocol).

Provisioning provider add mapping

Item Description
a Select a SCIM group Displays all the SCIM groups that your provider has sent to the Incydr console. Only groups that have not been mapped appear in this list.
b Select a Code42 organization Displays the organization tree for your environment. 

Edit Role Mapping

To view, select the edit icon Edit icon next to Role Mapping.

Edit Role Mapping dialog

Item Description
a Manually Assign roles manually in Incydr. Roles are not mapped from the provisioning provider. 
b Map SCIM groups to Code42 roles

Map the SCIM groups in the provisioning provider to roles in Incydr. To use this option, you must first send SCIM groups to Incydr (for example, using the /Groups API resource in the SCIM protocol).

If SCIM group are not sent to Incydr, the "There are no SCIM groups available" message displays. After sending the SCIM groups, an Add Role Mapping button displays. 

Add Role Mapping

To view, click Add Role Mapping.

Add role mapping

Item Description
a Select a SCIM group Displays all the SCIM groups that have been pushed to Incydr (for example, using the /Groups API resource in the SCIM protocol). Only groups that have not been mapped appear in this list.
b Select a Code42 role Displays a list of all the Incydr roles. Learn more about roles and permissions below.

Incydr User Directory Sync

Appears when configuring Incydr User Directory Sync. 

Incydr User Directory Sync configuration page

Item Description Click to view
a Name Display name for this User Directory Sync instance  
b Actions

Menu with the following actions: 

  
c Provider Credentials

Displays user credentials. This user performs directory sync between your provider and Incydr. 

Click Regenerate password to create a new password if needed for the user. If you generate a new password for the user, you must also run the C42UserDirectorySync.bat --scim-password command to reconfigure the scim.password property with the new password

  
d Deactivation Delay
 

Displays the amount of time Incydr waits to deactivate a user after a synchronization is run. The maximum deactivation delay is 90 days.

Click the edit icon Edit icon to change the length of time to delay deactivation.

Even if you configure Incydr to wait to deactivate a user, the user is immediately blocked. The user is then deactivated after the configured time. If you need to cancel a pending user deactivation during the delay period, unblock the user.

Deactivation of users on legal hold

Backup agent and legacy agent only

If users who are custodians under a legal hold are subsequently selected for deactivation (for example, from the Incydr console, a provisioning provider, or API), they are not deactivated immediately because their data must be retained for legal hold purposes. Instead, they are blocked. Once these blocked users are released from legal hold, they are deactivated automatically. 

  
e

Organization Mapping

Disabled within the Incydr console. To configure how users are mapped to Incydr organizations, use the Org script in the Incydr User Directory Sync Tool. 

  
f Edit  Change how Incydr maps provisioned users to organizations.  Edit Organization Mapping Method
g

Role Mapping

Displays which roles the User Directory Sync automatically updates. 

  
h Edit 

Enable a method for mapping roles to users. Choose either Manually or Select roles from the Incydr User Directory Sync.

  • Manually: You must update roles within the Incydr console
  • Select roles from the Incydr User Directory Sync: Incydr automatically updates a user's roles based on the role script
 Edit Role Mapping
i Select Roles

Select roles to be managed by the Incydr User Directory Sync Tool. This means only roles checked in this list will be automatically updated by the tool. Roles that aren't checked here must be manually updated in the Incydr console. 

See the Roles reference for more information on each role. 

 View a list of roles within your environment.

Edit Organization Mapping Method for User Directory Sync

To view organization mapping methods, select the edit icon Edit icon next to Organization Mapping. 

Create new users in an existing Incydr organization

Assigns new users to the same Incydr organization and does not map new users based on the User Directory Sync org script. If you choose this option, create organizations in the Incydr console before you begin.

Example use case
Use this option if you want to manage new users in the Incydr console. All users that are provisioned from User Directory Sync are added to the same organization. You can then move the users from that single organization to additional organizations in the Incydr console. 

Add new users to one organization.

Item Description
a Create new users in the organization below and do not map users based on the User Directory Sync's org script Incydr assigns new users to the selected organization.  
b Select an organization Select the organization where to place new users. 
User Directory Sync org script

Assigns users to organizations based on the User Directory Sync org script.   

Example use case
Use this method if you want to manage users in the User Directory Sync (and not in the Incydr console). Incydr creates new organizations or assigns users to existing organizations based on the org script.  

Map using UDS org script.

Item Description
a Map users to organizations based on the User Directory Sync's org script Incydr assigns users to the selected organization using the User Directory Sync org script. 
b Select an organization Select the organization where you want to place unmapped users. 

Select roles

To view, go to the Provisioning, and click Select Roles. This is a security measure to prevent users from elevating their privilege within environment. 

Select roles

Item Description
a Choose Roles Displays all of the roles available in your environment. To learn more about what the permissions, limitations, and example use cases for each role, see the

Roles reference.
b Enable or disable role

Enable or disable roles from automatic provisioning.

  • Enabled: Incydr automatically adds or removes this role based on your role script.
  • Disabled: Even if your role script includes this role, Incydr will not update a user to add or remove this role. You must manually update in the Incydr console. 

Apply organization and role settings

Should you need to change organization and role settings and want them to be applied to all provisioned users in Incydr immediately, use the Apply Org and Role Settings option in the action menu of the target provisioning provider.

Use with caution
Applying the organization and role settings to all provisioned users with the Apply Org and Role Settings option could be a destructive action because organization assignment changes may impact your currently provisioned user's archive configurations. Both organization and role settings are applied simultaneously and complete asynchronously.

Steps

To apply organization and role changes to either a SCIM provisioning provider or a Incydr User Directory Sync provisioning provider, complete the following: 

  1. Sign in to the Incydr console.
  2. Go to Administration > Integrations > Identity Management > Provisioning.
  3. Select a provisioning provider.
  4. Choose Actions > Apply Org and Role Settings.

    Apply org and role settings

  5. Click Apply.
    It may take up to one hour for the changes to be applied to all affected users.

Apply settings for organizations and roles mapped with SCIM groups

In order to map SCIM groups to V organizations or roles, you must first push those SCIM groups to Incydr so they are available for mapping. You can do this by provisioning the users in their groups (or by using a push method such as the /Groups API resource in the SCIM protocol). However, this means that initially the users are placed in the default organizations and roles rather than the ones you want to map them to. 

To move users to the correct organizations and roles, map your organizations and roles and then apply the mappings:

  1. Provision users with their groups. Although this places the users in default organizations and assigns default roles, it also pushes the SCIM groups to Incydr so they appear in the Incydr console.
  2. Now that the SCIM groups appear in the Incydr console, you can use them to configure organization mapping and configure role mapping.
  3. Run Apply Org and Role Settings to apply the newly configured organizations and role assignments to the already-provisioned users. Users are moved to the correct organizations and roles.

Use cases

See the following sections for situations where applying mappings may be useful.

SCIM provisioning provider
Configure mappings first
Ensure you've configured the organization and role mappings in the provisioning provider details page before applying mappings with the Apply organization and role settings dialog.
Organization mapping

You have configured your identity provider to provision the "c42OrgName" user attribute. Apply mappings when:

  • You have recently configured the Incydr mapping method to use "C42OrgName" and would like to move all existing provisioned users to their "c42OrgName" organization.
  • You have manually moved users into other organizations and would like them moved back to their "c42OrgName" organization.

You have configured your identity provider to provision user group information. Apply mappings when:

  • You have recently configured the Incydr mapping method to use SCIM groups and would like to move all existing provisioned users in manually assigned organizations to their mapped organization.
  • You have manually moved provisioned users into other organizations and would like them moved back to their mapped organization.
  • You have updated the SCIM group mappings and would like existing provisioned users to be moved into their newly mapped organizations immediately.
Role mapping

You have configured your identity provider to provision user group information. Apply mappings when:

  • You have recently configured the Incydr mapping method to use SCIM groups and would like to move all existing provisioned users in manually assigned roles into newly mapped roles.
  • You have manually assigned roles to provisioned users and would like them re-assigned to their mapped roles.
  • You have updated the SCIM group mappings and would like existing provisioned users to be assigned into their newly mapped roles immediately.
Incydr User Directory Sync
Full sync
You should run a full sync to reprovision all users to Incydr using the Incydr User Directory Sync rather than applying organization and role mappings. However, in some cases, accessing the Incydr User Directory Sync or running a full sync may not be an option. In those cases you can apply mappings with the Apply organization and role settings dialog.
Organization mappings
  • You had previously configured mapping to use the org script, but recently updated the Incydr mapping method to use the "User Directory Sync Org Script".  Apply mappings when you would like to move all existing provisioned users in their manually assigned organizations to the scripted organization.
  • You have mapping configured to use the "User Directory Sync Org Script", but later manually moved provisioned users into other organizations. Apply mapping changes to move users back to their scripted organization.
Role mappings

You have configured the User Directory Sync role script to provision user's roles information. Apply mappings when you have updated the role allowlist and would like update provisioned users accordingly.

Sync Log

The sync log displays all of the updates made to your environment from the provisioning provider. 

To view the Sync Log:

  1. Sign in to the Incydr console.
  2. Select Administration > Integrations > Identity Management
  3. Click Sync Log
Data in the Sync Log is retained for 90 days
As of September 22, 2021, the Sync Log retains data for only 90 days. If you want to retain Sync Log data older than the last 90 days, you must export the data before September 22, 2021. After that date, to retain Sync Log data older than 90 days, export the data on a regular basis and keep it in your own storage systems. For more information, see Export Sync Log data.

Sync log

Item Description Click to view
a Date selector Selects the timeframe for which logs to display. Click to view a calendar date picker.
b Refresh Table Retrieves the most recent synchronization changes. Click to view the latest log entries.
c Export CSV Exports all of the sync logs to a .CSV file. Use this option to filter the logs further.  Click to start downloading a CSV file.
d Provider Displays the provider that made the update. Click to sort.
e User Impacted Displays the Incydr username.  Click to sort.
f Change type

Displays how the user was changed. Change types are: 

  • Added
  • Created
  • Modified
  • Deactivated
  • Removed
  • Sync Failure
  • Not in Role Mapping
  • Removed
 Click to sort.
g Attribute changed

Displays what part of the user changed. Attribute changes can be to: 

  • Country
  • Department
  • Division
  • Email
  • Employment Type
  • External ID
  • First Name
  • Last Name
  • Locality
  • Manager
  • Organization 
  • Region
  • Role
  • Title
  • User Name
 Click to sort.
h New Value

Displays the new value for the attribute that was changed.

Note: Organization attribute values include the orgId, and Manager attribute values include the userId.

 Click to sort.
i Old value Displays the old value for the attribute that was changed. Click to sort.
j Date changed Displays the date the change occurred.  Click to sort.
Provisioning updates also appear in the Audit Log
In addition to appearing in the Sync Log, updates resulting from provisioning also appear in the Audit Log. For example, newly-provisioned users appear in the Add user event type, users deactivated by provisioning appear in the Deactivate user event type, and provisioned user attributes changes appear in the External attributes change event type. 

Whenever the acting user in an Audit Log event is a SCIM provisioning system, the username of the acting user in the event appears as the provisioning provider Username credentials from Incydr (for example, "okta_1234@cloud.code42.com"). 

Related topics

Was this article helpful?
1 out of 1 found this helpful

Comments

0 comments

Please sign in to leave a comment.