Skip to main content

Articles in this section

See more
Print

Permissions for Forest Recovery in Cayosoft Guardian

  • Updated

Permissions for Forest Recovery in Cayosoft Guardian

Cayosoft Guardian uses multiple identities such as connection accounts and Microsoft Entra applications to access and manage your environment.

When you add an Azure subscription under Forest Recovery > Cloud Services, the Add Azure subscription wizard supports two paths, with different prerequisites:

  • Create a new application — Cayosoft Guardian creates the Microsoft Entra application automatically. The signed-in account must be able to create app registrations and grant the required API permissions in the tenant; this typically requires the Global Administrator role (or an equivalent privileged role).
  • Use an existing application — the customer pre-creates the Entra application, service principal, and certificate, then provides the Subscription ID, Application ID, Tenant ID, and certificate during registration. No Global Administrator role is required in the tenant for this path. The pre-created service principal only needs the Azure RBAC roles listed in the tables below.

Microsoft Azure permissions

Create resources

System or task Permissions Details
Create Azure resources for recovery site Contributor role in the resource group Create a resource group manually and only allow Cayosoft Guardian to create the resources.
Create Azure resources for recovery site Contributor role for the subscription Assign this role to an account used to add a new subscription under Cloud Services. This allows the creation of resources across the subscription.
Attach the recovery site to customer-provided Azure network resources Network Contributor role on the existing virtual network (and on the network security group, if used) Required when deploying the standby forest recovery site into a customer-managed VNet/subnet/NSG rather than allowing Cayosoft Guardian to create its own. Grants permission to attach network interfaces to the subnet and associate the existing NSG without modifying the network configuration itself. When the network resources live in a different resource group than the recovery site, assign this role at the network resource group scope.

NOTE: Cayosoft Guardian does not modify existing virtual networks, subnets, or network security groups supplied by the customer. Inbound rules required by Cayosoft Guardian (WinRM and agent ports — see Required Ports for Cayosoft Guardian) must be configured on the customer-managed NSG before deployment.

Manage backups

System or task Permissions Details
Create an Azure share for backups Contributor role in the resource group Create a resource group manually and only allow Cayosoft Guardian to create resources, such as Azure file shares, for backups.
Using an Azure blob storage in backup plans Storage Blob Data Contributor role Assign this role to an account used to add a new subscription under Cloud Services. Grants read, write, and delete access to blob data within the assigned subscription for backup and recovery purposes.

Manage storage

System or task Permissions Details
Azure Storage access Enabled from all networks Ensure network access is not restricted in Azure Storage Account settings to allow backup and recovery tasks.

AWS permissions

To back up to S3 storage and create resources in AWS, Cayosoft Guardian requires an account with the following permissions:

Create resources

System or task Permissions Details
Provision and manage EC2 instances for the recovery site AmazonEC2FullAccess Full access to EC2 instances for provisioning, managing, and recovering resources at the recovery site.
Create and managing AWS resources AWSCloudFormationFullAccess Automating the deployment of the recovery site using infrastructure-as-code templates and defining the infrastructure setup in CloudFormation stacks.
Run automation scripts for failover, configuration adjustments, and recovery tasks AWSLambda_FullAccess Full access to AWS Lambda to run automation scripts for handling instance failover, configuration adjustments, and other event-driven recovery tasks.
Create and manage IAM roles and policies IAMFullAccess Create and manage IAM roles and policies required for the recovery site's services and components. Assign necessary permissions to recovery resources (e.g., allowing EC2 instances to access S3 or SSM).
Organize recovery-related resources using tags and resource groups

ResourceGroupsandTagEditor

FullAccess

 Organize recovery-related resources using tags and resource groups. Automate tagging of new resources to maintain proper tracking and cost allocation.

 

Manage backups

System or task

Permission/Role 

Details
Store recovery site backups, logs, and configurations AmazonS3FullAccess Full access to Amazon S3 for storing recovery site backups, logs, and configurations.
Enable automated retrieval of backup data when initiating recovery AmazonS3FullAccess Retrieve backup data stored in S3 buckets when initiating recovery processes.
Automate recovery processes using AWS Systems Manager AmazonSSMFullAccess Full access to AWS Systems Manager to automate recovery processes, including instance management, patching, and configuration.

NOTE: Cayosoft recommends creating a separate organization and accounts for instant forest recovery, so the service accounts can only access resources required for forest recovery, and do not have access to production workloads.

© Copyright 2013-2026 Cayosoft Inc. All rights reserved.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request
Return to top

Related articles

Comments

0 comments

Please sign in to leave a comment.