Add a custom role

You can add custom roles if you're a Super Admin.

Custom roles are based on the predefined roles. You can restrict the access for a custom role to a specific product. You can also create a role that allows an administrator to have full access to one product and read-only access to a second product.

If a role doesn't have access to both Endpoint Protection and Server Protection (and, in some cases, Encryption as well), the shared settings are read-only. This affects what administrators can do. If you don't have access to both Endpoint Protection and Server Protection, you can't add and manage exclusions.

The shared settings are as follows:

  • Tamper protection
  • Allowed applications
  • Website management
  • Proxy configuration
  • Blocked item
  • Bandwidth usage (Encryption access required)
  • DLP rules
  • Manage content control list
  • Reject network connections
  • XDR threat analysis center

Create custom role

To create a custom role, do as follows:

  1. Go to My Products > General Settings and click Role Management.
  2. Click Roles and Add role.
  3. Give the custom role a name and a description.
  4. Select the Base role you want to use as the basis for the custom role.

    Example

    If you choose Help Desk as the Base role, administrators with the custom role have Help Desk permissions.

  5. Choose the product and access type you want the role to have in Sophos Central Admin.

    Example

    You create a custom role called Endpoint Help Desk.

    This custom role uses Read-only as its Base role and Endpoint Protection as its selected product with an access type of Help Desk.

  6. Choose more than one product, if required.

    You can choose different access types for different products.

    Example

    You can create a custom role that has a Help Desk access type for Endpoint Protection and Read-only access for Mobile. You can set the access type for all other products to None.

    This means that the custom role only has access in Sophos Central Admin to Endpoint Protection with Help Desk access type and Mobile with Read-only access type.

  7. Choose the additional access and management options for the custom role.

    These additional options only apply to the selected products for the custom role.

    Example

    You could do as follows:

    • Add logs & reports access to a Read-only or Help Desk role.
    • Prevent a custom Admin role from managing policies.
    • Enable access to logs & reports. This option enables the user to access the Logs & Reports page.

      This option applies to all products and access types for the custom role.

    • Enable policy management (add, edit, and delete). This option enables the user to manage policies.

      This option applies to all products and access types for the custom role.

    • Enable policy assignment to users, device, etc. This option enables the user to turn policies on and off, and add users, user groups, devices, and device groups to existing policies.

      This option applies to all products and access types for the custom role.

    • Start Live Response sessions on computers. This option enables the user to use Live Response and connect to a computer to investigate and remediate possible security issues.

      You must select the Endpoint Protection product with a Full or Help Desk access type to use this option.

    • Start Live Response sessions on servers. This option enables the user to use Live Response and connect to a server to investigate and remediate possible security issues.

      You must select the Server Protection product with a Full or Help Desk access type to use this option.

    • Manage Live Response settings for computers. This option enables the user to turn on Live Response for computers and exclude specific computers from Live Response.

      You must select the Endpoint Protection product with a Full access type to use this option.

    • Manage Live Response settings for servers. This option enables the user to turn on Live Response for servers and exclude specific servers from Live Response.

      You must select the Server Protection product with a Full access type to use this option.

    • Enable global search management. This option enables the user to use Search in Threat Analysis Center.

      You must select Endpoint Protection or Server Protection, or both, with a Full access type to use this option.

  8. Select Save.

You can now assign this role to administrators.
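
The prerequisites listed in step 7 can be checked against a planned role before you create it. The following is an added example, not Sophos code: the dictionary layout and option keys are hypothetical, and the shared-settings check assumes that "access" to a product means any access type other than None.

```python
# Added example: pre-flight check for a planned custom role, using only the
# prerequisites stated on this page. The dict layout and option keys are
# hypothetical; Sophos Central does not define them.

ENDPOINT = "Endpoint Protection"
SERVER = "Server Protection"

# option key -> (products, any one of which must be selected; allowed access types)
PREREQUISITES = {
    "live_response_computers": ((ENDPOINT,), {"Full", "Help Desk"}),
    "live_response_servers": ((SERVER,), {"Full", "Help Desk"}),
    "manage_live_response_computers": ((ENDPOINT,), {"Full"}),
    "manage_live_response_servers": ((SERVER,), {"Full"}),
    "global_search_management": ((ENDPOINT, SERVER), {"Full"}),
}


def check_role(role):
    """Return a list of findings for a planned role (empty list = consistent)."""
    products = role.get("products", {})
    findings = []
    for option in sorted(role.get("options", ())):
        if option not in PREREQUISITES:
            continue  # no product prerequisite is stated on the page for this option
        needed, allowed = PREREQUISITES[option]
        if not any(products.get(p, "None") in allowed for p in needed):
            findings.append(
                f"{option}: needs {' or '.join(needed)} with "
                f"{' or '.join(sorted(allowed))} access"
            )
    # Assumption: "access" to a product means any access type other than None.
    missing = [p for p in (ENDPOINT, SERVER) if products.get(p, "None") == "None"]
    if missing:
        findings.append(
            "shared settings are read-only (no access to " + ", ".join(missing) + ")"
        )
    return findings


# Constructed sample: the page's "Endpoint Help Desk" role plus two options.
endpoint_help_desk = {
    "products": {ENDPOINT: "Help Desk"},
    "options": {"live_response_computers", "manage_live_response_computers"},
}

if __name__ == "__main__":
    for finding in check_role(endpoint_help_desk):
        print(finding)
```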