Administration roles summary
We have predefined administration roles. These have some license specific capabilities.
You can also create custom roles. You can give these custom roles some license specific capabilities.
This page summarizes the differences between the roles.
Predefined roles
Administration roles divide security administration by responsibility level. Sophos Central includes several predefined roles. This table shows the access and capabilities for the predefined roles.
Role | Access | Capabilities |
---|---|---|
Super Admin | Have access to everything you have licenses for in Sophos Central. | Can do everything you have licenses for in Sophos Central. They are also the only administrators who can do the following:
|
Admin | Have access to everything you have licenses for in Sophos Central. No access to Super Admin only options. | Can do everything you have licenses for in Sophos Central apart from the Super Admin specific tasks. |
Help Desk | Read-only access to everything you have licenses for in Sophos Central. No access to Super Admin only options. | Can do the following:
|
Read-only | Read-only access to everything in Sophos Central. No access to Super Admin only options. | Can do the following:
|
Custom roles
You can create custom roles from base role types. You use custom roles to change the access and capabilities of the predefined roles. You can limit access by product and change the default capabilities for a base role. These capabilities only apply to the selected products for a custom role. See Add a custom role.
The base role types have the default capabilities shown in the table.
Note
You can only use one of the two policy capability options. Turning on one of the options turns the other off. The policy management option allows an administrator to do more than the policy assignment option. If you turn it on for the Help Desk or read-only base roles, it gives them the same capability for managing policies, devices and users as the full base role.
You won't see the license dependent capabilities if you don't have the correct license.
Role | Capabilities and access | Additional Capabilities |
---|---|---|
Full | Same access and capabilities as the predefined Admin role. | These are turned on by default:
If you have a Live Response license, you can also add the following:
|
Help Desk | Same access and capabilities as the predefined Help Desk role. | These are turned on by default:
If you have a Live Response license, you can also add the following:
|
Read-only | Same access and capabilities as the predefined Read-only role. | These are turned on by default:
|
License specific capabilities
There are some things that administrators can only do if you have specific licenses. Their capabilities depend on your licenses and their roles. These are included in the predefined roles if you have the correct license.
Option | License | Role |
---|---|---|
View the intelligence report. | XDR | Super Admin, Admin, Help Desk, Read-only |
Request the intelligence report | XDR | Super Admin, Admin, Help Desk |
Add items to the “Clean and Block” list. | XDR | Super Admin, Admin |
Remove items from the “Clean and Block” list. | XDR | Super Admin, Admin |
View blocked items. | XDR | Super Admin, Admin, Help Desk, Read-only |
View on-demand threat graphs. | XDR | Super Admin, Admin, Help Desk, Read-only |
Request an on-demand threat graph. | XDR | Super Admin, Admin, Help Desk |
Isolate and un-isolate devices | XDR | Super Admin, Admin |
Request a forensic snapshot | XDR | Super Admin, Admin, Help Desk |
Start Live Response sessions on computers | Live Response | Super Admin, Admin Custom role with a full or Help Desk base role and access to Endpoint Protection. |
Start Live Response sessions on servers | Live Response | Super Admin, Admin Custom role with a full or Help Desk base role and access to Server Protection. |
Manage Live Response settings for computers | Live Response | Super Admin, Admin Custom role with a full base role and access to Endpoint Protection. |
Manage Live Response settings for servers | Live Response | Super Admin, Admin Custom role with a full base role and access to Server Protection. |