Skip to content
Last update: 2022-05-03

Add a custom role

You can add custom roles if you're a Super Admin.

Custom roles are based on the predefined roles. You can restrict the access for a custom role to a specific product. You can also create a role that allows an administrator to have full access to one product and read-only access to a second product.

If a role doesn't have access to both Endpoint Protection and Server Protection (in some cases Encryption as well), the shared settings are read-only.

The shared settings are as follows:

  • Tamper protection
  • Allowed applications
  • Website management
  • Proxy configuration
  • Blocked item
  • Bandwidth usage (Encryption access required)
  • HTTPS updating
  • DLP rules
  • Manage content control list
  • Reject network connections
  • XDR threat analysis center

Create custom role

To create a custom role, do as follows:

  1. Go to Overview > Global Settings > Role Management.
  2. Click Roles and Add role.
  3. Give the custom role a name and a description.
  4. Select the Base role you want to use as the basis for the custom role.

    Example

    If you choose Help Desk as the Base role, administrators with the custom role have Help Desk permissions.

  5. Choose the product and access type you want the role to have in Sophos Central Admin.

    Example

    You create a custom role called Endpoint Help Desk.

    This custom role uses Read-only as its Base role and Endpoint Protection as its selected product with an access type of Help Desk.

  6. Choose more than one product, if required.

    You can choose different access types for different products.

    Example

    You can create a custom role that has Help Desk access permissions for Endpoint Protection and Read-only access for Mobile. You can set the permissions for all other products to None.

    This means that the custom role only has access in Sophos Central Admin to Endpoint Protection with Help Desk permissions and Mobile with Read-only permissions.

  7. Choose the additional access and management options for the custom role.

    • Enable access to logs & reports.
    • Enable policy management (add, edit, and delete).
    • Enable policy assignment to users, device, etc.. (turn policies on and off; and add users, user groups, devices and device groups to existing policies).
    • Start Live Response sessions on computers (connect to a computer to investigate and remediate possible security issues).

    This option is available only if you've chosen the Endpoint Protection product with the Full or Help Desk access type.

    • Start Live Response sessions on servers (connect to a server to investigate and remediate possible security issues).

      This option is available only if you've chosen the Server Protection product with the Full or Help Desk access type.

    • Manage Live Response settings for computers (turn on Live Response for computers and exclude specific computers from Live Response).

      This option is available only if you've chosen the Endpoint Protection product with the Full access type.

    • Manage Live Response settings for servers (turn on Live Response for servers and exclude specific servers from Live Response).

      This option is available only if you've chosen the Server Protection product with the Full access type.

    These additional options only apply to the selected products for the custom role. Apart from the Live Response options, all options are the same for all products and access types for the custom role.

    Example

    You could do the following:

    • Add logs & reports access to a Read-only or Help Desk role.
    • Prevent a custom Admin role from managing policies.
  8. Select Save.

You can now assign this role to administrators.

Back to top