Add a custom role
You can add custom roles if you're a Super Admin.
Custom roles are based on the predefined roles. You can restrict the access for a custom role to a specific product. You can also create a role that allows an administrator to have full access to one product and read-only access to a second product.
If a role doesn't have access to both Endpoint Protection and Server Protection (in some cases Encryption as well), the shared settings are read-only. This affects what administrators can do. If you don't have access to both Endpoint Protection and Server Protection you can't add and manage exclusions.
The shared settings are as follows:
- Tamper protection
- Allowed applications
- Website management
- Proxy configuration
- Blocked item
- Bandwidth usage (Encryption access required)
- DLP rules
- Manage content control list
- Reject network connections
- XDR threat analysis center
Create custom role
To create a custom role, do as follows:
- Go to My Products > General Settings and click Role Management.
- Click Roles and Add role.
- Give the custom role a name and a description.
Select the Base role you want to use as the basis for the custom role.
If you choose Help Desk as the Base role, administrators with the custom role have Help Desk permissions.
Choose the product and access type you want the role to have in Sophos Central Admin.
You create a custom role called Endpoint Help Desk.
This custom role uses Read-only as its Base role and Endpoint Protection as its selected product with an access type of Help Desk.
Choose more than one product, if required.
You can choose different access types for different products.
You can create a custom role that has Help Desk access permissions for Endpoint Protection and Read-only access for Mobile. You can set the permissions for all other products to None.
This means that the custom role only has access in Sophos Central Admin to Endpoint Protection with Help Desk permissions and Mobile with Read-only permissions.
Choose the additional access and management options for the custom role.
- Enable access to logs & reports.
- Enable policy management (add, edit, and delete).
- Enable policy assignment to users, device, etc.. (turn policies on and off; and add users, user groups, devices and device groups to existing policies).
Start Live Response sessions on computers (connect to a computer to investigate and remediate possible security issues).
This option is available only if you've chosen the Endpoint Protection product with the Full or Help Desk access type.
Start Live Response sessions on servers (connect to a server to investigate and remediate possible security issues).
This option is available only if you've chosen the Server Protection product with the Full or Help Desk access type.
Manage Live Response settings for computers (turn on Live Response for computers and exclude specific computers from Live Response).
This option is available only if you've chosen the Endpoint Protection product with the Full access type.
Manage Live Response settings for servers (turn on Live Response for servers and exclude specific servers from Live Response).
This option is available only if you've chosen the Server Protection product with the Full access type.
Enable global search management.
These additional options only apply to the selected products for the custom role. Apart from the Live Response options, all options are the same for all products and access types for the custom role.
You could do the following:
- Add logs & reports access to a Read-only or Help Desk role.
- Prevent a custom Admin role from managing policies.
You can now assign this role to administrators.