Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/enterprise/help/en-us/index.html?contextId=roles

Roles

You can assign roles to administrators if you're an Enterprise Super Admin.

Administration roles divide security administration by responsibility level. Sophos Central Enterprise includes several predefined roles. You can't edit or delete these roles. This is the access level for an administrator.

The options are Enterprise Super Admin, Enterprise Admin, Enterprise Help Desk, or Enterprise Read-only.

An Enterprise Super Admin can add custom roles. These roles are based on the predefined roles but you can restrict the access for a custom role to a specific product. See Add a custom role.

Enterprise Super Admin

There must be at least one administrator with an Enterprise Super Admin role.

This role has access to everything in Sophos Central Enterprise and Sophos Central Admin.

They can also do the following:

  • Add and remove other enterprise admins.
  • Choose the sub-estates that the other admins are allowed to access.
  • Create, edit, assign and delete custom roles.
  • Enable master licensing.
  • Start trials after master licensing is enabled.
  • Create a sub-estate.
  • Reset the multi-factor authentication/PIN.
  • Unlink sub-estates.
  • Disable enterprise control over an individual licensed enterprise.

Enterprise Admin

This role has access to everything in Sophos Central Enterprise and Sophos Central Admin.

They can access their designated sub-estates.

They don't have the additional Enterprise Super Admin capabilities. For example, they can't add and update roles for administrators.

Enterprise Help Desk

This role has access to everything in Sophos Central Enterprise and Sophos Central Admin.

They can also do the following:

  • Access their designated sub-estates.
  • Look at sensitive logs or reports.
  • Receive and clear alerts.
  • Update the Sophos agent software on a computer.
  • Scan computers.
  • Modify the co-branding for their sub-estates in Sophos Central Admin.

Enterprise Read-only

This role has access to everything in Sophos Central Enterprise and Sophos Central Admin.

They can also do the following:

  • Access their designated sub-estates.
  • Look at sensitive logs or reports.
  • Receive alerts.