Skip to content

Add a custom role

You can add custom roles if you're a Partner Super Admin.

Custom roles are based on the predefined roles. You can restrict the access for a custom role to a specific product. You can also create a role that allows an administrator to have full access to one product and read-only access to a second product.

Shared settings


If a role doesn't have access to both Endpoint Protection and Server Protection (in some cases Encryption as well), the shared settings are read-only.

The shared settings are as follows:

  • Tamper protection
  • Allowed applications
  • Website management
  • Proxy configuration
  • Blocked item
  • Bandwidth usage (Encryption access required)
  • HTTPS updating
  • DLP rules
  • Manage content control list
  • Reject network connections
  • XDR threat analysis center

Create a role

To create a custom role, do as follows:

  1. Go to Settings & Policies > Manage Administrators.
  2. Click Roles and Add role.
  3. Give the custom role a name and a description.
  4. Select the Base role you want to use as the basis for the custom role.

    For example, if you choose Help Desk as the Base role, administrators with the custom role have Help Desk permissions in Sophos Central Partner.

  5. Choose the product and access type you want the role to have in Sophos Central Admin.

    For example, you create a custom role called Endpoint Help Desk. This custom role uses Read-only as its Base role and Endpoint Protection as its selected product with an access type of Help Desk.

    This custom role allows any administrators assigned to this role to access Endpoint Protection in Sophos Central Admin with Help Desk permissions. They have the same permissions in Sophos Central Partner as an administrator with the Partner Read-only role.

    1. Choose more than one product, if required.

      You can choose different access types for different products.

      For example, you can create a custom role that has Help Desk access permissions for Endpoint Protection and Read-only access for Mobile. You can set the permissions for all other products to None. This means that the custom role only has access in Sophos Central Admin to Endpoint Protection with Help Desk permissions and Mobile with Read-only permissions.

  6. Choose the additional access and management options for the custom role in Sophos Central Admin.

    • Enable access to logs & reports
    • Enable policy management (add, edit, and delete)
    • Enable policy assignment to users, device, etc.. (turn policies on and off; and add users, user groups, devices, and device groups to existing policies)
    • Enable global search management

    For example, this allows a Partner Super Admin to add these permissions to a Read-only or Help Desk role. You can also use these options to reduce the permissions for an Admin role. For example, you could prevent the custom role from managing policies.


    These additional options only apply to the selected products for the custom role.

    The additional options are the same for all products and access types for the custom role.

  7. Select Save.

You can now assign this role to administrators.