Managing roles and sub-estates

Important: If you already use role-based administration, you must have the Role-based administration right to set up roles and sub-estates. The System Administrator role that includes the Sophos Full Administrators Windows group has full rights and does not require setting up. For more information, see What are the preconfigured roles? and What tasks do the rights authorize?.

You can set up role-based access to the console by setting up roles, adding rights to the roles, and then assigning Windows users and groups to the roles. For example, a Help Desk engineer can update or clean up computers, but can't configure policies, which is the responsibility of an Administrator.

To open Sophos Enterprise Console, a user must be a member of the Sophos Console Administrators group and be assigned to at least one Sophos Enterprise Console role and one sub-estate. Members of the Sophos Full Administrators group have full access to Sophos Enterprise Console.

Note: If you want to allow a user to use a remote or additional Sophos Enterprise Console, see How can another user use Sophos Enterprise Console?.

You can create your own roles or use preconfigured roles.

You can assign a user as many roles as you like, by adding to the roles either the individual user or a Windows group the user belongs to.

If a user does not have rights to perform a certain task within the console, they can still view configuration settings pertaining to that task. A user who is not assigned any role cannot open Sophos Enterprise Console.

You can also restrict the computers and groups that users can perform operations on. You can split your IT estate into sub-estates and assign Sophos Enterprise Console groups of computers to the sub-estates. You can then control access to the sub-estates by assigning Windows users and groups to them. The Default sub-estate contains all Sophos Enterprise Console groups, including the Unassigned group.

A user can only see the sub-estate that they are assigned to. If a user has been assigned to more than one sub-estate, they can choose which sub-estate to view, one sub-estate at a time. The sub-estate that is open in Sophos Enterprise Console is the active sub-estate. A user cannot edit a policy that is applied outside their active sub-estate.
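
The access rules above can be used to review who can actually open the console and with what scope. The following is an added example, not Sophos code: it models only the rules stated on this page, and the users, the "HelpDesk-Team" Windows group, the role names and the sub-estate assignments are constructed sample data.

```python
# Added example: models the console-access rules described on this page.
# All users, roles, sub-estate assignments and "HelpDesk-Team" are constructed.
from dataclasses import dataclass

CONSOLE_ADMINS = "Sophos Console Administrators"
FULL_ADMINS = "Sophos Full Administrators"

@dataclass
class Assignments:
    windows_groups: dict  # user -> set of Windows groups the user belongs to
    roles: dict           # role -> set of principals (users or Windows groups)
    sub_estates: dict     # sub-estate -> set of principals

    def _assigned(self, user, mapping):
        # An assignment counts if it names the user or any of the user's groups.
        principals = {user} | self.windows_groups.get(user, set())
        return sorted(n for n, members in mapping.items() if members & principals)

    def effective(self, user):
        """Roles and sub-estates the user holds, directly or through a group."""
        return self._assigned(user, self.roles), self._assigned(user, self.sub_estates)

    def review(self, user):
        groups = self.windows_groups.get(user, set())
        if FULL_ADMINS in groups:
            return "full access"
        roles, estates = self.effective(user)
        gaps = []
        if CONSOLE_ADMINS not in groups:
            gaps.append("not in " + CONSOLE_ADMINS)
        if not roles:
            gaps.append("no role")
        if not estates:
            gaps.append("no sub-estate")
        return "can open console" if not gaps else "blocked: " + ", ".join(gaps)

SAMPLE = Assignments(
    windows_groups={
        "alice": {FULL_ADMINS},
        "bob": {CONSOLE_ADMINS, "HelpDesk-Team"},
        "carol": {CONSOLE_ADMINS},
        "dave": {"HelpDesk-Team"},
    },
    roles={"Helpdesk": {"HelpDesk-Team"}, "Administrator": {"carol"}},
    sub_estates={"Default": {"alice"}, "Branch-Office": {"HelpDesk-Team"}},
)

if __name__ == "__main__":
    for user in sorted(SAMPLE.windows_groups):
        print(user, "->", SAMPLE.review(user), SAMPLE.effective(user))
```

In the sample, dave inherits a role and a sub-estate through a Windows group but is not in the Sophos Console Administrators group, and carol has a role but no sub-estate, so neither can open the console.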

Figure: Roles and sub-estates
