|Setting up Enterprise Console|
You can set up role-based access to the console by setting up roles, adding rights to the roles, and then assigning Windows users and groups to the roles. For example, a Help Desk engineer can update or clean up computers, but cannot configure policies, which is the responsibility of an Administrator.
To open Enterprise Console, a user must be a member of the Sophos Console Administrators group and be assigned to at least one Enterprise Console role and one sub-estate. Members of the Sophos Full Administrators group have full access to Enterprise Console.
You can create your own roles or use preconfigured roles.
You can assign a user as many roles as you like, by adding to the roles either the individual user or a Windows group the user belongs to.
If a user does not have rights to perform a certain task within the console, they can still view configuration settings pertaining to that task. A user who is not assigned any role cannot open Enterprise Console.
You can also restrict the computers and groups that users can perform operations on. You can split your IT estate into sub-estates and assign Enterprise Console groups of computers to the sub-estates. You can then control access to the sub-estates by assigning Windows users and groups to them. The Default sub-estate contains all Enterprise Console groups, including the Unassigned group.
A user can only see the sub-estate that they are assigned to. If a user has been assigned to more than one sub-estate, they can choose which sub-estate to view, one sub-estate at a time. The sub-estate that is open in Enterprise Console is the active sub-estate. A user cannot edit a policy that is applied outside their active sub-estate.
Roles and sub-estates