Environment access control

You can put cloud environments into groups and control who can access each group.

To do this, you create an environment tag for each group and assign the tag to administrators. For example you can create separate tags for AWS accounts, Microsoft Azure subscriptions, or GCP projects.

Only administrators with the Super Admin role can create and edit environment tags, and assign them to other administrators.

Administrators with tags assigned to them can only see information about the environments with those tags in Sophos Cloud Optix. The same access level, full or read-only, applies to all environments to which the administrator has access. The administrator's role defines the level of access.

Sophos Central Enterprise users can segment their cloud environments using sub-estates instead of environment tags.

More resources

Understanding environment access control

You need to know what environment tags allow administrators with different roles to do.

Administrator capabilities

Super Admin administrators always see all your Sophos Cloud Optix environments and can't have environment tags assigned to them.

Administrators with environment tags assigned to them don't automatically see new environments added to Sophos Cloud Optix, including environments they add themselves. To give access to new environments, a Super Admin must add the new environments to tags, then assign the tags to the appropriate administrators.

Administrators with environment tags assigned to them don't see Audit Logs in Sophos Cloud Optix. Audit Logs provide information about activity relating to all Sophos Cloud Optix environments and aren't available to administrators with restricted access.

Environment tags can also be used in the Environments filter. This allows administrators with access to all data to see only selected environments. This setting persists when users sign out and only changes when the Environments filter is changed.

Only Super Admin administrators can configure third-party integrations such as Jira, Slack, and ServiceNow, and the Sophos Cloud Optix REST API. Information available through integrations and the Sophos Cloud Optix REST API isn't limited to specific environments for specific administrators.

New administrators

When you add new Admin or Read-only administrators, they see all your Sophos Cloud Optix environments. A Super Admin must then restrict new administrators' to specific environments by assigning environment tags to them.

When you add a new administrator with a Custom role in Sophos Central, they can't see any of your Sophos Cloud Optix environments. A Super Admin must then allow access to specific environments by assigning environment tags to them.

Use a Custom role in Sophos Central to prevent new administrators from seeing information about all your Sophos Cloud Optix environments.

Create environment tags

Super Admin administrators can create environment tags as follows:

1. Click Users.
2. On Environment Tags, click Add Environment Tag.
3. Enter a Tag Name.
4. Select cloud environments for the tag.
5. Select administrators to assign the tag to and click OK. The new tag appears on Environment Tags.

You can also add tags to environments. To do this, click Environments. You can also assign tags to administrators later.

Assign environment tags to administrators

Super Admin administrators can assign existing environment tags to other Sophos Cloud Optix administrators as follows:

1. Click Users. A list of current Sophos Cloud Optix administrators is displayed.
2. Click the tag icon under Actions for an administrator.

3. Choose the environment tags to assign to the administrator and click Apply.

   Administrators can now only see information in Sophos Cloud Optix for the environments associated with the tags assigned to them.