Environment access control

You can control which cloud environments each administrator can see in their Sophos Cloud Optix console.

You can collect cloud environments into groups and control who can access them. To do this, you create an environment tag for each group and assign the tag to administrators. For example, you can create separate tags for AWS accounts, Microsoft Azure subscriptions, or GCP projects.

Only administrators with the Super Admin role can create and edit environment tags and assign them to other administrators.

Administrators with tags assigned to them can only see information about those environments in their Sophos Cloud Optix console. The same access level, full or read-only, applies to all environments to which the administrator is granted access. The administrator's role defines the level of access.

Note: You can't apply environment tags to the following users:
  • Users accessing Sophos Cloud Optix from Sophos Central Enterprise with the Enterprise Admin role.
  • Users accessing Sophos Cloud Optix from Sophos Central Partner with the Partner Admin role.
These users always have access to all environments in Sophos Cloud Optix.

Understanding environment access control

You need to know what environment tags allow administrators with different roles to do.

Administrator capabilities

Super Admin administrators always see all your Sophos Cloud Optix environments and can't have environment tags assigned to them.

Administrators with environment tags assigned to them don't automatically see new environments that are added to Sophos Cloud Optix, including environments they add themselves. To give access to new environments, a Super Admin must add the new environments to tags, then assign the tags to the appropriate administrators.

Administrators with environment tags assigned to them don't see Audit Logs in Sophos Cloud Optix. Audit Logs provide information about activity relating to all Sophos Cloud Optix environments and aren't available to administrators with restricted access.

Only Super Admin administrators can configure third-party integrations such as Jira, Slack, and ServiceNow, and the Sophos Cloud Optix REST API. Information available through the integrations and the Sophos Cloud Optix REST API isn't limited to specific environments for specific administrators.

New administrators

When you add new Admin or Read-only administrators, they see all your Sophos Cloud Optix environments. A Super Admin must then restrict new administrators to specific environments by assigning environment tags to them.

When you add a new administrator with a Custom role in Sophos Central, they can't see any of your Sophos Cloud Optix environments. A Super Admin must then allow access to specific environments by assigning environment tags to them.

Use a Custom role in Sophos Central to prevent new administrators from seeing information about all your Sophos Cloud Optix environments.
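
The visibility rules from the two sections above, modelled as a short Python check. This is an added example, not Sophos code or a Sophos API; the data layout, function names and sample accounts are constructed for illustration. It flags untagged Admin or Read-only accounts, which still see every environment, and environments that belong to no tag.

```python
# Added illustration: models the visibility rules described on this page.
# Role names come from the page; data layout and sample values are constructed.
ALWAYS_ALL = {"Super Admin", "Enterprise Admin", "Partner Admin"}
DEFAULT_ALL = {"Admin", "Read-only"}  # see everything until a tag is assigned

def visible_environments(role, admin_tags, tags, all_envs):
    """Return the set of environments an administrator can see."""
    if role in ALWAYS_ALL:
        return set(all_envs)          # tags cannot be applied to these roles
    if admin_tags:
        # Tagged administrators see only the environments in their tags.
        tagged = set().union(*(tags.get(t, set()) for t in admin_tags))
        return tagged & set(all_envs)
    if role in DEFAULT_ALL:
        return set(all_envs)          # untagged Admin / Read-only: unrestricted
    return set()                      # assumption: anything else is a Custom role

def review(admins, tags, all_envs):
    """Flag untagged Admin/Read-only accounts and environments in no tag."""
    unrestricted = sorted(name for name, (role, assigned) in admins.items()
                          if role in DEFAULT_ALL and not assigned)
    covered = set().union(*tags.values()) if tags else set()
    return unrestricted, sorted(set(all_envs) - covered)

# Constructed sample inventory (not real account identifiers).
# "aws-new" was added after the tags were created and is in no tag yet.
ALL_ENVS = {"aws-prod", "aws-dev", "azure-sub-1", "gcp-proj-1", "aws-new"}
TAGS = {
    "AWS": {"aws-prod", "aws-dev"},
    "Azure": {"azure-sub-1"},
    "GCP": {"gcp-proj-1"},
}
ADMINS = {  # name -> (role, assigned environment tags)
    "alice": ("Super Admin", []),
    "bob": ("Admin", ["AWS"]),
    "carol": ("Read-only", []),
    "dave": ("Custom", []),
    "erin": ("Custom", ["Azure", "GCP"]),
}

if __name__ == "__main__":
    for name, (role, assigned) in ADMINS.items():
        envs = visible_environments(role, assigned, TAGS, ALL_ENVS)
        print(f"{name:6} {role:12} {sorted(envs)}")
    print("review:", review(ADMINS, TAGS, ALL_ENVS))
```
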

Create environment tags

Super Admin administrators can create environment tags as follows:

  1. Go to Settings and click Users.
  2. On Environment Tags, click Add Environment Tag.
  3. Enter a Tag Name.
  4. Select cloud environments for the tag.
  5. Select administrators to assign the tag to and click OK.
    The new tag appears on Environment Tags.

You can also add tags to environments. To do this, go to Settings and click Environments. You can also assign tags to administrators later.

Assign environment tags to administrators

Super Admin administrators can assign existing environment tags to other Sophos Cloud Optix administrators as follows:

  1. Go to Settings and click Users.
    A list of current Sophos Cloud Optix administrators is displayed.
  2. Click the environment tag icon under Actions for an administrator.
  3. Choose the environment tags to assign to the administrator and click Apply.

    Administrators can now only see information in Sophos Cloud Optix for the environments associated with the tags assigned to them.