Environment access control

You can control which cloud environments each administrator can see in their Sophos Cloud Optix console.

Introduction

You can group cloud environments together and control who can access them. To do this, create an environment tag for each group and assign the tag to administrators. For example, you can create separate tags for AWS accounts, Azure subscriptions or GCP projects.

Only administrators with the Super Admin role can create and edit environment tags and assign them to other administrators.

Administrators with tags assigned to them can only see information about those environments in their Sophos Cloud Optix console. The same level of access, full or read-only, applies to all environments to which the administrator is granted access. The level of access is defined by the administrator's role.

Understanding environment access control

You need to know what environment tags allow administrators with different roles to do.

Administrator capabilities

Super Admin administrators always see all environments in Sophos Cloud Optix and cannot have environment tags assigned to them.

Administrators with environment tags assigned to them do not automatically see new environments that are added to Sophos Cloud Optix, including environments they add themselves. A Super Admin needs to add new environments to tags and assign the tags to the appropriate administrators to provide access.

Administrators with environment tags assigned to them do not see Audit Logs in Sophos Cloud Optix. Audit Logs provide information about activity relating to all environments in Sophos Cloud Optix and are not available to administrators with restricted access.

Only Super Admin administrators can configure third-party integrations (for example Jira, Slack, ServiceNow) and the Sophos Cloud Optix API. Information available through the integrations and the Sophos Cloud Optix API is not limited to specific environments for specific administrators.

New administrators

When you add Admin or Read-only administrators they can see all environments in Sophos Cloud Optix. A Super Admin can then restrict the new administrator's access to specific environments by assigning environment tags to them.

When you add a new administrator with a Custom role in Sophos Central they can't see any environments in Sophos Cloud Optix. A Super Admin must then allow access to specific environments by assigning environment tags to them.

Tip: Use a Custom role in Sophos Central to prevent new administrators from being able to see information about all Sophos Cloud Optix environments.
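
The visibility rules in the Administrator capabilities and New administrators sections can be modelled to review who sees which environments. The Python below is an added example, not part of the Sophos documentation or product; the inventory layout, function names and sample accounts are assumptions constructed for illustration and do not reflect any Sophos Cloud Optix export or API format.

```python
# Added example. The inventory layout below is hypothetical (hand-transcribed
# from the console); it is not a Sophos Cloud Optix export or API format.

def visible_environments(admin, tags, environments):
    """Environments an administrator can see, per the rules on this page."""
    assigned = admin.get("tags", [])
    if admin["role"] == "Super Admin":
        if assigned:
            raise ValueError(f"{admin['name']}: Super Admin cannot have environment tags")
        return set(environments)            # always sees every environment
    if assigned:                            # restricted to the tagged environments
        tagged = set().union(*(tags[t] for t in assigned))
        return tagged & set(environments)
    if admin["role"] in ("Admin", "Read-only"):
        return set(environments)            # untagged: sees all environments
    return set()                            # untagged Custom role: sees nothing

def review(admins, tags, environments):
    """Return (untagged Admin/Read-only names, environments in no tag)."""
    unrestricted = sorted(
        a["name"] for a in admins
        if a["role"] in ("Admin", "Read-only") and not a.get("tags")
    )
    covered = set().union(*tags.values())
    untagged_envs = sorted(set(environments) - covered)
    return unrestricted, untagged_envs

# Constructed sample data, not real accounts or environments.
ENVIRONMENTS = ["aws-prod", "aws-dev", "azure-finance", "gcp-analytics"]
TAGS = {"aws": ["aws-prod", "aws-dev"], "azure": ["azure-finance"]}
ADMINS = [
    {"name": "root-admin", "role": "Super Admin"},
    {"name": "aws-ops", "role": "Admin", "tags": ["aws"]},
    {"name": "new-auditor", "role": "Read-only"},
    {"name": "contractor", "role": "Custom"},
    {"name": "finance-viewer", "role": "Custom", "tags": ["azure"]},
]

if __name__ == "__main__":
    for admin in ADMINS:
        print(admin["name"], sorted(visible_environments(admin, TAGS, ENVIRONMENTS)))
    unrestricted, untagged = review(ADMINS, TAGS, ENVIRONMENTS)
    print("Untagged Admin/Read-only (see all environments):", unrestricted)
    print("Environments in no tag (hidden from tagged admins):", untagged)
```

The first list shows administrators a Super Admin still needs to restrict; the second shows environments, such as newly added ones, that no tag-restricted administrator can see yet.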

Create environment tags

Super Admin administrators can create environment tags as follows:

  1. Under Settings click Users.
  2. On the Environment Tags tab click Add Environment Tag.
  3. Enter a Tag Name.
  4. Select cloud environments for the tag.
  5. Select the administrators you want to assign the tag to and click OK.
    The new tag is now listed on the Environment Tags tab.

You can also add tags to environments. To do this, click Settings > Environments. You can also assign tags to administrators later.

Assign environment tags to administrators

Super Admin administrators can assign existing environment tags to other Sophos Cloud Optix administrators as follows:

  1. Under Settings click Users.
    A list of current Sophos Cloud Optix administrators is displayed.
  2. Click the tag icon under Actions for an administrator.
  3. Choose the environment tags to assign to them and click Apply.

    Administrators can now only see information in Sophos Cloud Optix for the environments associated with the tags assigned to them.