Manage a Delegated Account

Customers can search for a Service Provider to help them manage their account. They might need long term help with the management of their account, security services, and inventory (tier-1 Subscriber accounts only), or they might only need someone to manage their account for a short period of time. For information on delegated inventory, go to Inventory Management for Tier-1 Subscriber Delegated Accounts.

Account delegation does not provide access to all features or services. For example, you cannot copy the configuration from one device to another in a delegated account.

If customers contact you to request help with the management of their accounts and you agree to do so, then they delegate their account to you. As the Service Provider, you must initiate the account delegation process with a request for account access. Account delegation continues until it is revoked by either side.

You cannot manage a delegated account that is in a different cloud region.

Your operator role determines what you can see and do in WatchGuard Cloud. Your role must have the Manage Tenants permission to view or configure this feature. For more information, go to Manage WatchGuard Cloud Operators and Roles.

Request Account Access

To request access to manage an account, you generate a verification code in WatchGuard Cloud and send that verification code to the owner or administrator of the account.

The client uses this verification code to approve your account access request and delegate management of the account to you.

To request account access:

  1. From Account Manager, select the account you want to request access for.
  2. Select Administration > Overview.
  3. Click Request Access to an Account or Request Access (if you already manage delegated accounts, the Manage Access tile is different).

Screen shot of WatchGuard Cloud, Administration Overview

  1. On the Managed Access page, click Request Account Access.

Screen shot of WatchGuard Cloud, Request Account Access

  1. To generate the verification code, click Next.
  2. Click Copy to Clipboard to copy the verification code shown on the page. You must send an email with the verification code to the owner of the account. We recommend that you use the provided text as a template.

    Only the verification code is copied when you click Copy to Clipboard. You must manually copy the provided email text if you intend to use it as a template.

Screen shot of WatchGuard Cloud, Request Access Verification Code

  1. Send the verification code to the owner of the delegated account.

The client uses the verification code to give you access to their account. When they approve your request for account access, the account is shown as a delegated account on the Managed Access page. By default, account delegation continues until the Service Provider or Subscriber account revokes access.

To revoke delegation of a tier-1 Subscriber account, you must first remove all inventory (devices and services) and inherited Firebox templates from the account.

See and Manage Delegated Accounts

Accounts that have been delegated to you are visible in Account Manager. To identify a delegated account, look for the text (Delegated) next to the account name.

Screen shot of Account Manager, delegated account

Only accounts that accept your access request appear in Account Manager. Delegated accounts do not appear while the request is pending and they are removed after your account access is revoked.

You can also see all of the accounts that have been delegated to you on the Manage Access page in the Accounts section.

Screen shot of WatchGuard Cloud, Managed Access page, Delegated accounts

You can log in to and manage a delegated account as if it were a customer account from Account Manager.

To log in to and manage a delegated account:

  • From Account Manager, select the delegated account.
    The Subscriber view opens for the account.

The same role mapping permissions apply when an operator from your account makes changes to a delegated account. To learn more, go to Role Mapping.

Remove Access

You can remove your access from an account.

To revoke delegation of a tier-1 Subscriber account, you must first remove all inventory (devices and services) and inherited Firebox templates from the account.

To remove access:

  1. From Account Manager, select the account you want to remove access for.
  2. Select Overview > Administration.
  3. Select Managed Access.
  4. In the Accounts section, filter the list to show all delegated accounts.
  5. In the row for the account you want to remove access to, click .
  6. Click Revoke Access.
  7. In the confirmation dialog box, click Revoke Access.

Manage Account Access Requests

You can see and manage your pending access requests on the Manage Access page.

From the drop-down list in the Accounts section, select Pending to see your account access requests that have not yet been accepted. The Token ID column shows the relevant verification code and the Status column shows the date that the verification code expires.

Click to delete a verification code and cancel your account access request. When you delete a verification code, it is no longer valid and does not work if a customer tries to use it to give you access to their account.

Screen shot of WatchGuard Cloud, Remove Pending Token

Related Topics

Delegate Your Account

Inventory Management for Tier-1 Subscriber Delegated Accounts

Support Access to WatchGuard Cloud Accounts