Manage a Delegated Account
Customers can search for a Service Provider to help them manage their account. They might need long-term help with the management of their account, security services, and inventory (tier-1 Subscriber accounts only), or they might only need someone to manage their account for a short period of time. For information on delegated inventory, go to Inventory Management for Tier-1 Subscriber Delegated Accounts.
Account delegation does not provide access to all features or services. For example, you cannot copy the configuration from one device to another in a delegated account.
If customers contact you to request help with the management of their accounts and you agree to do so, then they delegate their account to you. As the Service Provider, you must initiate the account delegation process with a request for account access. Account delegation continues until it is removed by either side.
When you manage a delegated account as a Service Provider, you have the read and write permissions of the Subscriber Analyst role. For information about the permissions available in the Analyst role, go to Default Permissions for Built-in Roles.
As a Service Provider, in the delegated account, you can:
- Configure all security services.
- Configure security settings.
- Manage the inventory of a tier-1 Subscriber account. As a tier-1 Service Provider, you can add more licenses and devices to a delegated tier-1 Subscriber account. You can edit and remove only the devices that you added to the tier-1 Subscriber account.
As a Service Provider, in the delegated account, you cannot:
- Update platform settings, like accounts and operators.
- Manage licenses and devices that the tier-1 Subscriber account added.
You cannot manage a delegated account that is in a different cloud region.
Your operator role determines what you can see and do in WatchGuard Cloud. Your role must have the Manage Tenants permission to view or configure this feature. For more information, go to Manage WatchGuard Cloud Operators and Roles.
Request Account Access
To request access to manage an account, you generate a verification code and send it to the owner or administrator of the account you want to access. The recipient uses the verification code to approve your access request and delegate management of their account to you.
To request account access:
- From Account Manager, select the account you want to request access for.
- Select Administration > Overview.
- Click Request Access to an Account or Request Access (if you already manage delegated accounts, the Managed Access tile is different).
- On the Managed Access page, click Request Account Access.
- To generate the verification code, click Next.
- Click Copy to Clipboard to copy the verification code shown on the page. You must send an email with the verification code to the owner of the account. We recommend that you use the provided text as a template.
- Send the verification code to the owner of the delegated account.
The client uses the verification code to give you access to their account. When they approve your request for account access, the account is shown as a delegated account on the Managed Access page. By default, account delegation continues until you or the delegated account removes access.
To remove delegation of a tier-1 Subscriber account, you must first remove all inventory (devices and services) and inherited Firebox templates from the account.
See and Manage Delegated Accounts
Accounts that have been delegated to you are visible in Account Manager. To identify a delegated account, look for the label (Delegated) next to the account name.
Only accounts that accept your access request appear in Account Manager. Delegated accounts do not appear while the request is pending, and they are removed after your account access is revoked.
You can also see the accounts with delegated access on the Managed Access page in the Accounts section.
You can log in to and manage a delegated account as if it were a customer account from Account Manager.
To log in to and manage a delegated account:
- From Account Manager, select the delegated account.
The Subscriber view opens for the account.
The same role mapping permissions apply when an operator from your account makes changes to a delegated account. To learn more, go to Role Mapping.
Remove Access
You can remove your access from an account.
To remove delegation of a tier-1 Subscriber account, you must first remove all inventory (devices and services) and inherited Firebox templates from the account.
To remove access:
- From Account Manager, select the account you want to remove access for.
- Select Overview > Administration.
- Select Managed Access.
- In the Accounts section, filter the list to show all delegated accounts.
- In the row for the account you want to remove access to, click .
- Click Revoke Access.
- In the confirmation dialog box, click Revoke Access.
Manage Account Access Requests
You can see and manage your pending access requests on the Managed Access page.
From the drop-down list in the Accounts section, select Pending to see your account access requests that have not yet been accepted. The Token ID column shows the relevant verification code and the Status column shows the date that the verification code expires.
Click to delete a verification code and cancel your account access request. When you delete a verification code, it is no longer valid and does not work if a customer tries to use it to give you access to their account.