Default Permissions for Built-in Roles

There are different operator roles for Subscriber accounts and Service Provider accounts. Owner and Administrator operators can create custom roles from built-in operator roles. For information on custom operator roles, go to Manage Custom Operator Roles.

For a list of the default permissions available with each built-in role, go to the appropriate section:

Your operator role determines what you can see and do in WatchGuard Cloud. Only operators with the built-in Owner or Administrator role have permissions to manage operators and roles.

Default Permissions for Service Provider Operator Roles

Permissions you can enable or disable for a Service Provider custom role depend on the built-in role selected. There are four built-in operator roles that Service Providers accounts can use to create a custom role:

  • Owner — Owners have full permissions within their Service Provider account and managed services. They can add custom branding options to the account. They are the only Service Provider operators who can add, edit, and delete operators for their account. When there is an Endpoint Security product license and modules, only Owners have access to the Advanced Visualization Tool (Advanced Reporting Tool or Data Control modules).
  • Sales — Sales operators have full permissions for inventory and account management, but read-only permission for services and operators.
  • Helpdesk — Helpdesk operators have full permissions to configure services and read-only permission everywhere else.
  • Auditor — Auditors have read-only permission throughout their Service Provider account.

This table lists the permissions enabled by default with each built-in role and shows whether the permissions are available as read/write or read-only. If a permission is enabled or disabled by default, the text Enabled or Disabled shows in the relevant column. If a permission is read/write or read only, it shows as Read/Write or Read Only in the column. When read/write access is removed, the functional area is not editable. If read-only access is removed, the functional area is not visible.

In a built-in role, there are top-level categories for the permissions (Service Provider Administration, Account Administration, and System Administration). These top-level categories are more than the summation of any permissions they contain. The granular permissions within a top-level category are the only permissions you can add or, in the case of Service Provider Administration only, the only permission you can remove (Manage Inventory).

Some permissions are linked to other permissions. For example, the ThreatSync Core permission is linked to the AuthPoint, Devices, and Endpoint Security permissions. ThreatSync provides extended detection capabilities through the correlation of data from Fireboxes, Access Points and WatchGuard Endpoint Security (Advanced EPDR, EPDR, EDR, and EDR Core). When you select ThreatSync, it automatically selects the linked permissions.

Owner Built-In Role Default Permissions (Service Provider Operators)

Service Provider Permissions Description Enabled by Default Disabled by Default Read/Write Permission Read-Only Permission
Service Provider Administration Enables all Service Provider administration permissions in the built-in role. Enabled   Read/Write  
- Manage Inventory Provides the ability to allocate inventory to managed accounts. This includes inventory allocation for products the operator might not have access to the management UI for (for example, ThreatSync or Endpoint Security). Enabled   Read/Write  
Account Administration Provides access to all account administration functionality in the built-in role. Enabled   Read/Write  
System Administration Provides access to all system administration functionality in the built-in role. Enabled   Read/Write  
ThreatSync Provides access to the ThreatSync management UI. When the ThreatSync permission is enabled, the applications and devices used to generate ThreatSync incidents are enabled automatically. Enabled   Read/Write  
AuthPoint Provides access to the AuthPoint management UI. Enabled   Read/Write  
Devices Provides access to manage devices (Fireboxes and access points). Enabled   Read/Write  
Endpoint Security Provides access to the Endpoint Security management UI. Enabled   Read/Write  

Sales Built-In Role Default Permissions (Service Provider Operators)

Service Provider Permissions Description Enabled by Default Disabled by Default Read/Write Permission Read-Only Permission
Service Provider Administration Enables all Service Provider administration permissions in the built-in role. Enabled   Read/Write  
- Configure Account Groups Provides the ability to add, edit, and delete account groups.   Disabled Read/Write  
Account Administration Provides access to all account administration functionality in the built-in role. Enabled   Read/Write  
- Configure Beta Features Provides the ability to enable and disable beta features.   Disabled Read/Write  
- Configure Branding Provides the ability to edit custom branding.   Disabled Read/Write  
- Manage Data Retention Licenses Provides the ability to allocate and deallocate Data Retention Licenses.   Disabled Read/Write  
System Administration Provides access to all system administration functionality in the built-in role. Enabled     Read Only
- Acknowledge Alerts

Provides the ability to view and acknowledge alerts.

  Disabled Read/Write  
- Configure Notification Rules Provides the ability to add, edit, and delete notification rules.   Disabled Read/Write  
- Schedule Reports Provides the ability to view and schedule reports.   Disabled Read/Write  
ThreatSync Provides access to the ThreatSync management UI. Enabled     Read Only
AuthPoint Provides access to the AuthPoint management UI. Enabled     Read Only
Devices Provides access to manage devices (Fireboxes and access points). Enabled     Read Only
Endpoint Security Provides access to the Endpoint Security management UI. Enabled     Read Only

Help Desk Built-In Role Default Permissions (Service Provider Operators)

Service Provider Permissions Description Enabled by Default Disabled by Default Read/Write Permission Read-Only Permission
Service Provider Administration Enables all Service Provider administration permissions in the built-in role. Enabled   Read/Write  
- Manage Tenants Provides the ability to add, edit, convert, and delete managed accounts, request account delegation.   Disabled Read/Write  
- Configure Account Groups Provides the ability to add, edit, and delete account groups.   Disabled Read/Write  
- Manage Inventory Provides the ability to allocate inventory to managed accounts.   Disabled Read/Write  
Account Administration Provides access to all account administration functionality in the built-in role. Enabled   Read/Write  
- Configure Beta Features Provides the ability to enable and disable beta features.   Disabled Read/Write  
- Configure Branding Provides the ability to edit custom branding.   Disabled Read/Write  
- Manage Delegation Provides the ability to delegate and revoke account access.   Disabled Read/Write  
- Manage Data Retention Licenses Provides the ability to allocate and deallocate Data Retention Licenses.   Disabled Read/Write  
System Administration Provides access to all system administration functionality in the built-in role. Enabled   Read/Write  
- Acknowledge Alerts

Provides the ability to view and acknowledge alerts.

  Disabled Read/Write  
- Configure Notification Rules Provides the ability to add, edit, and delete notification rules.   Disabled Read/Write  
- Schedule Reports Provides the ability to schedule and delete reports.   Disabled Read/Write  
ThreatSync Provides access to the ThreatSync management UI. Enabled   Read/Write  
AuthPoint Provides access to the AuthPoint management UI. Enabled   Read/Write  
Devices Provides access to monitor and configure devices (Fireboxes and access points). Enabled   Read/Write  
Endpoint Security Provides access to the Endpoint Security management UI. Enabled   Read/Write  

Auditor Built-In Role Default Permissions (Service Provider Operators)

Service Provider Permissions Description Enabled by Default Disabled by Default Read/Write Permission Read-Only Permission
Service Provider Administration Provides read-only access to all Service Provider administration permissions in the built-in role. Enabled     Read Only
- Manage Tenants Provides the ability to add, edit, convert, and delete managed accounts, request account delegation.   Disabled Read/Write  
- Configure Account Groups Provides the ability to add, edit, and delete account groups.   Disabled Read/Write  
- Manage Inventory Provides the ability to allocate inventory to managed accounts.   Disabled Read/Write  
- Manage Trials Provides the ability to start, extend, and cancel trials for managed accounts.   Disabled Read/Write  
Account Administration Provides read-only access to all account administration functionality in the built-in role. Enabled     Read Only
- Configure Beta Features Provides the ability to enable and disable beta features.   Disabled Read/Write  
- Configure Branding Provides the ability to edit custom branding.   Disabled Read/Write  
- Manage Delegation Provides the ability to delegate and revoke account access.   Disabled Read/Write  
- Manage Accounts Provides the ability to edit contact details for managed accounts.   Disabled Read/Write  
- Manage Data Retention Licenses Provides the ability to allocate and deallocate Data Retention Licenses.   Disabled Read/Write  
System Administration Provides read-only access to all system administration functionality in the built-in role. Enabled     Read Only
- Acknowledge Alerts

Provides the ability to view and acknowledge alerts.

  Disabled Read/Write  
- Configure Notification Rules Provides the ability to add, edit, and delete notification rules.   Disabled Read/Write  
- Schedule Reports Provides the ability to schedule or delete.   Disabled Read/Write  
ThreatSync Provides read-only access to the ThreatSync management UI. Enabled     Read Only
AuthPoint Provides read only access to the AuthPoint management UI. Enabled     Read Only
Devices Provides read-only access to device management. Enabled     Read Only
Endpoint Security Provides read-only access to the Endpoint Security management UI. Enabled     Read Only

Default Permissions for Subscriber Operator Roles

Permissions you can enable or disable for a Subscriber custom role depend on the built-in role selected. There are three built-in operator roles that an Administrator operator can use to create a custom role:

  • Administrator — Administrators can add custom branding options to the account. They are the only Subscriber operators who can add, edit, and delete other operators. Administrators have access to the Advanced Visualization Tool with a WatchGuard Endpoint Security license and the Advanced Reporting Tool or Data Control module.
  • Analyst —Analysts have full permissions to configure services and read-only permission everywhere else.
  • Observer — Observers have read-only permission throughout their account.

This table lists the permissions enabled by default with each built-in role and shows whether the permissions are available as read/write or read-only. If a permission is enabled or disabled by default, the text Enabled or Disabled shows in the relevant column. If a permission is read/write or read only, it shows as Read/Write or Read Only in the column. When read/write access is removed, the functional area is not editable. If read-only access is removed, the functional area is not visible.

In the built-in role, there are top-level categories for the permissions (Account Administration and System Administration). These top-level categories are more than the summation of any permissions they contain. The granular permissions within a top-level category are the only permissions you can add.

Some permissions are linked to other permissions. For example, the ThreatSync Core permission is linked to the AuthPoint, Devices, and Endpoint Security permissions. ThreatSync provides extended detection capabilities through the correlation of data from Fireboxes, Access Points and WatchGuard Endpoint Security (Advanced EPDR, EPDR, EDR, and EDR Core). When you select ThreatSync Core, it automatically selects the linked permissions.

Administrator Built-In Role Default Permissions (Subscriber Operators)

Subscriber Permissions Description Enabled by Default Disabled by Default Read/Write Permission Read Only Permission
Account Administration Provides access to all account administration functionality in the built-in role. Enabled   Read/Write  
- Manage Trials Only available to tier-1 Subscriber accounts. Provides the ability to start, extend, and cancel trials for their account.   Disabled Read/Write  
System Administration Provides access to all system administration functionality in the built-in role. Enabled   Read/Write  
ThreatSync Provides access to the ThreatSync management UI. Enabled   Read/Write  
AuthPoint Provides access to the AuthPoint management UI. Enabled   Read/Write  
Devices Provides access to monitor and configure devices (Fireboxes and access points). Enabled   Read/Write  
Endpoint Security Provides access to the Endpoint Security management UI. Enabled   Read/Write  

Analyst Built-In Role Default Permissions (Subscriber Operators)

Subscriber Permissions Description Enabled by Default Disabled by Default Read/Write Permission Read Only Permission
Account Administration Provides access to all account administration functionality in the built-in role. Enabled     Read Only
- Configure Beta Features Provides the ability to enable and disable beta features.   Disabled Read/Write  
- Configure Branding Provides the ability to edit custom branding.   Disabled Read/Write  
- Manage Data Retention Licenses Provides the ability to allocate and deallocate Data Retention Licenses.   Disabled Read/Write  
System Administration Provides access to all system administration functionality in the built-in role. Enabled   Read/Write  
ThreatSync Provides access to the ThreatSync management UI. Enabled   Read/Write  
AuthPoint Provides access to the AuthPoint management UI. Enabled   Read/Write  
Devices Provides access to monitor and configure devices (Fireboxes and access points). Enabled   Read/Write  
Endpoint Security Provides access to the Endpoint Security management UI. Enabled   Read/Write  

Observer Built-In Role Default Permissions (Subscriber Operators)

Subscriber Permissions Description Enabled by Default Disabled by Default Read/Write Permission Read Only Permission
Account Administration Provides read-only access to all account administration functionality in the built-in role. Enabled     Read Only
- Configure Beta Features Provides the ability to enable and disable beta features.   Disabled Read/Write  
- Configure Branding Provides the ability to edit custom branding.   Disabled Read/Write  
- Manage Delegation Provides the ability to delegate and revoke account access.   Disabled Read/Write  
- Manage Data Retention Licenses Provides the ability to allocate and deallocate Data Retention Licenses.   Disabled Read/Write  
System Administration Provides read-only access to all system administration functionality in the built-in role. Enabled     Read Only
- Acknowledge Alerts

Provides the ability to view and acknowledge alerts.

  Disabled Read/Write  
- Configure Notification Rules Provides the ability to add, edit, and delete notification rules.   Disabled Read/Write  
- Schedule Reports Provides the ability to schedule or delete.   Disabled Read/Write  
ThreatSync Provides read-only access to the ThreatSync management UI. Enabled     Read Only
AuthPoint Provides read-only access to the AuthPoint management UI. Enabled     Read Only
Devices Provides read-only access to device management. Enabled     Read Only
Endpoint Security Provides read-only access to the Endpoint Security management UI. Enabled     Read Only

Related Topics

Manage WatchGuard Cloud Operators and Roles

Manage Custom Operator Roles

Custom Operator Roles — Configuration Examples

Add Operators to Your Account

Add Operators to Managed Accounts