Default Permissions for Built-in Roles
There are different operator roles for Subscriber accounts and Service Provider accounts. Owner and Administrator operators can create custom roles from built-in operator roles. For information on custom operator roles, go to Manage Custom Operator Roles.
For a list of the default permissions available with each built-in role, go to the appropriate section:
- Default Permissions for Service Provider Operator Roles
- Default Permissions for Subscriber Operator Roles
Your operator role determines what you can see and do in WatchGuard Cloud. Only operators with the built-in Owner or Administrator role have permissions to manage operators and roles.
Default Permissions for Service Provider Operator Roles
Permissions you can enable or disable for a Service Provider custom role depend on the built-in role selected. There are four built-in operator roles that Service Provider accounts can use to create a custom role:
- Owner — Owners have full permissions within their Service Provider account and managed services. They can add custom branding options to the account. They are the only Service Provider operators who can add, edit, and delete operators for their account. When there is an Endpoint Security product license and modules, only Owners have access to the Advanced Visualization Tool (Advanced Reporting Tool or Data Control modules).
- Sales — Sales operators have full permissions for inventory and account management, but read-only permission for services and operators.
- Helpdesk — Helpdesk operators have full permissions to configure services and read-only permission everywhere else.
- Auditor — Auditors have read-only permission throughout their Service Provider account.
This table lists the permissions enabled by default with each built-in role and shows whether the permissions are available as read/write or read-only. If a permission is enabled or disabled by default, the text Enabled or Disabled shows in the relevant column. If a permission is read/write or read only, it shows as Read/Write or Read Only in the column. When read/write access is removed, the functional area is not editable. If read-only access is removed, the functional area is not visible.
In a built-in role, there are top-level categories for the permissions (Service Provider Administration, Account Administration, and System Administration). These top-level categories are more than the summation of any permissions they contain. The granular permissions within a top-level category are the only permissions you can add or, in the case of Service Provider Administration only, the only permission you can remove (Manage Inventory).
Some permissions are linked to other permissions. For example, the ThreatSync permission is linked to the AuthPoint, Devices, and Endpoint Security permissions. ThreatSync provides extended detection capabilities through the correlation of data from Fireboxes, Access Points and WatchGuard Endpoint Security (Advanced EPDR, EPDR, EDR, and EDR Core). When you select ThreatSync, it automatically selects the linked permissions.
Owner Built-In Role Default Permissions (Service Provider Operators)
Service Provider Permissions | Description | Enabled by Default | Disabled by Default | Read/Write Permission | Read-Only Permission |
---|---|---|---|---|---|
Service Provider Administration | Enables all Service Provider administration permissions in the built-in role. | Enabled | | Read/Write | |
- Manage Inventory | Provides the ability to allocate inventory to managed accounts. This includes inventory allocation for products the operator might not have access to the management UI for (for example, ThreatSync or Endpoint Security). | Enabled | | Read/Write | |
Account Administration | Provides access to all account administration functionality in the built-in role. | Enabled | | Read/Write | |
System Administration | Provides access to all system administration functionality in the built-in role. | Enabled | | Read/Write | |
ThreatSync | Provides access to the ThreatSync management UI. When the ThreatSync permission is enabled, the applications and devices used to generate ThreatSync incidents are enabled automatically. | Enabled | | Read/Write | |
AuthPoint | Provides access to the AuthPoint management UI. | Enabled | | Read/Write | |
Devices | Provides access to manage devices (Fireboxes and access points). | Enabled | | Read/Write | |
Endpoint Security | Provides access to the Endpoint Security management UI. | Enabled | | Read/Write | |
Sales Built-In Role Default Permissions (Service Provider Operators)
Service Provider Permissions | Description | Enabled by Default | Disabled by Default | Read/Write Permission | Read-Only Permission |
---|---|---|---|---|---|
Service Provider Administration | Enables all Service Provider administration permissions in the built-in role. | Enabled | | Read/Write | |
- Configure Account Groups | Provides the ability to add, edit, and delete account groups. | | Disabled | Read/Write | |
Account Administration | Provides access to all account administration functionality in the built-in role. | Enabled | | Read/Write | |
- Configure Beta Features | Provides the ability to enable and disable beta features. | | Disabled | Read/Write | |
- Configure Branding | Provides the ability to edit custom branding. | | Disabled | Read/Write | |
- Manage Data Retention Licenses | Provides the ability to allocate and deallocate Data Retention Licenses. | | Disabled | Read/Write | |
System Administration | Provides access to all system administration functionality in the built-in role. | Enabled | | | Read Only |
- Acknowledge Alerts | Provides the ability to view and acknowledge alerts. | | Disabled | Read/Write | |
- Configure Notification Rules | Provides the ability to add, edit, and delete notification rules. | | Disabled | Read/Write | |
- Schedule Reports | Provides the ability to view and schedule reports. | | Disabled | Read/Write | |
ThreatSync | Provides access to the ThreatSync management UI. | Enabled | | | Read Only |
AuthPoint | Provides access to the AuthPoint management UI. | Enabled | | | Read Only |
Devices | Provides access to manage devices (Fireboxes and access points). | Enabled | | | Read Only |
Endpoint Security | Provides access to the Endpoint Security management UI. | Enabled | | | Read Only |
Help Desk Built-In Role Default Permissions (Service Provider Operators)
Service Provider Permissions | Description | Enabled by Default | Disabled by Default | Read/Write Permission | Read-Only Permission |
---|---|---|---|---|---|
Service Provider Administration | Enables all Service Provider administration permissions in the built-in role. | Enabled | | Read/Write | |
- Manage Tenants | Provides the ability to add, edit, convert, and delete managed accounts, and request account delegation. | | Disabled | Read/Write | |
- Configure Account Groups | Provides the ability to add, edit, and delete account groups. | | Disabled | Read/Write | |
- Manage Inventory | Provides the ability to allocate inventory to managed accounts. | | Disabled | Read/Write | |
Account Administration | Provides access to all account administration functionality in the built-in role. | Enabled | | Read/Write | |
- Configure Beta Features | Provides the ability to enable and disable beta features. | | Disabled | Read/Write | |
- Configure Branding | Provides the ability to edit custom branding. | | Disabled | Read/Write | |
- Manage Delegation | Provides the ability to delegate and revoke account access. | | Disabled | Read/Write | |
- Manage Data Retention Licenses | Provides the ability to allocate and deallocate Data Retention Licenses. | | Disabled | Read/Write | |
System Administration | Provides access to all system administration functionality in the built-in role. | Enabled | | Read/Write | |
- Acknowledge Alerts | Provides the ability to view and acknowledge alerts. | | Disabled | Read/Write | |
- Configure Notification Rules | Provides the ability to add, edit, and delete notification rules. | | Disabled | Read/Write | |
- Schedule Reports | Provides the ability to schedule and delete reports. | | Disabled | Read/Write | |
ThreatSync | Provides access to the ThreatSync management UI. | Enabled | | Read/Write | |
AuthPoint | Provides access to the AuthPoint management UI. | Enabled | | Read/Write | |
Devices | Provides access to monitor and configure devices (Fireboxes and access points). | Enabled | | Read/Write | |
Endpoint Security | Provides access to the Endpoint Security management UI. | Enabled | | Read/Write | |
Auditor Built-In Role Default Permissions (Service Provider Operators)
Service Provider Permissions | Description | Enabled by Default | Disabled by Default | Read/Write Permission | Read-Only Permission |
---|---|---|---|---|---|
Service Provider Administration | Provides read-only access to all Service Provider administration permissions in the built-in role. | Enabled | | | Read Only |
- Manage Tenants | Provides the ability to add, edit, convert, and delete managed accounts, and request account delegation. | | Disabled | Read/Write | |
- Configure Account Groups | Provides the ability to add, edit, and delete account groups. | | Disabled | Read/Write | |
- Manage Inventory | Provides the ability to allocate inventory to managed accounts. | | Disabled | Read/Write | |
- Manage Trials | Provides the ability to start, extend, and cancel trials for managed accounts. | | Disabled | Read/Write | |
Account Administration | Provides read-only access to all account administration functionality in the built-in role. | Enabled | | | Read Only |
- Configure Beta Features | Provides the ability to enable and disable beta features. | | Disabled | Read/Write | |
- Configure Branding | Provides the ability to edit custom branding. | | Disabled | Read/Write | |
- Manage Delegation | Provides the ability to delegate and revoke account access. | | Disabled | Read/Write | |
- Manage Accounts | Provides the ability to edit contact details for managed accounts. | | Disabled | Read/Write | |
- Manage Data Retention Licenses | Provides the ability to allocate and deallocate Data Retention Licenses. | | Disabled | Read/Write | |
System Administration | Provides read-only access to all system administration functionality in the built-in role. | Enabled | | | Read Only |
- Acknowledge Alerts | Provides the ability to view and acknowledge alerts. | | Disabled | Read/Write | |
- Configure Notification Rules | Provides the ability to add, edit, and delete notification rules. | | Disabled | Read/Write | |
- Schedule Reports | Provides the ability to schedule or delete reports. | | Disabled | Read/Write | |
ThreatSync | Provides read-only access to the ThreatSync management UI. | Enabled | | | Read Only |
AuthPoint | Provides read-only access to the AuthPoint management UI. | Enabled | | | Read Only |
Devices | Provides read-only access to device management. | Enabled | | | Read Only |
Endpoint Security | Provides read-only access to the Endpoint Security management UI. | Enabled | | | Read Only |
Default Permissions for Subscriber Operator Roles
Permissions you can enable or disable for a Subscriber custom role depend on the built-in role selected. There are three built-in operator roles that an Administrator operator can use to create a custom role:
- Administrators — They can add custom branding options to the account. They are the only Subscriber operators who can add, edit, and delete other operators. Administrators have access to the Advanced Visualization Tool with a WatchGuard Endpoint Security license and the Advanced Reporting Tool or Data Control module.
- Analysts — Analysts have full permissions to configure services and read-only permission everywhere else.
- Observers — Observers have read-only permission throughout their account.
This table lists the permissions enabled by default with each built-in role and shows whether the permissions are available as read/write or read-only. If a permission is enabled or disabled by default, the text Enabled or Disabled shows in the relevant column. If a permission is read/write or read only, it shows as Read/Write or Read Only in the column. When read/write access is removed, the functional area is not editable. If read-only access is removed, the functional area is not visible.
In the built-in role, there are top-level categories for the permissions (Account Administration and System Administration). These top-level categories are more than the summation of any permissions they contain. The granular permissions within a top-level category are the only permissions you can add.
Some permissions are linked to other permissions. For example, the ThreatSync permission is linked to the AuthPoint, Devices, and Endpoint Security permissions. ThreatSync provides extended detection capabilities through the correlation of data from Fireboxes, Access Points and WatchGuard Endpoint Security (Advanced EPDR, EPDR, EDR, and EDR Core). When you select ThreatSync, it automatically selects the linked permissions.
Administrator Built-In Role Default Permissions (Subscriber Operators)
Subscriber Permissions | Description | Enabled by Default | Disabled by Default | Read/Write Permission | Read Only Permission |
---|---|---|---|---|---|
Account Administration | Provides access to all account administration functionality in the built-in role. | Enabled | | Read/Write | |
- Manage Trials | Only available to tier-1 Subscriber accounts. Provides the ability to start, extend, and cancel trials for their account. | | Disabled | Read/Write | |
System Administration | Provides access to all system administration functionality in the built-in role. | Enabled | | Read/Write | |
ThreatSync | Provides access to the ThreatSync management UI. | Enabled | | Read/Write | |
AuthPoint | Provides access to the AuthPoint management UI. | Enabled | | Read/Write | |
Devices | Provides access to monitor and configure devices (Fireboxes and access points). | Enabled | | Read/Write | |
Endpoint Security | Provides access to the Endpoint Security management UI. | Enabled | | Read/Write | |
Analyst Built-In Role Default Permissions (Subscriber Operators)
Subscriber Permissions | Description | Enabled by Default | Disabled by Default | Read/Write Permission | Read Only Permission |
---|---|---|---|---|---|
Account Administration | Provides access to all account administration functionality in the built-in role. | Enabled | | | Read Only |
- Configure Beta Features | Provides the ability to enable and disable beta features. | | Disabled | Read/Write | |
- Configure Branding | Provides the ability to edit custom branding. | | Disabled | Read/Write | |
- Manage Data Retention Licenses | Provides the ability to allocate and deallocate Data Retention Licenses. | | Disabled | Read/Write | |
System Administration | Provides access to all system administration functionality in the built-in role. | Enabled | | Read/Write | |
ThreatSync | Provides access to the ThreatSync management UI. | Enabled | | Read/Write | |
AuthPoint | Provides access to the AuthPoint management UI. | Enabled | | Read/Write | |
Devices | Provides access to monitor and configure devices (Fireboxes and access points). | Enabled | | Read/Write | |
Endpoint Security | Provides access to the Endpoint Security management UI. | Enabled | | Read/Write | |
Observer Built-In Role Default Permissions (Subscriber Operators)
Subscriber Permissions | Description | Enabled by Default | Disabled by Default | Read/Write Permission | Read Only Permission |
---|---|---|---|---|---|
Account Administration | Provides read-only access to all account administration functionality in the built-in role. | Enabled | | | Read Only |
- Configure Beta Features | Provides the ability to enable and disable beta features. | | Disabled | Read/Write | |
- Configure Branding | Provides the ability to edit custom branding. | | Disabled | Read/Write | |
- Manage Delegation | Provides the ability to delegate and revoke account access. | | Disabled | Read/Write | |
- Manage Data Retention Licenses | Provides the ability to allocate and deallocate Data Retention Licenses. | | Disabled | Read/Write | |
System Administration | Provides read-only access to all system administration functionality in the built-in role. | Enabled | | | Read Only |
- Acknowledge Alerts | Provides the ability to view and acknowledge alerts. | | Disabled | Read/Write | |
- Configure Notification Rules | Provides the ability to add, edit, and delete notification rules. | | Disabled | Read/Write | |
- Schedule Reports | Provides the ability to schedule or delete reports. | | Disabled | Read/Write | |
ThreatSync | Provides read-only access to the ThreatSync management UI. | Enabled | | | Read Only |
AuthPoint | Provides read-only access to the AuthPoint management UI. | Enabled | | | Read Only |
Devices | Provides read-only access to device management. | Enabled | | | Read Only |
Endpoint Security | Provides read-only access to the Endpoint Security management UI. | Enabled | | | Read Only |
Manage WatchGuard Cloud Operators and Roles