Manage Custom Operator Roles

Add and manage operators and roles for your account on the Operators and Roles page in WatchGuard Cloud. Operator roles and the permissions in a role determine what information the operator can see and the actions they can take in their own account and the accounts they manage.

To implement granular role-based access control (RBAC) over functional areas of the WatchGuard Cloud user interface, Owner and Administrator operators can create custom roles from built-in operator roles. For information on the built-in roles, go to Manage WatchGuard Cloud Operators and Roles. For a list of the default permissions available with built-in roles, go to Default Permissions for Built-in Roles.

From the Operators and Roles page, you can:

Your operator role determines what you can see and do in WatchGuard Cloud. The permission to add, edit, and delete a custom operator role is available only to operators with the Owner (Service Provider) or Administrator (Subscriber) built-in role.

Custom Operator Role Use Cases

There are some common scenarios when you might want to add custom operator roles.

Account-based Segregation

You can use custom operator roles to provide operators with limited access to specific accounts. This could be used to make sure that they cannot manage internal activities for a specific account.

Product-specific Administrators

You can use custom operator roles to give different operators access to specific products or features. For example, you can create a custom role for administrators that allows access to network security features only and a different custom role for administrators that allows access to the AuthPoint management UI only.

Platform Granularity

You can use custom operator roles to enable or disable specific permissions in the Service Provider Administration, Account Administration, or System Administration feature areas. For example, you can create a custom role for operators who cannot manage inventory or trials. Or, you could create a custom role for operators who can view and schedule reports, but not view or configure alerts or notification rules.

Add a Custom Operator Role

The permission to add a custom operator role is available only to operators with the Owner (Service Provider) or Administrator (Subscriber) built-in role.

When you add a custom operator role, you enable or disable access to the features in a selected built-in role to create a new role. You do not change the built-in role.

Before you add a custom operator role, review this information:

  • In the Add Role page, the label next to a permission indicates whether the permission provides read/write access or read-only access to a feature or product.
  • To create a new custom role from a built-in role, you must change at least one permission.
  • If you remove read/write access for a permission, an operator with the assigned role cannot edit the functional area, product, or service.
  • If you remove read-only access for a permission, the functional area is no longer visible to the operator.
  • With the exception of the Manage Inventory permission in the Owner role, you cannot remove granular permissions that are part of a built-in role.
  • When WatchGuard adds new features, you can update custom operator roles with access permissions for the new feature. WatchGuard does not automatically add new features to custom operator role definitions.

To add a custom operator role, from WatchGuard Cloud:

  1. (Service Providers only) From Account Manager, select the account you want to add a new role for.
  2. Select Administration > Operators and Roles.
  3. On the Role page, click Add Role.
  4. In the Role Name text box, type a name for the custom role. The role name must be unique and a minimum of four characters. It cannot be the same as any of the built-in role names.
    Role names can include up to 60 characters, and can contain alphanumeric characters, underscores, hyphens, periods, and spaces. You can use periods only in the middle of a role name. We recommend that you use descriptive role names to make the role easy to identify when you assign it to an operator.

  5. From the Built-in Role drop-down list, select the built-in role you want to create the new role from. Permissions are enabled by default based on the level of access associated with the selected role. For a list of the default permissions, go to Default Permissions for Service Provider Operator Roles and Default Permissions for Subscriber Operator Roles.
  6. In the Additional Permissions section:
    • To include or exclude granular permissions in a feature area, select or clear check boxes for the permissions you want to include or exclude.
      For example, you can add read/write access to Schedule Reports.
    • To enable operator access to devices or an entire product or service, select the check box next to a permission.
      For example, if you do not select the AuthPoint check box, an operator with this role does not have access to the AuthPoint management UI, even if you have allocated users to their account. They will not see AuthPoint alerts, notifications, or reports.
  7. Click Save.
    The new role shows in the table with the available permissions.

  8. Assign the custom role to an operator. For more information, go to Add Operators to Your Account.

If an Owner operator is the last or only operator with the Owner role in an account, you cannot assign a custom operator role to them. Every account must have an Owner or Administrator operator with full privileges.

Edit a Custom Operator Role

The permission to modify custom operator roles is only available to operators with the Owner (Service Provider) or Administrator (Subscriber) built-in role. Operators cannot modify their own role or permissions.

You can add and remove read/write permissions from an operator role. You cannot change a built-in role. If you want to change a built-in role, we recommend that you add a new role.

When WatchGuard adds new features, you can update custom operator roles with access permissions for the new feature. WatchGuard does not automatically update custom operator role definitions when new features release.

To edit a custom operator role, from WatchGuard Cloud:

  1. (Service Providers only) From Account Manager, select the account you want to edit a role for.
  2. Select Administration > Operators and Roles.
  3. On the Role page, from the Name column, select the role you want to edit.
  4. Edit the Role Name, if needed.
  5. In the Additional Permissions section, select or clear the check boxes for the permissions you want to add or remove from the role.
    A label next to the permission indicates whether the permission provides read/write access or read-only access to the feature. You must select at least one check box.
  6. Click Save.
    Operators that have this role assigned now have the revised permissions.

If an operator is the last or only operator with the Owner or Administrator role in an account, you cannot assign a custom operator role to them. Every account must have an Owner or Administrator operator with full privileges.

Delete a Custom Operator Role

The permission to delete a custom operator role is only available to operators with the Owner (Service Provider) or Administrator (Subscriber) built-in role.

Before you delete a custom operator role, confirm that the role is not assigned to any operators. If you delete a custom role with assigned operators, all assigned operators revert to the built-in role used to create the custom role.

For example, if you create a custom role from the built-in Sales role, then delete it later, any operators with the custom role assigned revert to permissions from the built-in Sales role.
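A pre-deletion check for the reversion behavior described above, as an added example that is not WatchGuard code: it models roles as permission sets and reports which operators would revert to the built-in role and what access they would gain or lose. The role contents, permission assignments, and operator names are constructed sample data, not WatchGuard defaults.

```python
# Added example: impact check before deleting a custom operator role.
# Role contents, permissions and operators are constructed sample data,
# not WatchGuard defaults and not output from WatchGuard Cloud.

BUILT_IN_ROLES = {
    "Sales": {"View Reports", "AuthPoint"},
}

# custom role name -> (built-in role it was created from, enabled permissions)
CUSTOM_ROLES = {
    "Sales - Reports": ("Sales", {"View Reports", "Schedule Reports"}),
}

# operator -> assigned role
OPERATORS = {
    "alice@example.com": "Sales - Reports",
    "bob@example.com": "Sales",
    "carol@example.com": "Sales - Reports",
}


def deletion_impact(role_name, custom_roles, built_in_roles, operators):
    """Map each operator assigned to role_name to the access change on delete.

    Assigned operators revert to the built-in role the custom role was
    created from: they gain what the custom role had disabled and lose
    what it had added.
    """
    if role_name not in custom_roles:
        raise KeyError(f"{role_name!r} is not a custom role")
    base_role, enabled = custom_roles[role_name]
    base = built_in_roles[base_role]
    change = {"reverts_to": base_role,
              "gained": sorted(base - enabled),
              "lost": sorted(enabled - base)}
    return {op: dict(change) for op, assigned in sorted(operators.items())
            if assigned == role_name}


def safe_to_delete(role_name, custom_roles, built_in_roles, operators):
    """True only when no operator is still assigned to the role."""
    return not deletion_impact(role_name, custom_roles, built_in_roles, operators)


if __name__ == "__main__":
    for op, c in deletion_impact("Sales - Reports", CUSTOM_ROLES,
                                 BUILT_IN_ROLES, OPERATORS).items():
        print(f"{op}: reverts to {c['reverts_to']}, "
              f"gains {c['gained']}, loses {c['lost']}")
```

Any non-empty "gained" list is access the operator would receive without an explicit grant, so reassign those operators before you delete the role.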

To delete a custom operator role, from WatchGuard Cloud:

  1. (Service Providers only) From Account Manager, select the account you want to delete the custom role from.
  2. Select Administration > Operators and Roles.
  3. On the Role page, click in the row that you want to delete the role for.

  4. Click Delete.
  5. Click Delete.
    All assigned operators revert to the built-in role used to create the custom role.

Export a List of Operator Roles

To export a list of operator roles to a .CSV file, from WatchGuard Cloud:

  1. (Service Providers only) From Account Manager, select the account you want to export the list of roles from.
  2. Select Administration > Operators and Roles.
  3. On the Role page, click .
    The .CSV file downloads automatically.

Related Topics

Custom Operator Roles — Configuration Examples

Manage WatchGuard Cloud Operators and Roles

Default Permissions for Built-in Roles

Add Operators to Your Account

Add Operators to Managed Accounts

Enable MFA for WatchGuard Cloud Operators

Delete Operators