Manage WatchGuard Cloud Operators and Roles

Users who can log in to WatchGuard Cloud to view and manage account information and configure services are called operators. Your operator role determines what information you can see and what actions you can take in your own account or managed accounts. Based on your permissions, some pages could show as read only. If your operator role does not have permission to view a page, you see this error message:

You do not have permission to view this page. Contact your administrator.

To implement granular role-based access control (RBAC) over functional areas of the WatchGuard Cloud user interface, Owner and Administrator operators can create custom roles. For more information on granular permissions, go to Manage Custom Operator Roles.

Operators are separate from licensed users of a WatchGuard product or service. They do not require a license and can only log in to WatchGuard Cloud. You must create a separate user account for any operator who uses a product or service such as AuthPoint or Endpoint Security.

Your operator role determines what you can see and do in WatchGuard Cloud. Only operators with the built-in Owner or Administrator role have permissions to manage operators and roles.

There are different operator roles for Subscriber accounts and Service Provider accounts. Every account must have an Owner or Administrator operator with full privileges.

Built-in Subscriber Operator Roles

There are three built-in operator roles for Subscriber accounts:

  • Administrator — Administrators have full permissions within their Subscriber account and managed services. They can add custom branding options to the account. They are the only Subscriber operators who can add, edit, and delete other operators. Administrators could have access to the Advanced Visualization Tool with a WatchGuard Endpoint Security license (Advanced Reporting Tool and Data Control modules).
  • Analyst — Analysts have full permissions to configure services and read-only permission everywhere else.
  • Observer — Observers have read-only permission throughout their account.

For a list of the default permissions available in each built-in role, go to Default Permissions for Built-in Roles.

If you add an operator to a tier-1 Subscriber account, or a tier-n Service Provider or Subscriber account, the new operator can only log in to WatchGuard Cloud (cloud.watchguard.com), not Support Center.

Built-in Service Provider Operator Roles

There are four built-in operator roles for Service Provider accounts:

  • Owner — Owners have full permissions within their Service Provider account and managed services. They can add custom branding options to the account. They are the only Service Provider operators who can add, edit, and delete operators for their account. When there is an Endpoint Security product license and modules, Owners could have access to the Advanced Visualization Tool (Advanced Reporting Tool or Data Control modules).
  • Sales — Sales operators have full permissions for inventory and account management, but read-only permission for configure services and operators.
  • Helpdesk — Helpdesk operators have full permissions to configure services and read-only permission everywhere else.
  • Auditor — Auditors have read-only permission throughout their Service Provider account.

For a list of the default permissions available in each built-in role, go to Default Permissions for Built-in Roles.

Role Mapping

Because different operator roles are available for Service Providers and Subscribers, when Service Providers view a Subscriber account, their permissions are mapped to the relevant Subscriber operator role. Role mapping occurs when a Service Provider operator looks at the Subscriber account for a managed account or their own Subscriber account.

Service Provider Role Mapped Subscriber Role
Owner Administrator
Sales Observer
Helpdesk Analyst
Auditor Observer

Custom Operator Roles

On the Roles page, you can create a custom role that is based on a built-in role. You can enable or disable read/write or read-only permissions for different features in WatchGuard Cloud. For example, the Sales role can only read scheduled reports by default. You can create a custom role based on the Sales role that enables read/write permissions for the Scheduled Reports page. For more information, go to Manage Custom Operator Roles.

Related Topics

Add Operators to Your Account

Add Operators to Managed Accounts

Enable MFA for WatchGuard Cloud Operators

Delete Operators

Manage Custom Operator Roles

Default Permissions for Built-in Roles