Administration roles summary

We have predefined administration roles. These have some license-specific capabilities.

You can also create custom roles. You can give these custom roles some license-specific capabilities.

This page summarizes the differences between the roles.

Predefined roles

Administration roles divide security administration by responsibility level. Sophos Central includes several predefined roles. This table shows the access and capabilities for the predefined roles.

Role: Super Admin

Access: Have access to everything you have licenses for in Sophos Central.

Capabilities: Can do everything you have licenses for in Sophos Central.

They are also the only administrators who can do the following:

  • Manage roles and role assignments.
  • Create, edit, assign, and delete custom roles.
  • Generate and manage API tokens.
  • Add and manage API credentials.
  • Create Sophos support tickets.

Role: Admin

Access: Have access to everything you have licenses for in Sophos Central.

No access to Super Admin only options.

Capabilities: Can do everything you have licenses for in Sophos Central apart from the Super Admin specific tasks.

Role: Help Desk

Access: Read-only access to everything you have licenses for in Sophos Central.

No access to Super Admin only options.

Capabilities: Can do the following:

  • Look at sensitive logs or reports.
  • Receive and clear alerts.
  • Update the Sophos agent software on a computer.
  • Scan computers.
  • Change co-branding.
  • See users, campaigns, series, results, and reports for Phish Threat (needs a license).

Role: Read-only

Access: Read-only access to everything in Sophos Central.

No access to Super Admin only options.

Capabilities: Can do the following:

  • Look at sensitive logs or reports.
  • Receive alerts.
  • See users, campaigns, series, results, and reports for Phish Threat (needs a license).

Custom roles

You can create custom roles from base role types. You use custom roles to change the access and capabilities of the predefined roles. You can limit access by product and change the default capabilities for a base role. These capabilities only apply to the selected products for a custom role. See Add a custom role.

The base role types have the default capabilities shown in the table.

Note

You can only use one of the two policy capability options. Turning on one of the options turns the other off. The policy management option allows an administrator to do more than the policy assignment option. If you turn it on for the Help Desk or read-only base roles, it gives them the same capability for managing policies, devices and users as the full base role.

You won't see the license-dependent capabilities if you don't have the correct license.

Role: Full

Capabilities and access: Same access and capabilities as the predefined Admin role.

Additional capabilities: These are turned on by default:

  • Enable access to logs & reports.
  • Enable policy management (add, edit, and delete).

If you have a Live Response license, you can also add the following:

  • Start Live Response sessions on computers (needs access to Endpoint Protection).
  • Manage Live Response settings for computers (needs access to Endpoint Protection).
  • Start Live Response sessions on servers (needs access to Server Protection).
  • Manage Live Response settings for servers (needs access to Server Protection).

Role: Help Desk

Capabilities and access: Same access and capabilities as the predefined Help Desk role.

Additional capabilities: These are turned on by default:

  • Enable access to logs & reports.
  • Enable policy assignment to users, device, etc. (turn policies on and off; and add users, user groups, devices and device groups to existing policies).

If you have a Live Response license, you can also add the following:

  • Start Live Response sessions on computers (needs access to Endpoint Protection).
  • Start Live Response sessions on servers (needs access to Server Protection).

Role: Read-only

Capabilities and access: Same access and capabilities as the predefined Read-only role.

Additional capabilities: These are turned on by default:

  • Enable access to logs & reports.

License-specific capabilities

There are some things that administrators can only do if you have specific licenses. Their capabilities depend on your licenses and their roles. These are included in the predefined roles if you have the correct license.

Option | License | Role
--- | --- | ---
View the intelligence report. | XDR | Super Admin, Admin, Help Desk, Read-only
Request the intelligence report | XDR | Super Admin, Admin, Help Desk
Add items to the “Clean and Block” list. | XDR | Super Admin, Admin
Remove items from the “Clean and Block” list. | XDR | Super Admin, Admin
View blocked items. | XDR | Super Admin, Admin, Help Desk, Read-only
View on-demand threat graphs. | XDR | Super Admin, Admin, Help Desk, Read-only
Request an on-demand threat graph. | XDR | Super Admin, Admin, Help Desk
Isolate and un-isolate devices | XDR | Super Admin, Admin
Request a forensic snapshot | XDR | Super Admin, Admin, Help Desk
Start Live Response sessions on computers | Live Response | Super Admin, Admin. Custom role with a full or Help Desk base role and access to Endpoint Protection.
Start Live Response sessions on servers | Live Response | Super Admin, Admin. Custom role with a full or Help Desk base role and access to Server Protection.
Manage Live Response settings for computers | Live Response | Super Admin, Admin. Custom role with a full base role and access to Endpoint Protection.
Manage Live Response settings for servers | Live Response | Super Admin, Admin. Custom role with a full base role and access to Server Protection.
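
A pre-flight check for custom role designs, applying the rules from the Custom roles note and the Live Response rows of the license capabilities table. This is an added example, not Sophos code: the dictionary layout, the capability identifiers and the review_custom_role function are hypothetical and do not reflect any Sophos Central API or export format.

```python
# Added example: hypothetical custom-role definitions checked against this
# page's rules. Dict layout and capability names are assumptions, not a Sophos API.
# capability -> (base roles that may hold it, product access it needs)
LIVE_RESPONSE_RULES = {
    "lr_start_computers":  ({"full", "help_desk"}, "Endpoint Protection"),
    "lr_manage_computers": ({"full"},              "Endpoint Protection"),
    "lr_start_servers":    ({"full", "help_desk"}, "Server Protection"),
    "lr_manage_servers":   ({"full"},              "Server Protection"),
}
POLICY_OPTIONS = {"policy_management", "policy_assignment"}


def review_custom_role(role, licenses):
    """Return (errors, warnings) for one custom-role definition."""
    errors, warnings = [], []
    base, caps, products = role["base"], set(role["capabilities"]), set(role["products"])

    # Only one of the two policy options can be turned on at a time.
    if POLICY_OPTIONS <= caps:
        errors.append("policy_management and policy_assignment are mutually exclusive")

    # Policy management on a lower base role gives the same capability for
    # managing policies, devices and users as the full base role: flag it.
    if "policy_management" in caps and base in {"help_desk", "read_only"}:
        warnings.append(f"{base} base with policy_management manages policies, "
                        "devices and users like the full base role")

    for cap in sorted(caps & LIVE_RESPONSE_RULES.keys()):
        allowed_bases, product = LIVE_RESPONSE_RULES[cap]
        if "Live Response" not in licenses:
            errors.append(f"{cap}: needs a Live Response license")
        if base not in allowed_bases:
            errors.append(f"{cap}: not available on the {base} base role")
        if product not in products:
            errors.append(f"{cap}: needs access to {product}")
    return errors, warnings


# Constructed sample input.
SAMPLE_ROLE = {
    "base": "help_desk",
    "products": ["Endpoint Protection"],
    "capabilities": ["logs_reports", "policy_management",
                     "lr_start_servers", "lr_manage_computers"],
}

if __name__ == "__main__":
    errs, warns = review_custom_role(SAMPLE_ROLE, licenses={"Live Response"})
    for line in [f"ERROR   {e}" for e in errs] + [f"WARNING {w}" for w in warns]:
        print(line)
```

The warning case is the one to review by hand: a Help Desk or read-only custom role with policy management turned on is no longer a low-privilege role for policies, devices and users.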