
List of all Roles

The following are all the roles currently supported by SASE:

| Role | UI Label | Description |
| --- | --- | --- |
| auditor | Auditor | This role provides read-only access to functions related to all configuration, including subscriptions and licenses. Assign this role to users or service accounts that need to examine the system for accuracy. |
| business_admin | Business Administrator | This role provides access to all subscription and license management. This role also provides read-only access to other functions, including but not limited to: access policies, service accounts, and tenant service group operations. |
| data_security_admin | Data Security Administrator | This role provides access to all data security functions. In addition, it provides read-only access to logs. This role contains a very small subset of privileges compared to the Security Admin role. |
| deployment_admin | Deployment Administrator | This role provides access to functions related to deployments. In addition, this role provides read-only access to other functions. |
| iam_admin | IAM Administrator | This role provides access to identity and authentication functions. In addition, it provides read-only access to logs. Assign this role to users or service accounts that need to manage users or service accounts. |
| msp_iam_admin | MSP IAM Administrator | This role provides access to identity and authentication functions for all tenants in a multitenant hierarchy. In addition, it provides read-only access to logs. |
| msp_superuser | MSP Superuser | This role provides full read and write access to all functions for all tenants in a multitenant hierarchy. Assign this role only to users or service accounts that need unrestricted access to the MSP portal. |
| network_admin | Network Administrator | This role provides access to functions related to network configuration. This role also provides read-only access to other functions, including but not limited to: alerts, license quotas, devices, and tenant service group operations. |
| security_admin | Security Administrator | This role provides access to functions related to security policy configuration. This role also provides read-only access to other functions, including but not limited to: alerts, license quotas, devices, and tenant service group operations. |
| soc_analyst | SOC Analyst | This role provides read-only access to functions related to logs, reports, events, alerts, and all configuration. Assign this role to users or service accounts that need to view and investigate threats and trends. |
| superuser | Superuser | This role provides full read and write access to all the available system-wide functions. It includes all the permissions of all the other roles, including MSP Superuser. Assign this role only to users or service accounts that need unrestricted access. |
| tier_1_support | Tier 1 Support | This role provides access to specific incident remediation workflows that update network, security, SD-WAN, GlobalProtect, and device configuration. This role also provides read-only access to other functions. |
| tier_2_support | Tier 2 Support | This role provides access to specific incident remediation workflows that update network, security, SD-WAN, GlobalProtect, and device configuration. This role also provides read-only access to other functions. |
| view_only_admin | View Only Administrator | Read-only access to all functions. |