TDR Operator Roles and Permissions

In your Threat Detection and Response account, Operator roles determine what information a user can see, and what actions a user can complete. The roles and permissions in TDR are managed as Operator roles in the WatchGuard Portal. All configuration tasks in TDR must be performed by an Operator with an Administrator or Analyst role.

TDR Operator roles are the same as WatchGuard Cloud roles. For information about WatchGuard Cloud Operator roles, see Manage WatchGuard Cloud Operators.

To manage user accounts or change operator roles, see Manage User Accounts in the WatchGuard Portal.

Subscriber Operator Roles

TDR Operators in a Subscriber account can have the Observer, Analyst, or Administrator roles.


An Operator assigned the Observer role has view permissions only for TDR.

Observers can:

  • See the Dashboard and CYBERCON level
  • See incidents and indicators
  • See information about network events


An Operator assigned the Analyst role can complete most actions but cannot manage Operator accounts.

Analysts can:

  • Change the CYBERCON level
  • See the Dashboard
  • Take action on incidents and indicators
  • Add policies and exclusions
  • Generate and schedule reports
  • Set up AD Helper, Host Sensors, and Fireboxes
  • See information about hosts and network events
  • See domain and group information
  • Add signature overrides
  • See the Audit Log


A user assigned the Administrator role has the same permissions as an Analyst. In addition, Administrators can manage Operator accounts and reset features to default settings.

Administrators can:

  • Manage Operator accounts and Operator roles
  • Reset features to default settings

Service Provider Operator Roles

Service Provider accounts manage multiple customer accounts. TDR Operators in a Service Provider account can have the Owner, Sales, Helpdesk, and Auditor roles.


An Operator assigned the Owner role in a Service Provider account can assign Host Sensor licenses to managed customer accounts. Owners can also complete the same actions for a managed account as Administrators.


  • Assign Host Sensor licenses to managed accounts
  • Configure the global Host Sensor settings in each managed account
  • Manage all customer accounts with the same privileges as a user assigned the Administrator role


An Operator assigned the Sales role has read-only permission to configure services and Operators.


An Operator assigned the Helpdesk role has the same permissions as an Analyst role for all accounts managed from the Service Provider account.


An Operator assigned to the Auditor role has read-only permission throughout their Service Provider account.

See Also

TDR Account Types