Users who can log in to WatchGuard Cloud to view and manage account information and configure services are called operators. Your operator role determines what information you can see and what actions you can take in your own account or managed accounts. Based on your permissions, some pages could show as read only. If your operator role does not have permission to view a page, you see this error message:
You do not have permission to view this page. Contact your administrator.
To implement granular role-based access control (RBAC) over functional areas of the WatchGuard Cloud user interface, Owner and Administrator operators can create custom roles. For more information on granular permissions, go to Manage Custom Operator Roles.
Operators are separate from licensed users of a WatchGuard product or service. They do not require a license and can only log in to WatchGuard Cloud. You must create a separate user account for any operator who uses a product or service such as AuthPoint or Endpoint Security.
Your operator role determines what you can see and do in WatchGuard Cloud. Only operators with the built-in Owner or Administrator role have permissions to manage operators and roles.
There are different operator roles for Subscriber accounts and Service Provider accounts. Every account must have an Owner or Administrator operator with full privileges.
Built-in Subscriber Operator Roles
There are three built-in operator roles for Subscriber accounts:
- Administrator — Administrators have full permissions within their Subscriber account and managed services. They can add custom branding options to the account. They are the only Subscriber operators who can add, edit, and delete other operators. Administrators could have access to the Advanced Visualization Tool with a WatchGuard Endpoint Security license (Advanced Reporting Tool and Data Control modules) and can manage WatchGuard Orion services if their account is approved by WatchGuard .
- Analyst — Analysts have full permissions to configure services and read-only permission everywhere else.
- Observer — Observers have read-only permission throughout their account.
For a list of the default permissions available in each built-in role, go to Default Permissions for Built-in Roles.
If you add an operator to a tier-1 Subscriber account, or a tier-n Service Provider or Subscriber account, the new operator can only log in to WatchGuard Cloud (cloud.watchguard.com), not Support Center.
Built-in Service Provider Operator Roles
There are four built-in operator roles for Service Provider accounts:
- Owner — Owners have full permissions within their Service Provider account and managed services. They can add custom branding options to the account. They are the only Service Provider operators who can add, edit, and delete operators for their account. When there is an Endpoint Security product license and modules, Owners could have access to the Advanced Visualization Tool (Advanced Reporting Tool or Data Control modules) and WatchGuard Orion management for their account and managed accounts. (WatchGuard approval is required to purchase and manage WatchGuard Orion.)
- Sales — Sales operators have full permissions for inventory and account management, but read-only permission for configure services and operators.
- Helpdesk — Helpdesk operators have full permissions to configure services and read-only permission everywhere else.
- Auditor — Auditors have read-only permission throughout their Service Provider account.
For a list of the default permissions available in each built-in role, go to Default Permissions for Built-in Roles.
There is a built-in No Access role that is only available when you add or edit an operator. It is not available for custom roles. Operators who have the No Access role cannot log in to WatchGuard Cloud until you assign a different role to them. Operators with the No Access role have a red status icon next to their user name.
Role Mapping
Because different operator roles are available for Service Providers and Subscribers, when Service Providers view a Subscriber account, their permissions are mapped to the relevant Subscriber operator role. Role mapping occurs when a Service Provider operator looks at the Subscriber account for a managed account or their own Subscriber account.
| Service Provider Role | Mapped Subscriber Role |
|---|---|
| Owner | Administrator |
| Sales | Observer |
| Helpdesk | Analyst |
| Auditor | Observer |
Custom Operator Roles
On the Roles page, you can create a custom role that is based on a built-in role. You can enable or disable read/write or read-only permissions for different features in WatchGuard Cloud. For example, the Sales role can only read scheduled reports by default. You can create a custom role based on the Sales role that enables read/write permissions for the Scheduled Reports page. For more information, go to Manage Custom Operator Roles.
Add Operators to Managed Accounts