User Roles

This topic describes the user roles that you can assign to user accounts in Cloud Email Protection. Roles in Cloud Email Protection are divided into two categories:

  • User roles, which are read-only roles that allow users to only view specific areas in Cloud Email Protection, the "R" in the common "CRUD" (create, read, update, delete) paradigm.
  • Administrator roles, which allow users to make changes in various areas of Cloud Email Protection, the "C," "U," and "D" in "CRUD."

Roles are hierarchical by default. That is, when you assign a user account a role, that account is also automatically assigned all roles "below" the selected role. Roles below the selected role can be unassigned manually.

The following table lists the available roles in order of that hierarchy.

Role Description
Administrator Roles
Organization Administrator

An Organization Administrator will by default have all permissions of a read-only, auditing, and user administrator unless those roles are specifically unselected. In addition, the organization administrator can make changes to organization settings, policies, and address groups:

  • View and edit organization settings at Manage > Organization.
  • View, create, and edit policy configurations at Manage > Policies.
  • Create on-demand policies at Search Messages (if applicable to customer configuration).
  • View, approve, deny, or undo senders and IPs at Manage > Senders.
  • View metrics and update configurations at Manage > Sensors.
  • View, create, and edit address groups at Manage > Address Groups.
User Administrator

A user administrator will by default have all permissions of a read-only user and auditing user unless those roles are specifically unselected. In addition, a user administrator can:

  • Create and edit users at Manage > Users.
User Roles
Auditing User

An auditing user will by default have all permissions of a read-only user, unless the read-only role is specifically unselected. In addition, an auditing user can:

  • View and search user audit logs at Manage > Users.
Read-only User

A read-only user can search and view data in Cloud Email Protection, but cannot make changes or edits anywhere.

  • View and search data on all pages under the Analyze menu (Overview, Messages, Domains, IP Addresses, and Search Messages).
  • View policy configurations on the Manage > Policies page. Cannot create new policies, on-demand policies, or edit policies.
  • View reports on Manage > Reports.
  • View senders on Manage > Senders. Cannot Approve, Deny, or Undo senders or IPs.
  • View metrics and configurations on Manage > Sensors. Cannot modify sensor configurations.
  • View own user settings and enable API credentials on Manage > Users. Cannot change own user role.
  • View address group configurations on Manage > Address Groups. Cannot create or edit address groups.
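
The following is an added example, not part of the product or its documentation: a small model of the default hierarchy and manual unassignment described above, usable as an access-review aid that lists which accounts hold change rights and which lower roles were unselected. The account names are constructed, and the rule that change rights are the union of the roles still assigned is an assumption.

```python
# Added example: models the role hierarchy described on this page.
HIERARCHY = ["Organization Administrator", "User Administrator",
             "Auditing User", "Read-only User"]  # highest role first

# Areas each role can change, taken from the role descriptions above.
CHANGE_AREAS = {
    "Organization Administrator": {
        "Organization", "Policies", "Search Messages (on-demand policies)",
        "Senders", "Sensors", "Address Groups"},
    "User Administrator": {"Users"},
    "Auditing User": set(),    # view/search audit logs only
    "Read-only User": set(),   # view/search only
}

def default_roles(selected):
    """Roles assigned automatically when `selected` is chosen: it and all below."""
    return HIERARCHY[HIERARCHY.index(selected):]

def review_account(name, roles):
    """Summarise one account for an access review."""
    unknown = set(roles) - set(HIERARCHY)
    if unknown or not roles:
        raise ValueError(f"{name}: invalid role set {sorted(roles)}")
    top = min(roles, key=HIERARCHY.index)
    return {
        "account": name,
        "top_role": top,
        # Lower roles manually unassigned after the default expansion.
        "unassigned": [r for r in default_roles(top) if r not in roles],
        # Assumption: change rights are the union over roles still assigned.
        "can_change": sorted(set().union(*(CHANGE_AREAS[r] for r in roles))),
    }

# Constructed sample accounts (hypothetical names, not from the page).
ACCOUNTS = {
    "alice": set(default_roles("Organization Administrator")),
    "bob": set(default_roles("User Administrator")) - {"Auditing User"},
    "carol": {"Read-only User"},
}

def accounts_with_change_rights(accounts):
    """Accounts holding any administrator role, for least-privilege review."""
    rows = (review_account(n, r) for n, r in sorted(accounts.items()))
    return [row for row in rows if row["can_change"]]

if __name__ == "__main__":
    for row in accounts_with_change_rights(ACCOUNTS):
        print(row)
```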