Enterprise Console roles update

Products

Cloud Secure Web Gateway - Cloud SWG Symantec ZTNA Blue Coat DLP Subscription CASB Securlet SAAS With DLP-CDS CASB Securlet SAAS CASB Securlet IAAS Data Loss Prevention Cloud Detection Service Data Loss Prevention Cloud Detection Service for ICAP Data Loss Prevention Cloud Detection Service for REST Data Loss Prevention Cloud Package

Issue/Introduction

An enhancement to the Enterprise Console has been deployed to create and populate new roles intended to meet customer requests for more granular provisioning permissions. The deployment of subscriptions is now managed by a Super Admin for each product family.

Resolution

In the Enterprise Console, the previous “Global Admin” role could deploy all product subscriptions, modify existing Environments, and setup/change IDP federations. The change has divided permissions across five new roles. Four Super Admin roles resemble the Symantec Endpoint Super Admin role. Individuals may have multiple roles. The former “Global Admin” role has been deprecated and removed.

With the deprecation of the Global Admin role, there is no longer a role that has permission to modify the administrator roles across all products within the account. Instead, each product Super Admin has access to view and modify administrator for that product family only.

With the update, the five (5) new roles were created as follows:

Cloud SWG Super Admin - Able to deploy new Cloud SWG subscriptions into existing Environments or create new Environments for such deployments. In a future enhancement, it will have Administrator permissions in all deployed Cloud SWG Environments.
CASB Super Admin - Able to deploy new CloudSOC subscriptions into existing Environments or create new Environments for such deployments. In a future enhancement, it will have administrator permissions for all deployed CloudSOC environments.
DLP Super Admin - Able to deploy new DLP CDS subscriptions into existing Environments or create new Environments for such deployments. Can configure MIP and OCR functions for DLP scanning. In a future enhancement, it will have administrator permissions for all deployed CloudSOC environments.
ZTNA Super Admin - Able to deploy new ZTNA subscriptions into existing Environments or create new Environments for such deployments.
Account Settings Manager - Configuration of non-product functions. In Enterprise Console, this includes common settings and environment renaming. In the Accounts portal, this includes the management of accounts and IdP federation.

A mapping algorithm was used to convert the historical “Global Admin” role into the new roles. Generally, administrators will have more than one new role, as the former “Global Admin” offered broad access.

Going forward the new roles will be applied via the following rules:

For a customer’s first order, the Technical Contact will be granted the Account Settings Manager role
Per order, the Technical Contact will be granted the Product Super Admin matching the product subscriptions

For complete details about administrator roles in Enterprise Console, see Manage Administrators in Enterprise Console