Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 7 replies
  • Answers 1 answer
  • Subscribers 9 subscribers
  • Views 2135 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Advice regarding Sophos Central and "Server Protection"

Mark Smith6

Our desktop estate as been protected by Central for some months but we've recently started testing some of the Microsoft Windows server estate. We're having a number of issues currently as the Desktop estate is managed by a different team from the server estate and there's a risk one party or the other could make a change that impacts each other.  

It looks like the role based access is fairly limited and we practically need Admin rights to be able do the tasks we need to. Could somebody help answer/clarify these queries please?

 

Is there a way to provide console/admin access just over the "Server" elements, more specifically?

1. What permission(s) are needed to be able to add/amend Groups?

2. What permission(s) are needed to be able to add/amend/assign policies? 

 

Is there a way to separate the "Admin" tasks for example Desktop Admins are only able to amend/assign policies to the desktop machines and Server Admins are only able to amend/assign policies to the server machines?

 

Thanks in advance for any assistance/responses. 

 



This thread was automatically locked due to age.
  • 0

    Hi  

    The feature which you need is available in the role management under global settings. You can add the customer role where one user can have access to server protection only where he has admin rule for server protection product but he can't change anything in the other product group.

    Please make sure you have one user that is in super admin rule, so when you want to change any role for any of the users, you can do that without any issues.

    Please refer to this document which has information regarding this topic.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support
    Sophos Support VideosKnowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link

  • 0 in reply to Jasmin

    Hi Jasmin, 

     

    Thanks for your reply and assistance. That is what we've done already, the current new role for Server admin has these permissions:

    However, it cannot amend/create any new policies and I'm told if they tick the box in here for "Access policy management" it will allow access to all policies, not just the server ones. IS that correct or because this role only has the "server protection" enabled we'll only be able to administer those policies?

    Additionally I'm unable to create/manage Groups. If I go in to "Server Protection - Server - Server Groups" Then I can see a single group that's been created but cannot manage membership of it and there's no option to add any other groups. 

     

     

  • +1 in reply to Mark Smith6

    Hi  

    As per the screenshot, you choose Help Desk as the Base role, administrators with the custom role have Help Desk permissions, hence it will have read-only access for all settings in Sophos Central. You can restrict access for a custom role to a specific product. This custom role allows any administrators assigned to this role to access Server Protection with Help Desk permissions

    Shweta

    Community Support Engineer | Sophos Technical Support
    Are you a Sophos Partner? | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
    The New Home of Sophos Support Videos! - Visit Sophos Techvids
  • 0 in reply to Shweta

    Hi Shweta, 

    Just to confirm the base role should be "FULL" and then because we only select the "Server Protection" with access then we'll be able to add/amend policies and server groups?

    Unfortunately I cannot test it so need to raise a request with the relevant team first. 

    Thanks

    Mark

  • 0 in reply to Mark Smith6

    Hi  

    You just need to enable the policy management in the global settings for Sophos central admin which will allow you to edit, apply policies to users and also will allow you to manage user, machine groups. I tested it and please refer my settings below which I kept for the user:

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support
    Sophos Support VideosKnowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link

  • 0 in reply to Jasmin

    Hi Jasmin,

    Won't that give the person in the "Server role" access to all of the policies though, including the "Desktop" ones? That's my current problem. 

     

    I've now had the base permission changed to "FULL" and can add and amend server policies but not fully. I.e. I can't see any way to add an exclusion. If I look at the global exclusions it says to do it for an individual or group of devices to do it in the Policy but there's no option. 

    Is that my permissions? 

     

    Also I'm still not able to manage the server groups? There's just no buttons to add/delete them and I can't change membership of the one that's there. 

     

    Thanks for all the help so far, it's appreciated. 

     

     

     

  • +1 in reply to Mark Smith6

    Hi  

    Global exclusions and other shared features will not work till endpoint, server both have full access for that user.

    Unfortunately, it is also applicable to server groups as well. You can only edit the server groups if you have full access to endpoint protection.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support
    Sophos Support VideosKnowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link

Unfiltered HTML