Enterprise Threat Protector roles

These roles are available for Enterprise Threat Protector (ETP). Contact your Control Center administrator to assign one of these roles.
Role Role Permission in Control Center Description
Super Administrator etpAdmin Can perform all operations, view all reports, and see all reporting data in ETP.
Delegated Administrator etpDelegatedAdmin A delegated administrator can:
  • Create locations, sub-locations, policies, and custom lists
  • Manage assigned locations, sub-locations, policies, and custom lists.

    A delegated administrator cannot change the IP addresses or CIDR blocks that are configured to an assigned sub-location.

  • View locations, sub-locations, policies, and custom lists created by other administrators
  • Deploy assigned locations, sub-locations, policies, and custom lists, as well as locations, sub-locations, policies, and custom lists they created

For more information, see Delegated access.

If the delegated access feature is enabled in ETP, a super administrator can assign the delegated administrator role to an ETP user.

For more information, see Assign a delegated administrator role.
Tenant Administrator

(formerly called a strict delegated administrator)

etpStrictDelegatedAdmin A tenant administrator can:
  • Create locations, sub-locations, policies, and custom lists
  • Manage assigned locations, sub-locations, policies, and custom lists

    A tenant administrator cannot change the IP addresses or CIDR blocks that are configured to an assigned sub-location.

  • Deploy assigned locations, sub-locations, policies, and custom lists, as well as locations, sub-locations, policies, and custom lists they created

For more information, see Tenant access.

If the tenant access feature is enabled in ETP, a super administrator can assign this role to an ETP user. For more information, see Assign a tenant administrator role.
Report Viewer etpReportViewer Can view reports and reporting data in ETP. A report viewer cannot view configuration settings.

By default, a report viewer cannot see the DNS Activity, Summary of Proxy Activity, Proxy Activity, and Identity Provider Activity reports. The etpRestrictedPageViewRole permission is required to view these reports.
Viewer etpViewer Has read-only privileges. A viewer can view report data and configuration settings.

By default, a viewer cannot see the DNS Activity, Summary of Proxy Activity, Proxy Activity, and Identity Provider Activity reports. The etpRestrictedPageViewRole permission is required to view these reports.
etpRestrictedPageViewRole Grants access to the DNS Activity, Proxy Activity, Summary of Proxy Activity, and Identity Provider Activity reports. This is a permission that your Control Center administrator can assign to any ETP role. Unlike other permissions in ETP, this permission cannot be the only one assigned to an ETP user. For example, your Control Center administrator cannot create a role that only has this permission assigned. If you want a Report Viewer to also see these reports, make sure your administrator assigns this additional permission to the user.