- Create locations, sub-locations, policies, and custom lists
- Manage the locations, policies, and custom lists that a super administrator has allowed them to access. If a tenant administrator is assigned a sub-location, they can modify only the policy that is assigned to the sub-location. They cannot change the IP address or CIDR ranges that are configured for the sub-location.
- Assign locations and custom lists that they created or are allowed to manage in a policy. A tenant administrator can assign these locations and custom lists to a policy they are permitted to access. If a location contains sub-locations, the sub-locations are also assigned.
- Deploy locations, sub-locations, policies, and custom lists they created or modified.
- View and analyze DNS event data on the Dashboard, threat, access control, and DNS Summary reports based on assigned locations.
- Schedule a report. Report results are based on the locations that the tenant administrator is allowed to access.
- Add email addresses for alert and system issues communication emails. A tenant administrator can add email addresses, but they can only select that users receive alert and system issue communication emails. For the data that’s reported in an alert communication, a tenant administrator can associate the locations they are allowed to manage.
- View the settings associated with
locations, policies, and custom lists that they did not create or that they are
not allowed to access.
If a tenant administrator is assigned a sub-location and not the parent location, the tenant administrator has read-only access to the parent location.
- View settings on other configuration pages.
- Access the ETP Client, Error Pages, Custom Responses, Security Connector, Certificates, and Deployment History. A tenant administrator can access the Communication and the Scheduled Reports pages to add email addresses and schedule reports.
- View HTTP or HTTPS threat events on the Dashboard and event reports.
- View network traffic and security connector activity.
- Tenant administrator access to a deleted location, policy, or custom list is automatically removed after a super administrator makes a tenant access change. If the super administrator makes a change before the deletion is deployed, the tenant administrator cannot deploy it. In this case, the tenant administrator must contact an ETP super administrator to deploy the deleted location, policy, or custom list.
- If the pending change list includes modifications for lists that are both accessible and not accessible to the tenant administrator, the tenant administrator cannot deploy any of these changes. This includes changes associated with lists they are allowed to access. To deploy these changes, the tenant administrator must contact an ETP super administrator.
After you assign specific locations, sub-locations, policies, and custom lists to a tenant administrator, as a super administrator, you can filter data in your view to see what’s visible to a specific tenant administrator. For more information, see Show data available to a tenant administrator.