Roles control the areas of the Skyhigh CASB user interface or Skyhigh Cloud Connector or Cloud Firewall that a user can view or access. You can set your role-based access control (RBAC) levels to restrict certain users from sensitive areas of the system or to create workflows for users with dedicated responsibilities. All users must have at least one role; users can have multiple roles at once.
You can also give functions of roles Read Only or Manage access. Learn more in About Read Only vs Manage Access.
Once a user has been assigned a role, that user cannot change or manage users who have different roles assigned, including User Managers. This prevents users with a lower access level from making changes to users with higher access levels, and also prevents users with more broad access from improperly granting access to other users. A trusted user with all roles assigned can make changes to other users' access to all areas.
The Primary User is the account administrator and main point of contact for upgrades and ordering for all Skyhigh Security services. To make someone else the primary user, please contact Skyhigh Security Support.
By default, Administrators are able to configure Structured App CSPs, CASB Connect Apps, IaaS deployments, and so on. Additionally, Admins can manage and create users, and have access to the Audit Log. They also have access to Activity Settings and Anomaly Settings.
Setting Setup & Configuration allows only read access to cloud service configurations. Setting User Manager to Read Only allows an Admin to view users, but not modify any account.
Administrators cannot be assigned to or subject to Data Jurisdiction restrictions.
Users with the User Manager role can make tenant-level changes that affect the information seen by other Skyhigh CASB users. User Managers can:
Given the access to make tenant-level changes, User Managers cannot be assigned to or subject to Data Jurisdiction restrictions.
Users with the Policy Management role interact with the rules-based portions of the product, including those listed in the previous column.
Users with this role can also manage the settings that govern policies.
Policy Managers cannot be assigned to or subject to Data Jurisdiction restrictions.
Users with the Incident Manager role can access the pages listed in the previous column.
Usage Analytics User
Users with the Usage Analytics User role can access these pages:
|Cloud Security Advisor Dashboard Manager
|Cloud Security Advisor
|The Cloud Security Advisor Dashboard Manager role is required to take waivers and credits for Visibility and Control metrics in the Cloud Security Advisor.
Custom Apps Owner
The Custom Apps Owner role can only be assigned once a user has another role configured. It's not standalone.
|View detokenized user names
|Instead of random tokens, a user with this access can view user names. The Detokenization Privilege can only be assigned once a user has another role configured. It cannot be assigned as a standalone role.
Cloud Connector User
Users must have the Cloud Connector User role to configure Cloud Connector. The Cloud Connector User role can be assigned separately from the Admin dashboard. So, the User must have an Admin role to access the Cloud Connector option under Settings > Infrastructure in Skyhigh CASB.
Skyhigh Security Service Edge Hybrid (WPS2) license users can also access Cloud Connector option under Settings > Infrastructure. For details, see Cloud Connector User Role for SSE Hybrid Users.
|Skyhigh Security Integrations
|The Trellix ePO Connector role allows the user to set up integrations between Trellix ePolicy Orchestrator and Skyhigh CASB.
|Cloud Firewall user
|Skyhigh Cloud Firewall
Users with Cloud Firewall Administrator role can manage and create users, and have access to the Audit Log. They also have access to Web Gateway setup and Client Proxy Management.
Users with the Cloud Firewall Policy Management role interact with the rules-based portions of the product in the Cloud Firewall policy page and the list catalog associated with the Cloud Firewall page.