Understanding User Roles

Control Manager uses the following as the default user roles. Administrators cannot modify access permissions for the default user roles. A description for each role is available on the management console.

  • Administrator and DLP Compliance Officer

  • Administrator

  • DLP Compliance Officer

  • DLP Incident Reviewer

  • Operator

  • Power User

  • SSO Users

Control Manager also supports custom user roles. Custom user roles allow Control Manager administrators to specify which Control Manager web console menu items other users can access.

Note:

The Operator and Power User roles in previous versions do not have permissions to Policy Management menu items. After upgrading to this version, these two roles will have read-only permissions, which cannot be changed.

If a custom user role in a previous Control Manager version has permissions to Policy Management menu items, the role will have full control permissions after upgrading to the current release. You can change the permissions to "maintain" or "read-only". A custom user role without these permissions will continue to not have permissions after upgrading.

The following table shows all the features that each default user role can access.

Table 1. User Role Access

Menu Item

Administrator*

DLP Compliance Officer

DLP Incident Reviewer

Operator

Power User

Dashboard

Directories

Users/Endpoints

No permission

No permission

Products

No permission

No permission

Policies

Policy Management

No permission

No permission

Read only

Read only

Policy Resources

Policy Template Settings

No permission

No permission

No permission

No permission

DLP Data Identifiers

No permission

No permission

No permission

No permission

DLP Templates

No permission

No permission

No permission

No permission

Logs

New Ad Hoc Query

No permission

No permission

Saved Ad Hoc Queries

No permission

No permission

Log Aggregation

No permission

No permission

No permission

No permission

Log Maintenance

No permission

No permission

No permission

Reports

My Reports

No permission

No permission

One-time Reports

No permission

No permission

No permission

Scheduled Reports

No permission

No permission

No permission

Custom Templates

No permission

No permission

No permission

Report Maintenance

No permission

No permission

No permission

Updates

Manual Download

No permission

No permission

No permission

Scheduled Download

No permission

No permission

No permission

Component List

No permission

No permission

No permission

Deployment Plan

No permission

No permission

No permission

Scheduled Download Exceptions

No permission

No permission

No permission

Update / Deployment Settings

No permission

No permission

No permission

Administration

Account Management

My Account

No permission

No permission

User Accounts

No permission

No permission

No permission

No permission

User Roles

No permission

No permission

No permission

No permission

User Groups

No permission

No permission

No permission

No permission

Managed Servers

No permission

No permission

No permission

No permission

Command Tracking

No permission

No permission

No permission

Event Center

Event Notifications

No permission

No permission

No permission

No permission

General Event Settings

No permission

No permission

No permission

No permission

License Management

Control Manager

No permission

No permission

No permission

No permission

Managed Product

No permission

No permission

No permission

No permission

Administration

Settings

Agent Communication Schedule

No permission

No permission

No permission

No permission

Communication Time-out Settings

No permission

No permission

No permission

No permission

Proxy Settings

No permission

No permission

No permission

No permission

Web Console Settings

No permission

No permission

No permission

No permission

Smart Protection Network Settings

No permission

No permission

No permission

No permission

Product Agent Settings

No permission

No permission

Active Directory and Widget Settings

No permission

No permission

No permission

No permission

Parent Control Manager Settings

No permission

No permission

No permission

No permission

Suspicious Objects (including sub-menus)

No permission

No permission

No permission

No permission

Indicators of Compromise

No permission

No permission

No permission

No permission

Tools

No permission

No permission

No permission

No permission

Note:

The Administrator role and the following roles have the same access permissions:

Administrator and DLP Compliance Officer

SSO Users

Trend Micro suggests configuring user roles and user account settings in the following order:

  1. Specify which products/directories the user can access (step 4 of Editing a User Account).

  2. Specify which menu items the user can access. If the default user roles are not sufficient, see Adding a User Role or Editing a User Role.

  3. Specify the user role for the user's account (step 4 of the Editing a User Account).