Apex Central provides default user roles that you can assign to user accounts. User roles define which areas of the Apex Central web console a user can access and control. Although you can add access rights to a default user role, you cannot remove any of the predefined access rights from a default user role.


Only the <Root> account created during installation, or user accounts that have been assigned the Administrator or Administrator and DLP Compliance Officer user role, can create new user accounts and assign user roles.

For more information about adding or editing custom user roles, see the following topics:

The following table describes the default roles available on the User Roles screen.



Administrator_and_DLP Compliance_Officer

  • Can perform all actions on all menu items

  • Can monitor, review, and investigate DLP incidents triggered by any Active Directory user


  • Can perform all actions on all menu items

  • Cannot monitor, review, or investigate DLP incidents triggered by any Active Directory user


  • Can perform all actions on the Dashboard

  • Can monitor, review, and investigate DLP incidents triggered by any Active Directory user


This user role is only available to Active Directory users or groups.


  • Can perform all actions on the Dashboard

  • Can only monitor, review, and investigate DLP incidents triggered by Active Directory users that report to the DLP Incident Reviewer


This user role is only available to Active Directory users or groups.

For more information, see the following topics:


  • Can perform all actions on all the Dashboard and Directories menu items

  • Can perform log queries, view reports generated and sent by other users, and update user account information

  • Can only view information on the Policy Management screen

  • Cannot monitor, review, or investigate DLP incidents triggered by any Active Directory user


  • Can perform all actions on all the Dashboard and Directories menu items

  • Can perform log queries, maintain logs, and generate and maintain reports

  • Can only view information on the Policy Management screen

  • Cannot monitor, review, or investigate DLP incidents triggered by any Active Directory user


  • Can view information on all menu items and update user account information

  • Can perform all actions on the Dashboard

  • Can perform log queries, generate reports, create custom report templates, search directories, and create and use custom tags/filters to manage the User/Endpoint Directory tree

  • Cannot view reports generated by other users


  • Can perform all actions on all menu items

  • Cannot monitor, review, or investigate DLP incidents triggered by any Active Directory user


This user role is hidden by default.


  • Can investigate security threat incidents on managed endpoints/servers


The Operator and Power User roles in previous versions do not have permissions to perform actions on Policy Management menu items. After upgrading to this version, these two roles will have read-only permissions, which cannot be changed.