In addition to the CLP administrator that has full access to the management console, Cloud App Security supports customizing administrative roles to grant limited access to users or groups that they need to perform their tasks. For example, specify a role to let one view and manage only Advanced Threat Protection policies, while another can view the existing Data Loss Prevention policies without having the ability to edit them. This enables more fine-grained, role-based access control and lowers the risk of corporate data exposure to attackers.
Cloud App Security comes with a default global administrator role that has unrestricted permissions, and up to four custom roles that you can create to fit the specific needs of your organization. Cloud App Security role-based access control provides the following:
Define a role by specifying permissions for it and optionally adding users or groups as members.
Create an administrator account by adding a user and assigning an appropriate role to it.
Only a user with the global administrator role can add an administrator account, create a custom role, and assign users or groups to the role.