Create Roles for Restricted Administrators
To create roles for a restricted admin:
Go to Settings > Administration > Roles.
Click Create New.
Provide a Role name and, if desired, a description. The role type is set to Read Only by default.
Specify the list of users and/or groups the admin will have access to.
Allow access to file content. This allows admins to download, preview, and view files from API-enabled Protection and Forensics.
Optionally, choose whether to obfuscate no fields or specific fields. Obfuscation is a form of data masking used for security reasons. Enable it to hide sensitive data in the UI. This only applies to the Events, API-enabled Protection, Reports, Forensics, and Malware functional areas.
In the example above, the IT group is chosen. The IT group is the Active Directory Group exported to the tenant instance in the Netskope cloud using AD Importer. You can also choose individual users. Other options include:
Obfuscate None: If you choose this option, restricted admins who are assigned this role can see sensitive data such as username, source IP, etc.
Specific Fields: Select this option to mask the following information from users: User names and IPs, Source location information, File and object names, App names, URLs, and Dest IPs.
Scope: If you choose a specific list of Users, Groups, or App Instances under Scope, a restricted admin who is assigned this role can only view the data pertaining to those users or the specific Active Directory group, such as viewing cloud app usage for these users, creating reports for these users, etc. Restricted admins cannot view data of other users who are not part of this group.
Note
Users and groups can be automatically populated from Microsoft Active Directory. This requires an AD Importer to be installed on the AD server, or on a member server that can export the AD usernames and group names to your tenant instance in the Netskope cloud.
For Scope, select All events or select specific events. Selecting this option restricts the scope of data shown in the UI. This only applies to the Events, Reports, Forensics, and Malware functional areas.
Click Create.
Now you can assign a role to a restricted admin.