Role-Based Access Control (RBAC) for SonicWall Cloud Secure Edge (CSE) — which encompasses both Secure Private Access (SPA) and Secure Internet Access (SIA) under a shared console — is centrally managed through SonicWall Unified Management (the successor to MySonicWall) and the classic MySonicWall (MSW) portal.
Managing admin identities, access levels, and tenant restrictions must be done within these central portals rather than the CSE console itself.
For modern CSE deployments, access is determined by the User Groups a user belongs to. There are only three functional access levels:
Admin: Full read and write capabilities within the CSE console.
Read-Only: Can view configurations, logs, and settings, but cannot make changes.
No Access: The user cannot view or log into the CSE tenant. This is the default state for any user who has not been added to a group with explicit CSE privileges.
The Principle of Least Privilege: SonicWall Unified Management and MSW strictly enforce the principle of least privilege. If a user is a member of multiple User Groups with conflicting permissions for CSE (e.g., one group grants "Admin" and another grants "Read-Only"), the minimum permission applies. To give a user Admin access, make sure they are not also placed in a restricted or Read-Only group.
Super Admins: Users designated as Super Admins automatically inherit full Admin access to all tenants and products within the organization account, regardless of specific User Group assignments. This includes all affiliated tenants. For more information, refer to the Assigning a Super Admin Role Guide.
The Default User Group: Every organization has a built-in "Default User Group". This group is hardcoded to have Admin permissions to all products and access to all native tenants (excluding affiliations). These permissions and tenant scopes cannot be changed. You can only modify which users are members of this Default User Group.
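The resolution rules above (No Access by default, minimum permission on conflict, Super Admin override) can be checked offline against a list of group memberships. The following is an added example, not SonicWall code or an export format of any SonicWall API. The group, user and tenant names are constructed, and it assumes that conflicts are resolved per tenant among the groups that both grant a CSE role and include that tenant.

```python
from enum import IntEnum

class Access(IntEnum):
    NO_ACCESS = 0
    READ_ONLY = 1
    ADMIN = 2

# Constructed sample data (hypothetical names). "cse": None means the group
# carries no explicit CSE privilege and is assumed not to affect the result.
GROUPS = {
    "CSE-Admins":     {"cse": Access.ADMIN,     "tenants": {"hq", "branch"}},
    "CSE-Auditors":   {"cse": Access.READ_ONLY, "tenants": {"hq", "branch"}},
    "CSE-Branch-Ops": {"cse": Access.ADMIN,     "tenants": {"branch"}},
    "Firewall-Only":  {"cse": None,             "tenants": {"hq"}},
}
USERS = {
    "alice": {"super_admin": True,  "groups": ["CSE-Auditors"]},
    "bob":   {"super_admin": False, "groups": ["CSE-Admins", "CSE-Auditors"]},
    "carol": {"super_admin": False, "groups": ["CSE-Branch-Ops"]},
    "dave":  {"super_admin": False, "groups": ["Firewall-Only"]},
}

def effective_access(user, tenant):
    """Return (Access, conflicting_group_names) for one user on one tenant."""
    u = USERS[user]
    if u["super_admin"]:  # Super Admins get Admin regardless of group assignments
        return Access.ADMIN, []
    grants = {g: GROUPS[g]["cse"] for g in u["groups"]
              if GROUPS[g]["cse"] is not None and tenant in GROUPS[g]["tenants"]}
    if not grants:  # no group with explicit CSE privileges for this tenant
        return Access.NO_ACCESS, []
    level = min(grants.values())  # least privilege: the minimum permission applies
    conflicts = sorted(grants) if len(set(grants.values())) > 1 else []
    return level, conflicts

def audit(tenants):
    """List (user, tenant, level, groups) rows where conflicting grants exist."""
    rows = []
    for user in sorted(USERS):
        for tenant in sorted(tenants):
            level, conflicts = effective_access(user, tenant)
            if conflicts:
                rows.append((user, tenant, level.name, conflicts))
    return rows

if __name__ == "__main__":
    for row in audit({"hq", "branch"}):
        print(row)
```

Rows returned by `audit` are the memberships to review when an intended Admin only has Read-Only access in the console.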
If you require an external Identity Provider (IDP) like Entra ID (Azure AD) or Okta for your administrators, do not configure this in the CSE console.
The admin IDP must be configured directly within Unified Management or MSW. Once federated with your IDP, user authentication and group mappings will cascade down to CSE automatically.
For instructions on configuring your IDP, please refer to the official SonicWall documentation:
KB Article: MySonicWall External IDP Integration
User Guide: Configuring an External Identity Provider
Affiliations are necessary when two different MSW/UM organizations need to give each other access to products or consoles. If you are an MSP or Partner managing customer environments and need access to their CSE tenant, you must use the Affiliations feature.
The Partner/MSP initiates an Affiliation request from their account to the Customer's account.
Unified Management Path: Navigate to Admin Settings > Users Access Management > User groups > Affiliations tab.
MSW Path: Navigate to My Workspace > User Groups > Affiliations tab.
The Customer's Super Admin approves the request.
Once established, the Partner can assign their own employees to User Groups that have access to the newly affiliated Customer tenant.
For complete step-by-step instructions, refer to the Initiating an Affiliation Guide.
All role assignments are handled by associating users with specific User Groups and defining the permissions of those groups. Instructions are provided below for both the new Unified Management interface and the classic MySonicWall (MSW) interface.
To make a user a CSE Admin, you can either add them to an existing administrative group (such as the default group) or create a new one.
In SonicWall Unified Management:
Navigate to Admin Settings > Users Access Management > User groups.
Select an existing group or click + New user group.
Add the target user(s) to the group.
In the group's permissions settings, locate the section for CSE/Cloud Secure Edge and select the Admin role.
Click Save.
In Classic MSW:
Navigate to My Workspace > User Groups.
Select an existing group or click the + icon to create a new User Group.
Click Add User, select the target user(s), and click Add.
Navigate to the Permissions section.
Locate the permissions for CSE/Cloud Secure Edge and select the Admin role.
Click Save.
To give a user Read-Only visibility (for auditing, compliance, or view-only troubleshooting), follow the steps below. Note: Ensure this user is not also in an Admin group, or the Principle of Least Privilege will cause conflicts.
In SonicWall Unified Management:
Navigate to Admin Settings > Users Access Management > User groups.
Create a new group or select an existing group intended strictly for view-only purposes.
Add the target user(s) to this group.
In the group's permissions settings, locate the section for CSE/Cloud Secure Edge and select the Read-Only role.
Click Save.
In Classic MSW:
Navigate to My Workspace > User Groups.
Create a new group or select an existing group intended for view-only purposes.
Click Add User and assign the target user(s) to this group.
Navigate to the Permissions section.
Locate the permissions for CSE/Cloud Secure Edge and select the Read-Only role.
Click Save.
If you manage multiple tenants and need to restrict a user's CSE access to specific environments, you must assign tenants at the group level.
In SonicWall Unified Management:
Navigate to Admin Settings > Users Access Management > User groups.
Click the Assign Tenants option above the User groups list.
Select the User group(s) you wish to restrict.
Select only the specific tenants the users in this group should have access to, then click Assign.
Alternatively, you can click into a specific User Group and edit its assigned tenants directly.
In Classic MSW:
Navigate to My Workspace > User Groups.
Select the specific User Group you wish to restrict.
Navigate to the Scope (or Tenant Assignment) section.
Set the Scope of Operation to Tenant.
Clear the global selection and check only the specific tenants the users in this group should have access to.
Click Save. Users in this group will now only see the selected tenants when logging into the CSE console.