It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Campus Barracuda Campus
Barracuda Cloud Control
Overview Documentation Materials

Understanding Entitlement Permissions and Roles

  • Last updated on

Barracuda Cloud Control permissions and roles are managed by each individual service. By default, not all services grant the same role.

When assigning an LDAP group entitlements via the Home > Admin > Groups page, users are assigned the default account rights based on the selected product.

See also: How to Add Entitlements via LDAP Group Membership and How to Add a User Group.

Barracuda Backup Appliance

By default, the user is granted account administrator rights when Backup is selected in the Product Entitlements section. To modify the user role, click Configure Permissions below Backup; the Configuration page displays where you can set the following options:

  • Turn on the Barracuda Email Notifications for this user:
    • Backup Summary Reports for each appliance daily – When turned on, a report is sent to this user each day between 8-9am.
    • Backup Detailed Reports for each backup job – When turned on, a report is sent to this user each time a backup job completes.
    • Alerts – When turned on, an alert is sent to this user if an error occurs during a backup job or if the Barracuda Backup appliance goes offline.
    • Notices – when turned on, a notice is sent to this user when the Barracuda Backup Server appliance is updated.
  • Authentication– To restrict the IP address from which this user is allowed to log in, enter a value in the Allowed IP Login Addresses field. Use a comma to separate multiple IP blocks or ranges.
  • Specify user Permissions:
    • Account Administrator – User has full access to all Barracuda Backup appliances within the account.
    • Barracuda Backup Appliance Administrator*  – User has full access to all selected Barracuda Backup appliances; user does not have edit or view user accounts access. When selected, the Backup Server Permissions section displays:
    • Operator* – User access is limited to viewing statistics and modifying backup configuration for selected Barracuda Backup Appliances. Operators cannot restore data or edit user accounts.

*For both Barracuda Backup Appliance Administrator and Operator permissions, you can grant or deny access to backup appliances. In the Grant Access To… section, use the Select All Backup Appliances checkbox to grant or deny access to backup appliances:

  • Select the checkbox to allow access to all backup appliances.
  • Clear the checkbox to view a list of backup appliances. Select only those appliances for which you want to grant access. 

Barracuda Web Security Service

By default, the user is granted administrator rights when Web Security is selected in the Product Entitlements section. The administrator role has all permissions and is the only role that can create policies. The Limit Access To setting does not apply to this role. To modify the user role, log in to the Barracuda Web Security Gateway web interface. The following roles are available:

  • Read Only – User has read-only permissions on all tabs, and can run, but not schedule, reports. The Limit Access To setting does not apply to this role.
  • Manage – User has read-only permissions on the Dashboard and Log pages, can view and schedule reports, and can create exceptions on the  BLOCK/ACCEPT > Exceptions  page. The Limit Access To setting applies.
  • Monitor – User has read-only permissions on the Dashboard and Log pages, and can view and schedule reports. The Limit Access To setting applies.
  • Support – User has read-only permissions on the Dashboard, Log, and Reports pages. User can create exceptions on the  BLOCK/ACCEPT > Exceptions page.

Email Gateway Defense

By default, the user is granted domain administrator rights when Email Gateway Defense is selected in the Product Entitlements section. The domain administrator can view message content (if privacy settings allow) for designated domains, enable/disable per-user quarantine at the domain level, and, if per-user quarantine is disabled, specify a global quarantine email address for designated domains. Additionally, the domain administrator can enable/disable some default user features for new accounts and designated domains. To modify the user role, log into the Barracuda Email Security Gateway web interface. The following roles are available:

  • User Role – User has the following permissions:
    • Modify individual settings for quarantine, spam tag, and block levels;
    • Manage quarantine inbox including mark as spam/not spam, deliver, mark as safe, and delete quarantined messages;
    • Change password (if Single Sign-On authentication is not configured);
    • Create allow lists and block lists for email addresses and domains; and
    • Manage a personal Bayesian database.
  • Helpdesk Role – User has all User Role permissions. Additionally, user can:
    • Change or update user account settings in the domain(s) to which the helpdesk user is assigned, which includes users spam scoring, allow or block, quarantine enable/disable, notification and Bayesian filtering settings;
    • View the Message Log for the domain(s) managed and deliver quarantined messages;
    • Log into an account with lesser permissions and manage the associated quarantine inbox including mark as spam/not spam, deliver, allow and delete quarantined messages;
    • View domain-level status and reports (excluding the daily False Positive and False Negative, which can only be generated at the global level by the administrator); and

    • Edit account roles for account holders with lesser permissions.

      The Helpdesk role has the above permissions for all domains configured on the Barracuda Email Security Gateway if Managed domains on the USERS > Account View > Edit Role page for this account holder includes all_domains.

      Additionally, a Helpdesk account holder with all_domains permission can:

      • Change the role of a Helpdesk account holder to the User role if that Helpdesk account holder does not have all_domains permissions, and
      • Log into and manage the quarantine inbox of a Helpdesk or a Domain Admin who does not have all_domains permissions.

      If the Helpdesk account holder only administers a subset of all domains configured on the Barracuda Email Security Gateway, only those domains display in the DOMAINS page.

  • Governance, Risk Management and Compliance (GRC) Account Role – User has access to Outbound Quarantine logs, and can take the following actions with outbound quarantined messages:
    • Deliver – GRC determines that the message is allowed, per policy.
    • Reject  – GRC determines that the message is not allowed for delivery, per policy. If the Admin has configured it on the ADVANCED > Bounce/NDR Settings page, this action sends a bounce message to the sender.
    • Delete  – GRC determines that the message is not allowed for delivery. The message is removed from the Outbound Quarantine log.
Note

For each Barracuda Cloud Control account, use only one of the following email protection products:

  • Barracuda Email Security Gateway linked appliance
    - OR -
  • Email Gateway Defense subscription

Barracuda Message Archiver

By default, the user is granted user rights when Archiver is selected in the Product Entitlements section. To modify the user role, log in to the Barracuda Message Archiver web interface. The following roles are available:

  • User  – User can search and view messages accessible to the account, either because the username for the account is also that of the sender or recipient of a message, or because it has been given explicit access to view an email address via Alias Linking. Additionally, user can download enabled add-ins and tools and view the Task Manager.

  • Auditor  –User can create and activate policies , and view, search, and export any messages to/from the domains to which they have access. Additionally, Auditors can save and name an Advanced search for re-execution at a later time from the Saved Searches tab.

    To create a Domain Auditor (an auditor with access to only a subset of the domains on your Barracuda Message Archiver), set the role to Auditor and specify at least one domain. If no domains are specified, then all messages in the entire Barracuda Message Archiver are accessible. No auditor account has access to any system or network configuration information on the Barracuda Message Archiver.

  • IT Admin – User can modify system and network configuration settings, and has no access to policies or any messages on the Barracuda Message Archiver.
  • Admin – User can view all items from any user, not just those listed for the account. Additionally, user can create and activate policies, and can make other system or network changes.

Barracuda Cloud Archiving Service

By default, the user is granted user rights when Archiver is selected in the Product Entitlements section. To modify the user role, log in to the Barracuda Cloud Archiving Service web interface. The following roles are available:

  • User – User can search and view messages accessible to the account, either because the username for the account is also that of the sender or recipient of a message, or because it has been given explicit access to view an email address via Alias Linking. Additionally, user can download enabled add-ins and tools and view the Task Manager.

  • Auditor – User can create and activate policies, and view, search, and export any messages to/from the domains to which they have access. Additionally, Auditors can save and name an Advanced search for re-execution at a later time from the Saved Searches tab.

    To create a Domain Auditor (an auditor with access to only a subset of the domains on your Barracuda Cloud Archiving Service), set the role to Auditor and specify at least one domain. If no domains are specified, then all messages in the entire Barracuda Cloud Archiving Service are accessible. No auditor account has access to any system or network configuration information on the Barracuda Cloud Archiving Service.

  • Admin  – User can view all items from any user, not just those listed for the account. Additionally, user can create and activate policies, and can make other system or network changes.

Barracuda Vulnerability Manger

By default, the user is granted administrator rights when Vulnerability Manager is selected in the Product Entitlements section. Administrator is the only role for this service.

Barracuda Appliance Control

By default, the user is granted account administrator rights when Appliance Control is selected in the Product Entitlements section and can perform all actions except those related to other users. If this user is granted User Management privileges, the user can add, modify, and remove users, and can set the following permissions:

  • View Dashboard Only – User can view statistics.

  • View Reports, Logs, and Dashboard Only – User can create and view reports, and view logs and statistics.

    Note that this user will not be able to access Barracuda Cloud Protection Layer (CPL). The user must have Barracuda Appliance Control All Actions or Account Admin privileges to access CPL.

  • All Actions – The account can perform all actions except those related to other users.
Previous Article Next Article