Manage CSE Admins via MySonicWall
Important: Cloud Secure Edge orgs are provisioned in MySonicWall or SonicWall Unified Management. Admin identities, access levels, and tenant restrictions must be managed within those central portals and not within the CSE console itself. The sections below cover the recommended workflow. If your org is not managed through MySonicWall or Unified Management, refer to the legacy admin management docs.
Role-Based Access Control (RBAC) for CSE, which encompasses both Secure Private Access (SPA) and Secure Internet Access (SIA) under a shared console, is centrally managed through SonicWall Unified Management (the successor to MySonicWall) or the MySonicWall (MSW) portal.
Roles and corresponding access levels
For modern CSE deployments, access is determined by the User Group a user belongs to. There are only three functional access levels:
- Admin: Full read and write capabilities within the CSE console.
- Read-Only: Can view configurations, logs, and settings, but cannot make changes.
- No Access: The user cannot view or log into the CSE tenant. This is the default state for any user who has not been added to a group with explicit CSE privileges.
Permissions rules
- Principle of Least Privilege: SonicWall Unified Management and MSW strictly enforce the principle of least privilege. If a user is a member of multiple User Groups with conflicting permissions for CSE (e.g., one group grants “Admin” and another grants “Read-Only”), the minimum permission will apply. To ensure that a user has Admin access, verify that they are not also placed in a restricted or Read-Only group.
- Super Admins: Users designated as Super Admins automatically inherit full Admin access to all tenants and products within the organization account, regardless of specific User Group assignments. This includes all affiliated tenants.
- The Default User Group: Every organization has a built-in “Default User Group”. This group is hardcoded to have Admin permissions to all products and access to all native tenants (excluding affiliations). Note that these permissions and tenant scopes cannot be changed; you can only modify which users are members of this Default User Group.
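The rules above can be checked offline against a list of group memberships before changing anything in the portal. The following is an added example, not SonicWall code: it resolves each user's effective CSE access per tenant and lists users whose Admin grant is overridden by another group. The data layout, group names and tenant names are constructed, and applying the minimum only across groups whose scope includes the tenant is an assumption.

```python
from enum import IntEnum

class Access(IntEnum):
    NO_ACCESS = 0
    READ_ONLY = 1
    ADMIN = 2

# Constructed sample data; field names are hypothetical, not a SonicWall export format.
NATIVE_TENANTS = {"tenant-a", "tenant-b"}   # "tenant-x" below stands for an affiliated tenant
GROUPS = {
    # Built-in group: Admin on all native tenants, affiliations excluded.
    "Default User Group": {"cse": Access.ADMIN, "tenants": "native"},
    "CSE Auditors": {"cse": Access.READ_ONLY, "tenants": {"tenant-a"}},
    "CSE Operators": {"cse": Access.ADMIN, "tenants": {"tenant-a", "tenant-b"}},
}
USERS = {
    "alice": {"super_admin": False, "groups": ["CSE Operators", "CSE Auditors"]},
    "bob": {"super_admin": False, "groups": ["CSE Operators"]},
    "carol": {"super_admin": True, "groups": ["CSE Auditors"]},
    "dave": {"super_admin": False, "groups": []},
    "erin": {"super_admin": False, "groups": ["Default User Group", "CSE Auditors"]},
}

def group_covers(group, tenant):
    """True if the group's tenant scope includes this tenant."""
    scope = group["tenants"]
    return tenant in NATIVE_TENANTS if scope == "native" else tenant in scope

def effective_access(user, tenant):
    """Return (access, grants); grants maps each applicable group to its CSE role."""
    if user["super_admin"]:
        return Access.ADMIN, {}          # Super Admin ignores group assignments
    grants = {g: GROUPS[g]["cse"] for g in user["groups"]
              if group_covers(GROUPS[g], tenant)}
    if not grants:
        return Access.NO_ACCESS, grants  # default state without an explicit grant
    # Assumption: the minimum is taken over groups scoped to this tenant.
    return min(grants.values()), grants

def downgraded_admins(tenant):
    """Users holding an Admin grant who end up below Admin because of another group."""
    flagged = []
    for name, user in sorted(USERS.items()):
        access, grants = effective_access(user, tenant)
        if Access.ADMIN in grants.values() and access < Access.ADMIN:
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    for tenant in ("tenant-a", "tenant-b", "tenant-x"):
        print(tenant, {u: effective_access(d, tenant)[0].name for u, d in USERS.items()},
              "downgraded:", downgraded_admins(tenant))
```
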
Setting up admin IDP
Important: If you require an external Identity Provider (IDP) like Entra ID (Azure AD) or Okta for your admins, do not configure this in the CSE console. Admin IDP must be configured directly within Unified Management or MSW. Once federated with your IDP, user authentication and group mappings will cascade down to CSE automatically.
For instructions on configuring your IDP, refer to the official SonicWall documentation:
Partner Access via Affiliations (MSPs/Resellers)
Affiliations are necessary when two different MSW/UM orgs need to give each other access to products or consoles. If you are an MSP or Partner managing customer environments and need access to their CSE tenant, you must use the Affiliations feature.
- The Partner/MSP initiates an Affiliation request from their account to the Customer’s account.
  - MSW Path: Navigate to My Workspace > User Groups > Affiliations tab.
- The Customer’s Super Admin approves the request.
- Once established, the Partner can assign their own employees to User Groups that have access to the newly affiliated Customer tenant.
Steps to Configure Admin Access in Cloud Secure Edge
All role assignments are handled by associating users with specific User Groups and defining the permissions of those groups. Steps are provided below for both the new Unified Management interface and the MySonicWall interface.
1. Granting Full Admin Access
To make a user a CSE Admin, you can either add them to an existing admin group (such as the default group) or create a new one.
In MySonicWall:
- Navigate from My Workspace > User Groups.
- Select an existing group or select the + icon to create a new User Group.
- Select Add User, select the target user(s), and select Add.
- Navigate to the Permissions section. Select Edit at the top of the Permissions tab.
- Locate the permissions for CSE/Cloud Secure Edge, and select the Admin role.
- Select Done to save your changes.
2. Granting Read-Only Access
To give a user Read-Only visibility (for auditing, compliance, or view-only troubleshooting):
Note: Ensure this user is not also in an Admin group, or the Principle of Least Privilege will cause conflicts.
In MySonicWall:
- Navigate from My Workspace > User Groups.
- Create a new group or select an existing group intended for view-only purposes.
- Select Add User and assign the target user(s) to this group.
- Navigate to the Permissions section. Select Edit at the top of the Permissions tab.
- Locate the permissions for Cloud Secure Edge, and select the Read-Only role.
- Select Done to save your changes.
3. Scoping access to specific tenants (multi-tenant environments)
If you manage multiple tenants and need to restrict a user’s CSE access to specific environments, you must assign tenants at the group level.
In MySonicWall:
- Navigate from My Workspace > User Groups.
- Select the specific User Group you wish to restrict.
- Navigate to the Scope (or Tenant Assignment) section.
- Set the Scope of Operation to Tenant.
- Clear the global selection and check only the specific tenants the users in this group should have access to.
- Select Save. Users in this group will now only see the selected tenants when logging into the CSE console.