Understanding Permissions and Roles

This page is a reference guide for all privileges, product entitlement roles, and permissions available in Barracuda Cloud Control (BCC). For step-by-step instructions on assigning these to users, see How to Manage Users.

BCC permissions and roles are managed by each individual service. By default, not all services grant the same role. When assigning an LDAP group entitlements via the Settings > Admin > Groups page, users are assigned the default account rights based on the selected product.

See also: How to Add Entitlements via LDAP Group Membership and How to Add a User Group.

BCC Privileges

BCC privileges control account-level access. These are set on the Settings > Users > User Details page.

  • User Management – User can add, remove, and edit user accounts on the BCC account. This privilege is also required to connect appliances via Barracuda Appliance Control. If a user has User Management privileges, their Appliance Control user role is automatically set to Account Admin.

  • Billing Administration – User can update account billing information.

Users without either privilege can still access products enabled in their Product Entitlements, but cannot manage other users or billing.

Barracuda Appliance Control

By default, a user is granted Account Admin rights when Appliance Control is selected in the Product Entitlements section and the user has User Management privileges. If the user does not have User Management privileges, they are assigned No Permissions by default.

To modify the user role, click Configure Permissions below Appliance Control on the user's Product Entitlements page. The following roles are available:

  • Account Admin – The user has User Management privileges on BCC. Can manage users and connect/disconnect devices to Appliance Control. This role is set automatically when User Management is enabled.

  • All Actions – The user can perform all actions except those related to user management.

Note: A user must have All Actions or Account Admin privileges to access Barracuda Cloud Protection Layer (CPL).

  • View Reports, Logs, and Dashboard Only – The user can create and view reports, view logs, and view the Dashboard of connected Barracuda Networks devices. This user cannot access CPL.

  • View Dashboard Only – The user can only view the Dashboard of connected Barracuda Networks devices. This user cannot access CPL.

  • No Permissions – Default role for users without User Management privileges. The user does not have access to any devices under Appliance Control.

Device Access

All devices connected to the account display in the Access field. Select one or more devices to which the user has access. Account Admins have access to all devices on the account.

Group Permissions

Add a user to a group to set device permissions based on the group settings. See How to Add a User Group.

Effective Permissions

The Effective Permissions display shows the resulting permissions based on both User Permissions (role and device access) and Group Permissions.

Barracuda Backup Appliance

By default, a user is granted Account Administrator rights when Backup is selected in the Product Entitlements section. To modify the user role, click Configure Permissions below Backup on the user's Product Entitlements page. The following roles are available:

  • Account Administrator – User has full access to all Barracuda Backup appliances within the account.

  • Barracuda Backup Appliance Administrator* – User has full access to selected Barracuda Backup appliances. User cannot edit or view other user accounts. When selected, the Backup Server Permissions section displays.

  • Operator* – User access is limited to viewing statistics and modifying backup configuration for selected Barracuda Backup appliances. Operators cannot restore data or edit user accounts.

*For both Barracuda Backup Appliance Administrator and Operator, you can grant or deny access to specific backup appliances. In the Grant Access To section:

  • Select the Select All Backup Appliances checkbox to grant access to all appliances.

  • Clear the checkbox to view a list of appliances and select only those for which you want to grant access.

Email Notifications

You can configure the following email notifications for Backup users:

  • Backup Summary Reports for each appliance daily – A report is sent each day between 8–9am.

  • Backup Detailed Reports for each backup job – A report is sent each time a backup job completes.

  • Alerts – An alert is sent if an error occurs during a backup job or if the Barracuda Backup appliance goes offline.

  • Notices – A notice is sent when the Barracuda Backup Server appliance is updated.

IP Login Restrictions

To restrict the IP address from which a user can sign in, enter a value or range of values in the Allowed IP Login Addresses field. Use a comma to separate multiple IP blocks or ranges.
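The following is an added example, not Barracuda code: a way to review a candidate value for the Allowed IP Login Addresses field before saving it, by checking which source addresses it admits and flagging entries that cover large address spaces. It assumes entries are single addresses, CIDR blocks, or start-end ranges (this page does not specify the exact syntax the field accepts), and the function names and the 256-address review threshold are hypothetical.

```python
import ipaddress

# Constructed sample value for the Allowed IP Login Addresses field (documentation ranges).
SAMPLE_FIELD = "203.0.113.10, 198.51.100.0/24, 192.0.2.16-192.0.2.31, 10.0.0.0/8"

def parse_allowed(field):
    """Turn a comma-separated allowlist into a list of ip_network objects."""
    networks = []
    for entry in (e.strip() for e in field.split(",")):
        if not entry:
            continue  # tolerate a trailing comma
        if "-" in entry:  # assumed start-end range syntax
            start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
            if start.version != end.version or start > end:
                raise ValueError(f"invalid range: {entry}")
            networks.extend(ipaddress.summarize_address_range(start, end))
        else:  # single address or CIDR block
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks

def is_allowed(source_ip, networks):
    """True if source_ip falls inside any allowlisted network."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr.version == n.version and addr in n for n in networks)

def broad_entries(networks, max_addresses=256):
    """Networks covering more than max_addresses, worth a second look."""
    return [str(n) for n in networks if n.num_addresses > max_addresses]

if __name__ == "__main__":
    nets = parse_allowed(SAMPLE_FIELD)
    for ip in ("192.0.2.20", "192.0.2.32", "203.0.113.11"):
        print(ip, "allowed" if is_allowed(ip, nets) else "denied")
    print("review:", broad_entries(nets))
```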

Barracuda Web Security Service

By default, a user is granted Administrator rights when Web Security is selected in the Product Entitlements section. The Administrator role has all permissions and is the only role that can create policies. The Limit Access To setting does not apply to this role. To modify the user role, sign in to the Barracuda Web Security Gateway web interface. The following roles are available:

  • Read Only – User has read-only permissions on all tabs, and can run but not schedule reports. The Limit Access To setting does not apply.

  • Manage – User has read-only permissions on the Dashboard and Log pages, can view and schedule reports, and can create exceptions on the BLOCK/ACCEPT > Exceptions page. The Limit Access To setting applies.

  • Monitor – User has read-only permissions on the Dashboard and Log pages, and can view and schedule reports. The Limit Access To setting applies.

  • Support – User has read-only permissions on the Dashboard, Log, and Reports pages. User can create exceptions on the BLOCK/ACCEPT > Exceptions page.

Email Gateway Defense

By default, a user is granted Administrator rights when Email Gateway Defense is selected in the Product Entitlements section. To modify the user role, log in to the Email Gateway Defense web interface. The following roles are available:

  • Administrator – Administrators can:

    • View messages for any domain within the account.

    • Deliver messages for any domain within the account.

    • View and edit all information about a domain.

    • View and edit all domain level settings and policies.

    • View and edit all account level settings and policies.

    • Impersonate users in the Users list.

    • View, search, and export the Audit log.

    • View in-product Support pages, modify security settings, view and modify all aspects of all domains, and configure global and domain-level settings.

  • Domain administrator – For domains to which they are granted Admin privileges, Domain administrators can:

    • View messages for any recipient within a permitted domain.

    • Deliver messages for any recipient within a permitted domain.

    • View and edit all information about a permitted domain.

    • View and edit all domain level settings and policies within the permitted domain.

    • Impersonate users in the Users list within the domain.

    • View, search, and export the Audit log.

Note that this feature is only available for existing customers with domain-specific settings.

  • Help Desk – Help Desk role users can:

    • View message headers for any recipient within a permitted domain.

    • Deliver messages for any recipient within a permitted domain.

    • View all domain level settings and policies within the permitted domain.

      Note: The Help Desk role cannot view the message body for recipient messages within the domain or the Audit log.

  • User – Users can configure user-level settings on their own account based on the security requirements implemented by the account or domain administrator:

    • View messages.

    • Deliver messages.

    • Update user sender policies.

    • Modify quarantine notification settings.

Note: For each BCC account, use only one of the following email protection products:

  • Barracuda Email Security Gateway linked appliance

  - OR -

  • Email Gateway Defense subscription

Email Security Gateway

The following roles are available for Barracuda Email Security Gateway:

  • Domain Administrator – Can configure all domain settings for designated domains, including account settings for users with lesser permissions. Can view message contents (if privacy settings permit), manage per-user quarantine settings, and configure Default User Features. If granted "all_domains" permissions, can manage settings for all domains. Can create or change the role of other Domain Admins and manage Helpdesk accounts.

  • Help Desk – Can manage basic account settings for users (spam scoring, Allow List/Block List, notification settings). Can assist users with quarantine inboxes, view the Message Log for managed domains, deliver quarantined messages (cannot view message body), and access domain-level status and reports. Can edit roles for users with lesser permissions.

  • User – Can view and manage their own quarantine inbox, modify settings for quarantine/spam tagging/block levels, change their password (if SSO is not configured), and create Allow Lists and Block Lists. If permitted, can disable quarantine for their account.

  • Governance, Risk Management and Compliance (GRC) Account – Has access to Outbound Quarantine logs and can take the following actions on outbound quarantined messages:

    • Deliver – GRC determines the message is allowed per policy.

    • Reject – GRC determines the message is not allowed. If configured, a bounce message is sent to the sender.

    • Delete – GRC determines the message is not allowed. The message is removed from the Outbound Quarantine log.

Barracuda Message Archiver

By default, a user is granted User rights when Archiver is selected in the Product Entitlements section. To modify the user role, sign in to the Barracuda Message Archiver web interface. The following roles are available:

  • User – Can search and view messages accessible to the account (sender/recipient or via Alias Linking). Can download add-ins and tools and view the Task Manager.

  • Auditor – Can create and activate Retention Policies, and view, search, and export messages for accessible domains. Can save and name Advanced searches for later use. To create a Domain Auditor (access to a subset of domains), set the role to Auditor and specify at least one domain. If no domains are specified, all messages are accessible. Auditors have no access to system or network configuration.

  • IT Admin – Can modify system and network configuration settings. Has no access to policies or messages.

  • Admin – Can view all items from any user, create and activate policies, and make system or network changes.

Barracuda Cloud Archiving Service

By default, a user is granted User rights when Archiver is selected in the Product Entitlements section. To modify the user role, sign in to the Barracuda Cloud Archiving Service web interface. The following roles are available:

  • User – Can search and view messages accessible to the account (sender/recipient or via Alias Linking). Can download add-ins and tools and view the Task Manager.

  • Auditor – Can create and activate Retention Policies, and view, search, and export messages for accessible domains. Can save and name Advanced searches for later use. To create a Domain Auditor, set the role to Auditor and specify at least one domain. If no domains are specified, all messages are accessible. Auditors have no access to system or network configuration.

  • Admin – Can view all items from any user, create and activate policies, and make system or network changes.

Barracuda Vulnerability Manager

By default, a user is granted Administrator rights when Vulnerability Manager is selected in the Product Entitlements section. Administrator is the only role for this service.

