About Administrator Roles

Understand the functions that different administrator roles can perform in Oracle CASB Cloud Service.

Oracle CASB Cloud Service provides different roles to make it possible to limit a new administrator to particular cloud applications and functions in the Oracle CASB Cloud Service console.

If you are the first Oracle CASB Cloud Service user in your organization, you should add a backup administrator as soon as possible.

Every Oracle CASB Cloud Service administrator is assigned one of these defined roles:

  • Tenant Administrator: Has all administrator privileges, and adds and manages other administrators. Only a Tenant Administrator can add and remove other Oracle CASB Cloud Service users, so it is important to always have at least one back-up tenant administrator.

    The first Tenant Administrator in your organization is known as the root tenant administrator. This special tenant administrator:

    • Can’t be deleted. 

    • Is the only tenant administrator that can access Configuration, SSO Settings to enable single sign-on for Oracle CASB Cloud Service.

  • Security Analyst: Creates policies, reviews threat analytics, monitors the health of your enterprise, and manages incidents. A Tenant Administrator can limit a Security Analyst's view to particular application instances. This also limits the Security Analyst's ability to view policies to only those that apply to these application instances. 

  • Compliance Manager: Reviews threat analytics, monitors the health and compliance of your enterprise, and manages incidents.  Compliance Managers cannot view policies.

  • SOC Operator: Performs functions required for system and organization control (SOC) compliance, with limited capabilities.

    • Can only access Summary on Dashboard, Apps, Risk Events, Reports, and Incidents sections of Oracle CASB Cloud Service.

    • Can’t drill down from Access Map in Dashboard to see details of mapped activity.

    • Can view details of mapped activity in Risk Events and Incidents.

    • Can’t view any personally identifiable information, including user names or IDs, IP addresses. resource names, and some activity identifiers. Exception: can view resource names in Risk Events.

    • Can view details for incidents and threats, but any personally identifiable information, except for object names, is masked, represented by a string of asterisks (“*****”).

    • Can view on the Reports page only reports for Office 365 and ServiceNow, and for those reports that are generic for the system (not application-specific).

    • Can view and create incidents.

    • Can only modify, resolve, or delete incidents that he or she has created.

In addition, all administrators have the option to automatically receive email notification for high risk events by setting a preference for notifications. See Setting Your Preferences.