Skip to main content

Welcome to our updated site!

Skyhigh Security

About User Roles and Access Levels

Roles control the areas of the Skyhigh CASB user interface or Skyhigh Cloud Connector that a user can view or access. You can set your role-based access control (RBAC) levels to restrict certain users from sensitive areas of the system or to create workflows for users with dedicated responsibilities. All users must have at least one role; users can have multiple roles at once. 

You can also give functions of roles Read Only or Manage access. Learn more in About Read Only vs Manage Access.

Once a user has been assigned a role, that user cannot change or manage users who have different roles assigned, including User Managers. This prevents users with a lower access level from making changes to users with higher access levels, and also prevents users with more broad access from improperly granting access to other users. A trusted user with all roles assigned can make changes to other users' access to all areas.

Role Name Default Functions Description
Primary User

The Primary User is the account administrator and main point of contact for upgrades and ordering for all Skyhigh Security services. To make someone else the primary user, please contact Skyhigh Security Support.


By default, Administrators are able to configure Structured App CSPs, CASB Connect Apps, IaaS deployments, and so on. Additionally, Admins can manage and create users, and have access to the Audit Log. They also have access to Activity Settings and Anomaly Settings. 

Setting Setup & Configuration allows only read access to cloud service configurations. Setting User Manager to Read Only allows an Admin to view users, but not modify any account.

Administrators cannot be assigned to or subject to Data Jurisdiction restrictions.

Compliance Manager

Users with the User Manager role can make tenant-level changes that affect the information seen by other Skyhigh CASB users. User Managers can:

Given the access to make tenant-level changes, User Managers cannot be assigned to or subject to Data Jurisdiction restrictions.

Policy Management

Users with the Policy Management role interact with the rules-based portions of the product, including those listed in the previous column. 

Users with this role can also manage the settings that govern policies.

Policy Managers cannot be assigned to or subject to Data Jurisdiction restrictions.

Incident Management

Users with the Incident Manager role can access the pages listed in the previous column. 

Usage Analytics User

Users with the Usage Analytics User role can access these pages:

Cloud Security Advisor Dashboard Manager Cloud Security Advisor The Cloud Security Advisor Dashboard Manager role is required to take waivers and credits for Visibility and Control metrics in the Cloud Security Advisor. 

Custom Apps Owner

 Custom Apps

The Custom Apps Owner role can only be assigned once a user has another role configured. It's not standalone.

Detokenization Privilege View detokenized user names  Instead of random tokens, a user with this access can view user names. The Detokenization Privilege can only be assigned once a user has another role configured. It cannot be assigned as a standalone role.

Cloud Connector User

Skyhigh Cloud Connector

Users must have the Cloud Connector User role to configure Cloud Connector. The Cloud Connector User role can be assigned separately from the Admin dashboard. So, the User must have an Admin role to access the Cloud Connector option under Settings > Infrastructure in Skyhigh CASB.

Skyhigh Security Service Edge Hybrid (WPS2) license users can also access Cloud Connector option under Settings > Infrastructure. For details, see Cloud Connector User Role for SSE Hybrid Users.

All Cloud Connector users can detokenize reports by uploading them to Cloud Connector, but if they want to view detokenized information within Skyhigh CASB, they still require the Detokenization Privilege.

ePO Connector Skyhigh Security Integrations The Trellix ePO Connector role allows the user to set up integrations between Trellix ePolicy Orchestrator and Skyhigh CASB.


  • Was this article helpful?