Users & Roles


Dome9 supports three types of users:

  • Super User - can access and manage any account resource, add new users and change their privileges. There can be multiple Super Users in the system.

  • Account Owner - manages Dome9 Account related issues such as billing and subscription plan and has the same privileges as a Super User. Only a single Account Owner exists per account.

    An Account Owner can assign another user to become an Account Owner. In this case, the Account Owner becomes a Super User.

  • Normal User - can be delegated authority to manage access or create specific new Servers or security groups.

A Dome9 user is identified by an email address.

The following table compares the privileges assigned to different types of users:

  Manage Dome9 Account Add users and modify privileges Access and manage any resource Access and manage assigned resources only
Account Owner
Super User
Normal User


You can define roles, and assign them to users. You assign permissions to a role, When you assign a role to a user, the permissions of the role are granted to the user (so, no need to assign these permissions to the user explicitly).

You can define any number of roles, to cover all the different types of users you will need for your Dome9 accounts, each with the permissions appropriate for it.


You can grant the following permissions to users or roles to perform actions on Dome9.

You can select the cloud entities on which the permissions will apply. You can select an Organizational Unit, which selects all the cloud accounts in the unit, or specific cloud accounts and, within the account, specific regions and VPCs.



Applicable Resources

Dynamic Access

Use Dynamic Access Leases on AWS services (seeDynamic Access Leasing)

Dynamic Access Leases (AWS)


Create Security Groups in your cloud accounts

Security Groups in your cloud accounts


Create, modify, and delete Dome9 system resources, including accounts, leases, settings, users, roles, and network security entities such as Security Groups, in selected cloud accounts. You can select all accounts, specific accounts, or accounts in specific Organizational Units

All Dome9 system resources


View all Dome9 system resources, without the ability to change them. The resources can be for all accounts, selected accounts, or for accounts in selected Organizational Units

All Dome9 system resources

Rulesets and Content Create, modify, and delete Compliance Rulesets and Rules Rulesets, rules
Integrations and Notifications Create, modify, and delete Compliance Notification Policies Notification Policies
Polices Create, modify, and delete Compliance Policies Dome9 Compliance policies
Alerts, Configurations and Actions Comment or acknowledge Compliance and Logic alerts, add Exclusions or Remediations for specific compliance rules Dome9 Alerts, rules




Actions to manage users and roles are in the Users & Roles menu

See also

Single Sign-On

Account Lockout for Failed Password