CloudGuard Dome9 Help

Users & Roles


Dome9 supports three types of users:

  • Super User - can access and manage any account resource, add new users and change their privileges. There can be multiple Super Users in the system.

  • Account Owner - manages Dome9 Account related issues such as billing and subscription plan and has the same privileges as a Super User. Only a single Account Owner exists per account.

    An Account Owner can assign another user to become an Account Owner. In this case, the Account Owner becomes a Super User.

  • Normal User - can be delegated authority to manage access or create specific new Servers or security groups.

A Dome9 user is identified by an email address.

The following table compares the privileges assigned to different types of users:

  Manage Dome9 Account Add users and modify privileges Access and manage any resource Access and manage assigned resources only
Account Owner
Super User
Normal User


You can define roles, and assign them to users. You assign permissions to a role, When you assign a role to a user, the permissions of the role are granted to the user (so, no need to assign these permissions to the user explicitly).

You can define any number of roles, to cover all the different types of users you will need for your Dome9 accounts, each with the permissions appropriate for it.


You can grant the following permissions to users or roles to perform actions on Dome9. Permissions are hierarchical, so that if they are applied to an Organizational Unit, they will apply to all accounts in it.



Applicable Resources

Dynamic Access

Create Dynamic Access Leases on AWS services (seeDynamic Access Leasing)

Dynamic Access Leases (AWS)


Create Dome9 agents on hosts. This feature is for legacy support of Dome9 agents. Newer accounts do not use agents

Dome9 agents


Create, modify, and delete Security Groups in selected cloud accounts. You can select all accounts, specific accounts, or accounts in specific Organizational Units

All cloud account resources


View all system resources, without the ability to change them. The resources can be for all accounts, selected accounts, or for accounts in selected Organizational Units

All cloud account resources


Actions to manage users and roles are in the Users & Roles menu

See also

Single Sign-On

Account Lockout for Failed Password