I've been wrangling with Sophos Central Partner roles. Previously our Project Managers have held the Partner Super Admin role; this was required because they are regularly deploying Sophos Firewalls to clients and need to add a Central Super Admin user to a customer tenant as well as applying Firewall Templates. Any role below Partner Super Admin does not permit the above.
Additionally, the Partner Super Admin role does not allow selection of what customers they can manage. We want this because it seems reasonable to exclude our own NFR tenant, which has MDR Complete Endpoints and our own Firewall attached. For reasons of security and zero trust (the industry 'movement', not ZTNA) we wish to only have management have access to our own tenant.
So you can hopefully see our security requirements are at odds with job function. If we downgrade PM permissions then they can't properly deploy Firewalls. If we give them what they need, then they have access to our tenant with permissions to change anything.
[edited by: Qoosh at 5:47 PM (GMT -8) on 5 Jan 2023]