I've been wrangling with Sophos Central Partner roles. Previously our Project Managers have held the Partner Super Admin role, this was required because they are regularly deploying Sophos Firewalls to clients and need to add a Central Super Admin user to a customer tenant as well as applying Firewall Templates. Any role below Partner Super Admin does not permit the above.
Additionally the Partner Super Admin role does not allow selection of what customers they can manage. We want this because it seems reasonable to exclude our own NFR tenant which has MDR Complete Endpoints and our own Firewall attached. For reasons of security and zero trust (the industry 'movement', not ZTNA) we wish to only have management have access to our own tenant
So you can hopefully see our security requirements are at odds with job function. If we downgrade PM permissions then they can't properly deploy Firewalls. If we give them what they need, then they have access to our tenant with permissions to change anything.
Thanks for reaching out to the Sophos Community forum.
When checking the "Role" options available from the Partner Portal, it does not appear there are options that will allow you to configure a role or account with this specific level of access.
I'd suggest reaching out to your Sophos Account Manager to express the need for this in your environment and to submit a feature request for this to be possible, as I suspect others will also want to implement similar restrictions. If you'd like assistance in finding out who your AM is, please send me a private message, and I'd be happy to assist.