Settings (Gear icon) menu
|
Settings (Gear icon):
-
Settings
-
App Management
-
System Administration
-
Audit Logs
-
Change Password
|
Admin
|
Users can perform all of these functions.
|
Users can only change their own password.
|
Policy Admin
|
Users have access to only these functions: Settings, Audit Logs, and Change Password. See Discovery Credentials and Controller Settings in this table for details about the functions that a policy admin can perform.
|
Users have access to only these functions: Settings, Audit Logs, and Change Password. See Users and Groups in this table for details about the functions that a policy admin with a limited RBAC scope can perform.
|
Observer
|
Users have access to only these functions: Audit Logs and Change Password.
|
Users have access to only these functions: Audit Logs and Change Password.
|
Settings
|
Users and Groups:
-
Change Password
-
Internal Users
-
External Users
-
External Authentication
-
Groups
|
Admin
|
Users can perform all of these functions.
|
Users can create and edit internal users, external users, and groups, but they cannot configure external authentication.
|
Policy Admin
Observer
|
Users do not have permission to perform these functions.
|
Users do not have permission to perform these functions.
|
Observer
|
Users do not have permission to view these functions.
|
Users do not have permission to view these functions.
|
Discovery Credentials:
-
CLI Credentials
-
SNMPv2c
-
SNMPv3
-
SNMP Properties
-
Device Controllability
|
Admin
|
Users can perform all of these functions.
|
Users do not have permission to perform these functions.
|
Policy Admin
|
Users can perform all of these functions.
|
Users do not have permission to perform these functions.
|
Observer
|
Users do not have permission to view these functions.
|
Users do not have permission to view these functions.
|
Network Settings:
|
Admin
|
Users can perform all of these functions.
|
Users do not have permission to perform these functions.
|
Policy Admin
|
Users do not have permission to perform these functions.
|
Users do not have permission to perform these functions.
|
Observer
|
Users do not have permission to view these functions.
|
Users do not have permission to view these functions.
|
Controller Settings:
-
Update
-
Backup and Restore
-
Logging Level
-
Auth Timeout
-
Password Policy
-
Prime Credentials
-
Telemetry Collection
-
Controller Proxy
|
Admin
|
Users can perform all of these functions.
|
Users do not have permission to perform these functions.
|
Policy Admin
|
Users can configure only the logging level, prime credentials, and telemetry collection.
|
Users do not have permission to perform these functions.
|
Observer
|
Users do not have permission to view these functions.
|
Users do not have permission to view these functions.
|
Discovery
|
Discovery Credentials
Discovery Jobs
Discovery Results
|
Admin
Policy Admin
|
Users can define discovery credentials and create discovery jobs.
Note
|
Once saved, discovery credentials are not visible to any user.
|
Users can also view discovery results.
|
Only users with access to all resources (RBAC scope set to ALL) can define discovery credentials, perform discovery and view discovery results.
Note
|
Once saved, discovery credentials are not visible to any user.
|
|
Observer
|
Users can view discovery results.
|
Users cannot view discovery results. Only users with access to all resources (RBAC scope set to ALL) can view discovery results.
|
Device and Host Inventory
|
Device Roles
|
Admin
Policy Admin
|
Users can change device roles for all devices.
|
Users can change device roles, but only for the devices defined in their custom RBAC scope. Resources that are not in the user's scope are not displayed.
|
Observer
|
Users can view device roles for all devices but cannot make any changes.
|
Users can view device roles, but only for the devices defined in their custom RBAC scope. Resources that are not in the user's RBAC scope are not displayed.
|
Device Tags
Policy Tags
Location Tags and Markers
|
Admin
Policy Admin
|
Users can create and change device tags, policy tags, and location tags and markers for all devices.
|
Users can create and change device tags, policy tags, and location tags and markers, but only for the devices defined in their custom RBAC scope. Resources that are not in the user's scope are not displayed.
|
Observer
|
Users can view device and policy tags for all devices but cannot make any changes.
|
Users can view device and policy tags, but only for the devices defined in their custom RBAC scope. Resources that are not in the user's RBAC scope are not displayed.
|
Config Display
|
Admin
Policy Admin
Observer
|
Users can view configuration files for all devices and hosts.
|
Users can view configuration files, but only for the devices defined in their custom RBAC scope. Resources that are not in the user's scope are not displayed.
|
Topology
|
Topology Map
Topology Map Layout
Saving Topology Map Layout
|
Admin
Policy Admin
|
Users can view all devices on the topology map, and they can change and save the topology map layout.
|
Users can view the topology map, and they can change and save the topology map layout.
The full network topology is shown. However, resources that are not in the user's RBAC scope are dimmed and labeled as unauthorized. No information or only basic information about the dimmed resources is displayed.
|
Observer
|
Users can view all of the devices on the topology map but cannot save a changed topology map layout.
|
Users can view all of the devices on the topology map, but details are displayed only for the resources defined in their custom RBAC scope. Resources that are not in the user's RBAC scope are dimmed and labeled as unauthorized. No information or only basic information about the dimmed resources is displayed.
Users cannot save a changed topology map layout.
|
Device Roles
Device Tags
Policy Tags
|
Admin
Policy Admin
|
Users can view and change device roles, device tags, and policy tags for all devices.
|
Users can view and change device roles, device tags, and policy tags, but only on the resources defined in their custom RBAC scope.
The full network topology is shown. However, resources that are not in the user's RBAC scope are dimmed and labeled as unauthorized. No information or only basic information about the dimmed resources is displayed.
|
Observer
|
Users can view all of the devices on the topology map but cannot change the topology map layout.
|
Users can view all of the devices on the topology map but cannot change the topology map layout. However, details are displayed only for the resources defined in their custom RBAC scope.
Resources that are not in the user's RBAC scope are dimmed and labeled as unauthorized. No information or only basic information about the dimmed resources is displayed.
|
EasyQoS
|
Policy Scopes
|
Admin
Policy Admin
|
Users can view and create policy scopes. When displaying policy scopes, users can view all devices in policy scopes.
|
Users can create policy scopes, but the policy scopes can contain only devices that are in the user's custom RBAC scope.
When displaying policy scopes, users can view only the resources defined in their RBAC scope. Resources that are not in the user's RBAC scope are dimmed and shown as locked.
|
Observer
|
Users can view all of the policy scopes. When displaying policy scopes, users can view all devices in policy scopes.
|
Users can view EasyQoS information, but only for the resources defined in their custom RBAC scope.
Users can view information about only the devices defined in their RBAC scope. Devices that are not in the user's RBAC scope are locked and labeled as unauthorized.
|
Application Registry
|
Admin
Policy Admin
|
Users have the full application registry functionality.
Users can view the applications in the registry, including details about each application, and they can sort the display of applications.
They can mark applications as favorites, create custom applications, and edit both custom and NBAR (default) applications.
|
Users can view the applications in the registry, including details about each application, and they can sort the display of applications.
They cannot mark applications as favorites or create custom applications. They cannot edit custom or NBAR (default) applications.
|
Observer
|
Users can view the applications in the registry, including details about each application, and they can sort the display of applications.
|
Same as an observer with full RBAC scope.
|
Policies (create, abort, restore, preview, reset, apply, clone, show history for, and delete)
|
Admin
Policy Admin
|
Users can perform all of the policy-related functions.
|
Users can perform all of the policy-related functions, but only on policies whose policy scopes contain devices defined in the user's custom RBAC scope. If a policy's policy scope contains any devices that are not in the user's custom RBAC scope, the user will not be allowed to perform any functions on that policy. The policy will be locked and will indicate that the user does not have permission to perform any functions on the policy.
A user can view policies whether or not they contain devices in the user's RBAC scope. If a policy contains devices that are not in the user's RBAC scope, the device details are not displayed. The device is locked and labeled as an unauthorized device.
|
Observer
|
Users can view all of the policy-related functions, but only on policies whose policy scopes contain devices defined in their custom RBAC scope. If a policy's policy scope contains any devices that are not in the user's custom RBAC scope, the user will not be allowed to perform any functions on that policy. The policy will be locked and will indicate that the user does not have permission to modify the policy.
A user can view policies whether or not they contain devices in the user's RBAC scope, but the device details are not displayed. The device is locked and labeled as an unauthorized device.
|
Same behavior as an observer with full RBAC scope.
|
Bandwidth Profile
|
Admin
Policy Admin
|
Users can create, edit, and delete custom bandwidth profiles for all resources.
|
Users can only view custom bandwidth profiles.
|
Observer
|
Users can only view custom bandwidth profiles.
|
Users can only view custom bandwidth profiles.
|
SP Profile
|
Admin
Policy Admin
|
Users can create custom SP profiles and edit existing SP profiles for all resources.
|
Users can view the existing NBAR and custom SP profiles for resources that are in their custom scope, but cannot edit them.
|
Observer
|
Users can view the existing NBAR and custom SP profiles for all resources, but cannot edit them.
|
Users can view the existing NBAR and custom SP profiles for all resources, but cannot edit them.
|
Dynamic QoS
|
Admin
Policy Admin
|
Users can enable and disable dynamic QoS and view dynamic QoS troubleshooting information about all devices.
|
Users can enable and disable dynamic QoS and view dynamic QoS troubleshooting information about all devices.
|
Observer
|
Users cannot enable or disable dynamic QoS. However, they can view dynamic QoS information about all devices.
|
Users cannot enable or disable dynamic QoS. However, they can view dynamic QoS information about all devices.
|
Path Trace
|
Basic Path Trace
ACL Path Trace
Path Trace with QoS, interface, device, and performance monitor statistics
|
Admin
Policy Admin
|
Users can perform all types of path traces on all resources.
|
Users can perform ACL traces and traces that gather QoS, interface, device, and performance monitor statistics, but only for the resources defined in their RBAC scope.
When the results of a path trace are displayed, the resources that are not in the user's RBAC scope are locked and labeled as unauthorized.
|
Observer
|
Users can perform ACL traces and traces that gather QoS, interface, and device statistics. However, they are unable to perform path traces that gather Performance Monitor statistics. Performance Monitor traces require performance monitoring to be enabled for all flows on all network devices in the path, and an observer does not have permission to make changes on devices.
|
Users can perform ACL traces and traces that gather QoS, interface, and device statistics. However, they are unable to perform path traces that gather Performance Monitor statistics. Performance Monitor traces require performance monitoring to be enabled for all flows on all network devices in the path, and observers do not have permission to make changes or to access all devices.
When the results of a path trace are displayed, the resources that are not in the user's RBAC scope are locked and labeled as unauthorized.
|
Cisco IWAN
|
All Cisco IWAN functions
|
Admin
|
Users can perform the full range of functions for all devices.
|
Not applicable.
|
Policy Admin
Observer
|
Not applicable.
|
Not applicable.
|
Cisco Network PnP
|
All Cisco Network PnP functions
|
Admin
|
Users can perform the full range of functions for all devices.
|
Not applicable.
|
Policy Admin
Observer
|
Not applicable.
|
Not applicable.
|
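
The Policies row under EasyQoS carries the least obvious rule in this table: one out-of-scope device locks the whole policy, while the policy stays viewable with that device shown as unauthorized. The following is an added example that models that rule for reviewing scope assignments; it is not controller code, and the role strings, function names, policy names, and device names are hypothetical.

```python
# Added illustration: a model of the Policies rule in the table, not controller code.
ALL = "ALL"                               # models "RBAC scope set to ALL"
MODIFY_ROLES = {"admin", "policy_admin"}  # observers are view-only

def evaluate_policy(role, rbac_scope, policy_devices):
    """Return (can_modify, unauthorized_devices) for one policy.

    A single device outside the user's RBAC scope blocks every function on
    the policy; the policy remains viewable with that device unauthorized.
    """
    devices = set(policy_devices)
    outside = set() if rbac_scope == ALL else devices - set(rbac_scope)
    can_modify = role in MODIFY_ROLES and not outside
    return can_modify, sorted(outside)

def audit_scope(role, rbac_scope, policies):
    """Map each policy name to what this user can do with it."""
    report = {}
    for name, devices in policies.items():
        can_modify, unauthorized = evaluate_policy(role, rbac_scope, devices)
        report[name] = {"can_modify": can_modify, "unauthorized": unauthorized}
    return report

# Constructed sample data: policy and device names are hypothetical.
POLICIES = {
    "branch-voice": ["br1-sw1", "br1-rtr1"],
    "campus-video": ["br1-sw1", "hq-core1"],
}
BRANCH_SCOPE = {"br1-sw1", "br1-rtr1"}

if __name__ == "__main__":
    for name, state in audit_scope("policy_admin", BRANCH_SCOPE, POLICIES).items():
        print(name, state)
```

Running the audit for each custom-scope policy admin before assigning a scope shows which existing policies that user will find locked.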