Post Sales Support Entitlement Education

Welcome

The information below is intended to help Cisco’s partners and customers who have purchased technical support and/or advanced hardware replacements from Cisco understand how to request access to that support and what options exist for managing user access to purchased support.

Education

All individuals who interact with Cisco’s services and tools are required to create and maintain a Cisco profile on Cisco.com. Prior to receiving technical support services from Cisco, individuals must log into their Cisco profile (id.cisco.com) to ensure their company name and address are entered. Cisco profiles that are active and include a Cisco registered company name and address may request access to Cisco support.

The company(s) that may consume the support (technical support, advanced hardware replacements, software downloads) for the products on a contract/subscription, the "entitled party", is determined by the services purchased. Cisco services have an entitled party of either “Bill-To” or "Install-At".

"Bill-to" Entitled Services (aka Partner Branded Support)

When a service is Bill-To entitled, only users from the Bill-To company can obtain Cisco support. Bill-To companies, typically Cisco partners, purchase services directly or via distributors for resale. This entitlement is common for partner-branded services or Cisco service provider ("SP") services, where the partner supports the end customers ("Install-At" parties). End customers cannot receive direct support from Cisco for products with Bill-To entitled services coverage.

Partner Enabled Software Downloads

End customer users are not eligible for Bill-To entitled support from Cisco. However, partner branded services may include "software-download-only" access for customers. This access is limited to software for their company's hardware and does not include Cisco technical support or hardware replacements. Customers must contact the partner, not Cisco, for technical support as per the service agreement between Cisco and the partner.

"Install-At" Entitled Services (aka Cisco Branded Support)

Cisco-branded support that Cisco provides directly to end customers is called "Install-At" entitled support. Users whose Cisco profiles are linked to a customer on the contract or subscription may be eligible to receive support when requested and the required information is provided. Additionally, Cisco entitles partner users who resold the coverage to assist with post-sales technical support. Both Bill-To company and end customer users may access Install-At entitled services.

Full Support Access

When a user is granted access to a contract, the contract + parent company is added to the individual's Cisco profile. Full support access provides access to all services on a contract or subscription belonging to the user’s associated parent company. The contract or subscription may provide Cisco technical assistance, advanced hardware replacements, and/or software downloads.

When a user is granted access to a contract + the Bill-to parent company on the contract, the user receives full support access to all services on the contract. When a contract contains multiple end customer companies, Bill-to company association grants support access for all products on the contract across those companies. Access to a specific customer (Install-At) parent company provides full support for that company's service lines only. Users are entitled to support for products owned by their assigned parent company when multiple customer parent companies are on the same contract.

Software-Download-Only Access

Software-download-only access allows end customer users to download software updates for products on a partner-branded support contract. This access is exclusive to those who purchased partner-branded support from a Cisco partner. Partner users are entitled to full support access and should not be granted software-download-only access. Cisco's access-evaluation automation grants them full support upon request for access.

Support via Bill-To ID(s)

Partner employees may access support through a Bill-To ID, covering all contracts linked to that Bill-to ID, rather than requesting access to each contract individually. One Bill-To ID may encompass hundreds or thousands of active contracts. Access via a Bill-To ID associates the user with the Bill-To company for each linked contract.

| Services | "Bill-to" Entitled Contract (Partner Branded/SP) | "Install-at" Entitled Contract (Cisco Branded) |
|---|---|---|
| Remote Tech Support | Contract Bill-to users entitled | Customer Users and Partner Users entitled |
| Hardware Parts Replacement, Rapid Parts Replacement | Contract Bill-to users entitled | Customer Users and Partner Users entitled |
| Software Center Access – Major/Minor Software Updates | Contract Bill-to users entitled | Customer Users and Partner Users entitled |
| Partner Support - Software Downloads Only - No TAC/RMA | End Customer Users entitled | N/A |

Access to Support Contract(s)

Anyone with an active Cisco Profile can request technical support access via their Cisco Profile, CX Cloud, software download center, or support case manager (SCM). Users logged into Cisco.com can request access by entering an active contract or serial number. Cisco's access evaluation automation reviews all requests, considering factors like profile status, company details, parent company, contract or subscription details, and requested access type. This automation reduces the workload for SAMT Admins, allowing them to focus on oversight, and enhances customer experience by minimizing delays in access approvals. 

When the evaluation recommends "Add", the contract is added to the requestor's profile. If "Deny" is recommended, the requestor receives an explanation, and no changes are made to their Cisco profile.

To request support from Cisco, users can use the support case manager (SCM) interface. SCM allows users with an active Cisco profile to request support for products on active contracts, subscriptions, or warranties. If a serial number, contract number, or subscription ID with active coverage isn't in the user's profile, SCM's 'real-time onboarding' lets them request access and open a support case upon approval. When a subscription ID is provided, SCM searches for linked active contracts and provides onboarding if they aren't in the user's profile.

Access to AppDynamics (AppD) support is granted solely by an AppD application administrator; real-time onboarding is not available. Once granted access, the user's Cisco profile receives the subscription reference ID, entitling them to AppD support. Having access to a contract with AppD support does not automatically entitle a user to AppD support.

Access to Support via a Bill-To ID

Partner users may request support access to all contracts under a Bill-to ID by requesting access to the Bill-to ID from their Cisco profile. Cisco’s access-evaluation-automation verifies the Bill-to ID's validity and checks for an assigned SAMT Bill-to ID Administrator. All requests for Bill-to ID access route to the SAMT Bill-to ID Admin for review in SAMT. When there is no SAMT Bill-to ID Admin assigned to a Bill-to ID, support access cannot be granted, and the requestor is notified.

Partner users who wish to become SAMT Administrators for their company's Bill-to ID(s) can request the role through their Cisco account team. Alternatively, they can visit https://web-help.cisco.com and complete the contact form. The requestor should provide the CCOIS/Email of the user who is being added as a SAMT Admin.

Support via a Bill-to ID does not include AppDynamics (AppD). Only an AppD application administrator can grant access to AppD support.

Any user with access to the Bill-to ID who does not work for the Bill-to ID company, and whose access is not revalidated by a SAMT Bill-to ID Administrator as required every 6 months, will lose access to support through the Bill-to ID. When this occurs, the individual and the SAMT Administrator(s) are notified. When partner users are disassociated by their partner administrator in the Partner Self-Service (“PSS”) tool, contract and Bill-to ID support entitlements are removed from their Cisco profiles.


Request Access

According to Cisco's Service Access Policy, only users employed by an entitled party on a service contract can utilize those service entitlements. Cisco's access evaluation automation and agents will deny requests if a user's Cisco profile isn't linked to an entitled company on the contract. However, there may be instances where the contract's entitled party, whether a partner or end customer, needs a third party to utilize their service entitlements.

A third-party refers to a company not listed on the contract. Examples include a company hired by the end customer to manage network support, a service partner temporarily outsourced by the entitled services partner for customer support, or a company that has merged with or been acquired by an entitled company. In these cases, the third-party is neither the end customer company listed as a site on the contract nor the partner who sold the contract.

Cisco can grant access to third-party users with written approval from the contract's entitled company. However, Cisco won't manage or remove this access unless specifically requested. Therefore, it is advisable for the entitled company to appoint a Service Access Management Tool (SAMT) Administrator to oversee and manage third-party access. The responsibility for managing and maintaining third-party access within SAMT lies with the entitled company.

SAMT offers advanced features like email domain rules to simplify third-party user management. Contact SAMTSupport@Cisco.com to configure these rules, which can either automatically approve requests from users with matching email domains or route them to SAMT Administrators for review. This minimizes the need for a SAMT Administrator to proactively grant access to third-party users.


Third Party Access Requests

Cisco offers the Service Access Management Tool (SAMT), a web-based interface allowing customers and partners to manage user access to services, including technical support, hardware replacement, and software upgrades. SAMT Administrators are authorized by their companies to determine who can access these support services. While Cisco's access-evaluation automation reduces the need for manual user access administration, having a SAMT Administrator is recommended for data security and fraud prevention. The automation handles access requests but does not manage ongoing access, so customers and partners should appoint at least one person to oversee user access in SAMT.

Cisco partners resell services to customers, creating contracts or subscriptions listing the partner as the Bill-to company and customers as Install-at companies. Although the partner employee is managing user access to the contract for the Bill-to company, they also manage user access to the services resold to the customer companies residing on the contract. There are two types of Bill-to company SAMT administrators: contract administrators and Bill-to ID administrators.

  • Contract Bill-to Company Administrators

    A SAMT Admin working for the Bill-to company (typically a Cisco partner reseller) may manage user access for one or more service contracts. When managing user access to a contract as a SAMT Administrator, the Admin is associated with the Bill-to company on the contract.

    When a contract includes Cisco-branded, customer-entitled services, the partner Admin can grant access to both partner (Bill-To company) and customer (Install-at company) users. Admins must ensure users are correctly assigned to their respective companies on the contract. Associating a customer-user with the partner company (Bill-To) may expose them to unrelated data. Only users working for or on behalf of the Bill-To company should be associated with the Bill-To company.

  • Bill-to ID Administrators

    A SAMT Admin may also manage all of the Bill-to company's contracts under a specific Bill-to ID by being assigned as a SAMT Bill-to ID Admin (aka "BID Admin"). When users have been granted support via a Bill-to ID and a new contract under the Bill-to ID becomes active, those users will automatically have support access to the contract, excluding support for some SaaS products. Only a SAMT Admin for the Bill-to ID can grant access, and all user requests are sent to the SAMT Bill-to ID Admin.

Cisco policy prohibits Cisco-branded support contracts for products owned by multiple customers, but such contracts do exist. Special care is needed when granting users access to such contracts. Users should only access services for their associated company. When the user works for the contract’s Bill-To parent company, the user should be granted access to the contract and Bill-to. Bill-to association to a contract entitles the user to support for all customer-owned products on the contract. Therefore, to avoid customer data exposure between customers, it is imperative that only partner company users be granted access to the contract’s Bill-to company.

Customers that purchase Cisco-branded customer-entitled support from a Cisco services reseller may manage their users’ access to the support on the contract. Cisco resellers can email web-help-sr@cisco.com with the contract numbers and the email addresses of the customer's nominated SAMT Administrators. Cisco partners may also manage customers' access in SAMT, serving as either SAMT Bill-to contract administrators or Bill-To ID SAMT Admins. Customer (Install-At) entitled services may be managed by customer and partner SAMT Administrators simultaneously.

Access requests to contracts are routed to the SAMT Administrators for review in SAMT when the contract is locked, email domain rules for “review” are met, or a Cisco agent requests it. All Bill-to ID access requests go to the designated SAMT Bill-to ID Administrators.

Cisco provides an access evaluation of each request, advising whether it should be approved, denied, or reviewed further by the SAMT Admin. If an Admin grants access against Cisco’s "deny" advice, they must provide a comment explaining the decision. Optional comments can be added when denying a request or approving one when Cisco advises "review" or "approve." Granting user access to a company when the user is not authorized to obtain support on behalf of that company could expose protected customer data, potentially making the SAMT Admin or their company liable.

Requests should be reviewed and processed within 48 hours of receipt in SAMT. If not processed within 28 days, requests are canceled by the system, and both requestors and SAMT Admins are notified. The requestor can submit a new request or contact Cisco at web-help-sr@cisco.com to obtain the SAMT Admin(s)' email address for assistance.

Only SAMT partner Bill-to contract and Bill-to ID Admins can process requests for full support to Bill-to (partner) entitled contracts. Once approved, the requestor is associated with both the contract and the Bill-to parent company, even if their parent company differs from the Bill-to parent company.

When a partner Admin approves requests for full support access to an Install-At (customer) entitled contract, SAMT tries to match the user with their company on the contract. If the requestor’s company doesn't match the Bill-To or customer parent companies, the SAMT Admin must select the correct parent company for association. Associating a user with the Bill-to parent company allows them to access and manage all support cases for all customers on the contract. Therefore, it's crucial to associate the user with the correct parent company, especially if multiple customer companies are on the contract. Admins can adjust company associations within SAMT when managing multiple entitled companies on the contract.

When a SAMT customer (Install-at) Admin approves full support access to an Install-At customer-entitled contract, SAMT associates the requestor with the Admin's parent company. If the contract involves multiple customer companies and the Admin manages more than one, SAMT attempts to associate the user to the company on the contract the Admin manages and that matches the user’s company. If the requestor’s company doesn’t match any end customer parent company, the SAMT Admin must select the correct parent company. Company associations can be adjusted in SAMT when the Admin manages multiple entitled companies on the contract.

When software-download-only access requests for Bill-to (partner only) entitled contracts are approved, SAMT tries to associate the user with their matching company on the contract. If the requestor’s company doesn't match any end customer parent company, the SAMT Admin must choose the correct parent company. The user can then download software only for products belonging to the associated company. Partner users are permitted to download software on partner-branded contracts via full support access and should not be granted software-download-only access. Cisco’s access automation grants partner employees full support access to these contracts when requested.

Bill-to ID Requests

When a request for Bill-to ID access is approved by a SAMT Bill-to ID Admin, the Bill-to ID is added to the requestor’s Cisco profile for support purposes only and not for commerce tool access. This grants the requestor full support access as a Bill-to parent company user to all contracts under the Bill-to ID. Only SAMT Bill-to ID Admins can grant this support access via a Bill-to ID; Cisco agents and automation cannot.

Administer and Manage Access to Support

Cisco partner and customer administrators can use SAMT to view and modify users' access to their contracts, whether granted by Cisco or SAMT Administrators. Access can be proactively given without waiting for user requests. SAMT allows monitoring and removal of access as needed, which is crucial when individuals should no longer have access. Since Cisco isn't aware of employment changes or third-party affiliations, it is imperative that SAMT Admins diligently review and manage contract access regularly.

Revalidate Users' Access to Support

Cisco mandates that SAMT Administrators revalidate user access to contracts annually and users with Bill-To ID access every six months. This ensures only authorized individuals have access to partner/customer services and protects confidential data. Revalidation notices are sent 30 days before the due date, followed by a 15-day reminder, and a final notice one day before the contract or Bill-to ID is marked "overdue."

SAMT Admins cannot associate users with "overdue" contracts or Bill-to IDs, but they can remove access anytime. Users with access to overdue contracts retain their access, but Bill-To ID access involves high data visibility, so only the Bill-to ID parent company's users should have it. If Bill-to ID revalidation isn't completed by the due date, users whose Cisco profile parent company doesn't match the Bill-to ID's parent company lose access. When this happens, both the user and SAMT Bill-To ID Admins are notified. The user can request access again, but no approvals or new access can be granted until the current users are revalidated.

Within SAMT there are some advanced features that assist our administrators to better filter and sort the ways in which they want to grant access to users.

Users granted contract support access retain it until revoked or the contract ends. Bill-To ID access continues indefinitely until revoked. For temporary access needs, like third-party integrators or temporary employees, SAMT Admins can set, modify, or remove a user’s access expiration date for a contract or Bill-To ID. These dates are visible to all SAMT Admins of that contract or Bill-To ID and cannot be set or modified by Cisco agents.

Cisco's access request evaluation automation checks if a user's Cisco profile parent company matches the entitled parent company on the requested contract. If there's no match, the request is denied. However, SAMT Administrators can enable email domain matching rules to override denials, allowing access for users from an unentitled or third-party company.

A SAMT Admin may enable automatic approval or require the ability to review requests from users with matching email domains. A contract can have either an auto-approve or a review email domain rule for each entitled parent company, but not both auto-approve and review simultaneously. These rules are assessed by Cisco's automation before checking the requestor's Cisco profile parent company against the contract's entitled parent companies. If the rule doesn’t match the requestor, the evaluation checks for a parent company match. If matched, access is granted unless a lock is enabled (see Lock Cisco from Granting Access). Without a match, the request is denied.

Email domain rules are not applicable for software-download-only requests or for associating customer companies to Install-at customer-entitled contracts with multiple end customer companies. For these contracts, email domain settings can only be used for user access to the partner (Bill-To) company, granting access to all service lines on the contract.

  • Auto-Approve Email Domain Rules
    The auto-approve option is used when a requestor should have access to a parent company's support on a contract, even when their company isn't listed on the contract. This is useful in cases like mergers or acquisitions where multiple email domains exist. If a requestor's email matches the auto-approve domain set in SAMT, they are granted access to the services of the indicated parent company’s products, regardless of parent company mismatch. The contract is then added to their profile. If the Admin manages only one parent company on the contract, the requestor is associated with support for that company’s products. When the contract is also locked from Cisco (see Lock Cisco from Granting Access), the email domain rule takes precedence. The request is approved and not sent to SAMT Administrators for review.
  • Review Rules
    When a SAMT Admin wants to review requests to a contract from individuals with a specific email domain before approval, a review email domain rule should be set. This is useful when only certain individuals, like those from a specific department, should be entitled to support on a contract on behalf of a customer or partner. If the contract is locked from Cisco, the email domain rule takes precedence, and the request is sent to the SAMT Administrators for review.

When a request is processed by Cisco’s access evaluation automation (such as from SCM, profile manager, CX Cloud, or software download center), if any criteria fail, the request is denied, the requestor is notified, and the SAMT Admin does not receive the request in SAMT. When the decision is “Add”, the contract + parent company association is deposited in the requestor's Cisco profile. However, SAMT Admins have the option to lock Cisco’s automation from adding the contract to the Cisco profile and have the request routed to the SAMT Admins for review instead. The contract is not deposited in the requestor's profile unless the SAMT Administrator approves the request. Users requesting access to a locked contract receive a message that the request is pending review by a contract administrator. When the request is processed by a SAMT Admin, the requestor receives a notification of the decision. Unlocking a contract removes the restriction and permits Cisco automation to grant access when the request evaluation passes. When a contract is in a locked state, any SAMT Admin of the contract may remove the lock. Denied requests are not sent to the SAMT Admin(s) when the contract is locked. Note that locking Cisco from granting access does not lock other SAMT Admins of the contract (peer Admins) from granting access in SAMT.
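The evaluation order described in the email domain rule and lock paragraphs above, modelled as an added example (this is not Cisco's code or a SAMT API). The class and field names, the exact-match domain comparison, the single rule per parent company, and the sample contract are assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum
from typing import NamedTuple, Optional


class Outcome(Enum):
    ADD = "add"                # contract + parent company deposited in the profile
    ROUTE_TO_ADMIN = "review"  # pending review by the contract's SAMT Admins
    DENY = "deny"              # requestor notified; SAMT Admins never see it


@dataclass
class Contract:
    number: str
    entitled_parents: set[str]
    locked: bool = False       # "Lock Cisco from Granting Access"
    # entitled parent company -> (email domain, "auto-approve" or "review")
    domain_rules: dict[str, tuple[str, str]] = field(default_factory=dict)


@dataclass
class Request:
    email: str
    profile_parent: str        # parent company on the requestor's Cisco profile
    download_only: bool = False


class Decision(NamedTuple):
    outcome: Outcome
    parent: Optional[str]
    reason: str


def evaluate(contract: Contract, req: Request) -> Decision:
    domain = req.email.rsplit("@", 1)[-1].lower()
    # 1. Email domain rules are assessed first. The page states they do not
    #    apply to software-download-only requests; the rest of the flow is
    #    assumed unchanged for those requests.
    if not req.download_only:
        for parent, (rule_domain, mode) in contract.domain_rules.items():
            if domain != rule_domain.lower():
                continue
            if mode == "auto-approve":
                # Takes precedence over the lock and over a parent mismatch.
                return Decision(Outcome.ADD, parent, "auto-approve domain rule")
            return Decision(Outcome.ROUTE_TO_ADMIN, parent, "review domain rule")
    # 2. Otherwise the profile's parent company must be entitled on the contract.
    if req.profile_parent in contract.entitled_parents:
        if contract.locked:
            return Decision(Outcome.ROUTE_TO_ADMIN, req.profile_parent, "contract locked")
        return Decision(Outcome.ADD, req.profile_parent, "parent company match")
    # 3. No rule and no match: denied, and not forwarded even when locked.
    return Decision(Outcome.DENY, None, "no entitled parent company match")


def lock_bypassing_rules(contract: Contract) -> list[tuple[str, str]]:
    """Audit helper: auto-approve rules that still grant access on a locked contract."""
    if not contract.locked:
        return []
    return sorted((parent, dom)
                  for parent, (dom, mode) in contract.domain_rules.items()
                  if mode == "auto-approve")


# Constructed sample data (not a real contract, company or domain).
SAMPLE = Contract(
    number="C-0001",
    entitled_parents={"PartnerCo", "CustomerCo"},
    locked=True,
    domain_rules={
        "CustomerCo": ("acquired.example", "auto-approve"),
        "PartnerCo": ("contractor.example", "review"),
    },
)

if __name__ == "__main__":
    for r in (Request("a@acquired.example", "OtherCo"),
              Request("b@contractor.example", "OtherCo"),
              Request("c@customerco.example", "CustomerCo"),
              Request("d@else.example", "OtherCo")):
        print(r.email, evaluate(SAMPLE, r))
    print("auto-approve rules active despite lock:", lock_bypassing_rules(SAMPLE))
```

Running the audit helper over locked contracts shows which domains are still approved without any Admin review, which is the case an Admin is most likely to overlook after enabling the lock.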

Block Contract Requests from Specific Individuals

The block action in SAMT prevents a specific individual from being associated for full support access to a contract when they request access from Cisco. Software-download-only access cannot be blocked if it is available on the contract. The blocked contract remains inaccessible for support in the individual's profile until a SAMT Admin unblocks it in SAMT.

SAMT Administrators are notified of different events that they should be aware of and/or act on as needed.

  • Cisco Profile Updates
    When a user updates their company affiliation in their Cisco profile, SAMT Admins managing any contracts the user accesses are notified. Admins should review these notifications and adjust or remove the user's support access as necessary.
  • Updates by Cisco
    When Cisco grants or removes access, SAMT Admins of the contracts are notified of who received the access and to which contract(s). SAMT Admins should review these notifications and take appropriate action to remove or adjust support access to their contracts, as needed.
  • Peer SAMT Administrator Notifications
    When a peer SAMT Administrator performs actions in SAMT such as adding and removing access or onboarding or offboarding other Admins, notifications are issued. SAMT Admins should contact each other with any questions about the transactions.
  • Requests Pending Review and Cancelled
    All access requests should be reviewed and processed within 24 to 48 hours of receipt in SAMT. SAMT Admins are notified of pending requests, and a reminder is sent if any requests are pending for a week or more. Requests not processed within 28 days are automatically canceled, with notifications sent to both requestors and SAMT Admins. Timely processing is crucial as urgent technical support might be delayed without necessary access.
  • Messages and Reminders
    Cisco users may send messages from their Cisco profiles to administrators of a contract. These messages are issued to all SAMT Administrators of the contract. SAMT Admins should review the notifications and act, if needed.
  • Revalidation Notifications
    SAMT Admins must revalidate users with Bill-To ID support access every six months and contract access annually. Notifications are sent 30 days, 15 days, and one day before the revalidation due date. SAMT BID Admins can't associate users with "overdue" contracts or Bill-To IDs but can remove users. Access is removed for users whose parent company differs from the Bill-To ID's parent company, with notifications sent to affected users and SAMT Admins. SAMT Admins should review the users with access to their contracts and/or Bill-To IDs regularly. Failure to do so may result in data exposure and a high risk of fraud.

Notifications Explained

 

  • Tell Cisco that an Individual has Left My Company
    When an individual leaves a company, it's important to remove their access to the company's support contracts to prevent data breaches and fraud. A SAMT Admin should notify Cisco by using the "Contact Cisco" link found in the help section of SAMT. The help button is located at the top right corner of the SAMT homepage, marked by a blue question mark. Click on the question mark, then select "Contact Cisco" to open a contact form with various topics to choose from. Choose "Notify Cisco that an individual has left my company" and provide relevant information in the fields that appear. Cisco Agents will review the submission and adjust the user's access accordingly.
  • Tell Cisco about Unauthorized Support Access/Usage
    If ever a SAMT Admin has reason to believe that an individual is completing or attempting unauthorized actions, they may submit this information and all relevant details to Cisco here. We will review the information and act as necessary.