Cisco Catalyst Center Administrator Guide, Release 3.2.x

Configure role-based access control

Overview

Information about configuring role-based access control to define custom roles that permit or restrict user access to certain Catalyst Center functions.

Catalyst Center supports role-based access control (RBAC), which enables a user with SUPER-ADMIN-ROLE privileges to define custom roles that permit or restrict user access to certain Catalyst Center functions and sites.

Define a custom role and then assign a user to that role.

Before you begin

Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure.

Procedure

1. Define a custom role.

  1. From the main menu, choose System > Users & Roles > Role Based Access Control.

  2. Click Create a New Role.

  3. If a task overview window opens, click Let’s do it to go directly to the workflow.

  4. In the Create a New Role window, enter a name for the role. Then, click Next.

  5. In the Define the Access window, click the > icon corresponding to the desired function to view the associated features.

  6. Set the permission level to Deny, Read, or Write for the desired features. Click Next.

    If you set the permission level of a feature to Deny, the user to whom you assign this role cannot view this feature in the GUI.

    For dependent features, if you override the recommended permission level settings, the Summary window shows a warning that lists the dependent features whose permission levels are violated.

  7. Review the configuration settings. To make any changes, click Edit.

  8. Click Create Role.

2. To assign a user to the custom role you created, go to Users & Roles > User Management.

  • To assign the custom role to an existing user:
    1. In the User Management window, click the radio button corresponding to the user to whom you want to assign the custom role, and then click Edit.

    2. In the Update Internal User slide-in pane, click the Roles drop-down list and choose the custom role.

    3. Click Save.

  • To assign the custom role to a new user:
    1. In the User Management window, click Add.

    2. In the Create Internal User slide-in pane, enter the first name, last name, and username.

    3. From the Roles drop-down list, choose the custom role.

    4. Enter the password and then confirm it.

    5. Click Save.

3. If you were logged in while the administrator updated your access permissions, log out of Catalyst Center. Then log in again to apply the new permissions.

Catalyst Center user role permissions

Table 1. Catalyst Center user role permissions

Columns: Capability | Description | Recommended permission settings for dependent capabilities (the bulleted entries listed under each capability)

Assurance

Assure consistent service levels with complete visibility across all aspects of your network.

Monitoring

Monitor and manage the health of your network with issue troubleshooting and remediation, proactive network monitoring, and insights driven by AI Network Analytics.

This role lets you:

  • Resolve, close, and ignore issues.

  • Run Machine Reasoning Engine (MRE) workflows.

  • Analyze trends and insights.

  • Troubleshoot issues, including path trace, sensor dashboards, and rogue management.

  • Run workflows for rogue and Cisco Advanced Wireless Intrusion Prevention System (aWIPS). These workflows include AP-allowed list, vendor-allowed list, aWIPS profile creation, assigning an aWIPS profile, and so on.

Recommended permission settings for dependent capabilities:

  • Network Management > Hierarchy: Read

  • Network Management > Inventory: Read

  • Network Design > Profiles and Settings: Read

  • Utilities > Machine Reasoner: Read

  • Utilities > Reports: Read

  • Utilities > App Hosting: Read

  • Utilities > Command Runner: Read

Settings

Configure and manage issues. Update network, client, and application health thresholds.

  • Assurance > Monitoring: Read

  • Network Management > Hierarchy: Read

  • Network Management > Inventory: Read

  • Utilities > App Hosting: Read

Troubleshooting

Create and manage sensor tests. Schedule on-demand forensic packet captures (Intelligent Capture) for troubleshooting clients.

  • Assurance > Monitoring: Read

  • Assurance > Troubleshooting: Write

  • Network Provision > Device Provision: Write

  • Network Management > Hierarchy: Read

  • Network Management > Inventory: Read

  • Network Design > Profiles and Settings: Read

  • Utilities > Machine Reasoner: Read

  • Utilities > App Hosting: Read

  • Utilities > Command Runner: Read

Extensions

Open platform for accessible intent-based workflows, data exchange, notifications, and third-party app integrations.

Note

This permission cannot be assigned to a site-scoped (non-global) access group if set to Read/Write.

Event Subscription

Subscribe to near real-time notifications of network and system events. Initiate corrective actions.

Note

This permission must be set to Write when ITSM is integrated with Visibility and Control of Configurations.

  • System > System Settings: Read

ITSM

Configure and activate preconfigured bundles for ITSM integration.

Note

This permission cannot be assigned to a site-scoped (non-global) access group if set to Read/Write.

  • Extensions > Intent API: Write

Intent API

Access the product through REST APIs.

Network Design

Configure network profiles and settings. Manage templates. Update the software image repository. Configure wireless maps for managing your sites and network devices.

Profiles and Settings

Manage site-wide network settings such as AAA, NTP, DHCP, and so on. Manage telemetry and profiles.

  • Network Management > Hierarchy: Read

Wireless Maps

Visualize your wireless network and configure wireless maps.

  • Network Management > Hierarchy: Write

  • Network Management > Inventory: Write

  • Network Design > Profiles and Settings: Write

  • Assurance > Monitoring: Read

Network Management

Discover and build your network.

Discovery

Discover new devices on your network.

  • Network Management > Hierarchy: Write

  • Network Management > Inventory: Write

  • Network Design > Profiles and Settings: Read

Hierarchy

Create a network hierarchy of areas, buildings, and floors based on geographic location. This role also includes CMX server settings.

Inventory

Add, update, or delete devices on your network. Manage device attributes; view and manage network topology and configurations.

  • Network Management > Hierarchy: Read

  • Network Design > Profiles and Settings: Read

License

Manage software and network assets relative to license usage and compliance.

  • Assurance > Monitoring: Read

Network-wide Settings

Configure network-wide settings to monitor your network and device.

Note

This permission set cannot be assigned to a site-scoped (non-global) access group if set to Read/Write.

Network Operations

Manage and maintain your network devices.

Compliance

Monitor device compliance and out-of-band changes. Manage Cisco field notices and view EoX statuses.

  • Network Management > Hierarchy: Read

  • Network Management > Network-wide Settings: Read

  • Security > Security Advisory: Read

  • Network Operations > SWIM: Read

LAN Automation

Provision your network through LAN automation.

  • Network Management > Hierarchy: Read

  • Network Management > Network-wide Settings: Read

  • Network Management > Inventory: Read

  • Network Design > Profiles and Settings: Read

Plug and Play

Automatically onboard new devices, assign them to sites, and configure them with site-specific settings.

  • Network Management > Hierarchy: Read

  • Network Management > Network-wide Settings: Read

  • Network Management > Inventory: Read

  • Network Design > Profiles and Settings: Read

RMA

Replace faulty devices in your network.

  • Network Management > Hierarchy: Read

  • Network Management > License: Read

  • Network Management > Inventory: Read

  • Network Operations > Plug and Play: Write

  • Network Operations > SWIM: Write

SWIM

Manage software images. Update physical and virtual network entities.

  • Network Management > Hierarchy: Read

  • Network Management > Inventory: Read

Network Provision

Configure, upgrade, provision, and manage network devices.

Device Provision

Provision devices with site-specific settings and policies that are configured for the network. This role includes Application Policy, Application Visibility, Cloud, Site-to-Site VPN, Network/Application Telemetry, Security Service Insertion, Stealthwatch, and Umbrella provisioning.

  • Network Management > Hierarchy: Read

  • Network Management > Inventory: Read

  • Network Design > Profiles and Settings: Read

  • Network Design > Template: Write

  • Network Operations > Plug and Play: Write

  • Network Operations > Compliance: Read

  • Utilities > Command Runner: Write

  • System > System Settings: Read

Network-wide Config

Manage virtual networks, extranet policies, and other network-wide configurations.

Note

This permission set cannot be assigned to a site-scoped (non-global) access group if set to Write.

SD-Access

Configure, manage, and monitor an SD-Access Fabric.

  • Network Management > Hierarchy: Read

  • Network Management > Inventory: Read

  • Network Management > Discovery: Read

  • Network Management > Network-wide Settings: Read

  • Network Provision > Device Provision: Write

  • Network Design > Template: Write

  • Network Operations > Plug and Play: Write

  • Network Operations > Network-wide Config: Read

  • Policy > Group-based Policy: Read

  • Network Operations > LAN Automation: Read

  • Network Operations > SWIM: Read

  • Network Operations > Compliance: Read

  • Network Design > Profiles and Settings: Read

  • Utilities > Event Viewer: Read

Policy

Configure and manage policies that reflect your organization's business intent.

Note

This permission set cannot be assigned to a site-scoped (non-global) access group if set to Read/Write.

Application Policy

Manage QoS policies to make efficient use of network resources.

  • Network Management > Hierarchy: Read

  • Network Management > Inventory: Read

  • Network Design > Profiles and Settings: Read

  • Network Operations > Compliance: Read

  • Utilities > Command Runner: Write

  • System > System Settings: Read

Group-Based Policy

Manage group-based policies that enforce network segmentation and access control.

Note

This permission set cannot be assigned to a site-scoped (non-global) access group if set to Write.

IP-Based Access Control

Manage IP-based access control lists that enforce network segmentation.

Note

This permission set cannot be assigned to a site-scoped (non-global) access group if set to Write.

Security

Manage and control secure access to the network.

Audit Log

View logs of changes made through the UI or API to the system, network devices, and settings.

Rogue and aWIPS

Monitor rogue and aWIPS threats in your network.

  • Network Management > Hierarchy: Read

  • Network Management > Inventory: Read

  • Network Provision > Device Provision: Write

  • Assurance > Monitoring: Read

  • Assurance > Troubleshooting: Read

  • Network Design > Profiles and Settings: Write

  • Security > Audit Log: Write

  • System > System Settings: Read

  • Utilities > Reports: Write

Security Advisory

Scan the network for Cisco security advisories. Review the impact of published security advisories that may affect your network.

Note

This permission set cannot be assigned to a site-scoped (non-global) access group if set to Write.

  • Network Management > Hierarchy: Read

  • Network Management > Inventory: Read

Stealthwatch

Configure network elements to send data to Cisco Stealthwatch to detect and mitigate threats, even in encrypted traffic.

Note

This permission set cannot be assigned to a site-scoped (non-global) access group if set to Write.

  • Network Management > Hierarchy: Read

  • Network Management > Inventory: Read

  • Network Design > Profiles and Settings: Write

  • Network Provision > Device Provision: Write

  • System > System Settings: Read

  • System > System Administration: Read

Umbrella

Configure network elements to use Cisco Umbrella as the first line of defense against cybersecurity threats.

Note

This permission set cannot be assigned to a site-scoped (non-global) access group if set to Write.

System

Perform centralized administration for configuration management, network connectivity, software upgrades, and more.

System Administration

Manage core system administrative capabilities including HA, Disaster Recovery, and Backup and Restore.

Note

This permission set cannot be assigned to a site-scoped (non-global) access group if set to Write.

  • System > System Settings: Write

System Settings

Manage core system connectivity settings. This role includes Integrity Verification, Integration Settings, Debugging Logs, Telemetry Collection, System EULA, IPAM, Data Platform, Cisco Credentials, Smart account, Smart Licensing, SSM Connection Mode, and Device EULA.

This role also includes permissions related to certificate management.

This role enables the configuration of automatic updates to the machine reasoning knowledge base.

Note

This permission set cannot be assigned to a site-scoped (non-global) access group if set to Write.

Utilities

Use common utilities to help manage your network.

App Hosting

Deploy, manage, and monitor virtualized and container-based applications running on devices.

Bonjour

Use the Wide Area Bonjour service to enable policy-based service discovery across your network.

Note

This permission set cannot be assigned to a site-scoped (non-global) access group if set to Write.

Command Runner

Display the running configuration of a device.

  • Network Management > Inventory: Read

Event Viewer

View device and client events for troubleshooting.

Machine Reasoner

Scan the network for defects or bugs known by Cisco and troubleshoot various issues on your network through workflows.

Note

This permission set cannot be assigned to a site-scoped (non-global) access group if set to Write.

  • Network Management > Inventory: Read

  • Network Management > Hierarchy: Read

Remote Device Support

Allow Cisco support personnel to remotely troubleshoot managed network devices.

Note

This permission set cannot be assigned to a site-scoped (non-global) access group if set to Write.

Reports

Use predefined reporting templates to generate reports for all areas of your network.
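Step 6 of the procedure says the Summary window warns when a custom role overrides the recommended permission levels of dependent features, and Table 1 above is the matrix those warnings come from. The following Python script is an added example, not Cisco code: it encodes a subset of Table 1 (the Assurance > Troubleshooting, Network Management > Inventory, Network Operations > RMA and Utilities > Command Runner rows, plus four of the site-scoped Notes) and lints a proposed role the way the Summary window does, so you can review a role definition for dependency violations and site-scoped restrictions before creating it. It assumes that a dependency applies whenever the capability itself is set above Deny; the sample roles at the bottom are constructed for the example.

```python
"""Lint a proposed Catalyst Center custom role against a subset of Table 1.

Added example, not Cisco code. DEPENDENCIES and SITE_SCOPED_LIMITS are copied
from the table above; the sample roles are constructed for illustration.
"""

# Permission levels from the Define the Access window, ordered so that
# "at least Read" can be tested numerically. Unlisted capabilities are Deny.
LEVELS = {"Deny": 0, "Read": 1, "Write": 2}

# Subset of Table 1: capability -> {dependent capability: recommended minimum}.
# Assumption: the recommendation applies whenever the capability is above Deny.
DEPENDENCIES = {
    "Assurance > Troubleshooting": {
        "Assurance > Monitoring": "Read",
        "Network Provision > Device Provision": "Write",
        "Network Management > Hierarchy": "Read",
        "Network Management > Inventory": "Read",
        "Network Design > Profiles and Settings": "Read",
        "Utilities > Machine Reasoner": "Read",
        "Utilities > App Hosting": "Read",
        "Utilities > Command Runner": "Read",
    },
    "Network Management > Inventory": {
        "Network Management > Hierarchy": "Read",
        "Network Design > Profiles and Settings": "Read",
    },
    "Network Operations > RMA": {
        "Network Management > Hierarchy": "Read",
        "Network Management > License": "Read",
        "Network Management > Inventory": "Read",
        "Network Operations > Plug and Play": "Write",
        "Network Operations > SWIM": "Write",
    },
    "Utilities > Command Runner": {"Network Management > Inventory": "Read"},
}

# Subset of the table's Notes: a site-scoped (non-global) access group may not
# carry the capability at this level or higher.
SITE_SCOPED_LIMITS = {
    "Extensions > ITSM": "Read",                          # "if set to Read/Write"
    "Network Management > Network-wide Settings": "Read",  # "if set to Read/Write"
    "Policy > Group-Based Policy": "Write",               # "if set to Write"
    "System > System Administration": "Write",            # "if set to Write"
}


def _level(permissions, capability):
    """Numeric level of a capability; anything not listed in the role is Deny."""
    return LEVELS[permissions.get(capability, "Deny")]


def check_role(name, permissions, site_scoped=False):
    """Return warning strings for a role; an empty list means it follows the table."""
    for capability, value in permissions.items():
        if value not in LEVELS:
            raise ValueError(f"{capability}: unknown permission level {value!r}")
    warnings = []
    for capability, deps in DEPENDENCIES.items():
        if _level(permissions, capability) == LEVELS["Deny"]:
            continue  # a denied feature is hidden in the GUI; its dependencies are moot
        for dep, minimum in deps.items():
            if _level(permissions, dep) < LEVELS[minimum]:
                warnings.append(
                    f"{name}: {capability} is {permissions[capability]} but {dep} is "
                    f"{permissions.get(dep, 'Deny')} (recommended at least {minimum})"
                )
    if site_scoped:
        for capability, limit in SITE_SCOPED_LIMITS.items():
            if _level(permissions, capability) >= LEVELS[limit]:
                warnings.append(
                    f"{name}: {capability} set to {permissions[capability]} cannot be "
                    f"assigned to a site-scoped (non-global) access group"
                )
    return warnings


# Constructed sample role: a troubleshooter with every dependency the table lists.
NOC_TROUBLESHOOTER = {
    "Assurance > Troubleshooting": "Write",
    "Assurance > Monitoring": "Read",
    "Network Provision > Device Provision": "Write",
    "Network Management > Hierarchy": "Read",
    "Network Management > Inventory": "Read",
    "Network Design > Profiles and Settings": "Read",
    "Utilities > Machine Reasoner": "Read",
    "Utilities > App Hosting": "Read",
    "Utilities > Command Runner": "Read",
}

# Constructed sample role with the same intent but the dependencies left at Deny.
OVERTIGHT = {"Assurance > Troubleshooting": "Write"}

if __name__ == "__main__":
    for role_name, perms, scoped in [
        ("noc-troubleshooter", NOC_TROUBLESHOOTER, False),
        ("overtight", OVERTIGHT, False),
        ("site-gbp", {"Policy > Group-Based Policy": "Write"}, True),
    ]:
        found = check_role(role_name, perms, site_scoped=scoped)
        print(f"{role_name}: {'OK' if not found else str(len(found)) + ' warning(s)'}")
        for line in found:
            print("  WARNING", line)
```

Extend DEPENDENCIES and SITE_SCOPED_LIMITS with the remaining rows of Table 1 to cover the whole matrix; the check itself does not change. Keep the table subset in sync with the release you run, since the recommended settings are per release.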