Home
Support
Product Support
Cloud and Systems Management
Cisco Secure Equipment Access
Install and Upgrade Guides

Cisco Secure Equipment Access Quick Start Guide for Industrial Routers

View all Saved Content

PDF

Is this helpful?

Helpful Unhelpful

Feedback

Thank you for your feedback. Your response has been recorded.

Ask about this document

Cisco Configuration Guide, Release 4.2

Table of contents

Expand all sections

About this document

Secure Equipment Access Overview

Cisco Secure Equipment Access service
Prerequisites for enabling SEA
Enabling the SEA service

Add Network Devices and Assets

Network devices onboarding and SEA Agent deployment
Operational technology (OT) assets

Manage Access Control Groups

Access control groups

Remote Sessions Configurations

Configure remote sessions

Access control groups

Updated: June 13, 2025

Want to summarize with AI?

On this page

Overview

Types of access control groups
How remote session access requests work
Create access control groups for scheduled or request access
Assign approvers to an access control group
Schedule statuses
Send invitations to group members for a scheduled meeting

Overview

Define and manage secure remote access for groups of SEA users to specific remote assets.

An access control group is a security feature that provides administrators with the ability to define and manage secure remote access for groups of SEA users to specific remote assets.

Provides granular control over who can access what and when.
Enables creation of groups and assignment of permissions for remote access.
Supports multiple access control group types for flexible access management.

Types of access control groups

There are three types of access control groups you can configure:

Always Active – users in this group can always access remote sessions defined in this group.
Scheduled Access – users in the group can log in to the IoT Operations Dashboard and access the remote sessions during the configured time window. No approvals required.
Request Access – users must explicitly request access to the remote assets, and they can access the assets only after the Access manager (approver) approves the requests.

How remote session access requests work

Remote session access requests provide a secure, policy-driven method for controlling access to OT assets through the IoT Operations Dashboard.

Summary

The following actors and components participate in the remote session access request process:

SEA System Admin or SEA Access Admin: Creates and configures access groups with request controls.
Remote access user: Requests access to the asset via the dashboard.
SEA Access Manager (or other approvers): Reviews and approves or rejects access requests.
IoT Operations Dashboard: Hosts the user interfaces for all actions.

This process ensures that only authorized users can access assets, with all actions subject to approval and audit.

Workflow

These stages describe how remote session access requests are processed:

The SEA System Admin or SEA Access Admin logs in to the IoT Operations Dashboard and creates an access control group with the Request Access feature enabled. At least one SEA user and one asset must be assigned to the group.
The remote access user logs in and requests access to an asset within an enabled group.
The SEA Access Manager (or other permitted roles such as SEA System Admin, SEA Access Admin, or any role with Access Approver permission) reviews and approves (or rejects) the access request.
Upon approval, the remote access user gains access to the asset for the specified time period.

Result

The system enforces policy-driven, auditable, and time-bound access for OT assets, minimizing the risk of unauthorized usage.

Create access control groups for scheduled or request access

Creating access control groups in Secure Equipment Access enables you to control remote access by grouping users and assets under defined access conditions.

Access control groups allow administrators to manage remote access for users and assets, supporting both scheduled and request-based workflows. Groups can be temporarily disabled during device upgrades, repairs, or other periods when access should be restricted.

Before you begin

You must be an SEA System Admin or SEA Access Admin.

Procedure

	1.	From the Service panel, choose Secure Equipment Access > Access Management.
	2.	On the Access Management page, review the Access Control Groups table to see the available groups and their details, including group names and the number of users assigned.
	3.	Click Add Group and enter a name and a description.
	4.	Select the group type: Request Access: Use request-based workflow for access. Scheduled Access: Set the time zone, start date/time, and end date/time for scheduled access.
	5.	(Optional) Click the Group Enabled toggle switch to disable the group as needed. When disabled, users cannot access remote sessions in the group.
	6.	(Optional) Click the Enforce Inline (SSH/RDP/VNC) Recording toggle switch if you want to record remote sessions accessed by group members, and click Next.
	7.	(Optional) In the Assign Users section, select the users you want to add to the group and click Next. These users will be authorized to access the remote sessions assigned to the group.
	8.	(Optional) In the Assign Remote Sessions section, choose the assets you want the group’s users to access and click Next.
	9.	Review all settings and confirm to create the access control group.

A new access control group is created with your chosen settings. Group members can access assigned remote sessions according to scheduled or request access conditions. If inline recording is enabled, remote sessions are automatically recorded.

What to do next

For request access groups, assign approvers who will handle access requests from group members.

Assign approvers to an access control group

This process is essential for groups configured with the Request Access type, ensuring requests are explicitly approved.

Before you begin

The approver must have the Access Admin or Access Manager role.

Procedure

	1.	From the Service panel, choose Secure Equipment Access > Access Management.
	2.	On the Access Management page, click the name of the access group created for the Request Access feature.
	3.	In the Access Approvers section, click Add access approver.
	4.	In the Add access approver window, select an approver from the available list, and click Save.

The selected approvers receive an email notification when a member of the group requests access to a session. Even if you are a tenant admin, you won't receive the email notification unless you are explicitly selected as an approver. The approvers can log in to the IoT Operations Dashboard and manage the access requests.

Schedule statuses

The Schedule column in the Access Control Groups page indicates the current access state for a remote session.

Determines when remote access is available.
Distinguishes between ongoing, scheduled, active, and expired sessions.

When you go to Secure Equipment Access > Access Management > Access Control Groups, the Schedule column lists the four possible statuses for a remote session.

Always Active: No specific time for access; access is always available.
Scheduled: A specific time span for access to a session has been scheduled for a future date.
Active: The scheduled time for access to a session is currently in progress.
Schedule Expired: The scheduled time for access to a session has expired.

Note

If a scheduled session is listed as Schedule Expired, you can update that expired session for a future date without creating a new scheduled session.

Send invitations to group members for a scheduled meeting

Invite some or all group members to participate in scheduled remote access sessions.

Before you begin

You must be an SEA System Admin or SEA Access Admin.

Procedure

	1.	Go to Secure Equipment Access > Access Management.
	2.	Select a group that has the meeting scheduled.
	3.	In the Actions column, choose Send Invitation from the drop-down list.
	4.	In the Select members for invitation notification window, select the group members to whom you want to send the invitation.
	5.	After choosing members, click Send.

Each member receives an email with meeting information.

Need help?

Open a support case

(Requires a Cisco Service Contract)

Bias-free language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.