Managing User Roles
Your user account privileges determine what you can see and do in the MSX user interface. In MSX, permissions are managed using Role-Based Access Control (RBAC). RBAC restricts or authorizes system access for users based on their user roles. A role defines the privileges of a user in the system. Because privileges are assigned to roles rather than directly to users, managing an individual user's privileges is simply a matter of assigning the appropriate roles.
A user is granted access to a system resource only if an assigned role grants the corresponding access privileges. For example, a user with the Service Extension permissions can import service extension templates, define service extension parameters, define default parameter values, and so on. For more information on assigning roles to a user with appropriate permissions, see Managing Users.
SD-WAN-Specific Permissions
The table below lists the Cisco SD-WAN and SD-Branch categories of permissions:

| Category | Permission | Description |
|---|---|---|
| SD-WAN Service | SD-WAN Data Plane | Allows users with manage permissions to add, edit, or delete sites (data plane). View permission allows you to view sites (data plane) and the status of the sites. |
| SD-WAN Service | SD-WAN Maintenance | Allows users with manage permission to debug and access SD-WAN GET APIs. Using these APIs, users can query SD-WAN databases, or query Cisco SD-WAN to check the status of various components. |
| SD-WAN Service | SD-WAN Control Plane | Allows users with manage permissions to create, attach, delete, or detach a control plane. View permission allows users to view a control plane that is already created or attached and see the status of the control plane components. |
| SD-WAN Service | SD-WAN Orchestrator Settings | Allows users with manage permission to configure orchestrator settings to spin up a new control plane. For more information, see |
| SD-WAN Service | SD-WAN Traffic Policy | Allows users with manage permission to add and modify an Application Relevance policy or Path Preference policy on the Cisco SD-WAN fabric. For more information on how to configure these traffic policies for Cisco SD-WAN, see Configuring SD-WAN Traffic Policies. This permission, along with the Service Configuration Application manage permission, is also required to configure application relevance for various applications across MSX managed sites that have MX device models (Meraki SD-WAN appliance). |
| SD-WAN Service | SD-WAN Bulk Site | Allows users to download the template to their local machine and to view or manage the template. |
| Cisco MSX SD-Branch Operations | Template Data Operations | Allows users with manage permissions to manage predefined data for Cisco MSX SD-Branch service templates. |
| Cisco MSX SD-Branch Operations | Template Operations | Allows users with manage permissions to add, edit, or delete Cisco MSX SD-Branch service templates and edit tenant access to SD-Branch service templates. |
| Cisco MSX SD-Branch Operations | SD-Branch Settings Operations | Allows users with manage permissions to manage Cisco MSX SD-Branch settings. |
| Cisco MSX SD-Branch Operations | SD-Branch Sites Operations | Allows users with manage permissions to add, edit, or delete Cisco MSX SD-Branch sites. |

Along with the preceding permissions, SD-WAN services also need permissions from the MSX platform side. For more information on minimum permissions (platform) that are required to perform a task in SD-WAN and on the complete list of MSX permissions, see Cisco Managed Services Accelerator (MSX) Platform and Service Pack Permissions Addendum.
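
The following is an added example, not Cisco MSX code or its API: a small model of the user, role and permission indirection described above, usable for reviewing a planned role against the tasks it is meant to cover. Task names, role names and users are constructed, and the model assumes view and manage are granted separately, since this page does not say whether manage implies view.

```python
# Added illustration of the RBAC model described on this page.
# Not Cisco MSX code; task names, role names and users are constructed.

# (permission, level) pairs required per task, from the table's descriptions.
TASK_REQUIREMENTS = {
    "view_site": {("SD-WAN Data Plane", "view")},
    "edit_site": {("SD-WAN Data Plane", "manage")},
    "attach_control_plane": {("SD-WAN Control Plane", "manage")},
    # Needs two permissions together (see the SD-WAN Traffic Policy row).
    "configure_mx_app_relevance": {
        ("SD-WAN Traffic Policy", "manage"),
        ("Service Configuration Application", "manage"),
    },
}

# Constructed roles: each is just a set of granted (permission, level) pairs.
ROLES = {
    "noc-viewer": {("SD-WAN Data Plane", "view"), ("SD-WAN Control Plane", "view")},
    "policy-admin": {("SD-WAN Traffic Policy", "manage")},
    "site-operator": {("SD-WAN Data Plane", "view"), ("SD-WAN Data Plane", "manage"),
                      ("SD-WAN Maintenance", "manage")},
}

# Users hold roles, never permissions directly.
USER_ROLES = {"alice": ["noc-viewer"], "bob": ["policy-admin"], "carol": ["site-operator"]}


def effective_permissions(user):
    """Union of the grants of every role assigned to the user."""
    grants = set()
    for role in USER_ROLES.get(user, []):
        grants |= ROLES.get(role, set())
    return grants


def missing_for(user, task):
    """Grants the user still lacks for a task; unknown tasks raise KeyError."""
    return TASK_REQUIREMENTS[task] - effective_permissions(user)


def is_allowed(user, task):
    """Default deny: unknown users, roles or tasks are refused."""
    return task in TASK_REQUIREMENTS and not missing_for(user, task)


def excess_grants(role, intended_tasks):
    """Grants in a role that none of its intended tasks require."""
    needed = set().union(*(TASK_REQUIREMENTS[t] for t in intended_tasks))
    return ROLES[role] - needed
```

Running `missing_for` before saving a role shows which check boxes are still needed for a task, and `excess_grants` shows which ones the role could drop.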
Adding a User Role
To add a user role:
Procedure
Step 1: Log in to the Cisco MSX Portal.
Step 2: In the main menu, click Roles. The Manage Roles screen appears.
Step 3: Click the Add Role button.
Step 4: Enter the role name, display name, and description.
Step 5: To assign the permissions for the role, click Category and select the corresponding check boxes for the permissions that you want to grant to the role. For permissions related to SD-WAN, see SD-WAN-Specific Permissions. The types of permission you can grant are:
Step 6: Click Save.
Modifying an Existing Role
To modify an existing role:
Procedure
Step 1: Log in to the Cisco MSX Portal.
Step 2: In the main menu, click Roles to view the list of roles. The Manage Roles screen appears.
Step 3: Select the role that you want to modify and click the Edit icon.
Step 4: To assign or revoke the permissions for the role, click Category and select or clear the corresponding check box for the permissions. The types of permission you can grant are:
Step 5: Click Save.