Users and user groups

All users who are permitted to perform operations on a Cisco IOS XE Catalyst SD-WAN device device must have a login account. For the login account, you configure a username and a password on the device itself. These allow the user to log in to that device. A username and password must be configured on each device that a user is allowed to access.

The Cisco Catalyst SD-WAN software provides one standard username, admin, which is a user who has full administrative privileges, similar to a UNIX superuser. By default, the admin username password is admin. You cannot delete or modify this username, but you can and should change the default password.

User groups pool together users who have common roles, or privileges, on the Cisco IOS XE Catalyst SD-WAN device. As part of configuring the login account information, you specify which user group or groups that user is a member of. You do not need to specify a group for the admin user, because this user is automatically in the user group netadmin​ and is permitted to perform all operations on the SD-WAN device.

The user group itself is where you configure the privileges associated with that group. These privileges correspond to the specific commands that the user is permitted to execute, effectively defining the role-based access to the Cisco Catalyst SD-WAN software elements.

Standard user groups

Cisco Catalyst SD-WAN software provides standard user groups and allows creation of custom user groups as needed.

• basic: The basic group is a configurable group and can be used for any users and privilege levels. This group is designed to include users who have permission to both view and modify information on the device.

• operator: The operator group is also a configurable group and can be used for any users and privilege levels. This group is designed to include users who have permission only to view information.

• netadmin: The netadmin group is a non-configurable group. By default, this group includes the admin user. You can add other users to this group. Users in this group are permitted to perform all operations on the device.

• network_operations: From Cisco vManage Release 20.9.1, network_operations user group is supported. The network_operations group is a non-configurable group. Users in this group can perform all non-security-policy operations on the device and only view security policy information. For example, users can create or modify template configurations, manage disaster recovery, and create non-security policies such as application aware routing policy or CFlowD policy.

• security_operations: From Cisco vManage Release 20.9.1, security_operations user group is supported. The security_operations group is a non-configurable group. Users in this group can perform all security operations on the device and only view non-security-policy information. For example, users can manage umbrella keys, licensing, IPS signatures auto update, TLS/SSL proxy settings, and so on.

Users of the network_operations group are authorized to apply policies to a device, revoke applied policies, and edit device templates. Users of the security_operations group require network_operations users to intervene on day-0 to deploy security policy on a device and on day-N to remove a deployed security policy. However, after a security policy is deployed on a device, security_operations users can modify the security policy without needing the network_operations users to intervene.

Note

All user groups, regardless of the read or write permissions selected, can view the information displayed on the Cisco SD-WAN Manager Dashboard screen. Only admin users can view running and local configuration. Users associated with predefined operator user group do not have access to the running and local configurations. The predefined user group operator has only read access for the template configuration. If you need only a subset of admin user privileges, then you need to create a new user group with the selected features from the features list with both read and write access and associate the group with the custom user.

Account Lockout options

From Cisco Catalyst SD-WAN Manager Release 20.12.1, a netadmin user can enable the following account lockout options:

• Inactivity lockout: You can configure SD-WAN Manager to lock out users who have not logged in for a designated number of consecutive days. Locked out users cannot log in to SD-WAN Manager until an administrator unlocks their accounts. See Configure Account Lockout.

• Unsuccessful login lockout: You can configure SD-WAN Manager to prevent users who make a designated number of consecutive unsuccessful login attempts within a designated time period from logging in to SD-WAN Manager until a configured amount of time passes or an administrator unlocks their user accounts.

  By default, SD-WAN Manager locks out users for 15 minutes after five consecutive unsuccessful login attempts within 15 minutes. After the lockout period expires, a user can log in with the correct user name and password.

  See Configure unsuccessful login attempts lockout.

Ciscotac user accounts and privileges

The default CLI templates include configuration for the ciscotacro and ciscotacrw users. These users are enabled by default but you can disable them if needed.

• ciscotacro user: This account belongs to the operator user group and has read-only privileges. This account allows monitoring configurations but does not permit operations that modify network configurations.

• ciscotacrw user: This account belongs to the netadmin user group and has read-write privileges. This account allows modification of network configurations. Only this user can access the root shell using a consent token.

To allow the network administrator can access system shell, use the tools consent-token command. Starting Cisco Catalyst SD-WAN Control Components Release 20.12.x, the request support ciscotac command is deprecated.