Cisco Catalyst SD-WAN Multitenancy Guide, Releases 26.x and Later


User roles in multitenant environment


Explains user roles in multitenant environments, distinguishing provider and tenant responsibilities, and describes the SD-WAN Manager views and access available to providers and tenants.


A multi-tenant environment includes the service provider and tenant roles. Each role has distinct privileges, views, and functions.


Provider role

  • The provider role grants system-wide administrative privileges.

  • A user with the provider role has the default username admin.

  • The provider user can access SD-WAN Manager using the domain name of the service provider or by using the SD-WAN Manager IP address.

  • When using a domain name, the domain name has the format: https://managed-sp.com.

  • The admin user is part of the user group netadmin.

    Users in this group are permitted to perform all operations on the controllers and the WAN edge devices of the tenants. You can add additional users to the netadmin group.

  • You cannot modify the privileges of the netadmin group.

  • When you create a new provider user in SD-WAN Manager, including a netadmin user, by default, the user is not allowed SSH access to the SD-WAN Manager VM. To enable SSH access, configure SSH authentication using a AAA template and push the template to SD-WAN Manager. For more information on enabling SSH authentication, refer to the Cisco Catalyst SD-WAN User Management Guide.


SD-WAN Manager views for providers

Provider view

When a provider user logs in to multi-tenant Cisco SD-WAN Manager as admin or another netadmin user, SD-WAN Manager presents the provider view and displays the provider dashboard.

You can perform the following functions from the provider view:

  • Provision and manage SD-WAN Manager, SD-WAN Validators, and SD-WAN Controllers.

  • Add, modify, or delete tenants.

  • Monitor the overlay network.

  • Starting from Cisco Catalyst SD-WAN Manager Release 20.16.1, view alarms and events for the sites and devices of its tenants.

Provider-as-tenant view

When a provider user selects a specific tenant from the Select Tenant drop-down list at the top of the provider dashboard, SD-WAN Manager presents the provider-as-tenant view and displays the tenant dashboard for the selected tenant. The provider user has the same view of SD-WAN Manager as a tenant user would when logged in as tenantadmin. From this view, the provider can manage the tenant deployment on behalf of the tenant.

In the provider dashboard, a table of tenants presents a status summary for each tenant. A provider user can also launch the provider-as-tenant view by clicking on a tenant name in this table.


Tenant role

  • The tenant role grants tenant administrative privileges.

  • A user with the tenant role has the default username tenantadmin.

  • The default password is Cisco#123@Viptela.

    We recommend that you change the default password on first login.

  • The tenantadmin user is part of the user group tenantadmin. Users in this group are permitted to perform all operations on the WAN edge devices of the tenants. You can add additional users to the tenantadmin group.

  • You cannot modify the privileges of the tenantadmin group. On SD-WAN Manager, you can view the privileges of the user group from the Administration > Manage Users > User Groups page.

    For more information about configuring users and user groups, refer to the Cisco Catalyst SD-WAN User Management Guide.

  • A tenant user can log in to SD-WAN Manager using a dedicated URL and the default username tenantadmin.

    For example, the dedicated URL of a tenant could be https://customer1.managed-sp.com for a provider using the domain name https://managed-sp.com. When the user logs in, SD-WAN Manager presents the tenant view and displays the tenant dashboard.

  • If you cannot access the dedicated tenant URL, update the subdomain details in the /etc/hosts file on the local machine. Alternatively, if you use an external DNS server, add a DNS entry for the tenant subdomain.
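One way to apply the hosts-file step above, as an added example that is not Cisco's own code. It assumes the entry maps the tenant subdomain to the SD-WAN Manager address; 192.0.2.10 is a constructed documentation-range placeholder for that address, and the function names are hypothetical. The check refuses to add a second mapping when the tenant name already points somewhere else, since a stale entry would send tenantadmin logins to the wrong host.

```shell
#!/bin/sh
# Added example: idempotently map a tenant subdomain in a hosts file.
# Placeholder values (constructed): 192.0.2.10 stands in for the SD-WAN Manager IP.

# hosts_lookup FILE FQDN
# Prints the IP of the first active (non-comment) entry that names FQDN.
hosts_lookup() {
    awk -v name="$2" '
        { sub(/#.*/, "") }                      # ignore comments
        NF >= 2 {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(name)) { print $1; exit }
        }' "$1"
}

# ensure_tenant_host FILE IP FQDN
# Returns 0 if the mapping exists or was appended,
# 2 if FQDN is already mapped to a different address (nothing is changed).
ensure_tenant_host() {
    file=$1; ip=$2; fqdn=$3
    current=$(hosts_lookup "$file" "$fqdn")
    if [ -z "$current" ]; then
        printf '%s\t%s\n' "$ip" "$fqdn" >> "$file"
        return 0
    fi
    [ "$current" = "$ip" ] && return 0
    echo "conflict: $fqdn already maps to $current in $file" >&2
    return 2
}

# Demo on a scratch file (constructed content), not on the real /etc/hosts.
demo_hosts=$(mktemp)
printf '127.0.0.1\tlocalhost\n' > "$demo_hosts"
ensure_tenant_host "$demo_hosts" 192.0.2.10 customer1.managed-sp.com
cat "$demo_hosts"
rm -f "$demo_hosts"
```

To apply it for real, call `ensure_tenant_host /etc/hosts <manager-ip> <tenant-fqdn>` with root privileges.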

A tenant user with administrative privileges can perform these functions:

  • Provision and manage tenant routers.

  • Monitor the overlay network of the tenant.

  • Create custom policies on the assigned Cisco SD-WAN Controller.

  • Upgrade the software on the tenant routers.

  • Starting from Cisco Catalyst SD-WAN Manager Release 20.16.1, view tenant-specific information of controller connections and OMP statistics in a Cisco Catalyst SD-WAN network.