Cisco Catalyst SD-WAN User Management Guide, Releases 26.x and Later


Role-Based Access Control

Outlines the implementation and management of Role-Based Access Control, including configuration principles, VPN integration, AAA, scope and policy management, user and group administration, permission assignments, and operational best practices for secure, granular access control.


This table lists the changes to this feature by release.

Table 1.

Feature Name

Release Information

Feature Description

Co-Management: Granular Role-Based Access Control

Cisco Catalyst SD-WAN Manager Release 20.13.1

This feature introduces Role-Based Access Control (RBAC) based on sites, scope, or roles. It is a method of authorizing system access for users based on the combination of a user's role and scope.

You can create scopes, users, and roles with required read and write permissions for Cisco SD-WAN Manager policies. RBAC prevents unauthorized access and reduces the risk of data breaches and other security incidents.

Canadian French language support on Cisco Catalyst SD-WAN Manager

Cisco Catalyst SD-WAN Manager Release 20.13.1

Added support for Canadian French in the Cisco SD-WAN Manager user interface.

RBAC by scope

Cisco IOS XE Catalyst SD-WAN Release 17.5.1a

Cisco vManage Release 20.5.1

This feature introduces Role-Based Access Control (RBAC) based on sites or scope. It is a method of authorizing system access for users based on the combination of a user's identity and assigned scope.

For large Cisco Catalyst SD-WAN deployments across multiple geographical locations, this feature lets you split network administration among different regional administrators.

RBAC for policies

Cisco IOS XE Catalyst SD-WAN Release 17.6.1a

Cisco vManage Release 20.6.1

This feature allows you to create users and user groups with the required read and write permissions for Cisco SD-WAN Manager policies. RBAC for policies gives users access to the policy details they need, which improves operational efficiency. It makes it easier to meet configuration requirements and ensures that authorized users on the system are given access only to what they need.

Co-Management: Granular RBAC for feature templates

Cisco vManage Release 20.7.1

This feature introduces greater granularity in assigning RBAC permissions for template use. This enables you to give a tenant self-management of network configuration tasks. Network administrators and managed service providers can use this feature to assign permissions to their end customers.

Co-Management: Improved granular configuration task permissions

Cisco vManage Release 20.9.1

To enable a user to self-manage specific configuration tasks, you can assign the user permissions to perform specific configuration tasks while excluding other tasks.

This feature introduces numerous new permission options, enabling fine granularity in determining which configuration task permissions to provide to a user.

RBAC for security operations and network operations default user groups

Cisco vManage Release 20.9.1

This feature provides the following default user groups:

  • network_operations user group for non-security policies

  • security_operations user group for security policies

RBAC for policies allows you to create users and user groups with the required read and write permissions for security and non-security policies. Users can perform configuration and monitoring actions only for the authorized policy type.

Co-Management: Improved granular configuration for scope features

Cisco vManage Release 20.11.1

To enable a user to self-manage specific configuration tasks, you can assign the user permissions to perform specific configuration tasks while excluding other tasks.

This feature introduces new permission options for the following configuration groups and feature profiles.

  • AppQoE, under the other feature profile

  • GPS, under the transport feature profile

  • Cisco VPN Interface GRE, under the WAN and LAN profiles

  • Cisco VPN Interface IPsec, under the WAN profile

  • Cisco Multicast, under the LAN profile

  • UCSE, under the other feature profile

  • IPv4 Tracker and Tracker Group, under the transport and service feature profiles

  • IPv6 DIA Tracker and Tracker Group, under the transport feature profile

Assigning roles locally for SSO-authenticated users

Cisco vManage Release 20.11.1

If you are using an identity provider, such as Okta, for security assertion markup language (SAML)-based single sign-on (SSO), then in most use cases, you define user roles through the identity provider. This feature enables you to assign users locally in Cisco SD-WAN Manager, in case no roles are defined for the user by the identity provider.