Outlines the implementation and management of Role-Based Access Control, including configuration principles, VPN integration, AAA, scope and policy management, user and group administration, permission assignments, and operational best practices for secure, granular access control.
This table describes the developments of this feature, by release.

| Feature Name | Release Information | Feature Description |
|---|---|---|
| Co-Management: Granular Role-Based Access Control | Cisco Catalyst SD-WAN Manager Release 20.13.1 | This feature introduces Role-Based Access Control (RBAC) based on sites, scope, or roles. It is a method of authorizing system access for users based on a combination of the role and the scope of a user. You can create scopes, users, and roles with the required read and write permissions for Cisco SD-WAN Manager policies. RBAC prevents unauthorized access and reduces the risk of data breaches and other security incidents. |
| Canadian French language support on Cisco Catalyst SD-WAN Manager | Cisco Catalyst SD-WAN Manager Release 20.13.1 | Added support for using Canadian French for the Cisco SD-WAN Manager user interface. |
| RBAC by scope | Cisco IOS XE Catalyst SD-WAN Release 17.5.1a, Cisco vManage Release 20.5.1 | This feature introduces Role-Based Access Control (RBAC) based on sites or scope. It is a method of authorizing system access for users based on a combination of the user and the scope assigned to that user. For large Cisco Catalyst SD-WAN deployments across multiple geographical locations, this feature helps you split network administration among different regional administrators. |
| RBAC for policies | Cisco IOS XE Catalyst SD-WAN Release 17.6.1a, Cisco vManage Release 20.6.1 | This feature allows you to create users and user groups with the required read and write permissions for Cisco SD-WAN Manager policies. RBAC for policies gives users access to all the details of the policies they are authorized for, which helps maximize operational efficiency. It makes it easier to meet configuration requirements and ensures that authorized users on the system are only given access to what they need. |
| Co-Management: Granular RBAC for feature templates | Cisco vManage Release 20.7.1 | This feature introduces greater granularity in assigning RBAC permissions for template use. This enables you to give a tenant self-management of network configuration tasks. Network administrators and managed service providers can use this feature to assign permissions to their end customers. |
| Co-Management: Improved granular configuration task permissions | Cisco vManage Release 20.9.1 | To enable a user to self-manage specific configuration tasks, you can assign the user permissions to perform specific configuration tasks while excluding other tasks. This feature introduces numerous new permission options, enabling fine granularity in determining which configuration task permissions to provide to a user. |
| RBAC for security operations and network operations default user groups | Cisco vManage Release 20.9.1 | This feature provides default user groups for security operations and network operations. RBAC for policies allows you to create users and user groups with the required read and write permissions for security and non-security policies. Users can perform configuration and monitoring actions only for the authorized policy type. |
| Co-Management: Improved granular configuration for scope features | Cisco vManage Release 20.11.1 | To enable a user to self-manage specific configuration tasks, you can assign the user permissions to perform specific configuration tasks while excluding other tasks. This feature introduces new permission options for configuration groups and feature profiles. |
| Assigning roles locally for SSO-authenticated users | Cisco vManage Release 20.11.1 | If you are using an identity provider, such as Okta, for Security Assertion Markup Language (SAML)-based single sign-on (SSO), then in most use cases you define user roles through the identity provider. This feature enables you to assign roles to such users locally in Cisco SD-WAN Manager, in case the identity provider defines no roles for the user. |
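The feature table above describes three ideas that combine into one authorization decision: a role carries read or write permissions per feature (for example, security versus non-security policies), a scope restricts the sites an administrator may touch, and, for SSO users, roles come from the identity provider unless none are defined, in which case locally assigned roles apply. The following is an added, constructed model of that decision in Python; it is not Cisco SD-WAN Manager code, and the role names, scope names, site IDs, feature names and the `authorize` function are illustrative assumptions. Two further assumptions are flagged in comments: write permission on a feature implies read, and a role name that is not defined grants nothing (fail closed).

```python
from dataclasses import dataclass

# Constructed model of RBAC by role + scope (not Cisco's implementation).
# A request (user, feature, access, site) is permitted only if:
#   1. one of the user's effective roles grants the requested access on
#      that feature, and
#   2. the target site lies inside the user's scope.


@dataclass(frozen=True)
class Permission:
    feature: str  # e.g. "security_policy", "non_security_policy"
    access: str   # "read" or "write"


# Assumption of this model: "write" on a feature implies "read".
_SATISFIES = {"write": {"read", "write"}, "read": {"read"}}

# Illustrative roles: a regional network-operations role that can edit
# non-security policies but only view security policies, and a
# security-operations role that can edit security policies.
ROLES = {
    "regional_netops": frozenset({
        Permission("non_security_policy", "write"),
        Permission("security_policy", "read"),
    }),
    "secops": frozenset({
        Permission("security_policy", "write"),
    }),
}

# A scope is the set of site IDs an administrator is allowed to manage.
SCOPES = {
    "west": frozenset({100, 101, 102}),
    "east": frozenset({200, 201}),
}

# Constructed users: name -> (locally assigned roles, scope name).
USERS = {
    "alice": (["regional_netops"], "west"),
    "bob": (["secops"], "east"),
}


def effective_roles(user, idp_roles=()):
    """Roles asserted by the identity provider (SAML/SSO) take precedence.
    If the IdP supplied none, fall back to the roles assigned locally."""
    if idp_roles:
        return list(idp_roles)
    return list(USERS[user][0])


def authorize(user, feature, access, site, idp_roles=()):
    """Return (allowed, reason) for one request. Every failure path
    returns False so that an unexpected condition never grants access."""
    if user not in USERS:
        return False, "unknown user"
    roles = effective_roles(user, idp_roles)
    if not roles:
        return False, "no roles assigned"
    scope_name = USERS[user][1]
    if site not in SCOPES.get(scope_name, frozenset()):
        return False, f"site {site} is outside scope {scope_name!r}"
    for role in roles:
        # Unknown role names grant nothing (fail closed).
        for perm in ROLES.get(role, frozenset()):
            if perm.feature == feature and access in _SATISFIES[perm.access]:
                return True, f"granted by role {role!r}"
    return False, f"no role grants {access} on {feature}"


if __name__ == "__main__":
    for req in [
        ("alice", "non_security_policy", "write", 100),
        ("alice", "security_policy", "write", 100),
        ("alice", "non_security_policy", "write", 200),
        ("bob", "security_policy", "write", 200),
    ]:
        print(req, "->", authorize(*req))
```

The scope check runs before the permission check on purpose: a regional administrator with full write rights is still denied on a site that belongs to another region, which is the point of splitting administration by scope. Passing `idp_roles` shows the SSO behaviour: when the identity provider asserts roles, the local assignment is ignored entirely, and only when it asserts none does the local assignment apply.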
Role-Based Access Control
Details the primary concept of Role-Based Access Control, explaining its objectives, features, and the benefits of adopting role-based methodologies for access management.
Restrictions for configuring RBAC
Explains restrictions and prerequisites for implementing Role-Based Access Control, describing limitations, supported configurations, and important considerations to ensure compliant deployment.
RBAC by VPN
Describes Role-Based Access Control integration with VPNs, outlining concepts and practices for managing user access across virtual network segments.
RBAC with AAA
Details the interplay between Role-Based Access Control and AAA, highlighting how authentication, authorization, and accounting integrate to provide comprehensive access control.
User authorization rules for operational and configuration commands
Outlines user authorization rules, clarifying permission structures for operational and configuration command access within Role-Based Access Control.
RBAC by scope
Explains RBAC by scope, summarizing scoping principles, configuration concepts, and multitenancy support for segmenting user permissions within the network.
Granular RBAC
Introduces granular RBAC features, discussing advanced permission settings and highlighting the benefits of template-specific role assignments for enhanced security.
RBAC for policies
Guides users through managing RBAC for policies, covering concepts, configuration steps, and methods for modifying policy assignments to achieve granular access control.
Configure RBAC for CFlowd policy
Provides step-by-step instructions for configuring RBAC for CFlowd policies, including creating user groups, defining policy users, and modifying CFlowd policy access.
Assigning roles to users defined by identity providers
Details procedures for assigning roles to users provisioned by identity providers, ensuring seamless integration and centralized access management.
Configure RBAC
Provides comprehensive guidance on configuring Role-Based Access Control, including defining scopes, creating and editing roles, copying custom roles, and deleting roles to enforce security.
Prerequisites for Application Catalog features
Outlines prerequisite requirements for leveraging Application Catalog features, ensuring RBAC configurations meet necessary conditions for application enablement.
Manage user group permissions
Describes methods for managing user group permissions across device types, detailing permission structures for both Cisco IOS XE Catalyst SD-WAN devices and Cisco Catalyst Wireless Gateway devices.
Configure Users
Provides instructions for user management tasks, including adding, editing, copying, and deleting users, managing user locks, changing passwords, and monitoring user sessions.
Configure user sessions
Explains how to configure user sessions, ensuring effective session management to maintain access control compliance and operational security.
Configure VPN segments
Details procedures for configuring VPN segments as part of access control strategies, supporting logical network separation and granular role assignments.
Configure VPN groups
Outlines configuration steps for VPN groups, enabling collective access management and permission allocation for user sets.
Verify granular RBAC permissions
Provides verification procedures for granular RBAC permissions, ensuring correct permission assignments and operational integrity for role-based access models.
Monitor devices for VPN groups
Explains methods to monitor device status and activity for VPN groups, supporting ongoing oversight and compliance for managed network segments.