Details procedures for assigning roles to users provisioned by identity providers, ensuring seamless integration and centralized access management.
From Cisco vManage Release 20.11.1, you can manage user roles and permissions through the identity provider (IdP) when users authenticate via Okta to log in to Cisco SD-WAN Manager.
When a user logs in, SD-WAN Manager retrieves the user's role(s) from the IdP and maps them to user group permissions in SD-WAN Manager. The permissions granted to the user correspond to these mapped user groups.
If a user does not have a role defined in the IdP, a network administrator—who has access to SD-WAN Manager but does not have access to the IdP—can assign the user to a specific local user group within SD-WAN Manager to provide the necessary permissions.
However, if a role is defined for the user in the IdP and a user group is also assigned locally in SD-WAN Manager, the role defined in the IdP takes precedence over the local assignment.
This table summarizes the methods available for assigning specific permissions to a user:
| IdP for SAML SSO | Roles defined in the IdP | How user permissions are defined |
|---|---|---|
| Not using an IdP | Not applicable | In SD-WAN Manager, assign a user to one or more user groups locally. This provides the user with the corresponding user group permissions. |
| Using an IdP | IdP has one or more roles defined for the user. | Define roles for the user through the IdP. SD-WAN Manager provides the user with the user group permissions corresponding to the roles. |
| Using an IdP | IdP does not have a role defined for the user. | Use the Remote User option for adding a user (Administration > Manage Users > Add User). See Add a User. In SD-WAN Manager, assign a user to one or more user groups locally. This provides the user with the corresponding user group permissions. |
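The following Python model illustrates the precedence rule and the three cases in the table above. It is an added example, not Cisco SD-WAN Manager code: the SAML attribute name `role`, the role-to-group mapping, the sample assertion and the sample users are all constructed for the illustration, and the handling of an IdP role that has no mapped user group (it is reported as unmapped and grants nothing) is an assumption, since the page does not describe that case.

```python
"""Model of IdP-role-to-user-group resolution with IdP-over-local precedence.

Added illustration, not Cisco SD-WAN Manager code. The SAML attribute name,
the role-to-group mapping and the sample data below are constructed.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed mapping from IdP role names to local user groups (assumption).
ROLE_TO_GROUP: Dict[str, str] = {
    "sdwan-netadmin": "netadmin",
    "sdwan-operator": "operator",
}

# Constructed SAML assertion fragment: the IdP asserts two roles for alice,
# one of which ("legacy-role") has no mapping on the manager side.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="role">
      <saml:AttributeValue>sdwan-operator</saml:AttributeValue>
      <saml:AttributeValue>legacy-role</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


@dataclass
class User:
    name: str
    idp_roles: List[str] = field(default_factory=list)    # roles asserted by the IdP
    local_groups: List[str] = field(default_factory=list) # groups assigned locally


def idp_roles_from_assertion(xml_text: str, attr_name: str = "role") -> List[str]:
    """Extract the role values from the assertion's AttributeStatement.

    The attribute name "role" is a constructed assumption for this example.
    """
    root = ET.fromstring(xml_text)
    roles: List[str] = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != attr_name:
            continue
        for value in attr.iterfind("saml:AttributeValue", SAML_NS):
            if value.text and value.text.strip():
                roles.append(value.text.strip())
    return roles


def resolve_groups(user: User,
                   mapping: Dict[str, str] = ROLE_TO_GROUP
                   ) -> Tuple[List[str], str, List[str]]:
    """Return (effective user groups, source, unmapped IdP roles).

    If the IdP asserted any role, those roles decide the groups and the
    local assignment is ignored (IdP precedence). Only when the IdP asserts
    no role at all do the locally assigned groups apply.
    """
    if user.idp_roles:
        mapped = [mapping[r] for r in user.idp_roles if r in mapping]
        unmapped = [r for r in user.idp_roles if r not in mapping]
        return sorted(set(mapped)), "idp", unmapped
    return sorted(set(user.local_groups)), "local", []


def demo() -> Dict[str, Tuple[List[str], str, List[str]]]:
    """Resolve the three table cases with constructed users."""
    alice = User("alice", idp_roles=idp_roles_from_assertion(SAMPLE_ASSERTION),
                 local_groups=["netadmin"])          # IdP role wins over local
    bob = User("bob", local_groups=["operator"])     # no IdP role: local applies
    carol = User("carol")                            # neither: no permissions
    return {u.name: resolve_groups(u) for u in (alice, bob, carol)}


if __name__ == "__main__":
    for name, (groups, source, unmapped) in demo().items():
        print(f"{name}: groups={groups} source={source} unmapped={unmapped}")
```

Alice's locally assigned `netadmin` group is discarded because her assertion carries IdP roles, which is the precedence rule the text states; the unmapped `legacy-role` is surfaced separately so an administrator can notice that the IdP is asserting something the manager's mapping does not recognise, rather than silently ending up with fewer permissions than expected.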