Cisco Catalyst SD-WAN User Management Guide, Releases 26.x and Later


Configure RBAC


Provides comprehensive guidance on configuring Role-Based Access Control, including defining scopes, creating and editing roles, copying custom roles, and deleting roles to enforce security.



Configure scope

Procedure

1. From the Cisco SD-WAN Manager menu, choose Administration > Users and Access.

By default, the Scope menu is selected. The table displays the list of scopes configured in the device.

2. Click Add Scope.

3. Enter Scope Name and Description.

4. Click Add Nodes.

5. Choose the required nodes and click Save.

You can click Edit Nodes to update the existing nodes in the list.

6. (Optional) In the Associations pane, click Add Users to associate users.

  1. In the Add Users pop-up window, choose the users that you want to add.

  2. Click Save.

    The selected users are associated with the scope.

7. (Optional) In the Configurations tab, click Add Configurations to add configurations. Choose the available configurations from the following tabs:

  1. Configuration Group

  2. Device Template

  3. Feature Template

  4. Feature Profile

  5. Security Policy

  6. Localized Policy

8. Click Save.

A new scope with nodes, users, and required configurations is created.


Configure roles

Procedure

1. From the Cisco SD-WAN Manager menu, choose Administration > Users and Access.

2. Click Roles.

The table displays the list of roles configured in the device.

3. Click Add Role.

4. Enter Custom Role Name in the Add Custom Role page.

5. Select the Deny, Read, or Write check box against each feature or sub-feature that you want to assign to the role.

6. Click Add.

You can view the new role in the table in the Roles page.


Copy custom role

To create a copy of a custom role, use these steps.

Procedure

1. In the list of roles, for the role you wish to copy, click ..., and click Copy.

The Copy Custom Role page is displayed.

2. Enter Custom Role Name.

3. Select the Deny, Read, or Write check box against each feature or sub-feature that you want to update for the role.

4. Click Copy.

You can view the new role in the table in the Roles page.


Edit custom role

Procedure

1. In the list of roles, for the role you wish to edit, click ..., and click Edit.

The Edit Custom Role page is displayed.

2. Select the Deny, Read, or Write check box against each feature or sub-feature that you want to update for the role.

Note

Starting from Cisco Catalyst SD-WAN Manager Release 20.18.1, the permissions for a role and its descendants may differ in the Deny/Read/Write table. Therefore, do not assume that the parent role represents the entire role for the sub-tree under it.

If you have a role with write permission for Configuration Groups but deny or read permission for deploy, a Change device variables button appears instead of the Deploy button. This button allows you to modify device-specific values during the deploy process, without initiating the deployment.

3. Click Update.

You can view the updated role in the table in the Roles page.
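
The note in step 2 means a role review has to check every row of the Deny/Read/Write table, not only the parent rows. The following added example (not Cisco code) audits a role for rows whose permission differs from the parent row's and reports the deploy-button case the note describes. Assumptions: the nested role layout, the role name, the "Example Sub-feature" names, and the placement of Deploy under Configuration Groups are constructed for illustration and are not the SD-WAN Manager export or API format.

```python
# Added example. The role layout is constructed for illustration; it is not
# the SD-WAN Manager export or API format.
LEVEL = {"deny": 0, "read": 1, "write": 2}

SAMPLE_ROLE = {  # constructed sample; names not on the page are made up
    "name": "example-branch-operator",
    "features": {
        "Configuration Groups": {"permission": "write", "children": {
            "Deploy": {"permission": "read"},
            "Example Sub-feature A": {"permission": "write"}}},
        "Security Policy": {"permission": "read", "children": {
            "Example Sub-feature B": {"permission": "write"}}},
    },
}

def flatten(features, parent_path=(), parent_perm=None):
    """Yield (path, permission, parent_permission) for every row in the tree."""
    for name, node in features.items():
        path = parent_path + (name,)
        perm = node["permission"]
        if perm not in LEVEL:
            raise ValueError(f"unknown permission {perm!r} at {' > '.join(path)}")
        yield path, perm, parent_perm
        yield from flatten(node.get("children", {}), path, perm)

def audit_role(role):
    """List every row whose permission differs from its parent row's."""
    findings = []
    for path, perm, parent in flatten(role["features"]):
        if parent is None or perm == parent:
            continue
        kind = "broader" if LEVEL[perm] > LEVEL[parent] else "narrower"
        findings.append((" > ".join(path), parent, perm, kind))
    return findings

def deploy_button(role):
    """Button the guide describes for a role with write on Configuration Groups."""
    cg = role["features"].get("Configuration Groups", {})
    deploy = cg.get("children", {}).get("Deploy")
    if cg.get("permission") != "write" or deploy is None:
        return None  # case not covered by the guide's note
    if deploy["permission"] == "write":
        return "Deploy"
    return "Change device variables"

if __name__ == "__main__":
    for row, parent, perm, kind in audit_role(SAMPLE_ROLE):
        print(f"{row}: {perm} ({kind} than parent's {parent})")
    print("Button shown:", deploy_button(SAMPLE_ROLE))
```

Rows reported as broader than their parent are the ones to look at first in a least-privilege review, since a read-only parent row would otherwise hide a writable sub-feature.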


Delete a role

You can delete a role when it is no longer needed. For example, you might delete a role that you created for a specific project when that project ends.

Procedure

1. Choose the role you wish to delete, click ..., and click Delete.

The Warning page is displayed.

2. To confirm the deletion of the role, click Delete.

This deletes the role.