Cisco Catalyst SD-WAN User Management Guide, Releases 26.x and Later

Granular RBAC

Introduces granular RBAC features, discussing advanced permission settings and highlighting the benefits of template-specific role assignments for enhanced security.



Granular RBAC for templates

When setting user group permissions, use the template permissions defined in this section. This approach allows you to provide an RBAC user with specific access to various types of templates and control which device configurations they can apply.

From Cisco vManage Release 20.7.1, you can use these template permissions:

| Permission | Description |
| --- | --- |
| CLI Add-On Template | Provides access to the CLI add-on feature template. |
| Device CLI Template | Provides access to the device CLI template. |
| SIG Template | Provides access to the SIG feature template and SIG credential template. |
| Other Feature Templates | Provides access to all feature templates except the SIG feature template, SIG credential template, and CLI add-on feature template. |
| Feature Profile | Provides access to all feature profiles. |
| Config Group | Provides access to all configuration groups. |

Expand each feature profile to specify granular RBAC. After you set the permissions for the user group, verify that you can access the required feature profiles under Templates > Configuration Groups.

Single-tenant and multi-tenant scenarios

You can use granular RBAC for feature templates in single-tenant and multi-tenant Cisco SD-WAN Manager scenarios.

You can create user groups to assign specific permissions to a tenant's various teams, enabling teams to manage only specific network services without granting permission to use device CLI templates.

Avoid granting tenants the permission to apply device CLI templates, because device CLI templates can override any other template or device configuration. For example, create a user group for a tenant's security operations group and grant it read/write access only to the SIG Template option so that the group can manage security configurations.
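The following added example (not part of the Cisco guide) shows one way to audit user-group definitions against the guidance above: it flags tenant groups with write access to Device CLI Template and any write access beyond a team's intended scope. The dictionary layout, the group names, and the `audit_group` function are assumptions made for illustration and do not reflect the Cisco SD-WAN Manager API schema.

```python
# Permission names are the ones listed in the table on this page.
TEMPLATE_PERMISSIONS = frozenset({
    "CLI Add-On Template", "Device CLI Template", "SIG Template",
    "Other Feature Templates", "Feature Profile", "Config Group",
})
# Device CLI templates can override any other template or device configuration.
OVERRIDING = "Device CLI Template"


def audit_group(group, allowed_write):
    """Return a list of (finding, permission) tuples for one user group.

    group: {"name": str, "tenant": bool,
            "permissions": {permission name: set of "read"/"write"}}
           (hypothetical layout, not the SD-WAN Manager API schema)
    allowed_write: permissions this team is meant to have write access to.
    """
    findings = []
    for perm, access in sorted(group["permissions"].items()):
        if perm not in TEMPLATE_PERMISSIONS:
            # Typo or stale name: the intended restriction may not be in effect.
            findings.append(("unknown-permission", perm))
            continue
        if "write" not in access:
            continue
        if perm == OVERRIDING and group["tenant"]:
            findings.append(("tenant-can-override-config", perm))
        elif perm not in allowed_write:
            findings.append(("write-beyond-scope", perm))
    return findings


# Constructed sample groups for illustration only.
SECOPS_OK = {"name": "tenant-a-secops", "tenant": True,
             "permissions": {"SIG Template": {"read", "write"}}}
SECOPS_WIDE = {"name": "tenant-b-secops", "tenant": True,
               "permissions": {"SIG Template": {"read", "write"},
                               "Device CLI Template": {"read", "write"},
                               "Other Feature Templates": {"write"},
                               "Config Group": {"read"}}}

if __name__ == "__main__":
    for g in (SECOPS_OK, SECOPS_WIDE):
        print(g["name"], audit_group(g, allowed_write={"SIG Template"}))
```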


Benefits of granular RBAC

From Cisco vManage Release 20.7.1, the permissions configured for co-management in Cisco Catalyst SD-WAN allow for very detailed and specific control over who can access and modify network configurations. They are useful when using Cisco Catalyst SD-WAN with tenants, enabling you to provide a tenant access to specific types of templates. This setup lets tenants manage their own network configuration tasks within their own VPN.