Explains RBAC by scope, summarizing scoping principles, configuration concepts, and multitenancy support for segmenting user permissions within the network.
RBAC by scope
RBAC by scope is a method of restricting or authorizing system access for users based on user groups and scope.
A user group defines the privileges of a user in the system and the scope defines the organizations (domains) to which a user is allowed access.
Assigning user and scope
Privileges are not assigned to users directly; you control what an individual user can do by assigning the appropriate user group and scope.
For large Cisco Catalyst SD-WAN deployments across multiple geographical locations, you can split the network administration among different regional administrators.
Network administrators can be classified as global administrators or regional administrators, based on the user groups and scope assigned to them:
-
Global administrators have access to all resources in every scope and have complete read-write privileges for all features.
-
Regional administrators also have full read-write privileges for all the features. However, the resources they can access are limited by the scope assigned to them.
Global admin
A global admin is responsible for overseeing the entire network, but is not involved in the operations of the individual devices on a daily basis. User accounts in the global scope have access to all resources.
In a single-tenant setup, any user with netadmin privileges who is also in the global scope is a global admin. The default admin user on Cisco SD-WAN Manager is also a global admin. The global scope contains all WAN edges and controllers in a single view.
A global admin can:
-
assign devices to their corresponding regions
-
assign regional admin accounts
-
manage controllers
-
maintain sharable and centralized configurations
-
operate on the individual devices when necessary
-
switch the view to a single scope and create templates within it
-
assign more global admins
Local scope admins, also called regional admins, can clone global templates and reuse them within their scope.
Regional admin
A regional admin is responsible for day-to-day operations (configuration, monitoring, onboarding, and so on) for devices in the corresponding regions. Regional admins do not have access to or visibility into devices outside of their region. A regional admin can create these user groups:
-
Scope admin – full read/write access to devices in the corresponding scope, can troubleshoot, monitor, attach, or detach templates for the WAN edges in their group
-
Scope operator – read-only access to WAN edges within their scope
-
Scope basic – basic access within their scope
Scope admins can create new templates and attach or detach them from WAN edges in their group. They can also copy and reuse global templates.
The scope determines the resources accessible to a user; however, the level of access is controlled by the existing user group.
-
If a user is in scope scope_a and user group scope_admin, they have full read/write access to all resources in scope_a.
-
If a user is in scope scope_a and user group scope_operator, they have read-only access to all resources in scope_a.
-
If a user is in scope scope_a and user group scope_basic, they have read-only access to interface and system resources in scope_a.
Global scope
The global group is a special, system-predefined scope with these access control rules:
-
Users in this group are considered global admins: they have full access to all resources (devices, templates, and policies) in the system, and they can manage the scope and assign resources and users to groups.
-
All other users have read-only access to resources within this group.
-
The system default admin account (or tenantadmin account in a multitenant setup) is always in this group. This privilege cannot be changed. However, the admin account may add/remove other user accounts to or from this group.
IdP (SSO)-managed group
An identity provider (IdP) is a service that stores and verifies user identities. IdPs typically work with single sign-on (SSO) providers to authenticate users. When a user is authenticated through the SSO service of an IdP, the IdP also supplies and manages the user's group information: it passes the user name together with the names of all groups to which the user belongs. Cisco SD-WAN Manager matches those names against the group names stored in its database to determine whether each group name passed by the IdP refers to a user group, a scope, or a VPN group.
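The two decisions described on this page, sorting IdP-supplied group names into user groups, scopes and VPN groups, and then deriving the level of access from the user group while the scope limits which resources are reachable (the scope_admin / scope_operator / scope_basic matrix under Regional admin), can be modelled in a few dozen lines. The following is an added example written for this page, not Cisco code and not how Cisco SD-WAN Manager is implemented; the group names, the Resource kinds, the sample IdP group lists, and the choice to make global templates and policies readable by every user (so that scope admins can copy them) are constructed assumptions. Anything the page does not define, such as an unrecognised group name, is treated as granting nothing.

```python
"""Toy model of RBAC by scope: the scope decides which resources a user can reach,
the user group decides the level of access on them.

Added example for illustration, not Cisco code. Group and scope names, resource
kinds and the IdP group lists are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed stand-in for the names SD-WAN Manager would hold in its database.
USER_GROUPS = {"netadmin", "scope_admin", "scope_operator", "scope_basic"}
SCOPES = {"global", "scope_a", "scope_b"}
VPN_GROUPS = {"vpn_group_1"}

# Ordering used when a user belongs to several user groups: the highest level wins.
LEVELS = {None: 0, "ro": 1, "rw": 2}


@dataclass(frozen=True)
class Resource:
    name: str
    scope: str   # scope (region) the resource is assigned to, or "global"
    kind: str    # "device", "template", "policy", "interface", "system", ...


def classify_idp_groups(group_names: Iterable[str]) -> dict:
    """Sort the group names an IdP sends with an SSO assertion into user groups,
    scopes and VPN groups by matching them against the locally stored names.
    Names that match nothing are kept under "unknown" for logging; they grant nothing."""
    out = {"user_groups": set(), "scopes": set(), "vpn_groups": set(), "unknown": set()}
    for name in group_names:
        if name in USER_GROUPS:
            out["user_groups"].add(name)
        elif name in SCOPES:
            out["scopes"].add(name)
        elif name in VPN_GROUPS:
            out["vpn_groups"].add(name)
        else:
            out["unknown"].add(name)
    return out


def is_global_admin(user_groups: set, scopes: set) -> bool:
    """netadmin privileges plus membership in the global scope make a global admin."""
    return "netadmin" in user_groups and "global" in scopes


def effective_access(user_groups: set, scopes: set, res: Resource) -> Optional[str]:
    """Return "rw", "ro" or None (no access) for one user on one resource.
    Deny by default: a resource outside the user's scopes or an unrecognised
    user group grants nothing."""
    if is_global_admin(user_groups, scopes):
        return "rw"                 # every resource in every scope
    if res.scope == "global":
        # Global admins own this scope; everyone else is read-only there.
        # Assumption: sharable templates/policies are readable by any user (so they
        # can be cloned), other global resources only by members of the global group.
        if res.kind in {"template", "policy"} or "global" in scopes:
            return "ro"
        return None
    if res.scope not in scopes:
        return None                 # no visibility outside the assigned scopes
    best = None
    for group in user_groups:
        if group == "scope_admin":
            level = "rw"
        elif group == "scope_operator":
            level = "ro"
        elif group == "scope_basic":
            level = "ro" if res.kind in {"interface", "system"} else None
        else:
            level = None            # not a scope-level group: grants nothing here
        if LEVELS[level] > LEVELS[best]:
            best = level
    return best


def access_from_idp(idp_groups: Iterable[str], res: Resource) -> Optional[str]:
    """Classify the IdP group list, then evaluate access to one resource."""
    c = classify_idp_groups(idp_groups)
    return effective_access(c["user_groups"], c["scopes"], res)


if __name__ == "__main__":
    # Constructed resources and constructed IdP group lists.
    edge_a = Resource("edge-a-1", "scope_a", "device")
    edge_b = Resource("edge-b-1", "scope_b", "device")
    iface_a = Resource("edge-a-1/ge0/0", "scope_a", "interface")
    tmpl_g = Resource("branch-template", "global", "template")
    users = {"alice": ["scope_admin", "scope_a", "Everyone"],
             "bob": ["scope_basic", "scope_a"],
             "carol": ["scope_operator", "global"],
             "admin": ["netadmin", "global"]}
    for who, groups in users.items():
        print(who, [access_from_idp(groups, r) for r in (edge_a, edge_b, iface_a, tmpl_g)])
```

Running the block prints one row per constructed user: alice (scope_admin in scope_a) gets rw on the scope_a device and interface, nothing on the scope_b device, and ro on the global template; bob (scope_basic) reaches only the interface; carol (scope_operator in the global group) sees the template read-only and no regional devices; admin gets rw everywhere. The group "Everyone" in alice's assertion matches no stored name and is ignored, which is the behaviour you want when an IdP sends more groups than the manager knows about.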
Multitenancy support
With Cisco Catalyst SD-WAN multitenancy, a service provider can manage multiple customers, called tenants, from Cisco SD-WAN Manager. The tenants share Cisco SD-WAN Manager instances, Cisco SD-WAN Validator, and Cisco SD-WAN Controller. The domain name of the service provider has subdomains for each tenant. Cisco SD-WAN Manager is deployed and configured by the service provider. The provider enables multitenancy and creates a Cisco SD-WAN Manager cluster to serve tenants. Only the provider can access a Cisco SD-WAN Manager instance through the SSH terminal.
The provider has these characteristics:
-
Scope is not applicable, because the provider manages only the controllers.
-
When the provider provisions a new tenant, the default user account for that tenant is tenantadmin.
-
Other user accounts created by the provider are included in the default global scope.
-
When the provider creates a template for a tenant, the template is included in the global scope.