Information About Role Based Access Control
Role-Based Access Control (RBAC) is a method of restricting or authorizing system access for users based on user roles and scope. A role defines the privileges of a user in the system, and the locale defines the organizations (domains) that a user is allowed to access. Because users are not directly assigned privileges, managing individual user privileges is simply a matter of assigning the appropriate roles and scopes. A user is granted write access to a system resource only if the assigned role grants the access privileges and the assigned locale allows access.
User: the entity that performs actions in Cisco SD-WAN Manager. A user belongs to a role.
Roles: define the permissions (Read, Write, or Deny) allowed for a user on different APIs or functionalities.
Scope: defines the set of objects (sites, devices, or templates) on which a user can perform actions.
When Read or Write is selected, the user can view and make changes for the selected features. When Read is selected, the user can only view information. When Deny is selected, the user can neither view nor make changes to the Cisco IOS XE Catalyst SD-WAN.
System default roles cannot be changed or modified. The Cisco IOS XE Catalyst SD-WAN software provides the following system default roles:
- basic: The basic role is a system default role and is built in to Cisco SD-WAN Manager. You cannot modify or delete it. If you want to modify the role, you must make a copy of it and then modify the copy as a new custom role.
- operator: The operator role is a configurable role and can be used for users at any privilege level. This role is designed for users who have permission only to view information.
- netadmin: The netadmin role is a non-configurable role. By default, this role includes the admin user. You can add other users to this role. Users with this role are permitted to perform all operations on the device.
- network_operations: The network_operations role is a non-configurable role. Users in this role can perform all non-security-policy operations on the device and can only view security policy information. For example, users can create or modify template configurations, manage disaster recovery, and create non-security policies such as an application-aware routing policy or a Cflowd policy.
- security_operations: The security_operations role is a non-configurable role. Users in this role can perform all security operations on the device and can only view non-security-policy information. For example, users can manage Umbrella keys, licensing, IPS signature auto-update, TLS/SSL proxy settings, and so on.
Users of the network_operations role are authorized to apply policies to a device, revoke applied policies, and edit device templates. Users of the security_operations role require network_operations users to intervene on day-0 to deploy a security policy on a device and on day-N to remove a deployed security policy. However, after a security policy is deployed on a device, security_operations users can modify the security policy without needing the network_operations users to intervene.
Note: Only netadmin users can view the running and local configuration. Users associated with the predefined operator role do not have access to the running and local configurations. The predefined operator role has only read access to the template configuration. If you need only a subset of the admin user's privileges, create a new role with the selected features from the features list, with both read and write access, and associate the role with the custom user.
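The role, scope, and Read/Write/Deny rules described above can be modelled as a small authorization check. The following is an added illustrative example, not Cisco SD-WAN Manager code or its API; the feature names, device IDs, and the split of features into security and non-security sets are constructed assumptions.

```python
# Added example: a minimal model of the RBAC rules described on this page.
# Illustrative only; not Cisco SD-WAN Manager's implementation or API.
from dataclasses import dataclass
from typing import Dict, FrozenSet

DENY, READ, WRITE = "deny", "read", "write"

# Constructed feature sets (assumption): which features count as security policy.
SECURITY_FEATURES = frozenset({"security_policy", "ips_signatures", "tls_ssl_proxy"})
NETWORK_FEATURES = frozenset({"device_template", "app_aware_routing", "cflowd"})
ALL_FEATURES = SECURITY_FEATURES | NETWORK_FEATURES


@dataclass(frozen=True)
class Role:
    name: str
    permissions: Dict[str, str]  # feature -> DENY / READ / WRITE


@dataclass(frozen=True)
class User:
    name: str
    role: Role
    scope: FrozenSet[str]  # device IDs the user may act on


def _role(name: str, write=(), read=()) -> Role:
    """Build a role: everything is Deny unless listed as Read or Write."""
    perms = {f: DENY for f in ALL_FEATURES}
    perms.update({f: READ for f in read})
    perms.update({f: WRITE for f in write})
    return Role(name, perms)


# The system default roles, as described on this page.
DEFAULT_ROLES = {
    "netadmin": _role("netadmin", write=ALL_FEATURES),
    "operator": _role("operator", read=ALL_FEATURES),
    "network_operations": _role("network_operations", write=NETWORK_FEATURES, read=SECURITY_FEATURES),
    "security_operations": _role("security_operations", write=SECURITY_FEATURES, read=NETWORK_FEATURES),
}


def is_allowed(user: User, action: str, feature: str, device: str) -> bool:
    """True only if the role grants the permission AND the device is in the user's scope."""
    if device not in user.scope:          # scope check comes first
        return False
    level = user.role.permissions.get(feature, DENY)
    if action == "view":
        return level in (READ, WRITE)     # Write implies the ability to view
    if action == "change":
        return level == WRITE             # Read and Deny never permit changes
    raise ValueError(f"unknown action {action!r}")
```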
Privileges for Role-Based Access
Role-based access privileges are arranged into five categories, which are called tasks:
- Interface: Privileges for controlling the interfaces on the Cisco IOS XE Catalyst SD-WAN device.
- Policy: Privileges for controlling the control plane policy, OMP, and data plane policy.
- Routing: Privileges for controlling the routing protocols, including BFD, BGP, OMP, and OSPF.
- Security: Privileges for controlling the security of the device, including installing software and certificates. Only users belonging to the netadmin group can install software on the system.
- System: General system-wide privileges.