Cisco Security Cloud Control: Network Devices with Generic SSH Access Management

PDF

Cisco Security Cloud Control: Network Devices with Generic SSH Access Management

Understand user roles in Security Cloud Control Firewall Management

Want to summarize with AI?

Log in

Learn how user roles define permissions for each Security Cloud Control Firewall Management organization.


Security Cloud Control Firewall Management assigns roles per user and per organization. If a user has access to more than one tenant, that user can have the same user ID but different roles on different organizations. For example, a user can have the `Read-Only` role on one organization and the `Super Admin` role on another.

When the interface or documentation refers to a `Read-Only` user, `Admin` user, or `Super Admin` user, it describes that user's permission level on a specific organization.


Read-only role

A user assigned the Read-Only role sees this blue banner on every page:

Users with the `Read-Only` role can:

  • View any page or any setting in Security Cloud Control.

  • Search and filter the contents of any page.

  • Compare device configurations, view the change log, and see VPN mappings.

  • View every warning regarding any setting or object on any page.

  • Generate, refresh, and revoke their own API tokens. Note that if a read-only user revokes their own token, they cannot recreate it.

  • Contact support through our interface and can export a change log.

Users with the `Read-Only` role cannot:

  • Create, update, configure, or delete anything on any page.

  • Onboard devices.

  • Step-through the tasks needed to create something like an object or a policy, but not be able to save it.

  • Create Security Cloud Control user records.

  • Change user role.

  • Attach or detach access rules to a policy.


Edit-Only role

Users with the Edit-Only role can:

  • Edit and save device configurations, including but not limited to objects, policies, rulesets, interfaces, VPN, etc.

  • Allow configuration changes that are made through the Read Configuration action.

  • Utilize the Change Request Management action.

Users with the Edit-Only role cannot:

  • Deploy changes to a device or to multiple devices.

  • Discard staged changes or changes that are detected through OOB.

  • Upload AnyConnect Packages, or configure these settings.

  • Schedule or manually start image upgrades for devices.

  • Schedule or manually start a security database upgrade.

  • Manually switch between Snort 2 and Snort 3 versions.

  • Create a template.

  • Change the existing OOB Change settings.

  • Edit System Management settings.

  • Onboard devices.

  • Delete devices.

  • Delete VPN sessions or user sessions.

  • Create Security Cloud Control user records.

  • Change user role.


Deploy-Only role

Users with the Deploy-Only role can:

  • Deploy staged changes to a device, or to multiple devices.

  • Revert or restore configuration changes for ASA devices.

  • Schedule or manually start image upgrades for devices.

  • Schedule or manually start a security database upgrade.

  • Utilize the Change Request Management action.

Users with the `Deploy-Only` role cannot:

  • Manually switch between Snort 2 and Snort 3 versions.

  • Create a template.

  • Change the existing OOB Change settings.

  • Edit System Management settings.

  • Onboard devices.

  • Delete devices.

  • Delete VPN sessions or user sessions.

  • Create, update, configure, or delete anything on any page.

  • Onboard devices.

  • Step-through the tasks needed to create something like an object or a policy, but not be able to save it.

  • Create Security Cloud Control user records.

  • Change user role.

  • Attach or detach access rules to a policy.


VPN Sessions Manager role

The `VPN Sessions Manager` role is intended for administrators who monitor remote access VPN connections, not site-to-site VPN connections.

Users with the VPN Sessions Manager role can:

  • View any page or any setting in Security Cloud Control.

  • Search and filter the contents of any page.

  • Compare device configurations, view the change log, and see RA VPN mappings.

  • View every warning regarding any setting or object on any page.

  • Generate, refresh, and revoke their own API tokens. Note that if a VPN Sessions Manager user revokes their own token, they cannot recreate it.

  • Contact support through our interface and export a change log.

  • Terminate existing RA VPN sessions.

Users with the VPN Sessions Manager role cannot:

  • Create, update, configure, or delete anything on any page.

  • Onboard devices.

  • Step-through the tasks needed to create something like an object or a policy, but not be able to save it.

  • Create Security Cloud Control user records.

  • Change user role.

  • Attach or detach access rules to a policy.


Admin role

Users with the `Admin` role have complete access to most areas of Security Cloud Control Firewall Management.

  • Create, read, update, and delete any object or policy in Security Cloud Control Firewall Management and configure any setting.

  • Onboard devices.

  • View any page or any setting in Security Cloud Control.

  • Search and filter the contents of any page.

  • Compare device configurations, view the change log, and see VPN mappings.

  • View every warning regarding any setting or object on any page.

  • Generate, refresh, and revoke their own API tokens. If their token is revoked, they can contact support through our interface and can export a change log.

Admin users cannot do the following:

  • Create Security Cloud Control user records.

  • Change user role.


Super Admin role

Users with the Super Admin role have complete access to all areas of Security Cloud Control Firewall Management.

Users with the Super Admin role can:

  • Change user roles.

  • Create user records.

  • Create, read, update, and delete any object or policy in Security Cloud Control Firewall Management and configure any setting.

  • Onboard devices.

  • View any page or any setting in Security Cloud Control Firewall Management.

  • Search and filter the contents of any page.

  • Compare device configurations, view the change log, and see VPN mappings.

  • View every warning regarding any setting or object on any page.

  • Generate, refresh, and revoke their own API tokens. If their token is revoked, they can

  • Contact support through our interface and can export a change log.