Roles
You can restrict access to features and data using a role-based access control (RBAC) model.
- User - someone with login access to Cisco Secure Workload.
- Role - a user-created set of capabilities that is assigned to a user.
- Capability - a scope + ability pair.
- Ability - a collection of actions.
- Action - a low-level user action such as "change workspace name".
A user can have any number of roles, and a role can have any number of capabilities. For example, the "HR Search Engineer" role could have two capabilities: "Read on the HR scope", to give visibility and context, and "Execute on the HR:Search scope", to allow engineers assigned this role to make specific changes that are related to their applications.
Use the Users page to assign users to the different roles. Roles have several capabilities and you can assign users to any number of roles.
System roles are defined to allow users to get started more quickly. They define different levels of access to all Scopes, that is, all data on the system. These system roles are defined below.
Role | Description
---|---
Agent Installer | Manage the agent life cycle, including install, monitor, upgrade, and convert; cannot delete agents or access agent config profiles.
Abilities and Capabilities
Roles are made up of capabilities which include a scope and an ability. These define the allowed actions and the set of data that they apply to. For example, the (HR, Read) capability should be read and interpreted as “Read ability on the HR scope”. This capability would allow access to the HR scope and all its children.
Ability | Description
---|---
Installer | Install, monitor, and upgrade software agents.
Audit | Global appliance data read support and access to change logs.
Read | Read all data, including flows, applications, and inventory filters.
Write | Make changes to applications and inventory filters.
Execute | Run automatic policy discovery and publish policies for analysis.
Enforce | Enforce policies that are defined in application workspaces associated with the given scope.
Important: Abilities are inherited; for example, the Execute ability grants all of the Read, Write, and Execute actions.
Important: Abilities apply to the scope and all of the scope's children.
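The two rules above (a capability is a scope + ability pair, it covers the scope's children, and higher abilities imply lower ones) are what an authorization check actually has to evaluate. The following is an added toy model of those semantics, written for this page and not Cisco Secure Workload code. It assumes that scope paths use ":" as the parent/child separator (as in "HR:Search"), that Read < Write < Execute < Enforce form one inheritance chain (the page only states that Execute implies Read and Write), and that Installer and Audit are standalone abilities that imply nothing else. The users, roles and the "Default" root scope name are constructed for the example.

```python
# Toy model of the RBAC semantics described above. Added illustration,
# not Cisco Secure Workload code.
#
# Assumptions not stated on the page:
#   - scope paths use ':' as the parent/child separator ("HR:Search")
#   - Read < Write < Execute < Enforce form one inheritance chain (the page
#     only states that Execute implies Read and Write)
#   - Installer and Audit are standalone abilities that imply nothing else
from dataclasses import dataclass, field

CHAIN = ["Read", "Write", "Execute", "Enforce"]   # assumed ordering
STANDALONE = {"Installer", "Audit"}               # assumed


def implied_abilities(ability: str) -> set[str]:
    """Abilities a holder of `ability` may exercise, including itself."""
    if ability in STANDALONE:
        return {ability}
    if ability not in CHAIN:
        raise ValueError(f"unknown ability: {ability}")
    return set(CHAIN[: CHAIN.index(ability) + 1])


def scope_covers(granted: str, target: str) -> bool:
    """True if `target` is `granted` itself or one of its descendants.

    The separator check matters: a capability on "HR" must not cover an
    unrelated scope such as "HRX" just because the names share a prefix.
    """
    return target == granted or target.startswith(granted + ":")


@dataclass(frozen=True)
class Capability:
    scope: str
    ability: str


@dataclass
class Role:
    name: str
    capabilities: frozenset[Capability]


@dataclass
class User:
    name: str
    roles: list[Role] = field(default_factory=list)


def granting_capabilities(user: User, scope: str, ability: str) -> list[tuple[str, Capability]]:
    """Every (role name, capability) pair that permits `ability` on `scope`.

    Returning the grants rather than a bare boolean makes it possible to
    audit *why* a user can do something, not just whether they can.
    """
    hits = []
    for role in user.roles:
        for cap in role.capabilities:
            if scope_covers(cap.scope, scope) and ability in implied_abilities(cap.ability):
                hits.append((role.name, cap))
    return hits


def is_allowed(user: User, scope: str, ability: str) -> bool:
    return bool(granting_capabilities(user, scope, ability))


def hr_search_engineer() -> User:
    """The page's example role: Read on HR plus Execute on HR:Search."""
    role = Role("HR Search Engineer", frozenset({
        Capability("HR", "Read"),
        Capability("HR:Search", "Execute"),
    }))
    return User("alice", [role])   # constructed user


def agent_installer() -> User:
    """Constructed example: Installer on an assumed root scope named Default."""
    role = Role("Agent Installer", frozenset({Capability("Default", "Installer")}))
    return User("bob", [role])     # constructed user


if __name__ == "__main__":
    u = hr_search_engineer()
    for scope, ability in [("HR:Search", "Execute"), ("HR:Search:Index", "Write"),
                           ("HR", "Write"), ("HR:Payroll", "Read"),
                           ("HRX", "Read"), ("HR:Search", "Enforce")]:
        print(f"{u.name} {ability:7} on {scope:16} -> {is_allowed(u, scope, ability)}")
```

Running the block shows the consequences of the two rules: Execute on HR:Search also grants Write on the child scope HR:Search:Index, Read on HR reaches the sibling child HR:Payroll, but Write on HR itself is refused (only Read was granted there), Enforce is refused everywhere, and HRX is not treated as a child of HR. The Agent Installer user can exercise Installer on any child of the root scope but cannot Read anything, which matches the menu-access table below.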
Menu Access by Role
The menu items that you see and use on the navigation pane depend on the assigned role:
Menu | Option | Tenant Owner | Agent Installer
---|---|---|---
Overview | Overview | Yes | No
Organize | Scopes and Inventory | Yes | No
Organize | Use Uploaded Labels | Yes | No
Organize | Inventory Filters | Yes | No
Defend | Segmentation | Yes | No
Defend | Enforcement Status | Yes | No
Defend | Policy Templates | Yes | No
Defend | Forensic Rules | Yes | No
Investigate | Traffic | Yes | No
Investigate | Alerts | Yes | No
Investigate | Vulnerabilities | Yes | No
Investigate | Forensics | Yes | No
Reporting | Reporting Dashboard | Yes | No
Manage | Agents | Yes | Yes
Manage | Alerts Configs | Yes | No
Manage | Change Logs | Yes | No
Manage | Connectors | Yes | No
Manage | External Orchestrators | Yes | No
Manage | Secure Connector | Yes | No
Manage | Virtual Appliances | Yes | No
Manage | Users | Yes | No
Manage | Roles | Yes | No
Manage | Collection Rules | Yes | No
Manage | Session Configuration | Yes | No
Manage | Usage Analytics | Yes | No
Manage | Data Tap Admin | Yes | No
Create a Role
Before you begin
You must already have a Site Admin or Customer Support user role.
- In the navigation bar on the left, click .
- Click Create New Role. The Roles panel appears.
Creating a role using the Create Role Wizard is a three-step process.
Procedure
Step 1
Step 2
Step 3
Edit a Role
This section explains how Site Admins and Customer Support users can edit roles.
Before you begin
You must be a Site Admin or Customer Support user.
- In the navigation bar on the left, click .
- In the row of the role to edit, click the Edit button in the right-hand column. The Roles panel appears.
Editing a role using the Edit Role Wizard is a three-step process.
Procedure
Step 1
Step 2
Step 3