Configuring Administrator Roles for Managing a Service Configuration

About Privileges

You can grant privileges to the roles that you configure in the Application Policy Infrastructure Controller (APIC). Privileges determine what tasks a role is allowed to perform. You can grant the following privileges to the administrator roles:

Privilege

Description

nw-svc-policy

The network service policy privilege enables you to do the following:

  • Create a service graph template
  • Attach a service graph template to an application endpoint group (EPG) and a contract
  • Monitor a service graph

nw-svc-device

The network service device privilege enables you to do the following:

  • Create a device
  • Create a concrete device
  • Create a device context

Note
Only the infrastructure administrator can upload a device package to the APIC.

Configuring a Role for Device Management

To enable a role to manage devices, you must grant the following privilege to that role:

  • nw-svc-device

Configuring a Role for Service Graph Template Management

To enable a role to manage service graph templatess, you must grant the following privilege to that role:

  • nw-svc-policy

Configuring a Role for Uploading Device Package

A device package can be uploaded only with the APIC infra admin privilege. Infra admin uploads the device packages. All other tenant administrators have read-only access to the device package. Tenant administrators can access and use various functions available from the device package.

Configuring a Role for Exporting Devices

Devices can be exported to enable sharing of devices among tenants. A tenant with the role nw-device can create a device. If the tenant that owns the device wants to share these with another tenant, the sharing requires the nw-svc-devshare privilege.

The nw-svc-devshare privilege allows a tenant to be able to export devices.


Note

To be able to use imported devices, other tenants that have imported devices need to have the nw-svc-policy privilege.