Role-Based Access Control (Cisco IOS XE Catalyst SD-WAN Release 17.12.x and Earlier)

Table 1. Feature History

Feature Name

Release Information

Description

Role-Based Access Control By Resource Group

Cisco IOS XE Catalyst SD-WAN Release 17.5.1a

Cisco vManage Release 20.5.1

This feature introduces role-based access control (RBAC) based on sites or resource groups. It is a method of authorizing system access for users based on a combination of user groups and resource groups.

For large Cisco Catalyst SD-WAN deployments across multiple geographical locations, this feature helps you to split the network administration among different regional administrators.

RBAC for Policies

Cisco IOS XE Catalyst SD-WAN Release 17.6.1a

Cisco vManage Release 20.6.1

This feature allows you to create users and user groups with required read and write permissions for Cisco SD-WAN Manager policies. RBAC for policies provides users with the access to all the details of policies to help maximize the operational efficiency. It makes it easier to meet configuration requirements and guarantees that authorized users on the system are only given access to what they need.

Co-Management: Granular Role-Based Access Control for Feature Templates

Cisco vManage Release 20.7.1

This feature introduces greater granularity in assigning RBAC permissions for template use. This enables you to give a tenant self-management of network configuration tasks. Network administrators and managed service providers can use this feature to assign permissions to their end customers.

Co-Management: Improved Granular Configuration Task Permissions

Cisco vManage Release 20.9.1

To enable a user to self-manage specific configuration tasks, you can assign the user permissions to perform specific configuration tasks while excluding other tasks.

This feature introduces numerous new permission options, enabling fine granularity in determining which configuration task permissions to provide to a user. .

RBAC for Security Operations and Network Operations Default User Groups

Cisco vManage Release 20.9.1

This feature provides the following default user groups:

  • network_operations user group for non-security policies

  • security_operations user group for security policies

RBAC for policies allows you to create users and user groups with the required read and write permissions for security and non-security policies. Users can perform configuration and monitoring actions only for the authorized policy type.

Co-Management: Improved Granular Configuration for Resource group features

Cisco vManage Release 20.11.1

To enable a user to self-manage specific configuration tasks, you can assign the user permissions to perform specific configuration tasks while excluding other tasks.

This feature introduces new permission options for the following configuration groups and feature profiles.

  • AppQoE under other feature profile

  • GPS under transport feature profile

  • Cisco VPN Interface GRE under WAN/LAN profile.

  • Cisco VPN Interface IPsec under WAN profile.

  • Cisco Multicast under LAN profile.

  • UCSE under other feature profile.

  • IPv4 Tracker and Tracker Group under transport and service feature profiles.

  • IPv6 DIA Tracker and Tracker Group, under transport feature profile.

Assigning Roles Locally for SSO-Authenticated Users

Cisco vManage Release 20.11.1

If you are using an identity provider, such as Okta, for security assertion markup language (SAML)-based single sign-on (SSO), then in most use cases, you define user roles through the identity provider. This feature enables you to assign user groups locally in Cisco SD-WAN Manager, in case no roles are defined for the user by the identity provider.

Information About RBAC

Role-Based Access Control by VPN

Role-based access control (RBAC) is the process of restricting user access to network configurations and resources. In RBAC, users are assigned roles depending on the resources they need access to. The RBAC by VPN feature helps you to manage and control access to your network based on the VPNs. It involves setting permissions and privileges to enable access to authorized users.

RBAC by VPN

Role-based access by VPN allows a network administrator to define VPN groups with one or more network segments. The network administrator can associate a user with a VPN group that restricts user access to devices in the network and features of Cisco SD-WAN Manager.

RBAC by VPN provides the following restricted access to users configured with a VPN group:

  • Access to VPN Dashboard

  • Monitor devices, network, and application status via VPN dashboard

  • VPN dashboard information restricted to devices with segments in the VPN group

  • Monitor option restricted to devices with segments in the VPN group

  • Interface monitoring on each device restricted to interfaces of segments in the VPN group

VPN Dashboard Overview

Users configured with VPN group can access only the VPN Dashboard, and it is read-only access. User with Admin access can create the VPN groups and has access to both Admin Dashboard and VPN Dashboard(s). Admin user can access these dashboards by choosing Dashboard from the Cisco SD-WAN Manager menu.

Role-Based Access with AAA

The Cisco Catalyst SD-WAN AAA software implements role-based access to control the authorization permissions for users on Cisco IOS XE Catalyst SD-WAN devices. Role-based access consists of three components:

  • Users are those who are allowed to log in to a Cisco IOS XE Catalyst SD-WAN device.

  • User groups are collections of users.

  • Privileges are associated with each group. They define the commands that the group's users are authorized to issue.

Users and User Groups

All users who are permitted to perform operations on a Cisco IOS XE Catalyst SD-WAN device must have a login account. For the login account, you configure a username and a password on the device itself. These allow the user to log in to that device. A username and password must be configured on each device that a user is allowed to access.

The Cisco Catalyst SD-WAN software provides one standard username, admin, which is a user who has full administrative privileges, similar to a UNIX superuser. By default, the admin username password is admin. You cannot delete or modify this username, but you can and should change the default password.

User groups pool together users who have common roles, or privileges, on the Cisco IOS XE Catalyst SD-WAN device. As part of configuring the login account information, you specify which user group or groups that user is a member of. You do not need to specify a group for the admin user, because this user is automatically in the user group netadmin​ and is permitted to perform all operations on the Cisco IOS XE Catalyst SD-WAN device.

The user group itself is where you configure the privileges associated with that group. These privileges correspond to the specific commands that the user is permitted to execute, effectively defining the role-based access to the Cisco Catalyst SD-WAN software elements.

The Cisco Catalyst SD-WAN software provides the following standard user groups:

  • basic: The basic group is a configurable group and can be used for any users and privilege levels. This group is designed to include users who have permission to both view and modify information on the device.

  • operator: The operator group is also a configurable group and can be used for any users and privilege levels. This group is designed to include users who have permission only to view information.

  • netadmin: The netadmin group is a non-configurable group. By default, this group includes the admin user. You can add other users to this group. Users in this group are permitted to perform all operations on the device.

  • Minimum supported release: Cisco vManage Release 20.9.1

    network_operations: The network_operations group is a non-configurable group. Users in this group can perform all non-security-policy operations on the device and only view security policy information. For example, users can create or modify template configurations, manage disaster recovery, and create non-security policies such as application aware routing policy or CFlowD policy.

  • Minimum supported release: Cisco vManage Release 20.9.1

    security_operations: The security_operations group is a non-configurable group. Users in this group can perform all security operations on the device and only view non-security-policy information. For example, users can manage umbrella keys, licensing, IPS signatures auto update, TLS/SSL proxy settings, and so on.

Users of the network_operations group are authorized to apply policies to a device, revoke applied policies, and edit device templates. Users of the security_operations group require network_operations users to intervene on day-0 to deploy security policy on a device and on day-N to remove a deployed security policy. However, after a security policy is deployed on a device, security_operations users can modify the security policy without needing the network_operations users to intervene.


Note


Only admin users can view running and local configuration. Users associated with predefined operator user group do not have access to the running and local configurations. The predefined user group operator has only read access for the template configuration. If you need only a subset of admin user privileges, then you need to create a new user group with the selected features from the features list with both read and write access and associate the group with the custom user.

Privileges for Role-Based Access

Role-based access privileges are arranged into five categories, which are called tasks:

  • Interface—Privileges for controlling the interfaces on the Cisco IOS XE Catalyst SD-WAN device.

  • Policy—Privileges for controlling control plane policy, OMP, and data plane policy.

  • Routing—Privileges for controlling the routing protocols, including BFD, BGP, OMP, and OSPF.

  • Security—Privileges for controlling the security of the device, including installing software and certificates. Only users belonging to the netadmin group can install software on the system.

  • System—General systemwide privileges.

The tables in the following sections detail the AAA authorization rules for users and user groups. These authorization rules apply to commands issued from the CLI and to those issued from Netconf.

User Authorization Rules for Operational Commands

The user authorization rules for operational commands are based simply on the username. Any user who is allowed to log in to the Cisco IOS XE Catalyst SD-WAN device can execute most operational commands. However, only the admin user can issue commands that affect the fundamental operation of the device, such as installing and upgrading the software and shutting down the device.

Note that any user can issue the config command to enter configuration mode, and once in configuration mode, they are allowed to issue any general configuration command. Also, any user is allowed to configure their password by issuing the system aaa user self password password command and then committing that configuration change. For the actual commands that configure device operation, authorization is defined according to user group membership. See User Group Authorization Rules for Configuration Commands.

The following tables lists the AAA authorization rules for general CLI commands. All the commands are operational commands except as noted. Also, some commands available to the "admin" user are available only if that user is in the "netadmin" user group.

CLI Command

Any User

Admin User

clear history

X

X

commit confirm

X

X

complete-on-space

X

X

config

X

X

exit

X

X

file

X

X

help

X

X

[no] history

X

X

idle-timeout

X

X

job

X

X

logout

X (users in netadmin group only)

monitor

X

X

nslookup

X

X

paginate

X

X

ping

X (users in netadmin group only)

X (users in netadmin group only)

poweroff

X(users in netadmin group only)

prompt1

X

X

prompt2

X

X

quit

X

X

reboot

X (users in netadmin group only)

request aaa request admin-tech request firmware request interface-reset request nms request reset request software

X (users in netadmin group only)

request execute request download request upload

X

X

request (everything else)

X

rollback (configuration mode command)

X (users in netadmin group only)

screen-length

X

X

screen-width

X

X

show cli

X

X

show configuration commit list

X

X

show history

X

X

show jobs

X

X

show parser dump

X

X

show running-config

X

X

show users

X

X

system aaa user self password password (configuration mode command) (Note: A user cannot delete themselves)

tcpdump

X

X

timestamp

X

X

tools ip-route

X

X

tools netstat

X

X

tools nping

X

X

traceroute

X

X

vshell

X

(The availability of vshell command is unavailable to all users that are not in netadmin group in Cisco vManage Release 20.9.5.)

X

(The vshell AAA authorized access is limited only to users that are in netadmin group.)

User Group Authorization Rules for Operational Commands

The following table lists the user group authorization roles for operational commands.

Operational Command

Interface

Policy

Routing

Security

System

clear app

X

clear app-route

X

clear arp

clear bfd

X

X

clear bgp

X

X

clear bridge

X

clear cellular

X

clear control

X

clear crash

X

clear dhcp

X

clear dns

X

clear igmp

X

clear installed-certificates

X

clear interface

X

clear ip

X

clear notification

X

clear omp

X

clear orchestrator

X

clear ospf

X

clear pim

X

clear policy

X

clear pppoe

X

clear system

X

clear tunnel

X

clear wlan

X

clear ztp

X

X

clock

X

debug bgp

X

debug cellular

X

debug cflowd

X

debug chmgr

X

debug config-mgr

X

debug dhcp-client

X

debug dhcp-helper

X

debug dhcp-server

X

debug fpm

X

debug ftm

X

debug igmp

X

debug netconf

X

debug omp

X

debug ospf

X

debug pim

X

debug resolver

X

debug snmp

X

debug sysmgr

X

debug transport

X

debug ttm

X

debug vdaemon

X

X

debug vrrp

X

debug wlan

X

request certificate

X

request control-tunnel

X

request controller

X

request controller-upload

X

request csr

X

request device

X

request device-upload

X

request on-vbond-controller

X

request port-hop

X

request root-cert-chain

X

request security

X

request vedge

X

request vedge-upload

X

request vsmart-upload

X

show aaa

X

show app

X

show app-route

X

show arp

X

show bfd

X

X

show bgp

X

show boot-partition

X

show bridge

X

show cellular

X

show certificate

X

show clock

X

show control

X

X

show crash

X

show debugs—same as debug commands

show dhcp

X

show external-nat

X

X

show hardware

X

show igmp

X

show interface

X

show ip

X

X

show ipsec

X

show licenses

X

show logging

X

show multicast

X

show nms-server

X

show notification

X

show ntp

X

show omp

X

X

X

show orchestrator

X

show ospf

X

show pim

X

show policer

X

show policy

X

show ppp

X

show pppoe

X

show reboot

X

show security-info

X

show software

X

show system

X

show transport

X

show tunnel

X

show uptime

X

show users

X

show version

X

show vrrp

X

show wlan

X

show ztp

X

User Group Authorization Rules for Configuration Commands

The following table lists the user group authorization rules for configuration commands.

Configuration Command

Interface

Policy

Routing

Security

System

apply-policy

X

banner

X

bfd

X

X

bridge

X

omp

X

X

X

policy

X

security

X

X

snmp

X

system

X

vpn interface

X

vpn ip 

X

vpn router

X

vpn service

X

vpn (everything else, including creating, deleting, and naming)

X

wlan

X

RBAC By Resource Group Overview

Minimum supported releases: Cisco IOS XE Catalyst SD-WAN Release 17.5.1a and Cisco vManage Release 20.5.1

RBAC by resource groups is a method of restricting or authorizing system access for users based on user groups and resource groups. A user group defines the privileges of a user in the system and the resource group defines the organizations (domains) to which a user is allowed access. Because users are not directly assigned privileges, management of individual user privileges is simply a matter of assigning the appropriate user and resource groups.

For large Cisco Catalyst SD-WAN deployments across multiple geographical locations, you can split the network administration among different regional adminstrators.

Based on the user groups and resources groups to which network administrators are assigned, we can broadly classify them as Global Administrators and Regional Administrators. Global administrators have access to resources in every resource group and have full read-write privileges for all the features. Regional Administrators group have full read-write privileges for all the features, but the resources they can access is controlled by the resource groups to which they are assigned.

Global Admin

User accounts in the global resource group have access to all resources. A global admin is responsible for overseeing the entire network, but not involved in the operations of the individual devices on a daily basis. The global admin can assign devices to their corresponding regions, assign the regional admin accounts, manage the controllers, maintain sharable and centralized configurations, and when necessary, operate on the individual devices.

Any user in a single tenant setup with netadmin privileges and also part of global resource group is considered as global admin. Default admin user on Cisco SD-WAN Manager is also a global-admin, and that user can assign more global-admins. Global resource group encompasses all the WAN edges, controllers in the single view.

Global admin can switch to view only a specific resource group and can create templates. Local resource group admins, also called regional admins can clone the global templates and reuse them within their resource groups.

Regional Admin

The regional admins are responsible for day-to-day operations (configuration, monitoring, onboarding, and so on) for devices in their corresponding regions. They should not have access to or visibility into devices outside of their region. The following user groups can be created:

  • resource group admin – full read/write access to devices in the corresponding resource group, can troubleshoot, monitor, attach or detach templates for the WAN edges in their group

  • resource group operator – read-only access to WAN edges within their resource group

  • resource group basic – basic access

Resource group admins can create new templates and attach or detach to the WAN edges in their group. They can also copy global templates and re-use them.

Resource group decides which resources the user has access to. However, the level of access is controlled by the existing user group.

  • If user is in resource_group_a and user group resource_group_admin, they have full read/write access to all resources in resource_group_a.

  • If user is in resource_group_a and user group resource_group_operator, they have read only access to all resources in resource_group_a.

  • If user is in resource_group_a and user group resource_group_basic, they have read only access to interface and system resources in resource_group_a.

Global Resource Group

Global group is a special system pre-defined resource group that has different access control rules.

  • Users within this group are considered as global-admins, who can have full access to all resources (devices, templates and policies) in the system and they can manage the resource groups and assign resources and users to groups.

  • All other users have read-only access to resources within this group.

  • The system default admin account (or tenantadmin account in a multi-tenant setup) is always in this group. This privilege cannot be changed. However, the admin account may add/remove other user accounts to or from this group.

IdP (SSO)-Managed Group

An identity provider (IdP) is a service that stores and verifies user identity. IdPs typically work with single sign-on (SSO) providers to authenticate users. If a user is authenticated with a SSO service of an IdP, the group information is also provided and managed by the IDP. An IdP passes the information about the user, including the user name and all the group names, where the user belongs to. Cisco SD-WAN Manager matches the group names with the group names stored in the database to further distinguish if a particular group name passed from IdP is for user group or resource group or VPN group.

Multi-Tenancy Support

With Cisco Catalyst SD-WAN multitenancy, a service provider can manage multiple customers, called tenants, from Cisco SD-WAN Manager. The tenants share Cisco SD-WAN Manager instances, Cisco SD-WAN Validator, and Cisco SD-WAN Controller. The domain name of the service provider has subdomains for each tenant. Cisco SD-WAN Manager is deployed and configured by the service provider. The provider enables multitenancy and creates a Cisco SD-WAN Manager cluster to serve tenants. Only the provider can access a Cisco SD-WAN Manager instance through the SSH terminal.

Provider has the following features:

  • resource group is not applicable as the provider manages only the controllers.

  • when provider provisions a new tenant, the default user account for the tenant is tenantadmin.

  • other user accounts created by the provider are included in the default global resource group.

  • when a provider creates a template for a tenant, the template is included in to the global resource group.

RBAC for Policies Overview

Minimum supported releases: Cisco IOS XE Catalyst SD-WAN Release 17.6.1a and Cisco vManage Release 20.6.1

RBAC for policies allows a user or user group to have selective Read and Write (RW) access to Cisco SD-WAN Manager policies. For example,

  • A user with RW access for Cflowd policy can only configure Cflowd policy, but cannot configure application-aware routing policy.

  • A user with RW access for application aware routing policy can only configure application-aware routing policy, but cannot configure other policies.

This feature is only supported for centralized and localized policies, but not supported for security policies.

Information About Granular RBAC for Templates

Minimum supported release: Cisco vManage Release 20.7.1

When setting user group permissions, you can use the following template permissions to provide an RBAC user with a specific degree of access to different types of templates. This gives you control over the types of device configurations that an RBAC user can apply.

Permission

Description

CLI Add-On Template

Provides access to the CLI add-on feature template.

Device CLI Template

Provides access to the device CLI template.

SIG Template

Provides access to the SIG feature template and SIG credential template.

Other Feature Templates

Provides access to all feature templates except the SIG feature template, SIG credential template, and CLI add-on feature template.

Feature Profile

Provides access to all feature profiles.

Config Group

Provides access to all the configuration groups.

You can specify granular RBAC for each feature profile by expanding it. With the set permissions to the usergroup, ensure that you are able to access required feature profiles from Templates > Configuration Groups.

Single-Tenant and Multi-Tenant Scenarios

You can use granular RBAC for feature templates in single-tenant and multi-tenant Cisco SD-WAN Manager scenarios.

You can create user groups to assign specific permissions to a tenant's various teams, enabling teams to manage only specific network services without granting permission to use device CLI templates. It might be undesirable to give a tenant permission to apply device CLI templates, as the device CLI template can override any other template or device configuration.

For example, you can create a user group for a tenant's security operations group, giving them read/write access only to the SIG Template option, which would enable the security operations group to work on security configuration.

Information About Granular Configuration Task Permissions

From Cisco vManage Release 20.9.1, numerous user permission options are available, providing you fine granularity when assigning a user with permissions to manage specific configuration tasks related to configuration groups and feature profiles.

Information About Assigning Roles Locally to a User Defined by an Identity Provider

Minimum release: Cisco vManage Release 20.11.1

When you define users in an identity provider, such as Okta, for SAML SSO, one attribute that you can define for each user is the role.

When a user logs in to a Cisco SD-WAN Manager instance, Cisco SD-WAN Manager retrieves information about the user from the identity provider, including the user’s role or roles. The roles defined in the identity provider map to user group permissions in Cisco SD-WAN Manager. Based on the roles of the user, Cisco SD-WAN Manager provides the user with the permissions defined by the corresponding user group.

You can assign roles locally (not depending on the identify provider) for a user profile that does not have a role defined in the identity provider.

If you have defined roles for a user through the identity provider and have also assigned user groups locally for the same user, the roles defined through the identity provider take priority.

The following table summarizes the ways to provide a user with specific permissions:

Using or Not Using an Identity Provider for SAML SSO

Roles Defined in the Identity Provider

How User Permissions Are Defined

Not using an identity provider

Not applicable

In Cisco SD-WAN Manager, assign a user to one or more user groups locally. This provides the user with the corresponding user group permissions.

Using an identity provider

Identity provider has one or more roles defined for the user.

Define roles for the user through the identity provider. Cisco SD-WAN Manager provides the user with the user group permissions corresponding to the roles.

Identity provider does not have a role defined for the user.

Use the Remote User option when adding a user (Administration > Manage Users > Add User). See Add a User.

In Cisco SD-WAN Manager, assign a user to one or more user groups locally. This provides the user with the corresponding user group permissions.

Benefits of RBAC

Benefits of Granular RBAC for Feature Templates

Minimum supported release: Cisco vManage Release 20.7.1

The permissions that you add for co-management are useful for providing detailed control over access to network configuration. They are useful when using Cisco Catalyst SD-WAN with tenants, enabling you to provide a tenant access to specific types of templates. This enables you to give the tenant self-management of network configuration tasks within the tenant's VPN.

For information about the permissions added for co-management, see Information About Granular RBAC for Templates.

Restrictions for RBAC

Restrictions for Granular RBAC for Feature Templates

Minimum supported release: Cisco vManage Release 20.7.1

  • To use any of the template restriction options that are provided for RBAC for co-management, provide permissions for the Template Configuration option. If a specific user role does not have any permissions assigned in the Template Configuration option, the Templates menu does not appear for the user in Cisco SD-WAN Manager. See Manage Users.

  • To enable an RBAC user to apply templates to devices, provide Write permission to the Template Deploy option.

Use Cases for RBAC

Use Cases for Assigning Roles Locally to a User Defined by an Identity Provider

Minimum release: Cisco vManage Release 20.11.1

An organization uses the identity provider, Okta, to authenticate users logging in to Cisco SD-WAN Manager.

A user defined through the identity provider has not been assigned any roles. A network administrator with access to Cisco SD-WAN Manager, but no access to the identity provider, can locally assign the user to a specific user group to provide the user with specific permissions.

Configure RBAC

Manage Users

From the Cisco SD-WAN Manager menu, choose Administration > Manage Users to add, edit, view, or delete users and user groups.

Please note the following:

  • Only a user logged in as the admin user or a user who has Manage Users write permission can add, edit, or delete users and user groups from Cisco SD-WAN Manager.

  • Each user group can have read or write permission for the features listed in this section. Write permission includes Read permission.

  • All user groups, regardless of the read or write permissions selected, can view the information displayed in the Cisco SD-WAN Manager Dashboard.

Table 2. User Group Permissions for Different Device Types

Permissions

See This Section

User group permissions related to Cisco IOS XE Catalyst SD-WAN device configuration.

User Group Permissions: Cisco IOS XE Catalyst SD-WAN Devices

User group permissions related to Cisco Catalyst Wireless Gateway device configuration.

User Group Permissions: Cisco Catalyst Wireless Gateway Devices

User Group Permissions: Cisco IOS XE Catalyst SD-WAN device

Table 3. User Group Permissions: Cisco IOS XE Catalyst SD-WAN devices

Feature

Read Permission

Write Permission

Alarms

Set alarm filters and view the alarms generated on the devices on the Monitor > Logs > Alarms page.

Cisco vManage Release 20.6.x and earlier: Set alarm filters and view the alarms generated on the devices on the Monitor > Alarms page.

No additional permissions.

Audit Log

Set audit log filters and view a log of all the activities on the devices on the Monitor > Logs > Alarms page and the Monitor > Logs > Audit Log page.

Cisco vManage Release 20.6.x and earlier: Set audit log filters and view a log of all the activities on the devices on the Monitor > Alarms page and the Monitor > Audit Log page.

No additional permissions.

Certificates

View a list of the devices in the overlay network under Configuration > Certificates > WAN Edge List.

View a certificate signing request (CSR) and certificate on the Configuration > Certificates > Controllers window.

Note

 

Starting from Cisco IOS XE Catalyst SD-WAN Release 17.13.1a, the Controllers tab is renamed as the Control Components tab to stay consistent with Cisco Catalyst SD-WAN rebranding.

Validate and invalidate a device, stage a device, and send the serial number of valid controller devices to the Cisco Catalyst SD-WAN Validator on the Configuration > Certificates > WAN Edge List window.

Generate a CSR, install a signed certificate, reset the RSA key pair, and invalidate a controller device on the Configuration > Certificates > Controllers window.

Note

 

Starting from Cisco IOS XE Catalyst SD-WAN Release 17.13.1a, the Controllers tab is renamed as the Control Components tab to stay consistent with Cisco Catalyst SD-WAN rebranding.

CLI Add-On Template

(Minimum supported release: Cisco vManage Release 20.7.1)

View the CLI add-on feature template on the Configuration > Templates window.

Note

 

This operation requires read permission for Template Configuration.

Create, edit, delete, and copy a CLI add-on feature template on the Configuration > Templates window.

Note

 

These operations require write permission for Template Configuration.

Note

 

For information about this option, see Information About Granular RBAC for Feature Templates

Cloud OnRamp

View the cloud applications on theConfiguration > Cloud OnRamp for SaaS and Configuration > Cloud OnRamp for IaaS window.

No additional permissions.

Cluster

View information about the services running on Cisco SD-WAN Manager, a list of devices connected to a Cisco SD-WAN Manager server, and the services that are available and running on all the Cisco SD-WAN Manager servers in the cluster on the Administration > Cluster Management window.

Change the IP address of the current Cisco SD-WAN Manager, add a Cisco SD-WAN Manager server to the cluster, configure the statistics database, edit, and remove a Cisco SD-WAN Manager server from the cluster on the Administration > Cluster Management window.

Colocation

View the cloud applications on the Configuration > Cloud OnRamp for Colocation window.

No additional permissions.

Config Group > Device > Deploy

(Minimum supported release: Cisco vManage Release 20.9.1)

This permission does not provide any functionality.

Deploy a configuration onto Cisco IOS XE Catalyst SD-WAN devices.

Note

 

To edit an existing feature configuration requires write permission for Template Configuration.

For more details on deploying devices, see Deploy Devices.

Device CLI Template

(Minimum supported release: Cisco vManage Release 20.7.1)

View the device CLI template on the Configuration > Templates window.

Note

 

This operation requires read permission for Template Configuration.

Create, edit, delete, and copy a device CLI template on the Configuration > Templates window.

Note

 

These operations require write permission for Template Configuration.

Note

 

For information about this option, see Information About Granular RBAC for Feature Templates

Device Inventory

View the running and local configuration of devices, a log of template activities, and the status of attaching configuration templates to devices on the Configuration > Devices > WAN Edge List window.

View the running and local configuration of the devices and the status of attaching configuration templates to controller devices on the Configuration > Devices > Controllers window.

Note

 

Starting from Cisco IOS XE Catalyst SD-WAN Release 17.13.1a, the Controllers tab is renamed as the Control Components tab to stay consistent with Cisco Catalyst SD-WAN rebranding.

Upload a device's authorized serial number file to Cisco SD-WAN Manager, toggle a device from Cisco SD-WAN Manager configuration mode to CLI mode, copy a device configuration, and delete the device from the network on the Configuration > Devices > WAN Edge List window.

Add and delete controller devices from the overlay network, and edit the IP address and login credentials of a controller device on the Configuration > Devices > Controllers window.

Note

 

Starting from Cisco IOS XE Catalyst SD-WAN Release 17.13.1a, the Controllers tab is renamed as the Control Components tab to stay consistent with Cisco Catalyst SD-WAN rebranding.

Device Monitoring

View the geographic location of the devices on the Monitor > Geography window.

View events that have occurred on the devices on the Monitor > Logs > Events page.

Cisco vManage Release 20.6.x and earlier: View events that have occurred on the devices on the Monitor > Events page.

View a list of devices in the network, along with device status summary, SD-WAN Application Intelligence Engine (SAIE) and Cflowd flow information, transport location (TLOC) loss, latency, and jitter information, control and tunnel connections, system status, and events on the Monitor > Devices page (only when a device is selected).

Note

 

In Cisco vManage Release 20.7.x and earlier releases, the SAIE flow is called the deep packet inspection (DPI) flow.

Cisco vManage Release 20.6.x and earlier: Device information is available in the Monitor > Network page.

Ping a device, run a traceroute, and analyze the traffic path for an IP packet on the Monitor > Devices page (only when a device is selected).

Note

 

These operations require read and write permissions for Device Monitoring.

Device Reboot

View the list of devices on which the reboot operation can be performed on the Maintenance > Device Reboot window.

Reboot one or more devices on the Maintenance > Device Reboot window.

Disaster Recovery

View information about active and standby clusters running on Cisco SD-WAN Manager on the Administration > Disaster Recovery window.

No additional permissions.

Events

View the geographic location of the devices on the Monitor > Logs > Events page.

View the geographic location of the devices on the Monitor > Events page.

Ping a device, run a traceroute, and analyze the traffic path for an IP packet on the Monitor > Logs > Events page (only when a device is selected).

Feature Profile > Other > Thousandeyes

(Minimum supported release: Cisco vManage Release 20.9.1)

View the ThousandEyes settings on the Configuration > Templates > (View configuration group) page, in the Other Profile section.

Note

 

This operation requires read permission for Template Configuration.

Create, edit, and delete the ThousandEyes settings on the Configuration > Templates > (Add or edit configuration group) page, in the Other Profile section.

Note

 

These operations require write permission for Template Configuration.

Feature Profile > Service > Dhcp

(Minimum supported release: Cisco vManage Release 20.9.1)

View the DHCP settings on the Configuration > Templates > (View configuration group) page, in the Service Profile section.

Note

 

This operation requires read permission for Template Configuration.

Create, edit, and delete the DHCP settings on the Configuration > Templates > (Add or edit configuration group) page, in the Service Profile section.

Note

 

These operations require write permission for Template Configuration.

Feature Profile > Service > Lan/Vpn

(Minimum supported release: Cisco vManage Release 20.9.1)

View the LAN/VPN settings on the Configuration > Templates > (View configuration group) page, in the Service Profile section.

Note

 

This operation requires read permission for Template Configuration.

Create, edit, and delete the LAN/VPN settings on the Configuration > Templates > (Add or edit configuration group) page, in the Service Profile section.

Note

 

These operations require write permission for Template Configuration.

Feature Profile > Service > Lan/Vpn/Interface/Ethernet

(Minimum supported release: Cisco vManage Release 20.9.1)

View the Ethernet Interface settings on the Configuration > Templates > (View configuration group) page, in the Service Profile section.

Note

 

This operation requires read permission for Template Configuration.

Create, edit, and delete the Ethernet Interface settings on the Configuration > Templates > (Add or edit configuration group) page, in the Service Profile section.

Note

 

These operations require write permission for Template Configuration.

Feature Profile > Service > Lan/Vpn/Interface/Svi

(Minimum supported release: Cisco vManage Release 20.9.1)

View the SVI Interface settings on the Configuration > Templates > (View configuration group) page, in the Service Profile section.

Note

 

This operation requires read permission for Template Configuration.

Create, edit, and delete the SVI Interface settings on the Configuration > Templates > (Add or edit configuration group) page, in the Service Profile section.

Note

 

These operations require write permission for Template Configuration.

Feature Profile > Service > Routing/Bgp

(Minimum supported release: Cisco vManage Release 20.9.1)

View the Routing/BGP settings on the Configuration > Templates > (View configuration group) page, in the Service Profile section.

Note

 

This operation requires read permission for Template Configuration.

Create, edit, and delete the Routing/BGP settings on the Configuration > Templates > (Add or edit configuration group) page, in the Service Profile section.

Note

 

These operations require write permission for Template Configuration.

Feature Profile > Service > Routing/Ospf

(Minimum supported release: Cisco vManage Release 20.9.1)

View the Routing/OSPF settings on the Configuration > Templates > (View configuration group) page, in the Service Profile section.

Note

 

This operation requires read permission for Template Configuration.

Create, edit, and delete the Routing/OSPF settings on the Configuration > Templates > (Add or edit configuration group) page, in the Service Profile section.

Note

 

These operations require write permission for Template Configuration.

Feature Profile > Service > Switchport

(Minimum supported release: Cisco vManage Release 20.9.1)

View the Switchport settings on the Configuration > Templates > (View configuration group) page, in the Service Profile section.

Note

 

This operation requires read permission for Template Configuration.

Create, edit, and delete the Switchport settings on the Configuration > Templates > (Add or edit configuration group) page, in the Service Profile section.

Note

 

These operations require write permission for Template Configuration.

Feature Profile > Service > Wirelesslan

(Minimum supported release: Cisco vManage Release 20.9.1)

View the Wireless LAN settings on the Configuration > Templates > (View configuration group) page, in the Service Profile section.

Note

 

This operation requires read permission for Template Configuration.

Create, edit, and delete the Wireless LAN settings on the Configuration > Templates > (Add or edit configuration group) page, in the Service Profile section.

Note

 

These operations require write permission for Template Configuration.

Feature Profile > System > Interface/Ethernet > Aaa

(Minimum supported release: Cisco vManage Release 20.9.1)

View the AAA settings on the Configuration > Templates > (View configuration group) page, in the System Profile section.

Note

 

This operation requires read permission for Template Configuration.

Create, edit, and delete the AAA settings on the Configuration > Templates > (Add or edit configuration group) page, in the System Profile section.

Note

 

These operations require write permission for Template Configuration.

Feature Profile > System > Interface/Ethernet > Banner

(Minimum supported release: Cisco vManage Release 20.9.1)

View the Banner settings on the Configuration > Templates > (View configuration group) page, in the System Profile section.

Note

 

This operation requires read permission for Template Configuration.

Create, edit, and delete the Banner settings on the Configuration > Templates > (Add or edit configuration group) page, in the System Profile section.

Note

 

These operations require write permission for Template Configuration.

Feature Profile > System > Basic

(Minimum supported release: Cisco vManage Release 20.9.1)

View the Basic settings on the Configuration > Templates > (View configuration group) page, in the System Profile section.

Note

 

This operation requires read permission for Template Configuration.

Create, edit, and delete the Basic settings on the Configuration > Templates > (Add or edit configuration group) page, in the System Profile section.

Note

 

These operations require write permission for Template Configuration.

Feature Profile > System > Bfd

(Minimum supported release: Cisco vManage Release 20.9.1)

View the BFD settings on the Configuration > Templates > (View configuration group) page, in the System Profile section.

Note

 

This operation requires read permission for Template Configuration.

Create, edit, and delete the BFD settings on the Configuration > Templates > (Add or edit configuration group) page, in the System Profile section.

Note

 

These operations require write permission for Template Configuration.

Feature Profile > System > Global

(Minimum supported release: Cisco vManage Release 20.9.1)

View the Global settings on the Configuration > Templates > (View configuration group) page, in the System Profile section.

Note

 

This operation requires read permission for Template Configuration.

Create, edit, and delete the Global settings on the Configuration > Templates > (Add or edit configuration group) page, in the System Profile section.

Note

 

These operations require write permission for Template Configuration.

Feature Profile > System > Logging

(Minimum supported release: Cisco vManage Release 20.9.1)

View the Logging settings on the Configuration > Templates > (View configuration group) page, in the System Profile section.

Note

 

This operation requires read permission for Template Configuration.

Create, edit, and delete the Logging settings on the Configuration > Templates > (Add or edit configuration group) page, in the System Profile section.

Note

 

These operations require write permission for Template Configuration.

Feature Profile > System > Ntp

(Minimum supported release: Cisco vManage Release 20.9.1)

View the NTP settings on the Configuration > Templates > (View configuration group) page, in the System Profile section.

Note

 

This operation requires read permission for Template Configuration.

Create, edit, and delete the NTP settings on the Configuration > Templates > (Add or edit configuration group) page, in the System Profile section.

Note

 

These operations require write permission for Template Configuration.

Feature Profile > System > Omp

(Minimum supported release: Cisco vManage Release 20.9.1)

View the OMP settings on the Configuration > Templates > (View configuration group) page, in the System Profile section.

Note

 

This operation requires read permission for Template Configuration.

Create, edit, and delete the OMP settings on the Configuration > Templates > (Add or edit configuration group) page, in the System Profile section.

Note

 

These operations require write permission for Template Configuration.

Feature Profile > System > Snmp

(Minimum supported release: Cisco vManage Release 20.9.1)

View the SNMP settings on the Configuration > Templates > (View configuration group) page, in the System Profile section.

Note

 

This operation requires read permission for Template Configuration.

Create, edit, and delete the SNMP settings on the Configuration > Templates > (Add or edit configuration group) page, in the System Profile section.

Note

 

These operations require write permission for Template Configuration.

Feature Profile > Transport > Cellular Controller

(Minimum supported release: Cisco vManage Release 20.9.1)

View the Cellular Controller settings on the Configuration > Templates > (View a configuration group) page, in the Transport & Management Profile section.

Note

 

This operation requires read permission for Template Configuration.

Create, edit, and delete the Cellular Controller settings on the Configuration > Templates > (Add or edit a configuration group) page, in the Transport & Management Profile section.

Note

 

These operations require write permission for Template Configuration.

Feature Profile > Transport > Cellular Profile

(Minimum supported release: Cisco vManage Release 20.9.1)

View the Cellular Profile settings on the Configuration > Templates > (View a configuration group) page, in the Transport & Management Profile section.

Note

 

This operation requires read permission for Template Configuration.

Create, edit, and delete the Cellular Profile settings on the Configuration > Templates > (Add or edit a configuration group) page, in the Transport & Management Profile section.

Note

 

These operations require write permission for Template Configuration.

Feature Profile > Transport > Management/Vpn

(Minimum supported release: Cisco vManage Release 20.9.1)

View the Management VPN settings on the Configuration > Templates > (View configuration group) page, in the Transport & Management Profile section.

Note

 

This operation requires read permission for Template Configuration.

Create, edit, and delete the Management VPN settings on the Configuration > Templates > (Add or edit a configuration group) page, in the Transport & Management Profile section.

Note

 

These operations require write permission for Template Configuration.

Feature Profile > Transport > Management/Vpn/Interface/Ethernet

(Minimum supported release: Cisco vManage Release 20.9.1)

View the Management Ethernet Interface settings on the Configuration > Templates > (View configuration group) page, in the Transport & Management Profile section.

Note

 

This operation requires read permission for Template Configuration.

Create, edit, and delete the Management VPN and Management Internet Interface settings on the Configuration > Templates > (Add or edit a configuration group) page, in the Transport & Management Profile section.

Note

 

These operations require write permission for Template Configuration.

Feature Profile > Transport > Routing/Bgp

(Minimum supported release: Cisco vManage Release 20.9.1)

View the BGP Routing settings on the Configuration > Templates > (View configuration group) page, in the Transport & Management Profile section.

Note

 

This operation requires read permission for Template Configuration.

Create, edit, and delete the BGP Routing settings on the Configuration > Templates > (Add or edit a configuration group) page, in the Transport & Management Profile section.

Note

 

These operations require write permission for Template Configuration.

Feature Profile > Transport > Tracker

(Minimum supported release: Cisco vManage Release 20.9.1)

View the Tracker settings on the Configuration > Templates > (View configuration group) page, in the Transport & Management Profile section.

Note

 

This operation requires read permission for Template Configuration.

Create, edit, and delete the Tracker settings on the Configuration > Templates > (Add or edit a configuration group) page, in the Transport & Management Profile section.

Note

 

These operations require write permission for Template Configuration.

Feature Profile > Transport > Wan/Vpn

(Minimum supported release: Cisco vManage Release 20.9.1)

View the Wan/Vpn settings on the Configuration > Templates > (View configuration group) page, in the Transport & Management Profile section.

Note

 

This operation requires read permission for Template Configuration.

Create, edit, and delete the Wan/Vpn settings on the Configuration > Templates > (Add or edit a configuration group) page, in the Transport & Management Profile section.

Note

 

These operations require write permission for Template Configuration.

Feature Profile > Transport > Wan/Vpn/Interface/Cellular

(Minimum supported release: Cisco vManage Release 20.9.1)

View the Wan/Vpn/Interface/Cellular settings on the Configuration > Templates > (View configuration group) page, in the Transport & Management Profile section.

Note

 

This operation requires read permission for Template Configuration.

Create, edit, and delete the Wan/Vpn/Interface/Cellular settings on the Configuration > Templates > (Add or edit a configuration group) page, in the Transport & Management Profile section.

Note

 

These operations require write permission for Template Configuration.

Feature Profile > Transport > Wan/Vpn/Interface/Ethernet

(Minimum supported release: Cisco vManage Release 20.9.1)

View the Wan/Vpn/Interface/Ethernet settings on the Configuration > Templates > (View configuration group) page, in the Transport & Management Profile section.

Note

 

This operation requires read permission for Template Configuration.

Create, edit, and delete the Wan/Vpn/Interface/Ethernet settings on the Configuration > Templates > (Add or edit a configuration group) page, in the Transport & Management Profile section.

Note

 

These operations require write permission for Template Configuration.

Integration Management

View information about controllers running on Cisco SD-WAN Manager, on the Administration > Integration Management window.

No additional permissions.

License Management

View license information of devices running on Cisco SD-WAN Manager, on the Administration > License Management window.

On the Administration > License Management page, configure use of a Cisco Smart Account, choose licenses to manage, and synchronize license information between Cisco SD-WAN Manager and the license server.

Interface

View information about the interfaces on a device on the Monitor > Devices > Interface page.

Cisco vManage Release 20.6.x and earlier: View information about the interfaces on a device on the Monitor > Network > Interface page

Edit Chart Options to select the type of data to display, and edit the time period for which to display data on the Monitor > Devices > Interface page.

Application Monitoring

(Minimum supported release: Cisco Catalyst SD-WAN Manager Release 20.12.1)

View the application health of the devices on the Monitor > Applications window.

View the application health of the devices on the Monitor > Applications window.

Manage Users

View users and user groups on the Administration > Manage Users window.

Add, edit, and delete users and user groups from Cisco SD-WAN Manager, and edit user group privileges on the Administration > Manage Users window.

Other Feature Templates

(Minimum supported release: Cisco vManage Release 20.7.1)

View all feature templates except the SIG feature template, SIG credential template, and CLI add-on feature template on the Configuration > Templates window.

Note

 

This operation requires read permission for Template Configuration.

Note

 

To check the mutual authentication option, you need read permission for certificates. (Minimum supported release: Cisco Catalyst SD-WAN Manager Release 20.12.1)

Create, edit, delete, and copy all feature templates except the SIG feature template, SIG credential template, and CLI add-on feature template on the Configuration > Templates window.

Note

 

These operations require write permission for Template Configuration.

Note

 

For information about this option, see Information About Granular RBAC for Feature Templates

Note

 

To check the mutual authentication option, you need write permission for certificates. (Minimum supported release: Cisco Catalyst SD-WAN Manager Release 20.12.1)

Policy

View the common policies for all Cisco Catalyst SD-WAN Controllers or devices in the network on the Configuration > Policies window.

Create, edit, and delete the common policies for all Cisco Catalyst SD-WAN Controllers or devices in the network on the Configuration > Policies window.

Policy Configuration

View the list of policies created and details about them on the Configuration > Policies window.

Create, edit, and delete the common policies for all theCisco Catalyst SD-WAN Controllers and devices in the network on the Configuration > Policies window.

Policy Deploy

View the current status of the Cisco Catalyst SD-WAN Controllers to which a policy is being applied on the Configuration > Policies window.

Activate and deactivate the common policies for all Cisco SD-WAN Manager servers in the network on the Configuration > Policies window.

RBAC VPN

View the VPN groups and segments based on roles on the Monitor > VPN page.

Cisco vManage Release 20.6.x and earlier: View the VPN groups and segments based on roles on the Dashboard > VPN Dashboard page.

Add, edit, and delete VPNs and VPN groups from Cisco SD-WAN Manager, and edit VPN group privileges on the Administration > VPN Groups window.

Routing

View real-time routing information for a device on the Monitor > Devices > Real-Time page.

Cisco vManage Release 20.6.x and earlier: View real-time routing information for a device on the Monitor > Network > Real-Time page.

Add command filters to speed up the display of information on the Monitor > Devices > Real-Time page.

Security

View the current status of the Cisco Catalyst SD-WAN Controllers to which a security policy is being applied on the Configuration > Security window.

Activate and deactivate the security policies for all Cisco SD-WAN Manager servers in the network on the Configuration > Security window.

Security Policy Configuration

Activate and deactivate the common policies for all Cisco SD-WAN Manager servers in the network on the Configuration > Security > Add Security Policy window.

Activate and deactivate the security policies for all Cisco SD-WAN Manager servers in the network on the Configuration > Security > Add Security Policy window.

Session Management

View user sessions on the Administration > Manage Users > User Sessions window.

Add, edit, and delete users and user groups from Cisco SD-WAN Manager, and edit user sessions on the Administration > Manage Users > User Sessions window.

Settings

View the organization name, Cisco Catalyst SD-WAN Validator DNS or IP address, certificate authorization settings, software version enforced on a device, custom banner on the Cisco SD-WAN Manager login page, and the current settings for collecting statistics on the Administration > Settings window.

Edit the organization name, Cisco Catalyst SD-WAN Validator DNS or IP address, certificate authorization settings, software version enforced on a device, custom banner on the Cisco SD-WAN Manager login page, current settings for collecting statistics, generate a certificate signing request (CSR) for a web server certificate, and install a certificate on the Administration > Settings window.

SIG Template

(Minimum supported release: Cisco vManage Release 20.7.1)

View the SIG feature template and SIG credential template on the Configuration > Templates window.

Note

 

This operation requires read permission for Template Configuration.

Create, edit, delete, and copy a SIG feature template and SIG credential template on the Configuration > Templates window.

Note

 

These operations require write permission for Template Configuration.

Note

 

For information about this option, see Information About Granular RBAC for Feature Templates

SIG Tunnels

(Minimum supported release: Cisco vManage Release 17.12)

View information about the SIG tunnels on the Monitor > Tunnels > SIG Tunnels page.

View information about the SIG tunnels on the Monitor > Tunnels > SIG Tunnels page.

Software Upgrade

View a list of devices,the custom banner on Cisco SD-WAN Manager on which a software upgrade can be performed, and the current software version running on a device on the Maintenance > Software Upgrade window.

Upload new software images on devices, upgrade, activate, and delete a software image on a device, and set a software image to be the default image on devices on the Maintenance > Software Upgrade window.

System

View system-wide parameters configured using Cisco SD-WAN Manager templates on the Configuration > Templates > Device Templates window.

Note

 

In Cisco vManage Release 20.7.x and earlier releases, Device Templates is called Device.

Configure system-wide parameters using Cisco SD-WAN Manager templates on the Configuration > Templates > Device Templates window.

Note

 

In Cisco vManage Release 20.7.x and earlier releases, Device Templates is called Device.

Template Configuration

View feature and device templates on the Configuration > Templates window.

Create, edit, delete, and copy a feature or device template on the Configuration > Templates window.

Note

 

Beginning with Cisco vManage Release 20.7.1, to create, edit, or delete a template that is already attached to a device, the user requires write permission for the Template Deploy option.

Template Deploy

View the devices attached to a device template on the Configuration > Templates window.

Attach a device to a device template on the Configuration > Templates window.

Tools

Use the admin tech command to collect the system status information for a device on the Tools > Operational Commands window.

Use the admin tech command to collect the system status information for a device, and use the interface reset command to shut down and then restart an interface on a device in a single operation on the Tools > Operational Commands window.

Rediscover the network to locate new devices and synchronize them with Cisco SD-WAN Manager on the Tools > Operational Commands window.

Establish an SSH session to the devices and issue CLI commands on the Tools > Operational Commands window.

vAnalytics

Launch Cisco SD-WAN Analytics on > vAnalytics window.

No additional permissions.

Workflows

Launch workflow library from > Workflows window.

No additional permissions.

Config Group > Device > Deploy

(Minimum supported release: Cisco vManage Release 20.11.1)

View the devices associated to a configuration group on the Configuration > Templates > Edit Configuration Group > Associated Devices window.

Deploy a configuration onto Cisco IOS XE Catalyst SD-WAN devices.

Note

 

To edit an existing feature configuration requires write permission for Template Configuration.

For more details on deploying devices, see Deploy Devices.

Feature Profile > Transport > IPv4 Tracker and Tracker Group

(Minimum supported release: Cisco vManage Release 20.11.1)

View the IPv4 Tracker and Tracker Group settings on the Configuration > Templates > (View configuration group) page, in the Transport & Management Profile section.

Note

 

This operation requires read permission for Template Configuration.

Create, edit, and delete the IPv4 Tracker and Tracker Group settings on the Configuration > Templates > (Add or edit a configuration group) page, in the Transport & Management Profile section.

Note

 

These operations require write permission for Template Configuration.

Feature Profile > Transport > IPv6 Tracker and Tracker Group

(Minimum supported release: Cisco vManage Release 20.11.1)

View the IPv6 Tracker and Tracker Group settings on the Configuration > Templates > (View configuration group) page, in the Transport & Management Profile section.

Note

 

This operation requires read permission for Template Configuration.

Create, edit, and delete the IPv6 Tracker and Tracker Group settings on the Configuration > Templates > (Add or edit a configuration group) page, in the Transport & Management Profile section.

Note

 

These operations require write permission for Template Configuration.

Feature Profile > Transport > Gps

(Minimum supported release: Cisco vManage Release 20.11.1)

View the GPS settings on the Configuration > Templates > (View configuration group) page, in the Transport & Management Profile section.

Note

 

This operation requires read permission for Template Configuration.

Create, edit, and delete the Gps settings on the Configuration > Templates > (Add or edit a configuration group) page, in the Transport & Management Profile section.

Note

 

These operations require write permission for Template Configuration.

Feature Profile > Other > APPQoE

(Minimum supported release: Cisco vManage Release 20.11.1)

View the APPQoE settings on the Configuration > Templates > (View configuration group) page, in the Other section.

Note

 

This operation requires read permission for Template Configuration.

Create, edit, and delete the APPQoE settings on the Configuration > Templates > (Add or edit a configuration group) page, in the Other section.

Note

 

These operations require write permission for Template Configuration.

Feature Profile > Other > UCSE

(Minimum supported release: Cisco vManage Release 20.11.1)

View the UCSE settings on the Configuration > Templates > (View configuration group) page, in the Other section.

Note

 

This operation requires read permission for Template Configuration.

Create, edit, and delete the UCSE settings on the Configuration > Templates > (Add or edit a configuration group) page, in the Other section.

Note

 

These operations require write permission for Template Configuration.

Feature Profile > Wan Profile > Cisco VPN Interface IPSec

(Minimum supported release: Cisco vManage Release 20.11.1)

View the Cisco VPN Interface IPSec settings on the Configuration > Templates > (View configuration group) page, in the Wan Profile section.

Note

 

This operation requires read permission for Template Configuration.

Create, edit, and delete the Cisco VPN Interface IPSec settings on the Configuration > Templates > (Add or edit a configuration group) page, in the Wan Profile section.

Note

 

These operations require write permission for Template Configuration.

Feature Profile > Wan/Lan Profile > Cisco VPN Interface GRE

(Minimum supported release: Cisco vManage Release 20.11.1)

View the Cisco VPN Interface GRE settings on the Configuration > Templates > (View configuration group) page, in the Wan/Lan Profile section.

Note

 

This operation requires read permission for Template Configuration.

Create, edit, and delete the Cisco VPN Interface GRE settings on the Configuration > Templates > (Add or edit a configuration group) page, in the Wan/Lan Profile section.

Note

 

These operations require write permission for Template Configuration.

Feature Profile > Lan Profile > Cisco Multicast

(Minimum supported release: Cisco vManage Release 20.11.1)

View the Cisco Multicast settings on the Configuration > Templates > (View configuration group) page, in the Lan Profile section.

Note

 

This operation requires read permission for Template Configuration.

Create, edit, and delete the Cisco Multicast settings on the Configuration > Templates > (Add or edit a configuration group) page, in the Lan Profile section.

Note

 

These operations require write permission for Template Configuration.


Note


To create Service, System and Tranport feature profiles using configuration groups, you need to provide read and write permissions on the following features to access each configuration group.

  • Feature Profile > System

  • Feature Profile > System > AAA

  • Feature Profile > System > BFD

  • Feature Profile > System > Banner

  • Feature Profile > System > Basic

  • Feature Profile > System > Logging

  • Feature Profile > System > NTP

  • Feature Profile > System > OMP

  • Feature Profile > System > SNMP

  • Feature Profile > Service

  • Feature Profile > Service > BFD

  • Feature Profile > Service > LAN/VPN

  • Feature Profile > Service > LAN/VPN/Interface/Ethernet

  • Feature Profile > Service > Routing/BGP

  • Feature Profile > Service > Routing/OSPF

  • Feature Profile > Service > Routing/DHCP

  • Feature Profile > Service > Routing/Multicast

  • Feature Profile > Transport

  • Feature Profile > Transport > Routing/BGP

  • Feature Profile > Transport > WAN/VPN

  • Feature Profile > Transport > WAN/VPN/Interface/Ethernet

For more details on configuring features using Configuration Groups, see Feature Management.


User Group Permissions: Cisco Catalyst Wireless Gateway Devices

Table 4. User Group Permissions: Cisco Catalyst Wireless Gateway Devices

Feature

Read Permission

Write Permission

Feature Profile > Teleworker > Basic

(Minimum supported release: Cisco vManage Release 20.9.1)

View the basic settings on the Configuration > Templates > (View mobility configuration group) page, in the Global Profile section.

Note

 

This operation requires read permission for Template Configuration.

Configure tthe basic settings on the Configuration > Templates > (Add or edit mobility configuration group) page, in the Global Profile section.

Note

 

This operation requires write permission for Template Configuration.

Feature Profile > Teleworker > Cellular

(Minimum supported release: Cisco vManage Release 20.9.1)

View the cellular network settings on the Configuration > Templates > (View mobility configuration group) page, in the Global Profile section.

Note

 

This operation requires read permission for Template Configuration.

Configure the cellular network settings on the Configuration > Templates > (Add or edit mobility configuration group) page, in the Global Profile section.

Note

 

This operation requires write permission for Template Configuration.

Feature Profile > Teleworker > Ethernet

(Minimum supported release: Cisco vManage Release 20.9.1)

View the ethernet settings on the Configuration > Templates > (View mobility configuration group) page, in the Global Profile section.

Note

 

This operation requires read permission for Template Configuration.

Configure the ethernet settings on the Configuration > Templates > (Add or edit mobility configuration group) page, in the Global Profile section.

Note

 

This operation requires write permission for Template Configuration.

Feature Profile > Teleworker > NetworkProtocol

(Minimum supported release: Cisco vManage Release 20.9.1)

View the network protocol settings on the Configuration > Templates > (View mobility configuration group) page, in the Global Profile section.

Note

 

This operation requires read permission for Template Configuration.

Configure the network protocol settings on the Configuration > Templates > (Add or edit mobility configuration group) page, in the Global Profile section.

Note

 

This operation requires write permission for Template Configuration.

Feature Profile > Teleworker > SecurityPolicy

(Minimum supported release: Cisco vManage Release 20.9.1)

View the security policy settings on the Configuration > Templates > (View mobility configuration group) page, in the Global Profile section.

Note

 

This operation requires read permission for Template Configuration.

Configure the security policy settings on the Configuration > Templates > (Add or edit mobility configuration group) page, in the Global Profile section.

Note

 

This operation requires write permission for Template Configuration.

Feature Profile > Teleworker > Vpn

(Minimum supported release: Cisco vManage Release 20.9.1)

View the VPN settings on the Configuration > Templates > (View mobility configuration group) page, in the Global Profile section.

Note

 

This operation requires read permission for Template Configuration.

Configure the VPN settings on the Configuration > Templates > (Add or edit mobility configuration group) page, in the Global Profile section.

Note

 

This operation requires write permission for Template Configuration.

Feature Profile > Teleworker > Wifi

(Minimum supported release: Cisco vManage Release 20.9.1)

View the Wi-Fi settings on the Configuration > Templates > (View mobility configuration group) page, in the Global Profile section.

Note

 

This operation requires read permission for Template Configuration.

Configure the Wi-Fi settings on the Configuration > Templates > (Add or edit mobility configuration group) page, in the Global Profile section.

Note

 

This operation requires write permission for Template Configuration.

RBAC User Group in a Multitenant Environment

The following is the list of user group permissions for role-based access control (RBAC) in a multitenant environment:

  • R stands for read permission.

  • W stands for write permission.

Table 5. RBAC User Group in Multitenant Environment

Feature

Provider Admin

Provider Operator

Tenant Admin

Tenant Operator

Cloud OnRamp

RW

R

RW

R

Colocation

RW

R

RW

R

RBAC VPN

RW

R

RW

R

Security

RW

R

RW

R

Security Policy Configuration

RW

R

RW

R

vAnalytics

RW

R

RW

R

Add a User

  1. From the Cisco SD-WAN Manager menu, choose Administration > Manage Users.

  2. By default Users is selected. The table displays the list of users configured in the device.

  3. To edit, delete, or change password for an existing user, click and click Edit, Delete, or Change Password respectively.

  4. To add a new user, click Add User.

  5. Add Full Name, Username, Password, and Confirm Password details.

  6. If you are using an identity provider, such as Okta, for security assertion markup language (SAML)-based single sign-on (SSO), then in most use cases, you define user roles through the identity provider. If no roles are defined for the user through the identity provider, you can enable the Remote User option and assign user groups locally in Cisco SD-WAN Manager. Assigning user groups locally provides an alternate method for assigning the user with permissions.

    If you enable this option, enter an email address for the user.

    If you have defined roles for a user through the identity provider and have also assigned user groups locally for the same user, the roles defined through the identity provider take priority.


    Note


    This option is available from Cisco vManage Release 20.11.1.


  7. In the User Groups drop-down list, select the user group where you want to add a user.

  8. In the Resource Group drop-down list, select the resource group.


    Note


    This field is available from Cisco IOS XE Catalyst SD-WAN Release 17.5.1a.


  9. Click Add.

Delete a User

If a user no longer needs access to devices, you can delete the user. Deleting a user does not log out the user if the user is logged in.

To delete a user:

  1. From the Cisco SD-WAN Manager menu, choose Administration > Manage Users.

  2. For the user you wish to delete, click ..., and click Delete.

  3. To confirm the deletion of the user, click OK.

Edit User Details

You can update login information for a user, and add or remove a user from a user group. If you edit the details of a user who is logged in, the changes take effect after the user logs out.

To edit user details:

  1. From the Cisco SD-WAN Manager menu, choose Administration > Manage Users.

  2. For the user you wish to edit, click ..., and click Edit.

  3. Edit the user details.

    You can also add or remove the user from user groups.

  4. Click Update.

Change a User Password

You can update passwords for users, as needed. We recommend that you use strong passwords.

Before You Begin

If you are changing the password for an admin user, detach device templates from all Cisco SD-WAN Manager instances in the cluster before you perform this procedure. You can reattach the device templates after you complete this procedure.

To change a password for a user:

  1. From the Cisco SD-WAN Manager menu, choose Administration > Manage Users.

  2. For the user you wish to change the password, click ... and click Change Password.

  3. Enter the new password, and then confirm it.


    Note


    Note that the user, if logged in, is logged out.


  4. Click Done.

Check Users Logged In to a Device Using SSH Sessions

  1. From the Cisco SD-WAN Manager menu, choose Monitor > Devices.

    Cisco vManage Release 20.6.x and earlier: From the Cisco SD-WAN Manager menu, choose Monitor > Network.

  2. Select the device you want to use under the Hostname column.

  3. Click Real Time.

  4. From Device Options, choose AAA users for Cisco IOS XE Catalyst SD-WAN devices.

    A list of users logged in to this device is displayed.

Check Users Logged In to a Device Using HTTP Sessions

  1. From the Cisco SD-WAN Manager menu, choose Administration > Manage Users.

  2. Click User Sessions.

    A list of all the active HTTP sessions within Cisco SD-WAN Manager is displayed, including, username, domain, source IP address, and so on.

Manage a User Group

Users are placed in groups, which define the specific configuration and operational commands that the users are authorized to view and modify. A single user can be in one or more groups. Cisco Catalyst SD-WAN software provides standard user groups, and you can create custom user groups, as needed:

  • basic: Includes users who have permission to view interface and system information.

  • netadmin: Includes the admin user, by default, who can perform all operations on the Cisco SD-WAN Manager. You can add other users to this group.

  • operator: Includes users who have permission only to view information.

  • Minimum supported release: Cisco vManage Release 20.9.1

    network_operations: Includes users who can perform non-security operations on Cisco SD-WAN Manager, such as viewing and modifying non-security policies, attaching and detaching device templates, and monitoring non-security data.

  • Minimum supported release: Cisco vManage Release 20.9.1

    security_operations: Includes users who can perform security operations on Cisco SD-WAN Manager, such as viewing and modifying security policies, and monitoring security data.

Note: All user groups, regardless of the read or write permissions selected, can view the information displayed on the Cisco SD-WAN Manager Dashboard screen.

Delete a User Group

You can delete a user group when it is no longer needed. For example, you might delete a user group that you created for a specific project when that project ends.

  1. From the Cisco SD-WAN Manager menu, choose Administration > Manage Users.

  2. Click User Groups.

  3. Click the name of the user group you wish to delete.


    Note


    You cannot delete any of the default user groups—basic, netadmin, operator, network_operations, and security_operations.


  4. Click Trash icon.

  5. To confirm the deletion of the user group, click OK.

Edit User Group Privileges

You can edit group privileges for an existing user group. This procedure lets you change configured feature read and write permissions for the user group needed.

  1. From the Cisco SD-WAN Manager menu, choose Administration > Manage Users.

  2. Click User Groups.

  3. Select the name of the user group whose privileges you wish to edit.


    Note


    You cannot edit privileges for the any of the default user groups—basic, netadmin, operator, network_operations, and security_operations.


  4. Click Edit, and edit privileges as needed.

  5. Click Save.

If an admin user changes the privileges of a user by changing their group, and if that user is currently logged in to the device, the user is logged out and must log back in again.

Create User Groups

  1. From the Cisco SD-WAN Manager menu, choose Administration > Manage Users.

  2. Click User Groups.

  3. Click Add User Group.

  4. Enter User Group Name.

  5. Select the Read or Write check box against feature that you want to assign to a user group.

  6. Click Add.

  7. You can view the new user group in the left navigation path. Click Edit to edit the existing read or write rules.

  8. Click Save.

Configure and Manage VPN Segments

To configure VPN Segments:

  1. From the Cisco SD-WAN Manager menu, choose Administration > VPN Segments. A web page displays the list of segments that are configured.

  2. To edit or delete an existing segment, click , and click Edit or Delete.

  3. To add new segment, click Add Segment.

  4. Enter the name of the segment in the Segment Name field.

  5. Enter the number of VPNs you want to configure in VPN Number field.

  6. To add a new segment, click Add.

Configure and Manage VPN Groups

To configure VPN Groups:

  1. From the Cisco SD-WAN Manager menu, choose Administration > VPN Groups. A web page displays the list of segments that are configured.

  2. To edit or delete a VPN group, click , and click Edit or Delete.

  3. To view the existing VPN in the dashboard, click , and click View Dashboard. The VPN Dashboard displays the device details of the VPN device configured.

  4. To add new VPN group, click Add Group.

  5. From Create VPN Group, enter VPN group name in the VPN Group Name field.

  6. Enter a brief description of the VPN in the Description field.

  7. Check Enable User Group access check box and enter the user group name.

  8. From Assign Segment, click Add Segment drop-down list to add new or existing segment to the VPN group.

  9. Enter the Segment Name and VPN Number in the respective fields.

  10. To add the configure VPN group to a device, click Add.

Managing Resource Groups

Minimum supported releases: Cisco IOS XE Catalyst SD-WAN Release 17.5.1a and Cisco vManage Release 20.5.1

To configure Resource Groups:

  1. From the Cisco SD-WAN Manager menu, choose Administration > Resource Groups. The table dispalys a list of resource groups that are configured in Cisco SD-WAN Manager.

  2. To edit or delete a resource group, click ..., and click Edit or Delete.

  3. To add new resource group, click Add Resource Group.

  4. Enter Resource Group Name and the Description.

  5. Under Site ID, enter Range or Select ID(S) from the drop-down list to include in the resource group.

  6. To add the resource group to a device, click Add.

To add Users:

  1. From the Cisco SD-WAN Manager menu, choose Administration > Manage Users. The Manage Users screen appears.

  2. By default Users is selected. The table displays the list of users configured in the device.

  3. To edit, delete, or change password for an existing user, click ..., and click Edit, Delete, or Change Password respectively.

  4. To add a new user, click Add User.

  5. Add Full Name, Username, Password, and Confirm Password details.

  6. From the User Groups drop-down list, select the user group where you want to add a user.

  7. From the Resource Group drop-down list, select the resource group.


    Note


    This field is available from Cisco IOS XE Catalyst SD-WAN Release 17.5.1a.


  8. Click Add.

Workflow to Configure RBAC for Policies

Minimum supported releases: Cisco IOS XE Catalyst SD-WAN Release 17.6.1a and Cisco vManage Release 20.6.1

To configure RBAC for policies, use the following workflow:

  1. Create user groups with required Read or Write (R/W) access to selected control or data policies. For details on creating user groups, refer Create User Groups .

  2. Create users and assign them to required user groups. Refer Create Users.

  3. Create or modify or view policy configurations as required. For information about configuring policies, see Configure Centralized Policies Using Cisco SD-WAN Manager.

Modify Policy Configurations

Minimum supported releases: Cisco IOS XE Catalyst SD-WAN Release 17.6.1a and Cisco vManage Release 20.6.1

  1. Login to Cisco SD-WAN Manager with the new user details.

  2. You can modify or update the configurations based on the requirement.

When you login to Cisco SD-WAN Manager with new user details, you can view only the user group components that are assigned to you. For more details on configuring policies, see Cisco Catalyst SD-WAN Policies Configuration Guide

Assign Users to Configure RBAC for Policies

Minimum supported releases: Cisco IOS XE Catalyst SD-WAN Release 17.6.1a and Cisco vManage Release 20.6.1

To Assign User to Create or Modify a CFlowd Data Policy

To create a CFlowd user group:

  1. From Cisco SD-WAN Manager, choose Administration > Manage Users.

  2. Click User Groups and Add User Group.

  3. Enter User Group Name.

    For example, cflowd-policy-only.

  4. Check the Read or Write check box against the CFlowD Policy feature that you want to assign to a user group.

  5. Click Add.

  6. You can view the new user group in the left navigation path. Click Edit to edit the existing read or write rules.

  7. Click Save.

To create a CFlowd user:

  1. In Cisco SD-WAN Manager, choose Administration > Manage Users.

  2. Click Users.

  3. Click Add User.

  4. In the Add New User page, enter Full Name, Username, Password, and Confirm Password details.

  5. Choose cflowd-policy-only from the User Groups drop-down.

    Allow the Resource Group to select the default resource group.

  6. Click Add. You can view the new user in the Users window.

  7. To edit the existing read or write rules for a user, click Edit.

To modify a Cflowd policy:

  1. Login to Cisco SD-WAN Manager with the new user credentials.

    You can view access only to CFlowd Policies as your login is assigend to cflowd-policy-only user group.

  2. You can create, modify, or update the configurations based on the requirement.

Configure Granular RBAC for Feature Templates

Minimum supported release: Cisco vManage Release 20.7.1

To configure specific template access, create a user group and assign the read and write permissions using the permission types described in Information About RBAC for Co-Management. The permission options for limiting template access appear with the other permission options that you choose when adding a user group.

For information about granular RBAC for feature templates, see Information About Granular RBAC for Templates.

For information about adding a user group, see Create User Groups.

For a list of permission types and descriptions, see Manage Users.

Configure RBAC Using the CLI

Configure Users Using CLI

You can use the CLI to configure user credentials on each device. This way, you can create additional users and give them access to specific devices. The credentials that you create for a user by using the CLI can be different from the Cisco SD-WAN Manager credentials for the user. In addition, you can create different credentials for a user on each device. All Cisco IOS XE Catalyst SD-WAN device users with the netadmin privilege can create a new user.

To create a user account, configure the username and password, and place the user in a group:

This example, shows the addition of user, Bob, to an existing group:

Device(config)# system aaa user bob group basic

This example, shows the addition of user, Alice, to a new group test-group:

Device(config)# system aaa user test-group
Device(config)# system aaa user alice group test-group

The Username can be 1 to 128 characters long, and it must start with a letter. The name can contain only lowercase letters, the digits 0 through 9, hyphens (-), underscores (_), and periods (.). The name cannot contain any uppercase letters. Because some usernames are reserved, you cannot configure them. For a list of reserved usernames, see the aaa configuration command in the Cisco Catalyst SD-WAN Command Reference Guide.

The Password is the password for a user. Each username must have a password, and users are allowed to change their own password. The CLI immediately encrypts the string and does not display a readable version of the password. When a user logs in to a Cisco IOS XE Catalyst SD-WAN device, they have five chances to enter the correct password. After the fifth incorrect attempt, the user is locked out of the device, and must wait for 15 minutes before attempting to log in again.


Note


Enclose any user passwords that contain the special character ! in double quotation marks (“ “). If a double quotation is not included for the entire password, the config database (?) treats the special character as a space and ignores the rest of the password.

For example, if the password is C!sc0, use “C!sc0”.


Group name is the name of a standard Cisco Catalyst SD-WAN group (basic, netadmin, or operator) or of a group configured with the usergroup command (discussed below). If an admin user changes the permission of a user by changing their group, and if that user is currently logged in to the device, the user is logged out and must log back in again.

The factory-default password for the admin username is admin. We strongly recommend that you modify this password the first time you configure a Cisco IOS XE Catalyst SD-WAN device:

Device(config)# username admin password $9$3/IL3/UF2F2F3E$J9NKBeKlWrq9ExmHk6F5VAiDMOFQfD.QPAmMxDdxz.c

Configure the password as an ASCII string. The CLI immediately encrypts the string and does not display a readable version of the password, for example:

Device# show run | sec username
username admin privilege 15 secret 9 $9$3F2M2l2G2/UM3U$TGe2kqoIibdIRDEj4cOVKbVFP/o4vnlFAwWnmzx1rRE
username appnav privilege 15 secret 9 $9$3l2L2V.F2VIM1k$p3MBAyBtGxKf/yBGnUSHQ1g/ae1QhfIbieg28buJJGI
username eft secret 9 $9$3FMJ3/UD2VEL2E$d.kE4.an41v7wEhrQc6k5wIfE9M9WkNAJxUvbbempS.
username lab privilege 15 secret 9 $9$3l.J3FUD2F.E2.$/AiVn9PmLCpgr6ExVrE7dH979Wu8nbdtAfbzUtfysg.
username test secret 9 $9$1l2J3l6D3/QL3k$7PZOXJAJOI1os5UI763G3XcpVhXlqcwJ.qEmgmx4X9g
username vbonagir privilege 15 secret 9 $9$3/2K2UwF2lQF3U$VbdQ5bq18590rRthF/NnNnOsw.dw1/EViMTFZ5.ctus
Device#

If you are using RADIUS to perform AAA authentication, you can configure a specific RADIUS server to verify the password:

Device(config)#  radius server tag

The tag is a string that you defined with the radius server tag command, as described in the Cisco Catalyst SD-WAN Command Reference Guide.

Creating Groups Using CLI

The Cisco Catalyst SD-WAN software provides default user groups: basic, netadmin, operator, network_operations, and security_operations. The username admin is automatically placed in the netadmin usergroup.

If needed, you can create additional custom groups and configure privilege roles that the group members have. To create a custom group with specific authorization, configure the group name and privileges:

Device(config)# aaa authentication login user1 group radius enable
Device(config)# aaa authentication login user2 group radius enable
Device(config)# aaa authentication login user3 group radius enable
Device(config)#

group-name can be 1 to 128 characters long, and it must start with a letter. The name can contain only lowercase letters, the digits 0 through 9, hyphens (-), underscores (_), and periods (.). The name cannot contain any uppercase letters Some group names are reserved, so you cannot configure them. For a list of them, see the aaa configuration command.

If a remote RADIUS or TACACS+ server validates authentication but does not specify a user group, the user is placed into the user group basic. If a remote server validates authentication and specifies a user group (say, X) using VSA Cisco SD-WAN-Group-Name, the user is placed into that user group only. However, if that user is also configured locally and belongs to a user group (say, Y), the user is placed into both the groups (X and Y).

In the task option, list the privilege roles that the group members have. The role can be one or more of the following: interface, policy, routing, security, and system.

Verify RBAC

Verify Granular RBAC Permissions

Minimum supported release: Cisco vManage Release 20.7.1

Use this procedure to verify the permissions that you have configured for a user group.

  1. From the Cisco SD-WAN Manager menu, choose Administration > Manage Users.

  2. Click User Groups.

  3. In the pane that displays the user groups, select a user group to display the read and write permissions assigned to the user group.

  4. Scroll to the permissions that control template access to verify your configuration for the user group.

Monitor RBAC

Monitor devices for VPN Groups

To monitor devices:

  1. From the Cisco SD-WAN Manager menu, choose Monitor > Network.

  2. Click WAN - Edge.

  3. Select the VPN Group and VPN Segment for which you want to monitor the network.

    A web page displays the list of VPN groups and segments that are configured to a device.