Cisco Defense Orchestrator

User Roles

There are a variety of user roles in Cisco Defense Orchestrator (CDO): Read-Only, Edit-Only, Deploy-Only, Admin, and Super Admin. User roles are configured for each user on each tenant. If a CDO user has access to more than one tenant, they may have the same user ID but different roles on different tenants. A user may have a Read-Only role on one tenant and a Super Admin role on another. When the interface or the documentation refers to a Read-Only user, an Admin user, or a Super Admin user, we are describing that user's permission level on a particular tenant.

Read-Only Role

A user assigned the Read-Only role sees a blue Read-Only banner on every page (image: read-only-user-banner.png).

Users with the Read-Only role can do the following:

  • View any page or any setting in CDO.
  • Search and filter the contents of any page.
  • Compare device configurations, view the change log, and see VPN mappings.
  • View every warning regarding any setting or object on any page.
  • Generate, refresh, and revoke their own API tokens. Note that if a read-only user revokes their own token, they cannot recreate it. 
  • Contact support through our interface and export a change log.

Read-Only users cannot do the following:

  • Create, update, configure, or delete anything on any page.
  • Onboard devices.
  • Step through the tasks needed to create something like a policy, but not be able to save it.
  • Create CDO user records.
  • Change user role.
  • Attach or detach access rules to a policy.

Edit-Only Role

Users with the Edit-Only role can do the following:

  • Edit and save device configurations, including but not limited to objects, policies, rulesets, interfaces, VPN, etc.
  • Allow configuration changes that are made through the Read Configuration action. 
  • Utilize the Change Request Management action.

Edit-Only users cannot do the following:

  • Deploy changes to a device or to multiple devices.
  • Discard staged changes or changes that are detected through OOB.
  • Upload AnyConnect Packages, or configure these settings.
  • Schedule or manually start image upgrades for devices.
  • Schedule or manually start a security database upgrade.
  • Manually switch between Snort 2 and Snort 3 versions.
  • Create a template.
  • Change the existing OOB Change settings.
  • Edit System Management settings.
  • Onboard devices.
  • Delete devices.
  • Delete VPN sessions or user sessions.
  • Create CDO user records.
  • Change user role.

Deploy-Only Role

Users with the Deploy-Only role can do the following:

  • Deploy staged changes to a device, or to multiple devices. 
  • Revert or restore configuration changes for ASA devices.
  • Schedule or manually start image upgrades for devices.
  • Schedule or manually start a security database upgrade.
  • Utilize the Change Request Management action.

Deploy-Only users cannot do the following:

  • Manually switch between Snort 2 and Snort 3 versions.
  • Create a template.
  • Change the existing OOB Change settings.
  • Edit System Management settings.
  • Onboard devices.
  • Delete devices.
  • Delete VPN sessions or user sessions.
  • Create, update, configure, or delete anything on any page.
  • Step through the tasks needed to create something like an object or a policy, but not be able to save it.
  • Create CDO user records.
  • Change user role.
  • Attach or detach access rules to a policy.

VPN Sessions Manager Role

Users with the VPN Sessions Manager role can do the following:

  • View any page or any setting in CDO.
  • Search and filter the contents of any page.
  • Compare device configurations, view the change log, and see VPN mappings.
  • View every warning regarding any setting or object on any page.
  • Generate, refresh, and revoke their own API tokens. Note that if a VPN Sessions Manager user revokes their own token, they cannot recreate it. 
  • Contact support through our interface and export a change log.
  • Terminate existing VPN sessions.

VPN Sessions Manager users cannot do the following:

  • Create, update, configure, or delete anything on any page.
  • Onboard devices.
  • Step through the tasks needed to create something like a policy, but not be able to save it.
  • Create CDO user records.
  • Change user role.
  • Attach or detach access rules to a policy.

Admin Role

Admin users have complete access to most aspects of CDO. Admin users can do the following:

  • Create, read, update, and delete any object or policy in CDO and configure any setting.
  • Onboard devices. 
  • View any page or any setting in CDO.
  • Search and filter the contents of any page.
  • Compare device configurations, view the change log, and see VPN mappings.
  • View every warning regarding any setting or object on any page.
  • Generate, refresh, and revoke their own API tokens. If their token is revoked, they can 
  • Contact support through our interface and export a change log.

Admin users cannot do the following:

  • Create CDO user records.
  • Change user role.

Super Admin Role

Super Admin users have complete access to all aspects of CDO. Super Admins can do the following:

  • Change a user role. 
  • Create user records.

Note: Though Super Admins can create a CDO user record, that user record is not all that is needed for a user to log in to your tenant. The user also needs an account with the identity provider used by your tenant. Unless your enterprise has its own single sign-on identity provider, your identity provider is Cisco Secure Sign-On. Users can self-register for their Cisco Secure Sign-On account; see Initial Login to CDO for more information.

  • Create, read, update, and delete any object or policy in CDO and configure any setting.
  • Onboard devices.
  • View any page or any setting in CDO.
  • Search and filter the contents of any page.
  • Compare device configurations, view the change log, and see VPN mappings.
  • View every warning regarding any setting or object on any page.
  • Generate, refresh, and revoke their own API tokens. If their token is revoked, they can 
  • Contact support through our interface and export a change log.

Change The Record of the User Role

The user record is the currently recorded role of a user. By looking at the users associated with your tenant, you can determine what role each user has from their record. By changing a user's role, you change the user record. A user's role is shown in the User Management table. See User Management for more information.

You must be a Super Admin to change the user record. If your tenant has no Super Admins, contact Defense Orchestrator support.

Related Topics

  • General Settings
  • User Management
  • Relationship Between the Identity Provider and Defense Orchestrator Accounts