Cisco Defense Orchestrator

User Roles

There are three types of user roles in Cisco Defense Orchestrator (CDO): Super Admin, Admin, and Read-only. User roles are configured for each user on each tenant. If a CDO user has access to more than one tenant, they may have the same user ID but different roles on different tenants. A user may have a Read-only role on one tenant and a Super Admin role on another. When the interface or the documentation refers to a Read-only user, an Admin user, or a Super Admin user, we are describing that user's permission level on a particular tenant.

Read-only Role

A user assigned the Read-Only role sees a blue banner on every page.

Users with the Read-Only role can do the following:

  • View any page or any setting in CDO.
  • Search and filter the contents of any page.
  • Compare device configurations, view the change log, and see VPN mappings.
  • View every warning regarding any setting or object on any page.
  • Generate, refresh, and revoke their own API tokens. Note that if a read-only user revokes their own token, they cannot recreate it. 
  • Contact support through our interface and export a change log.

Note: Read-Only users see the same messages as Admins. For example, a Read-Only user who tries to create and save an object receives the message "Object failed to save. Please correct any invalid values and try again." when, in fact, they cannot save any object.

Read-Only users cannot do the following:

  • Create, update, configure, or delete anything on any page.
  • Onboard devices.
  • Save something like an object or a policy. They can step through the tasks needed to create it, but they cannot save it.
  • Create CDO user records.
  • Change user role.

Admin Role

Admin users have complete access to most aspects of CDO. Admin users can do the following:

  • Create, read, update, and delete any object or policy in CDO and configure any setting.
  • Onboard devices. 
  • View any page or any setting in CDO.
  • Search and filter the contents of any page.
  • Compare device configurations, view the change log, and see VPN mappings.
  • View every warning regarding any setting or object on any page.
  • Generate, refresh, and revoke their own API tokens. If their token is revoked, they can 
  • Contact support through our interface and export a change log.

Admin users cannot do the following:

  • Create CDO user records.
  • Change user role.

Super Admin Role

Super Admin users have complete access to all aspects of CDO. Super Admins can do the following:

  • Change a user role. 
  • Create user records.

Note: Though Super Admins can create a CDO user record, that user record is not all that is needed for a user to log in to your tenant. The user also needs an account with the identity provider used by your tenant. Unless your enterprise has its own single sign-on identity provider, your identity provider is Cisco Secure Sign-On. Users can self-register for their Cisco Secure Sign-On account; see Initial Login to CDO for more information.

  • Create, read, update, and delete any object or policy in CDO and configure any setting.
  • Onboard devices.
  • View any page or any setting in CDO.
  • Search and filter the contents of any page.
  • Compare device configurations, view the change log, and see VPN mappings.
  • View every warning regarding any setting or object on any page.
  • Generate, refresh, and revoke their own API tokens. If their token is revoked, they can 
  • Contact support through our interface and export a change log.

 

Change The Record of the User Role

The user record is the currently recorded role of a user. By looking at the users associated with your tenant, you can determine what role each user has by their record. By changing a user role, you change the user record. Users' roles are identified by their role in the User Management table. See User Management for more information.

You must be a Super Admin to change the user record. If your tenant has no Super Admins, contact Defense Orchestrator support.

 
