There are three types of user roles in Cisco Defense Orchestrator (CDO): Super Admin, Admin, and Read-only. User roles are configured for each user on each tenant. If a CDO user has access to more than one tenant, they may have the same user ID but different roles on different tenants. A user may have a read-only role on one tenant and a Super Admin role on another. When the interface or the documentation refers to a Read-only user, an Admin user, or a Super Admin user, we are describing that user's permission level on a particular tenant.
Users with the read-only role can view any page or any setting in CDO. Read-only users can search and filter the contents of any page. They can compare device configurations, view the change log, and see VPN mappings. They will see every warning regarding any setting or object on any page. They can also generate and refresh their own API tokens. Users with the read-only role can contact support through our interface and can export a change log.
Read-only users cannot create, update, configure, or delete anything on any page. They cannot onboard devices. Read-only users can revoke their own token. Once they revoke their token, they cannot recreate it. They can step through the tasks needed to create something like an object or a policy, but they will not be able to save it. Read-only users see the same messages as Admins. If read-only users tried to create and save an object, for example, they would receive the message "Object failed to save. Please correct any invalid values and try again." when, in fact, the save fails because they cannot save any object.
A user assigned the read-only role sees a blue banner on every page, and they are identified by their role in the User Management table.
Users assigned the Admin role have complete access to all aspects of CDO. They can create, read, update, and delete any object or policy in CDO and configure any setting. They can onboard devices. Admin users cannot create CDO user records. Admin users are identified by their role in the User Management table.
Super Admin Role
Users assigned the Super Admin role have complete access to all aspects of CDO. They can create, read, update, and delete any object or policy in CDO and configure any setting. They can onboard devices. In addition, they can create user records and change user roles. Super Admin users are identified by their role in the User Management table.
Note: Though Super Admins can create a CDO user record, that user record is not all that is needed for a user to log in to your tenant. The user also needs an account with the identity provider used by your tenant. Unless your enterprise has its own single sign-on identity provider, your identity provider is Cisco Secure Sign-On. Users can self-register for their Cisco Secure Sign-On account; see Initial Login to CDO for more information.