There are three types of user roles in Cisco Defense Orchestrator (CDO): Super Admin, Admin, and Read-only. A CDO user may have access to more than one tenant. When that user logs in to a tenant, their actions are governed by their role on that tenant. A user may have a read-only role on one tenant and a Super Admin role on another. When the interface or the documentation refers to a Read-only user, an Admin user, or a Super Admin user, we are describing that user's permission level on a particular tenant. We are not describing that user's permission level on all of the tenants they may have access to.
Users with the read-only role can view any page or any setting in CDO. Read-only users can search and filter the contents of any page. They can compare device configurations, view the change log, and see VPN mappings. They will see every warning regarding any setting or object on any page. They can also generate and refresh their own API tokens. Users with the read-only role can contact support through our interface and can export a change log.
Read-only users cannot create, update, configure, or delete anything on any page. They cannot onboard devices. Read-only users can revoke their own token. Once they revoke their token, they cannot recreate it. They can step through the tasks needed to create something like an object or a policy, but they will not be able to save it. Read-only users see the same messages as Admins. If read-only users tried to create and save an object, for example, they would receive the message "Object failed to save. Please correct any invalid values and try again." when, in fact, they cannot save any object.
A user assigned the read-only role sees a blue banner on every page and is identified by their role in the User Management table.
Users assigned the Admin role have complete access to all aspects of CDO. They can create, read, update, and delete any object or policy in CDO and configure any setting. They can onboard devices. Admin users cannot create CDO user records. Admin users are identified by their role in the User Management table.
Super Admin Role
Users assigned the Super Admin role have complete access to all aspects of CDO. They can create, read, update, and delete any object or policy in CDO and configure any setting. They can onboard devices. In addition, they can create user records and change user roles. Super Admin users are identified by their role in the User Management table.
Note: Though Super Admins can create a CDO user record, that user record is not all that is needed for a user to log in to your tenant. The user also needs an account with the identity provider used by your tenant. If you use Cisco's OneLogin as the IdP, you must contact CDO support to have that IdP account created. See Relationship Between the Identity Provider and Defense Orchestrator Accounts for more information.