Skip to main content



Cisco Defense Orchestrator

CDO User Roles

There are two types of users in Cisco Defense Orchestrator (CDO), admin users and read-only users. All users are created by our CDO operations team. Customers cannot create users or set permissions for different users. If you want a read-only user created for your tenant, contact CDO support.

Admin Users

Admin users have complete access to all aspects of CDO. They can create, read, update, and delete any object or policy in CDO and configure any setting. They can onboard devices. Admin users all have the same level of access; there is no admin user hierarchy.

Read-only Users

Read-only users can view any page or any setting in CDO. Read-only users can search and filter the contents of any page. They can compare device configurations, view the change log, and see VPN mappings. They will see every warning regarding any setting or object on any page. They can also generate and refresh their own API tokens. Read-only users can contact support through our interface and can export a change log. 

Read-only users cannot create, update, configure, or delete anything on any page. They cannot onboard devices. Read-only users can revoke their own token. Once they revoke their token, they cannot recreate it. They can step-through the tasks needed to create something like an object or a policy but they will not be able to save it. Read-only users see the same messages as Admins. If read-only users tried to create and save an object, for example, they would receive the message "Object failed to save. Please correct any invalid values and try again." when, in fact, they cannot save any object.

Read-only users see this blue banner on every page: read-only-user-banner.png and they are identified by their role in the User Management table. 

  • Was this article helpful?