User Roles

Web Interface User Roles

Cisco Defense Orchestrator (CDO) has the following user roles: Read Only, Edit Only, Deploy Only, Admin, and Super Admin. User roles are configured for each user on each tenant. If a CDO user has access to more than one tenant, they may have the same user ID but different roles on different tenants. A user may have a Read Only role on one tenant and a Super Admin role on another. When the interface or the documentation refers to a Read Only, Deploy Only, Edit Only, Admin, or Super Admin user, we are describing that user's permission level on a particular tenant. Note that you cannot create user roles in the cloud-delivered Firewall Management Center because it uses CDO user roles.

Read Only

Read Only users can view all device configurations but not change them.

Deploy Only

Deploy Only users can audit queued changes made to device configurations and deploy them but cannot change them.

Edit Only

Edit Only users can make changes to all device configurations but cannot deploy them to devices.

Super Admin and Admin

Super Admin and Admin users can access everything in the product. The difference between Super Admin and Admin users is that Super Admins can create accounts for other users on a tenant and modify existing user roles, while Admins cannot.

To learn more about user roles in CDO, see User Roles.
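An access review over the role model described above, added here as an example; it is not Cisco code and calls no CDO API. The capability labels (`view`, `edit`, `deploy`, `manage_users`), the sample assignments, and the three findings are assumptions built from the role descriptions on this page.

```python
from collections import defaultdict

# Capabilities per CDO role as described on this page; the labels are assumptions.
ROLE_CAPS = {
    "Read Only": {"view"},
    "Deploy Only": {"view", "deploy"},
    "Edit Only": {"view", "edit"},
    "Admin": {"view", "edit", "deploy"},
    "Super Admin": {"view", "edit", "deploy", "manage_users"},
}

# Constructed sample export: (user ID, tenant, role). Roles are set per tenant.
ASSIGNMENTS = [
    ("alice@example.com", "tenant-a", "Super Admin"),
    ("alice@example.com", "tenant-b", "Read Only"),
    ("bob@example.com", "tenant-a", "Edit Only"),
    ("carol@example.com", "tenant-a", "Deploy Only"),
    ("dave@example.com", "tenant-b", "Admin"),
    ("erin@example.com", "tenant-b", "Edit Only"),
]


def can(assignments, user, tenant, action):
    """True if the user's role on that specific tenant grants the action."""
    for u, t, role in assignments:
        if (u, t) == (user, tenant):
            return action in ROLE_CAPS[role]
    return False  # no role on this tenant means no access


def audit(assignments):
    """Per-tenant findings for an access review."""
    by_tenant = defaultdict(dict)
    for user, tenant, role in assignments:
        if role not in ROLE_CAPS:
            raise ValueError(f"unknown role {role!r} for {user} on {tenant}")
        by_tenant[tenant][user] = role
    report = {}
    for tenant, users in sorted(by_tenant.items()):
        caps = {u: ROLE_CAPS[r] for u, r in users.items()}
        report[tenant] = {
            # Can change a configuration and push it with no second person.
            "edit_and_deploy": sorted(u for u, c in caps.items() if {"edit", "deploy"} <= c),
            # Can deploy queued changes but not author them.
            "deploy_without_edit": sorted(u for u, c in caps.items() if "deploy" in c and "edit" not in c),
            # Only these users can create accounts or change roles on the tenant.
            "super_admins": sorted(u for u, c in caps.items() if "manage_users" in c),
        }
    return report
```

On the sample data, tenant-b has no Super Admin and no deployer other than a user who can also edit, which is the kind of gap a per-tenant review should surface.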

The following table maps the user roles in On-Prem Firewall Management Center to their equivalent roles in the cloud-delivered Firewall Management Center in CDO.
Tip: We recommend that you read through the table only if you are familiar with the user roles in On-Prem Firewall Management Center.

Secure Firewall Management Center and Cloud-delivered Firewall Management Center User Role Mapping

On-Prem Firewall Management Center User Role: Access Admin, Discovery Admin, Intrusion Admin, Maintenance User
Equivalent Cloud-delivered Firewall Management Center User Role: Edit Only
Capabilities: You can search, filter, or view the following:

  • Access control policies and associated features
  • Intrusion policies
  • Intrusion rules
  • Network discovery rules
  • Custom detectors
  • Correlation policies
  • Objects
  • Rulesets
  • Interfaces
  • VPN configurations
  • Monitoring- and maintenance-related settings

You can back up or restore a device but cannot deploy policies to the devices.

On-Prem Firewall Management Center User Role: Administrator
Equivalent Cloud-delivered Firewall Management Center User Role: Super Admin
Capabilities: You can access all features of the cloud-delivered Firewall Management Center and perform tasks, including create, read, modify, or delete policies or objects and deploy those changes to the devices. You can also edit user roles or create user records in CDO.

On-Prem Firewall Management Center User Role: Network Admin
Equivalent Cloud-delivered Firewall Management Center User Role: Admin
Capabilities: You can access all features of the cloud-delivered Firewall Management Center and perform tasks, including create, read, modify, or delete policies or objects and deploy those changes to the devices. However, you cannot edit user roles or create user records in CDO.

On-Prem Firewall Management Center User Role: Security Analyst, Security Analyst (Read Only)
Equivalent Cloud-delivered Firewall Management Center User Role: Read Only
Capabilities: You can view device information, policies, objects, and their related settings but cannot do the following:

  • Create or edit objects
  • Create or edit policies
  • Modify device configurations
  • Back up or restore devices

On-Prem Firewall Management Center User Role: Security Approver
Equivalent Cloud-delivered Firewall Management Center User Role: Deploy Only
Capabilities: You can view most settings and deploy staged changes to devices but cannot create or modify objects or policies.