
Use of RBAC and Resource Groups in vManage for RO tenants

AndyCole
Level 1

I'm working with an SD-WAN client who provides a network across multiple user groups. They want each user to be able to have RO access to their own devices, but not see any of the other users' devices or network information, or be able to make any configuration changes to any device. They will need RO access to the troubleshooting tools.

This video on Resource Groups, "Cisco SD-WAN: Administrative Security and Compliance through RBAC and Resource Groups" (YouTube), shows that this is possible, but the demo has an admin in each group. Can this user account be RO?

Also, can a user in one group access the troubleshooting tools, but only see information relevant to their group? Will they be able to see IP information for other groups in the IP route table for instance, either via the GUI or the vManage SSH terminal feature?

I'm thinking they may need to go to Multi-tenant, but that would be a major change to the platform, so I'd like to see if other community members have come across such a requirement first.

 


Hi,

A resource group user cannot be in a custom user group, hence you have only one option: "resource_group_operator" (which has most RO access).


However, this user (which is in the built-in resource group "resource_group_operator") has no access to the SSH tool.


Unfortunately, there is no such granular RBAC and Resource Group functionality in SD-WAN (even with 17.11 / 20.11). For everything that is supported, you can use the config guide below:

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/system-interface/ios-xe-17/systems-interfaces-book-xe-sdwan/rbac.html#concept_eqv_lry_q4b

P.S. I think this is definitely one of the sections which needs to be updated.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Hi Kanan,

I've now got access to a 20.6.3 lab, and am looking at vManage Resource Groups. I'm logged in as an admin, and the only default resource group is the global one. I don't see the "resource_group_operator" group; should I?

I see what you mean about custom resource groups: if I create one and try to add a user to my custom group, I get an error. So what is the point of custom groups? The documentation is not very clear about this.

What I tried to do was:

1. Create a custom resource group.

2. Create a user with the role of operator, and select site ID 100 as the site I want this user to be able to view.

3. Add the custom resource group. It worked initially, but seems to have defaulted back to the global resource group. Trying again then results in an error.

Hi,

Don't confuse or mix up the resource group with the RBAC group for the resource group. Normally you have only one resource group, which is the global RG. This can be checked in "Settings > Administration > Resource Group".

But there are multiple default user groups; this can be checked in "Settings > Administration > Manage Users and User Group tab".

1) You need to create a custom resource group

2) You need to create a user

3) While creating the user, you need to assign the user to the resource group and a supported user group

4) You can copy or assign the previously created global RG feature template and device templates to the new RG

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.