The Cisco SD-WAN AAA software implements role-based access to control the authorization permissions for users on Cisco vEdge devices. Role-based access consists of three components:

• Users are those who are allowed to log in to a Cisco vEdge device.

• User groups are collections of users.

• Privileges are associated with each group. They define the commands that the group's users are authorized to issue.

Users and User Groups

All users who are permitted to perform operations on a Cisco vEdge device must have a login account. For the login account, you configure a username and a password on the device itself. These allow the user to log in to that device. A username and password must be configured on each device that a user is allowed to access.

The Cisco SD-WAN software provides one standard username, admin, which is a user who has full administrative privileges, similar to a UNIX superuser. By default, the admin username password is admin. You cannot delete or modify this username, but you can and should change the default password.

User groups pool together users who have common roles, or privileges, on the Cisco vEdge device. As part of configuring the login account information, you specify which user group or groups that user is a member of. You do not need to specify a group for the admin user, because this user is automatically in the user group netadmin​ and is permitted to perform all operations on the Cisco vEdge device.

The user group itself is where you configure the privileges associated with that group. These privileges correspond to the specific commands that the user is permitted to execute, effectively defining the role-based access to the Cisco SD-WAN software elements.

The Cisco SD-WAN software provides the following standard user groups:

• basic: The basic group is a configurable group and can be used for any users and privilege levels. This group is designed to include users who have permission to both view and modify information on the device.

• operator: The operator group is also a configurable group and can be used for any users and privilege levels. This group is designed to include users who have permission only to view information.

• netadmin: The netadmin group is a non-configurable group. By default, this group includes the admin user. You can add other users to this group. Users in this group are permitted to perform all operations on the device.

• Minimum supported release: Cisco vManage Release 20.9.1

  network_operations: The network_operations group is a non-configurable group. Users in this group can perform all non-security-policy operations on the device and only view security policy information. For example, users can create or modify template configurations, manage disaster recovery, and create non-security policies such as application aware routing policy or CFlowD policy.

• Minimum supported release: Cisco vManage Release 20.9.1

  security_operations: The security_operations group is a non-configurable group. Users in this group can perform all security operations on the device and only view non-security-policy information. For example, users can manage umbrella keys, licensing, IPS signatures auto update, TLS/SSL proxy settings, and so on.

Users of the network_operations group are authorized to apply policies to a device, revoke applied policies, and edit device templates. Users of the security_operations group require network_operations users to intervene on day-0 to deploy security policy on a device and on day-N to remove a deployed security policy. However, after a security policy is deployed on a device, security_operations users can modify the security policy without needing the network_operations users to intervene.

Note

Only admin users can view running and local configuration. Users associated with predefined operator user group do not have access to the running and local configurations. The predefined user group operator has only read access for the template configuration. If you need only a subset of admin user privileges, then you need to create a new user group with the selected features from the features list with both read and write access and associate the group with the custom user.

Privileges for Role-Based Access

Role-based access privileges are arranged into five categories, which are called tasks:

• Interface—Privileges for controlling the interfaces on the Cisco vEdge device.

• Policy—Privileges for controlling control plane policy, OMP, and data plane policy.

• Routing—Privileges for controlling the routing protocols, including BFD, BGP, OMP, and OSPF.

• Security—Privileges for controlling the security of the device, including installing software and certificates. Only users belonging to the netadmin group can install software on the system.

• System—General systemwide privileges.

The tables in the following sections detail the AAA authorization rules for users and user groups. These authorization rules apply to commands issued from the CLI and to those issued from Netconf.

User Authorization Rules for Operational Commands

The user authorization rules for operational commands are based simply on the username. Any user who is allowed to log in to the Cisco vEdge device can execute most operational commands. However, only the admin user can issue commands that affect the fundamental operation of the device, such as installing and upgrading the software and shutting down the device.

Note that any user can issue the config command to enter configuration mode, and once in configuration mode, they are allowed to issue any general configuration command. Also, any user is allowed to configure their password by issuing the system aaa user self password password command and then committing that configuration change. For the actual commands that configure device operation, authorization is defined according to user group membership. See User Group Authorization Rules for Configuration Commands.

The following tables lists the AAA authorization rules for general CLI commands. All the commands are operational commands except as noted. Also, some commands available to the "admin" user are available only if that user is in the "netadmin" user group.

User Group Authorization Rules for Operational Commands

The following table lists the user group authorization roles for operational commands.

User Group Authorization Rules for Configuration Commands

The following table lists the user group authorization rules for configuration commands.

Global Admin

User accounts in the global resource group have access to all resources. A global admin is responsible for overseeing the entire network, but not involved in the operations of the individual devices on a daily basis. The global admin can assign devices to their corresponding regions, assign the regional admin accounts, manage the controllers, maintain sharable and centralized configurations, and when necessary, operate on the individual devices.

Any user in a single tenant setup with netadmin privileges and also part of global resource group is considered as global admin. Default admin user on Cisco vManage is also a global-admin, and that user can assign more global-admins. Global resource group encompasses all the WAN edges, controllers in the single view.

Global admin can switch to view only a specific resource group and can create templates. Local resource group admins, also called regional admins can clone the global templates and reuse them within their resource groups.

Regional Admin

The regional admins are responsible for day-to-day operations (configuration, monitoring, onboarding, and so on) for devices in their corresponding regions. They should not have access to or visibility into devices outside of their region. The following user groups can be created:

• resource group admin – full read/write access to devices in the corresponding resource group, can troubleshoot, monitor, attach or detach templates for the WAN edges in their group

• resource group operator – read-only access to WAN edges within their resource group

• resource group basic – basic access

Resource group admins can create new templates and attach or detach to the WAN edges in their group. They can also copy global templates and re-use them.

Resource group decides which resources the user has access to. However, the level of access is controlled by the existing user group.

• If user is in resource_group_a and user group resource_group_admin, they have full read/write access to all resources in resource_group_a.

• If user is in resource_group_a and user group resource_group_operator, they have read only access to all resources in resource_group_a.

• If user is in resource_group_a and user group resource_group_basic, they have read only access to interface and system resources in resource_group_a.

Global Resource Group

Global group is a special system pre-defined resource group that has different access control rules.

• Users within this group are considered as global-admins, who can have full access to all resources (devices, templates and policies) in the system and they can manage the resource groups and assign resources and users to groups.

• All other users have read-only access to resources within this group.

• The system default admin account (or tenantadmin account in a multi-tenant setup) is always in this group. This privilege cannot be changed. However, the admin account may add/remove other user accounts to or from this group.

IdP (SSO)-Managed Group

An identity provider (IdP) is a service that stores and verifies user identity. IdPs typically work with single sign-on (SSO) providers to authenticate users. If a user is authenticated with a SSO service of an IdP, the group information is also provided and managed by the IDP. An IdP passes the information about the user, including the user name and all the group names, where the user belongs to. Cisco vManage matches the group names with the group names stored in the database to further distinguish if a particular group name passed from IdP is for user group or resource group or VPN group.

Multi-Tenancy Support

With Cisco SD-WAN multitenancy, a service provider can manage multiple customers, called tenants, from Cisco vManage. The tenants share Cisco vManage instances, Cisco vBond Orchestrators, and Cisco vSmart Controllers. The domain name of the service provider has subdomains for each tenant. Cisco vManage is deployed and configured by the service provider. The provider enables multitenancy and creates a Cisco vManage cluster to serve tenants. Only the provider can access a Cisco vManage instance through the SSH terminal.

Provider has the following features:

• resource group is not applicable as the provider manages only the controllers.

• when provider provisions a new tenant, the default user account for the tenant is tenantadmin.

• other user accounts created by the provider are included in the default global resource group.

• when a provider creates a template for a tenant, the template is included in to the global resource group.

Single-Tenant and Multi-Tenant Scenarios

You can use granular RBAC for feature templates in single-tenant and multi-tenant Cisco vManage scenarios.

You can create user groups to assign specific permissions to a tenant's various teams, enabling teams to manage only specific network services without granting permission to use device CLI templates. It might be undesirable to give a tenant permission to apply device CLI templates, as the device CLI template can override any other template or device configuration.

For example, you can create a user group for a tenant's security operations group, giving them read/write access only to the SIG Template option, which would enable the security operations group to work on security configuration.

From the Cisco vManage menu, choose Administration > Manage Users to add, edit, view, or delete users and user groups.

Please note the following:

• Only a user logged in as the admin user or a user who has Manage Users write permission can add, edit, or delete users and user groups from Cisco vManage.

• Each user group can have read or write permission for the features listed in this section. Write permission includes Read permission.

• All user groups, regardless of the read or write permissions selected, can view the information displayed in the Cisco vManage Dashboard.

Users are placed in groups, which define the specific configuration and operational commands that the users are authorized to view and modify. A single user can be in one or more groups. Cisco SD-WAN software provides standard user groups, and you can create custom user groups, as needed:

• basic: Includes users who have permission to view interface and system information.

• netadmin: Includes the admin user, by default, who can perform all operations on the Cisco vManage. You can add other users to this group.

• operator: Includes users who have permission only to view information.

• Minimum supported release: Cisco vManage Release 20.9.1

  network_operations: Includes users who can perform non-security operations on Cisco vManage, such as viewing and modifying non-security policies, attaching and detaching device templates, and monitoring non-security data.

• Minimum supported release: Cisco vManage Release 20.9.1

  security_operations: Includes users who can perform security operations on Cisco vManage, such as viewing and modifying security policies, and monitoring security data.

Note: All user groups, regardless of the read or write permissions selected, can view the information displayed on the Cisco vManage Dashboard screen.

Delete a User Group

You can delete a user group when it is no longer needed. For example, you might delete a user group that you created for a specific project when that project ends.

1. From the Cisco vManage menu, choose Administration > Manage Users.

2. Click User Groups.

3. Click the name of the user group you wish to delete.

   Note	You cannot delete any of the default user groups—basic, netadmin, operator, network_operations, and security_operations.

4. Click Trash icon.

5. To confirm the deletion of the user group, click OK.

Edit User Group Privileges

You can edit group privileges for an existing user group. This procedure lets you change configured feature read and write permissions for the user group needed.

1. From the Cisco vManage menu, choose Administration > Manage Users.

2. Click User Groups.

3. Select the name of the user group whose privileges you wish to edit.

   Note	You cannot edit privileges for the any of the default user groups—basic, netadmin, operator, network_operations, and security_operations.

4. Click Edit, and edit privileges as needed.

5. Click Save.

If an admin user changes the privileges of a user by changing their group, and if that user is currently logged in to the device, the user is logged out and must log back in again.

To add Users:

1. From the Cisco vManage menu, choose Administration > Manage Users. The Manage Users screen appears.

2. By default Users is selected. The table displays the list of users configured in the device.

3. To edit, delete, or change password for an existing user, click ..., and click Edit, Delete, or Change Password respectively.

4. To add a new user, click Add User.

5. Add Full Name, Username, Password, and Confirm Password details.

6. From the User Groups drop-down list, select the user group where you want to add a user.

7. From the Resource Group drop-down list, select the resource group.

   Note	This field is available from Cisco SD-WAN Release 20.5.1.

8. Click Add.

You can use the CLI to configure user credentials on each device. This way, you can create additional users and give them access to specific devices. The credentials that you create for a user by using the CLI can be different from the Cisco vManage credentials for the user. In addition, you can create different credentials for a user on each device. All users with the netadmin privilege can create a new user.

To create a user account, configure the username and password, and place the user in a group:

vEdge(config)# system aaa
vEdge(config)# user username password  password
vEdge(config-aaa)# group group-name

The Username can be 1 to 128 characters long, and it must start with a letter. The name can contain only lowercase letters, the digits 0 through 9, hyphens (-), underscores (_), and periods (.). The name cannot contain any uppercase letters. Because some usernames are reserved, you cannot configure them. For a list of reserved usernames, see the aaa configuration command in the Cisco SD-WAN Command Reference Guide.

The Password is the password for a user. Each username must have a password, and users are allowed to change their own password. The CLI immediately encrypts the string and does not display a readable version of the password. When a user logs in to a Cisco vEdge device , they have five chances to enter the correct password. After the fifth incorrect attempt, the user is locked out of the device, and must wait for 15 minutes before attempting to log in again.

Note

Enclose any user passwords that contain the special character ! in double quotation marks (“ “). If a double quotation is not included for the entire password, the config database (?) treats the special character as a space and ignores the rest of the password. For example, if the password is C!sc0, use “C!sc0”.

Group name is the name of a standard Cisco SD-WAN group (basic, netadmin, or operator) or of a group configured with the usergroup command (discussed below). If an admin user changes the permission of a user by changing their group, and if that user is currently logged in to the device, the user is logged out and must log back in again.

The factory-default password for the admin username is admin. We strongly recommend that you modify this password the first time you configure a Cisco vEdge device :

vEdge(config)# system aaa admin password  password

Configure the password as an ASCII string. The CLI immediately encrypts the string and does not display a readable version of the password, for example:

vEdge(config-user-admin)# show config
system
 aaa
  user admin
   password $1$xULc8yYH$k71cTjvKESmeIGgImNDaC.
  !
  user eve
   password $1$8z3q4qoU$F6DMBr9vPBF0s/sl45ax5.
   group    basic
  !
 !
!

If you are using RADIUS to perform AAA authentication, you can configure a specific RADIUS server to verify the password:

vEdge(config)# system aaa radius-servers tag

The tag is a string that you defined with the radius server tag command, as described in the Cisco SD-WAN Command Reference Guide.

The Cisco SD-WAN software provides default user groups: basic, netadmin, operator, network_operations, and security_operations. The username admin is automatically placed in the netadmin usergroup.

If needed, you can create additional custom groups and configure privilege roles that the group members have. To create a custom group with specific authorization, configure the group name and privileges:

vEdge(config)# system  aaa usergroup group-name task privilege 

group-name can be 1 to 128 characters long, and it must start with a letter. The name can contain only lowercase letters, the digits 0 through 9, hyphens (-), underscores (_), and periods (.). The name cannot contain any uppercase letters Some group names are reserved, so you cannot configure them. For a list of them, see the aaa configuration command.

If a remote RADIUS or TACACS+ server validates authentication but does not specify a user group, the user is placed into the user group basic. If a remote server validates authentication and specifies a user group (say, X) using VSA Cisco SD-WAN-Group-Name, the user is placed into that user group only. However, if that user is also configured locally and belongs to a user group (say, Y), the user is placed into both the groups (X and Y).

In the task option, list the privilege roles that the group members have. The role can be one or more of the following: interface, policy, routing, security, and system.

In the following example, the basic user group has full access to the system and interface portions of the configuration and operational commands, and the operator user group can use all operational commands but can make no modifications to the configuration:

vEdge# show running-config system aaa
system
 aaa
  usergroup basic
   task system read write
   task interface read write
  !
  usergroup operator
   task system read
   task interface read
   task policy read
   task routing read
   task security read
  !
  user admin
   password $1$tokPB7tf$vchR2JI9Sw1/dqgkqup9S.
  !
 !
!