Configure role-based access control
Role-based access control (RBAC) regulates access to SD-WAN Orchestrator resources based on the roles assigned to individual users.
RBAC allows users to access only the data that their role demands and restricts any other data.
A role defines the permissions to view and perform various activities on the SD-WAN Orchestrator. Roles can be assigned at Provider and Customer level. Users can be assigned a role from the list of predefined roles.
New users can be added using the Identity and Access Management option on Citrix Cloud. While adding users, you can set “Full access” or “Custom access”. Users with “Full access” get Provider-Master-Admin-All role on SD-WAN Orchestrator. If you choose “Custom access” you are prompted to select the access level again. Users with “Customer Admin: Full Access” get Provider-Master-Admin-All role. Users with “Customer: Read Only Access” get Provider-Master-Admin-ReadOnly-All role on SD-WAN Orchestrator.
The Provider-Master-Admin-All role can perform the following:
- Assign roles to users in Provider and Customer network
- Manage access to customers for all other admin roles
- Edit or delete assigned roles
The following table lists the predefined provider roles.
|Provider-Master-Admin-All||An administrator who can manage the provider and all of its customer information|
|Provider-Master-Admin-Tenant||An administrator who can manage the provider and a subset of its customer information|
|Provider-Master-ReadOnly-All||An administrator who can only view provider and customer information|
New users can be added using the Identity and Access Management option on Citrix Cloud. While adding users, you can set “Full access” or “Custom access”. Users with “Full access” get Customer-Master-Admin role on SD-WAN Orchestrator. If you choose “Custom access” you are prompted to select the access level again. Users with “Customer Admin: Full Access” get Customer-Master-Admin role. Users with “Customer: Read Only Access” get Customer-Master-ReadOnly-Admin role.
The Customer-Master-Admin role can perform the following:
- Assign customer roles
- Edit or delete assigned roles within the customer network
The following table lists the predefined customer roles.
|Customer-Master-Admin||A customer administrator who can view and edit customer information|
|Customer-Master-ReadOnly-Admin||A customer administrator who can only view customer information|
Customers can view the list of provider roles who have access to their network under Administration > User Settings. Customer-Master-Admin can assign a customer role to an existing provider role. Once a customer role is assigned to an existing provider role, the customer role takes precedence and overrides the provider role.
The Customer Master-Admin cannot delete or override Provider-Master-Admin-All, Provider-Master-Admin-Tenant, and Provider-Master-ReadOnly roles.
For troubleshooting purposes, Providers and Customers can assign support roles and provide Support Team members the ability to view and edit their information.
Support roles have a validity period that is defined while assigning the role. The default validity period is for two weeks from the date the role is assigned. After the validity period expires, the support user loses access to Provider/Customer information. However, the support user details continue to appear under the Administration > User Settings. Based on the need, the Provider/Customer administrator can either delete or extend the validity of the support role.
You can assign support roles under Administration > User Settings.
|Provider-Support-ReadWrite||A support team member who can view and edit the provider information|
|Provider-Support-ReadOnly||A support team member who can only view the provider information|
|Customer-Support-ReadWrite||A support team member who can view and edit the customer information|
|Customer-Support-ReadOnly||A support team member who can only view the customer information|
Change user roles
If a user is an administrator for more than one customer or provider, then the user is assigned with multiple roles. In such scenarios, the user can change the role and switch to the desired account for which the user is an administrator.
To change the role, click Change Role option at the top right portion of the screen. Select a role, and click Confirm.