Role-based access control (RBAC) regulates access to Citrix SD-WAN Orchestrator service resources based on the roles assigned to individual users. RBAC allows users to access only the data that their role requires and restricts access to all other data.
A role defines the permissions to view and perform various activities on the Citrix SD-WAN Orchestrator service. Roles can be assigned at the Provider and Customer level. Users can be assigned a role from the list of predefined roles or from custom roles.
If a customer has a Citrix Secure Internet Access subscription along with a Citrix SD-WAN subscription, then the Administration > User Settings page is common to Citrix Secure Internet Access and the Citrix SD-WAN Orchestrator service. A Provider-Master-Admin-All or Customer-Master-Admin role defined for Citrix SD-WAN can assign a Citrix SD-WAN access-level role (predefined or custom) to other admin users. Similarly, a Customer-Master-Admin role defined for the Citrix Secure Internet Access service can assign a Citrix SIA-level role (predefined or custom) to other admin users.
New users can be added on Citrix Cloud. Navigate to Identity and Access Management > Administration tab and select Citrix Identity from the Select an identity provider drop-down list.
While adding users at the provider level, you can set “Full access” or “Custom access”. Users with “Full access” get the Provider-Master-Admin-All role on the Citrix SD-WAN Orchestrator service. If you choose “Custom access”, you are prompted to select the access level again. Users with “Customer Admin: Full Access” get the Provider-Master-Admin-All role. Users with “Customer: Read Only Access” get the Provider-Master-Admin-ReadOnly-All role on the Citrix SD-WAN Orchestrator service.
While adding users at the customer level, you can set “Full access” or “Custom access”. Users with “Full access” get the Customer-Master-Admin role on the Citrix SD-WAN Orchestrator service. If you choose “Custom access”, you are prompted to select the access level again. Users with “Customer Admin: Full Access” get the Customer-Master-Admin role. Users with “Customer: Read Only Access” get the Customer-Master-ReadOnly-Admin role.
The following table lists the predefined provider roles.

| Role | Description |
|---|---|
| Provider-Master-Admin-All | An administrator who can manage the provider and all of its customer information |
| Provider-Master-Admin-Tenant | An administrator who can manage the provider and a subset of its customer information |
| Provider-Master-ReadOnly-All | An administrator who can only view provider and customer information |
| Provider-Network-Admin | An administrator who can only view and edit the network-related information |
| Provider-Security-Admin | An administrator who can only view and edit the security-related information |

The Provider-Master-Admin-All role can perform the following:
- Assign roles to users in Provider and Customer network
- Manage access to customers for all other admin roles
- Edit or delete assigned roles
- Create custom roles
The following table lists the predefined customer roles.

| Role | Description |
|---|---|
| Customer-Master-Admin | A customer administrator who can view and edit customer information |
| Customer-Master-ReadOnly-Admin | A customer administrator who can only view customer information |
| Customer-Network-Admin | A customer administrator who can only view and edit network-related information |
| Customer-Security-Admin | A customer administrator who can only view and edit security-related information |

The Customer-Master-Admin role can perform the following:
- Assign customer roles
- Edit or delete assigned roles within the customer network
- Create custom roles
Customers can view the list of provider roles that have access to their network under Administration > User Settings. A Customer-Master-Admin can assign a customer role to an existing provider role. Once a customer role is assigned to an existing provider role, the customer role takes precedence and overrides the provider role.
The Customer-Master-Admin cannot delete or override the Provider-Master-Admin-All, Provider-Master-Admin-Tenant, and Provider-Master-ReadOnly roles.
For troubleshooting purposes, Providers and Customers can assign support roles, giving Support Team members the ability to view and edit their information.
Support roles have a validity period that is defined while assigning the role. The default validity period is two weeks from the date the role is assigned. After the validity period expires, the support user loses access to the Provider/Customer information. However, the support user's details continue to appear under Administration > User Settings. Based on the need, the Provider/Customer administrator can either delete the support role or extend its validity.
You can assign support roles under Administration > User Settings.

| Role | Description |
|---|---|
| Provider-Support-ReadWrite | A support team member who can view and edit the provider information |
| Provider-Support-ReadOnly | A support team member who can only view the provider information |
| Customer-Support-ReadWrite | A support team member who can view and edit the customer information |
| Customer-Support-ReadOnly | A support team member who can only view the customer information |

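The three rules stated above (a customer role assigned to a provider user takes precedence over the provider role, the three protected provider roles cannot be overridden by a Customer-Master-Admin, and a support role stops granting access after its validity period while still being listed) can be checked with a small model of role resolution. The following is an added example written for this page and is not the Orchestrator service's own code: the role names are the ones listed on this page, while the `Assignment` and `User` dataclasses, the function names, and the inclusive `valid_until` boundary are assumptions of the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed model of the role rules described on this page; it is not the
# Orchestrator's own implementation. Role names come from the page; the
# dataclasses and function names are assumptions of this example.

# Provider roles that a Customer-Master-Admin cannot delete or override.
PROTECTED_PROVIDER_ROLES = {
    "Provider-Master-Admin-All",
    "Provider-Master-Admin-Tenant",
    "Provider-Master-ReadOnly-All",
}

# Support roles carry a validity period; every other role is open-ended.
SUPPORT_ROLES = {
    "Provider-Support-ReadWrite",
    "Provider-Support-ReadOnly",
    "Customer-Support-ReadWrite",
    "Customer-Support-ReadOnly",
}
DEFAULT_SUPPORT_VALIDITY = timedelta(weeks=2)


@dataclass
class Assignment:
    role: str
    assigned_on: date
    valid_until: Optional[date] = None  # only support roles get a value

    def __post_init__(self) -> None:
        # Default validity: two weeks from the date the support role is assigned.
        if self.role in SUPPORT_ROLES and self.valid_until is None:
            self.valid_until = self.assigned_on + DEFAULT_SUPPORT_VALIDITY

    def is_active(self, today: date) -> bool:
        # Non-support roles never expire; support roles are valid through valid_until.
        return self.valid_until is None or today <= self.valid_until

    def extend(self, new_valid_until: date) -> None:
        # Administrators may extend a support role instead of deleting it.
        if self.role not in SUPPORT_ROLES:
            raise ValueError(f"{self.role} has no validity period to extend")
        self.valid_until = new_valid_until


@dataclass
class User:
    name: str
    provider_role: Optional[Assignment] = None
    # customer name -> role assigned within that customer's network
    customer_roles: dict = field(default_factory=dict)


def effective_role(user: User, customer: str, today: date) -> Optional[str]:
    """Resolve the role that applies to `user` inside `customer`'s network.

    A customer role assigned to a provider user takes precedence over the
    provider role. An expired support role grants nothing, although the
    assignment itself is still listed (see listed_roles).
    """
    customer_assignment = user.customer_roles.get(customer)
    if customer_assignment is not None and customer_assignment.is_active(today):
        return customer_assignment.role
    if user.provider_role is not None and user.provider_role.is_active(today):
        return user.provider_role.role
    return None


def assign_customer_role(actor_role: str, target: User, customer: str,
                         role: str, today: date) -> None:
    """Let a Customer-Master-Admin assign a customer role to `target`."""
    if actor_role != "Customer-Master-Admin":
        raise PermissionError(f"{actor_role} cannot assign customer roles")
    if (target.provider_role is not None
            and target.provider_role.role in PROTECTED_PROVIDER_ROLES):
        raise PermissionError(f"{target.provider_role.role} cannot be overridden")
    target.customer_roles[customer] = Assignment(role, today)


def listed_roles(user: User, customer: str) -> list:
    """Roles shown under User Settings for `customer`, expired ones included."""
    roles = []
    if user.provider_role is not None:
        roles.append(user.provider_role.role)
    if customer in user.customer_roles:
        roles.append(user.customer_roles[customer].role)
    return roles


if __name__ == "__main__":
    # Constructed scenario: a support engineer gets read-only access on 1 Jan.
    eng = User("support-engineer")
    assign_customer_role("Customer-Master-Admin", eng, "example-customer",
                         "Customer-Support-ReadOnly", date(2024, 1, 1))
    for day in (date(2024, 1, 10), date(2024, 1, 20)):
        print(day, effective_role(eng, "example-customer", day),
              listed_roles(eng, "example-customer"))
```

The `effective_role` check is what an authorization decision should consult, while `listed_roles` mirrors what the User Settings page displays; keeping the two separate is what lets an expired support assignment remain visible for cleanup without granting access.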
Change user roles
If a user is an administrator for more than one customer or provider, then the user is assigned multiple roles. In such scenarios, the user can change the role and switch to the desired account for which the user is an administrator.
To change the role, click the Change Role option at the top right of the screen. Select a role, and click Confirm.