An administrator’s role defines the permissions to view features and perform various activities in the Citrix Secure Internet Access (CSIA) service.
The following features are included as part of the Citrix Secure Internet Access service:
- Dashboard. Access to top-level reports.
- Web Gateway. Access to the Secure Web Gateway Service.
- Reporting & Analytics. Access to more detailed reports.
- Locations & Geo Mapping. Access to the geographical locations of cloud and gateway nodes.
- Node Collection Management. Access to the Node Collection Management feature.
- Licensing. Ability to fetch licensing details for the service.
- User Management. Ability to create custom roles and to assign custom roles to other administrators.
Role-based access control
As with Citrix SD-WAN Orchestrator, access to Citrix Secure Internet Access service resources is managed based on the roles assigned to individual administrators. There are three levels of access that can be assigned to an administrator user of the Citrix Secure Internet Access service: Customer-Master-Admin, Customer-Master-ReadOnly-Admin, and Customer-No-Access.
- The Customer-Master-Admin level is a full access role that allows the administrator to do the following:
  - Manage all features of the Citrix Secure Internet Access service.
  - Add administrators to the service.
  - Delete administrators from the service.
  - Assign, edit, and delete roles within the customer network.
  - Create custom roles.
- The Customer-Master-ReadOnly-Admin level is a read-only role that allows the administrator only to view Citrix Secure Internet Access service features.
- The Customer-No-Access level denies access to all Citrix Secure Internet Access service features.
For the Citrix Secure Internet Access service, roles are assigned at the Customer level. For the Citrix SD-WAN Orchestrator service, roles are assigned at both the Customer level and at the Provider level. As a result, the Citrix SD-WAN Orchestrator service has both the Customer-Master-Admin role and the Provider-Master-Admin-All role available.
To apply RBAC, you first need to add users as administrators to Citrix Cloud services.
Add new users to Citrix Cloud services
You can add administrators to the Citrix Secure Internet Access service using the Identity and Access Management feature in Citrix Cloud. New administrators can use their existing Citrix account credentials or set up a new account if needed.
To add new administrators, select Identity and Access Management from the menu on the Citrix Cloud home page, and follow the prompts on the user interface. For more information, see Manage Citrix Cloud administrators.
Any new administrator you add is automatically assigned full access to Citrix Cloud services. You can edit which parts of Citrix Cloud an administrator can view and manage on a more granular level.
Edit access for new users
Once you’ve added a new administrator through Citrix Identity and Access Management, you can set the role.
Select Edit Access from the list of actions against the account you created and choose either “Full access” (to Citrix Cloud services) or “Custom access”.
To grant full access to the Citrix Secure Internet Access service, with no customized selection of subfeatures (under Custom Access > General Management), select the high-level Full access option.
Select Custom access if either or both of the following apply:
- You want to regulate access to subfeatures listed under General Management.
- You want to regulate the level of access to the Citrix Secure Internet Access service, specifically.
If you choose Custom access, you need to specify the level of access for Secure Internet Access separately from General Management. This access can be: full access, read-only access, or no access.
A user that is assigned Customer Admin: Full Access has the same access to the Citrix Secure Internet Access service as granted by the high-level Full access option (located above Custom access). Choose Customer Admin: Full Access to grant full access to Citrix Secure Internet Access service features while also choosing different levels of access to the subfeatures under General Management.
Choose one or none of the boxes under Secure Internet Access. If both boxes are selected, the highest level of permission is granted to the administrator, which poses a security risk.
A user that is assigned Customer: Read Only Access can only view the features of the service. If you select neither option, the user has no access to Citrix Secure Internet Access features.
You can’t edit an administrator’s role in the Citrix Secure Internet Access service if they’re denied access in Identity and Access Management. To view and edit an administrator in the Citrix Secure Internet Access service, you must grant them full or read-only access when you first add them.
All later changes to a user’s access must occur in the Citrix Secure Internet Access service user settings. Existing permissions for an administrator that are edited in Identity and Access Management aren’t sent to the Citrix Secure Internet Access service. In some cases, you might need to delete and reinvite the administrator.
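The following is an added example, not Citrix code: a small audit that applies the rules above to a hand-maintained list of administrators and flags accounts left on the high-level Full access option, accounts with both Secure Internet Access boxes selected, and accounts whose role in the service is broader than the Identity and Access Management selection implies. The record layout, field names, email addresses, and the `Reports-Only` custom role are assumptions; the page describes no export format, so rows are transcribed from the two consoles. A `STALE_SERVICE_ROLE` finding can also reflect a deliberate change made in User Settings, so it marks the account for review rather than proving an error.

```python
# Added example. Record layout is an assumption: the page describes no export
# format, so rows are transcribed by hand from the two consoles.
FULL, READ_ONLY, NO_ACCESS = (
    "Customer-Master-Admin", "Customer-Master-ReadOnly-Admin", "Customer-No-Access")
RANK = {NO_ACCESS: 0, READ_ONLY: 1, FULL: 2}
BOX_FULL, BOX_RO = "Customer Admin: Full Access", "Customer: Read Only Access"

def iam_implied_role(rec):
    """Role implied by the Identity and Access Management selection."""
    if rec["iam_mode"] == "full":      # high-level Full access option
        return FULL
    boxes = set(rec["sia_boxes"])      # Custom access > Secure Internet Access
    if BOX_FULL in boxes:              # both boxes ticked still resolves to full
        return FULL
    return READ_ONLY if BOX_RO in boxes else NO_ACCESS

def audit(records):
    """Return (email, finding) pairs worth a manual review."""
    findings = []
    for rec in records:
        implied = iam_implied_role(rec)
        if rec["iam_mode"] == "full":
            findings.append((rec["email"], "FULL_ACCESS_REVIEW"))
        elif {BOX_FULL, BOX_RO} <= set(rec["sia_boxes"]):
            findings.append((rec["email"], "BOTH_BOXES_SELECTED"))
        # IAM edits are not pushed to the service, so a role that is broader in
        # User Settings than IAM implies means a tightening never took effect.
        service = rec["service_role"]
        if service in RANK and RANK[service] > RANK[implied]:
            findings.append((rec["email"], "STALE_SERVICE_ROLE"))
    return findings

# Constructed sample data; addresses and the custom role name are hypothetical.
SAMPLE = [
    {"email": "alice@example.com", "iam_mode": "full", "sia_boxes": [], "service_role": FULL},
    {"email": "bob@example.com", "iam_mode": "custom", "sia_boxes": [BOX_FULL, BOX_RO], "service_role": FULL},
    {"email": "carol@example.com", "iam_mode": "custom", "sia_boxes": [BOX_RO], "service_role": FULL},
    {"email": "dave@example.com", "iam_mode": "custom", "sia_boxes": [BOX_RO], "service_role": READ_ONLY},
    {"email": "erin@example.com", "iam_mode": "custom", "sia_boxes": [BOX_RO], "service_role": "Reports-Only"},
]

if __name__ == "__main__":
    for email, finding in audit(SAMPLE):
        print(f"{finding:22} {email}")
```

Custom roles are skipped in the comparison because their permission level cannot be ranked against the three predefined roles.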
Setting user roles
This section describes how you can further define and manage administrator access to features of the Citrix Secure Internet Access service.
Customers that have both a Citrix Secure Internet Access service subscription and a Citrix SD-WAN Orchestrator service subscription share Administration > User Settings.
To edit an existing user’s role as an administrator for the Citrix Secure Internet Access service, navigate to Administration > User Settings. You can assign roles from a list of predefined roles and a list of custom roles. Choose the appropriate role-based access from one of the menus, and then save your selection.
There are three predefined roles at the Customer level that are available for the Citrix Secure Internet Access service:
- The Customer-Master-Admin role (default) allows the administrator to view and edit Citrix Secure Internet Access information.
- The Customer-Master-ReadOnly-Admin role allows the administrator to view Citrix Secure Internet Access information, with no editing permissions.
- The Customer-No-Access role denies the administrator access to Citrix Secure Internet Access service features.
You can create custom roles based on varying permissions for individual features of the Citrix Secure Internet Access service.
To create a custom administrator role that can then be assigned to administrators, navigate to Administration > Role Settings. The New Custom Role form allows you to select different levels of access for individual features of the Citrix Secure Internet Access service.
Once you’ve created a custom role, it appears in the list of custom roles in User Settings.
If a user is an administrator for more than one customer, they’re assigned multiple roles in the Citrix Secure Internet Access service and can switch between accounts. In such scenarios, the user can have a different role for each account.
To switch between roles, select Change Role at the top right of the screen, next to the bell icon.
View administrator details
You can view the roles and email addresses of all the administrators. To view administrator details, navigate to Administration > Administrators.
Delete an administrator
To delete an administrator from the Citrix Secure Internet Access service, navigate to Administration > Administrators. Select the delete button against the account you want to delete, and then select Save.