Managing User Roles
The system uses the following functionalities to manage user roles:
Adding New User Roles
CloudVision Portal enables you to create new roles as needed to ensure that you are able to efficiently manage CVP user permissions. When you create a new role, you specify the read and write permissions for each CVP module.
Once a role has been created, it is automatically added to the list of Available roles, and you can assign it to users that should have the permissions defined in the role. When you assign the role to a user, they inherit the read and write permissions defined in the role.
Complete the following steps to create new roles:
Modifying User Roles
CloudVision Portal provides the functionality required to change the permissions of an existing role. This enables you to efficiently change the permissions of all users that are assigned the role. After you modify the role, all users assigned the role inherit the read and write permissions defined in the new version of the role.
Complete the following steps to modify an existing role:
Removing User Roles
Complete these steps to remove a user role:
Roles Mapping from SAML to CloudVision
Creating an attribute for your SAML provider allows you to pass CloudVision roles from the corresponding identity provider to CloudVision. This allows CloudVision user accounts to be automatically created with these roles when a new user logs in with that provider.
To use this feature, the Allow Roles Mapping with Providers toggle must be enabled in General Settings. Roles mapping can be set up for a new or existing SAML identity provider. You will need to configure attributes in the identity provider and then add the corresponding provider to CloudVision or edit the provider if it is already connected to CloudVision.
Mapping Roles
To map roles from a SAML provider, you need to configure a custom attribute for CloudVision roles and enter the details in Providers.
- Register CloudVision with a SAML provider or reconfigure an existing SAML provider.
- Create a custom field that lists CloudVision roles in the SAML provider’s user profiles.
Tip: User profiles contain information such as first name, last name, email, phone number, and other fields.
Note: CloudVision role names must be entered exactly as they appear in CloudVision, for instance network-operator, network-admin, no-access.
- Assign a role to a user in the SAML provider.
Note: To enable mapping provider roles to CloudVision roles, extra steps are required to create a custom attribute. The created attribute name can be anything, but cv_roles is a recommended default. CloudVision requires the Roles Attribute Name to be an array of strings.
- Enable the Allow Roles Mapping with Providers toggle in General Settings.
- Add the SAML provider to CloudVision or edit the provider if it has already been added.
- In Providers, enter the attribute name that was created for the SAML provider in the Roles Attribute Name field and fill in the Username Attribute Name field.
The Username Attribute Name allows you to map usernames from the SAML provider to CloudVision by specifying how the provider identifies the username in the SAML assertion. For most providers, this will be user or username.
New users signing in with that identity provider will have their CloudVision user account automatically created and the roles defined in the corresponding SAML provider automatically assigned to them.
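The mapping described above depends on two things the provider must get right: the username attribute carries exactly one value, and the roles attribute is an array of strings whose entries match CloudVision role names exactly. The following is an added illustration, not CloudVision code: it parses a constructed SAML assertion fragment, reads a roles attribute named cv_roles (the recommended default from the steps above) and a username attribute, and reports which role values match the known role names and which would not. The set of known roles is assumed to be the three named in this document, and how CloudVision itself treats an unrecognised value is not stated on this page, so the example simply reports such values separately.

```python
"""Read CloudVision roles from a SAML assertion's AttributeStatement.

Hypothetical example (not CloudVision's or any provider's code). It models
the documented contract: the roles attribute is an array of strings, and
each string must equal a CloudVision role name exactly.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed set of known roles: the three role names this document mentions.
KNOWN_ROLES = {"network-operator", "network-admin", "no-access"}

# Constructed sample assertion fragment; not captured from a real provider.
# The second cv_roles value deliberately uses the wrong capitalisation.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="username">
      <saml:AttributeValue>alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="cv_roles">
      <saml:AttributeValue>network-operator</saml:AttributeValue>
      <saml:AttributeValue>Network-Admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Return {attribute name: [string values]} from the AttributeStatement.

    Every attribute is returned as a list, so a roles attribute with one or
    many AttributeValue children is always an array of strings.
    """
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def map_roles(assertion_xml, roles_attr="cv_roles", username_attr="username"):
    """Return (username, assigned_roles, rejected_values).

    Role values are compared exactly (case-sensitive) against KNOWN_ROLES,
    mirroring the requirement that names be entered exactly as they appear
    in CloudVision. A missing or multi-valued username is an error rather
    than a guess, since it decides which account the roles land on.
    """
    attrs = extract_attributes(assertion_xml)
    usernames = attrs.get(username_attr, [])
    if len(usernames) != 1 or not usernames[0]:
        raise ValueError(f"assertion must carry exactly one {username_attr!r} value")
    values = attrs.get(roles_attr, [])
    assigned = [v for v in values if v in KNOWN_ROLES]
    rejected = [v for v in values if v not in KNOWN_ROLES]
    return usernames[0], assigned, rejected


if __name__ == "__main__":
    user, roles, bad = map_roles(SAMPLE_ASSERTION)
    print(f"user={user} roles={roles} unrecognised={bad}")
```

Running the block against the constructed assertion yields user alice with network-operator assigned and Network-Admin reported as unrecognised, which is exactly the kind of mismatch to look for when a user signs in and lands with fewer permissions than expected.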
Action Execution Permission
The role permission, Action Execution, is available to control the execution of custom actions when they are run in isolation, such as via Studio Autofill actions and standalone executions in the Action editor. A custom action is a user-created action that has either been installed via a package or has been created using a Python script and arguments.
The Action Management and Action Execution permissions must be set to Read & Write for a user to modify and execute a custom action via standalone execution or using the Studio Autofill actions.
Enabling Action Execution Permission
To enable the Action Execution permission:
- Navigate to Settings > Roles.
- Select a role.
- Under Provisioning, select a permission level for Action Execution. There are three permissions:
  - No Access: The user will not be able to execute custom actions in isolation.
  - Read Only: The user will be able to access details of previous executions and their associated logs via rAPIs.
  - Read and Write: The user will be able to execute custom actions in isolation.
- Click Save. Users assigned with the selected role will have their permissions updated.