User Management

The User Management feature allows you to manage users, their roles, service permissions (formerly known as Role Customization), and authentication.

As an Enterprise Superuser, follow the below steps to access the User Management screen:

  1. In the Enterprise portal, on the Global Navigation bar, expand the Enterprise Applications drop-down menu.
  2. Select Global Settings service.
  3. From the left menu, select User Management. The following screen is displayed:
    Figure 1. Global Settings > User Management

    The User Management window displays four tabs: Users, Roles, Service Permissions, and Authentication.

    For more information on each of these tabs, see the following sections.

Users

You can view the existing Admin users. Only Enterprise Superusers can create new Admin users with different roles, and configure API tokens for each Admin user.

To access the Users tab:

  1. In the Enterprise portal, on the Global Navigation bar, expand the Enterprise Applications drop-down menu.
  2. Select Global Settings service.
  3. From the left menu, select User Management. The Users tab is displayed by default.
    Figure 2. User Management > Users
  4. On the Users screen, you can perform the following activities:
    Table 1. Users Option Descriptions
    Option Description
    New User Creates a new Admin user. For additional information, see Add New User.
    Modify Allows you to modify the properties of the selected Admin user. You can also select the link to the username to modify the properties.
    Delete Deletes the selected user. You cannot delete the default users.
    Download Select this option to download the details of all the users into a file in a CSV format.
    Password Select this option and choose to either enforce the new password policy or reset the already enforced policy, for the selected user. You can modify the password policies by navigating to the Authentication tab.
  5. The following are the other options available in the Users tab:
    Table 2. Users tab Option Descriptions
    Option Description
    Search Enter a search term to search for the matching text across the table. Use the advanced search option to narrow down the search results.
    Show or Hide Columns Select the columns to be displayed or hidden on the page.
    Refresh Select to refresh the page to display the most current data.

Add New User

Standard Administrator Superusers and Standard Administrators can create new Admin users. The SSH username is automatically created for the user. To add a new user, perform the following steps:
Note: These steps are valid for all customers, though customers created in a 5.2.0 Orchestrator where they are not assigned to a Partner have certain limitations. These limitations are outlined in an Important note at the end of the article.
  1. In the Enterprise portal, go to Enterprise Applications > Global Settings.
  2. From the left menu, select User Management, and then select the Users tab.
  3. Select New User.
    Figure 3. User Management > New User
  4. Enter the following details for the new user:
    Note: The Next button is activated only when you enter all the mandatory details in each section.
    Table 3. New User Option Descriptions
    Option Description
    General information Enter the required personal details of the user.
    Note: Starting from the 4.5 release, the use of the special character "<" in the password is no longer supported. In cases where users have already used "<" in their passwords in previous releases, they must remove it to save any changes on the page.
    Role Select a role that you want to assign to the user. For information on roles, see the topic Roles.
    Edge Access Choose one of the following options:
    • Basic: Allows you to perform certain basic debug operations such as ping, tcpdump, pcap, remote diagnostics, and so on.
    • Privileged: Grants you the root-level access to perform all basic debug operations along with Edge actions such as restart, deactivate, reboot, hard reset, and shutdown. In addition, you can access Linux shell.
    The default value is Basic.
  5. Select the Add another user check box if you wish to create another user, and then select Add User. The new user appears in the User Management > Users page. Select the link to the user to view or modify the details. As an Enterprise Administrator, you can manage the Roles, Service Permissions, and API Tokens for the Enterprise users.
    Note: Enterprise Administrator should manually delete inactive Identity Provider (IdP) users from the Orchestrator to prevent unauthorized access via API Token.
    Important: Customers created on a Release 5.2.0 Orchestrator who are not assigned to a Partner are automatically configured for Single Sign On (SSO) using Cloud Services Platform (CSP) as the Identity Provider (IdP). As a result:
    • New administrators are created by an administrator with a Superuser role through the CSP portal.
    • There is one exception to this: the customer is permitted one administrator account with Native authentication (username/password) to allow them to access their portal in the event there is an issue with CSP authentication.
    • For additional information about using CSP as an IdP in SD-WAN, see the topic Configure CSP for Single Sign On.
    • For additional information about adding new users on the Cloud Services Platform, see the topic Using Arista Cloud Services Console- Identity and Access Management.

API Tokens

You can access the Orchestrator APIs using tokens instead of session-based authentication. As an Enterprise Superuser, you can manage the API tokens. You can create multiple API tokens for a user.
Note:
  • For Enterprise Read Only users and MSP Business Specialist users, token-based authentication is not activated.
  • Enterprise Superuser should manually delete inactive Identity Provider (IdP) users from the Orchestrator to prevent unauthorized access via API Token.

The users can create, revoke, and download the tokens based on their roles.

To manage the API tokens:

  1. In the Enterprise portal, on the Global Navigation bar, expand the Enterprise Applications drop-down menu.
  2. Select Global Settings service.
  3. Navigate to User Management > Users.
  4. Select a user and select Modify or select the link to the username. Go to the API Tokens section.
    Figure 4. Modifying API Tokens
  5. Select New API Token.
    Figure 5. New API Token Tab
  6. In the New Token window, enter a Name and Description for the token, and then choose the Lifetime from the drop-down menu.
  7. Select Save. The new token is displayed in the API Tokens table. Initially, the status of the token is displayed as Pending. Once you download it, the status changes to Enabled.
  8. To download the token, select the token, and then select Download API Token.
  9. To deactivate a token, select the token, and then select Revoke API Token. The status of the token is displayed as Revoked.
  10. Select CSV to download the complete list of API tokens in a .csv file format.
  11. When the Lifetime of the token is over, the status changes to Expired.
    Note: Only the user who is associated with a token can download it and after downloading, the ID of the token alone is displayed. You can download a token only once. After downloading the token, the user can send it as part of the Authorization Header of the request to access the Orchestrator API.
    The following example shows a sample snippet of the code to access an API (the token is passed in the Authorization header with the Token scheme; -k disables TLS certificate verification and should only be used against a lab Orchestrator with a self-signed certificate):
    curl -k -H "Authorization: Token <Token>" \
      -X POST https://vco/portal/ \
      -d '{ "id": 1, "jsonrpc": "2.0", "method": "enterprise/getEnterpriseUsers", "params": { "enterpriseId": 1 }}'
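    The same call as an added Python example (not code from the page or from the Orchestrator product). It assumes the placeholder host "vco" and the enterprise/getEnterpriseUsers method from the curl snippet above, reads the downloaded token from an environment variable instead of embedding it, keeps certificate verification on, and treats a JSON-RPC "error" object as a failure. The sample replies and the "token invalid" error text are constructed for offline use, not taken from the product.

```python
import json
import os
import urllib.request

# Host is an assumption: "vco" is the placeholder used in the page's curl example.
VCO_HOST = os.environ.get("VCO_HOST", "vco")


def build_jsonrpc_request(method, params, request_id=1):
    """Return the JSON-RPC 2.0 envelope the portal API call above uses."""
    return {"id": request_id, "jsonrpc": "2.0", "method": method, "params": params}


def build_headers(token):
    """Authorization header for token-based (non-session) authentication."""
    if not token or any(ch.isspace() for ch in token):
        raise ValueError("API token missing or malformed")
    return {"Authorization": f"Token {token}", "Content-Type": "application/json"}


def parse_jsonrpc_response(body):
    """Return the JSON-RPC result, or raise if the reply carries an error.

    JSON-RPC 2.0 reports failures in an "error" object with HTTP 200, so a
    script that only checks the status code silently accepts a rejected token.
    """
    payload = json.loads(body)
    if "error" in payload:
        err = payload["error"]
        raise RuntimeError(f"JSON-RPC error {err.get('code')}: {err.get('message')}")
    return payload.get("result")


def _https_transport(url, headers, body):
    # Certificate verification stays on (no equivalent of curl -k).
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def get_enterprise_users(token, enterprise_id, transport=None):
    """Call enterprise/getEnterpriseUsers with a downloaded API token.

    `transport(url, headers, body)` returns the raw response body; it defaults
    to HTTPS and can be swapped for a constructed reply when testing offline.
    """
    url = f"https://{VCO_HOST}/portal/"
    request = build_jsonrpc_request("enterprise/getEnterpriseUsers",
                                    {"enterpriseId": enterprise_id})
    body = json.dumps(request).encode()
    transport = transport or _https_transport
    return parse_jsonrpc_response(transport(url, build_headers(token), body))


# Constructed sample replies (not from the page): one success, one rejection.
SAMPLE_OK = json.dumps({"jsonrpc": "2.0", "id": 1,
                        "result": [{"id": 10, "username": "alice@example.com"}]})
SAMPLE_ERR = json.dumps({"jsonrpc": "2.0", "id": 1,
                         "error": {"code": -32000, "message": "token invalid"}})


if __name__ == "__main__":
    api_token = os.environ["VCO_API_TOKEN"]  # assumed variable name
    for user in get_enterprise_users(api_token, 1):
        print(user["username"])
```

    Because a token can be downloaded only once and is tied to the user who created it, keeping it in the environment or a secrets store rather than in the script keeps the revocation step (Revoke API Token) meaningful: revoking the token is then the only copy to worry about.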
    The following are the other options available in the API Tokens section:
    Table 4. API Tokens Option Descriptions
    Option Description
    Search Enter a search term to search for the matching text across the table. Use the advanced search option to narrow down the search results.
    Columns Select the columns to be displayed or hidden on the page.
    Refresh Select to refresh the page to display the most current data.

Roles

The Orchestrator supports two types of roles.

Note: Starting from the 5.1.0 release, Functional Roles are renamed as Privileges, and Composite Roles are renamed as Roles.
The roles are categorized as follows:
  • Privileges – Privileges are a set of roles relevant to a functionality. A privilege can be tagged to one or more of the following services: SD-WAN and Global Settings. Users require privileges to carry out business processes. For example, a Customer support role in SD-WAN is a privilege required by an SD-WAN user to carry out various support activities. Every service defines such privileges based on its supported business functionality.
  • Roles – The privileges from various categories can be grouped to form a role. By default, the following roles are available for a Customer:
    Table 5. Role Services
    Role SD-WAN Service Global Settings Service
    Enterprise Standard Admin SD-WAN Enterprise Admin Global Settings Enterprise Admin
    Enterprise Superuser SD-WAN Enterprise Superuser Global Settings Enterprise Superuser
    Enterprise Support SD-WAN Enterprise Support Global Settings Enterprise Support
    Enterprise Read Only User SD-WAN Enterprise Read Only Global Settings Enterprise Read Only
    Enterprise Security Admin SD-WAN Security Enterprise Admin Global Settings Enterprise Admin
    Enterprise Security Read Only SD-WAN Security Enterprise Read Only Global Settings Enterprise Read Only
    Enterprise Network Admin SD-WAN Enterprise Admin Global Settings Enterprise Admin

    If required, you can customize the privileges of these roles. For additional information, see Service Permissions.

As a Customer, you can view the list of existing standard roles and their corresponding descriptions. You can add, edit, clone, or delete a custom role. However, you cannot edit or delete a default role.

To access the Roles tab:
  1. In the Enterprise portal, on the Global Navigation bar, expand the Enterprise Applications drop-down menu.
  2. Select Global Settings service.
  3. From the left menu, select User Management, and then select the Roles tab. The following screen appears:
    Figure 6. User Management > Roles
  4. On the Roles screen, you can perform the following activities:
    Table 6. Roles Option Descriptions
    Option Description
    Add Role Creates a new custom role. For more information, see Add Role.
    Edit Allows you to edit only the custom roles. You cannot edit the default roles. Also, you cannot edit or view the settings of a Superuser.
    Clone Role Creates a new custom role, by cloning the existing settings from the selected role. You cannot clone the settings of a Superuser.
    Delete Role Deletes the selected role. You cannot delete the default roles. You can delete only custom composite roles. Ensure that you have removed all the users associated with the selected role, before deleting the role.
    Download CSV Downloads the details of the user roles into a file in CSV format.
    Note: You can also access the Edit, Clone Role, and Delete Role options from the vertical ellipsis of the selected Role.
  5. Select the Open icon (>>) displayed before the Role link, to view more details about the selected Role, as shown below:
    Figure 7. Role Details
  6. Select the View Role link to view the privileges associated to the selected role for the activated services.
    Note: By default, only Global Settings & Administration service is activated for a Customer. Only an Operator can activate an additional service.
  7. The following are the other options available in the Roles tab:
    Table 7. Roles Other Option Descriptions
    Option Description
    Search Enter a search term to search for the matching text across the table. Use the advanced search option to narrow down the search results.
    Columns Select the columns to be displayed or hidden on the page.
    Refresh Select to refresh the page to display the most current data.

Add Role

To add a new role for a Customer, perform the following steps:
  1. In the Enterprise portal, on the Global Navigation bar, expand the Enterprise Applications drop-down menu.
  2. Select Global Settings service.
  3. From the left menu, select User Management, and then select the Roles tab.
  4. Select Add Role.
    Figure 8. Adding Role
  5. Enter the following details for the new custom role:
    Table 8. New Custom Role Option Descriptions
    Option Description
    Role Details
    Role Name Enter a name for the new role.
    Role Description Enter a description for the role.
    Template Optionally, select an existing role as template from the drop-down list. The privileges of the selected template are assigned to the new role.
    Role Creation
    Global Settings & Administration These privileges provide access to user management and global settings that are shared across all services. Choosing one of the privileges is mandatory. By default, Global Settings Enterprise Read Only is selected.
    SD-WAN These privileges provide the Enterprise Administrator with different levels of access around SD-WAN configuration, monitoring, and diagnostics. You can optionally choose an SD-WAN privilege. The default value is No Privileges.
    Note: The Role Creation section displays the privileges only for which the Customer has licenses.
  6. Select Save Changes.
    The new custom role appears in the User Management > Roles page. Select the link to the custom role to view the settings.

Service Permissions

Service Permissions allow an Administrator to granularly define actions (Read, Create, Update, and Delete) assigned to each Privilege (such as Cloud Security Service and Customer Segment configuration) within a Privilege Bundle.

Note:
  • Starting from the 5.1.0 release, Role Customization is renamed as Service Permissions.
  • To activate this feature, an Operator must navigate to Global Settings > Customer Configuration > Additional Configuration > Feature Access, and then check the Role Customization check box.

Roles can be customized by changing the service permissions held by each role. You can customize both default roles and new roles. New roles are created based on a selected default role. Operator, Partner, and Enterprise roles are defined separately, so there are default roles for each level, such as Operator Superuser, Partner Standard Admin, and Enterprise Support.

When customizing a role, you must select both the user level and the role. Typically, Operator roles have more privileges by default than Partner or Enterprise Customer roles. When creating a user, you must assign a role to the user. Any change to that role's privileges is immediately applied to all users assigned to that role. Role customizations apply to only one role at a time. For example, changes to the Operator Standard Admin role are not applied to the Enterprise Standard Admin role.

For additional information, see the topic Roles.

The Service Permissions are applied to the privileges as follows:
  • The customizations done at the Enterprise level override the Partner or Operator level customizations.
  • The customizations done at the Partner level override the Operator level customizations.
  • Only when there are no customizations done at the Partner level or Enterprise level, the customizations made by the Operator are applied globally across all users in the Orchestrator.
Note: For information on user privileges, see the topic List of User Privileges.
To access the Service Permissions tab:
  1. In the Enterprise portal, on the Global Navigation bar, expand the Enterprise Applications drop-down menu.
  2. Select Global Settings service.
  3. From the left menu, select User Management, and then select the Service Permissions tab. The following screen appears:
    Figure 9. User Management > Service Permissions
  4. On the Service Permissions screen, you can perform the following activities:
    Table 9. Service Permissions Option Descriptions
    Option Description
    Service Select the service from the drop-down menu. The available services are:
    • All
    • Global Settings
    • SD-WAN

    Each service comprises a set of related permissions grouped together. Custom service permissions, if any, associated with the selected service are displayed. By default, all of the custom service permissions are displayed.

    New Permission Allows you to create a new set of privileges. The newly created permission is displayed in the table. For more information, see the topic New Permission.
    Edit Allows you to edit the settings of the selected permission. You can also select the link to the Permission Name to edit the settings.
    Clone Allows you to create a copy of the selected permission.
    Publish Permission Applies the customization available in the selected package to the existing permission. This option modifies the privileges only at the current level. If there are customizations available at the Operator level or a lower level for the same role, then the lower level takes precedence. For example, customizations defined by an Enterprise Superuser take precedence over customizations defined by an Operator Superuser.
    More Allows you to select from the following additional options:
    • Delete: Deletes the selected permission. You cannot delete a permission if it is already in use.
      Note: A permission can only be deleted if it is in a draft mode. The Delete option is deactivated for a published permission. If you want to delete a published permission, you must reset the permission to system default, which changes it to draft mode and activates the Delete option for the permission.
    • Download JSON: Downloads the list of permissions into a file in JSON format.
    • Upload Permission: Allows you to upload a JSON file of a customized permission.
    • Unpublish Permissions: Allows you to unpublish the selected permission, changing it to the "Draft" state. You can modify the permission and save it again, which changes it to the "Published" state.
  5. The table displays the following columns:
    Table 10. Displayed Service Permissions Option Descriptions
    Option Description
    Permission Name Displays the newly created permission.
    Service Displays the service of the new permission.
    Scope Displays the scope of the new permission.
    Role Associated Displays the associated roles using the same Privilege Bundle.
    Last Modified Displays the date and time when the permission was last modified.
    Published Displays either "Published" or "Draft" depending on the state of the permission.
  6. The following are the other options available in the Service Permissions tab:
    Table 11. Additional Service Permissions Option Descriptions
    Option Description
    Columns Select the columns to be displayed or hidden on the page.
    Refresh Select to refresh the page to display the most current data.
Note:
  • The Orchestrator does not support customization of multiple privilege bundles.
  • Service Permissions are version dependent: a service permission created on an Orchestrator running an earlier software release is not compatible with an Orchestrator running a later release. For example, a service permission created on an Orchestrator running Release 3.4.x does not work properly after the Orchestrator is upgraded to a 4.x Release. In such cases, the user must review and recreate the service permission for the newer release to ensure proper enforcement of all roles.

New Permission

You can customize the privileges and apply them to the existing permission in the Orchestrator.

To add a new permission, perform the following steps:

  1. In the Enterprise portal, on the Global Navigation bar, expand the Enterprise Applications drop-down menu.
  2. Select Global Settings service.
  3. From the left menu, select User Management, and then select the Service Permissions tab.
  4. Select New Permission. The following screen appears:
    Figure 10. New Service Permissions
  5. Enter the following details to create a new permission:
    Table 12. New Permission Option Descriptions
    Option Description
    Name Enter an appropriate name for the permission.
    Note: The permission name must be unique within the Orchestrator it is hosted upon.
    Description Enter a description. This field is optional.
    Service Select a service from the drop-down menu. The available services are:
    • Global Settings
    • SD-WAN
    Privilege Bundle Select a privilege bundle from the drop-down menu. The privileges are populated depending on the selected Service.
    Privileges Displays the list of privileges based on the selected Privilege Bundle. You can edit only those privileges that are eligible for customization.

    To activate or deactivate a specific privilege, select or deselect the corresponding check box, in the Privileges table. The available check boxes are Read, Create, Update, and Delete.

    Starting from the Release 6.4.0, a green icon is displayed whenever a privilege is modified. This icon is displayed next to the modified check box and the privilege name.

    Some privileges do not support selection of an independent action. In this case, if you select any one action check box, all the other check boxes get selected too. A tool tip is provided for such privileges. Also, the Read action check box does not allow independent selection. When selected, all the other check boxes for that particular privilege also get automatically selected.

    Note: You can edit only those privileges that are eligible for customization.
  6. Slide the Show Only Modified toggle button, located at the top right of the privileges table, to view only the modified privileges.
  7. Select Reset Privileges to reset all the changes.
  8. Select Download CSV to download the list of all privileges, their description, and associated actions, into a file in a CSV format. You can choose from the below options:
    Table 13. Download CSV Privileges
    Default Privileges Downloads the original privileges ignoring all the current modifications.
    Modified Privileges Downloads only the privileges that were modified.
    Current Privileges Downloads all the current privileges.
    Note: If you select Reset Privileges, and then select Download CSV, the Default Privileges and Current Privileges options, both display the same list.
  9. Select Save to save the new permission. Select Save and Apply to save and publish the permission.
    Note: The Save and Save and Apply buttons are activated only after you modify the permissions.
    The new permission is displayed on the Service Permissions page. If you create another permission using the same scope and service, the privilege displays the last modified settings by default.
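    Two rules on this page are easy to get wrong when reasoning about what a user can actually do: the level precedence for Service Permissions (Enterprise overrides Partner, Partner overrides Operator, and the Operator customization applies globally only when neither of the others exists) and the check-box coupling in the Privileges table (a privilege that does not support independent actions ticks all four boxes when any one is ticked, and Read always ticks the other three). The following added Python example models both; it is not code from the page or from the Orchestrator. The privilege names and customizations are constructed, and it assumes, which the page does not state, that a customization at a level replaces the whole action set for a privilege rather than merging action by action.

```python
ACTIONS = ("Read", "Create", "Update", "Delete")

# Precedence from lowest to highest, as the page states: Enterprise overrides
# Partner, Partner overrides Operator, and Operator applies globally only when
# neither of the other two has customized the privilege.
LEVELS = ("Operator", "Partner", "Enterprise")


def normalize_actions(selected, independent=True):
    """Apply the Privileges-table check-box rules to one privilege.

    selected: set of action names ticked for the privilege.
    independent: False for privileges that do not support selecting a single
    action; ticking any box then ticks all of them. Read is never selectable
    on its own: ticking Read ticks Create, Update, and Delete as well.
    Returns {action: bool} for all four actions.
    """
    unknown = set(selected) - set(ACTIONS)
    if unknown:
        raise ValueError(f"unknown actions: {sorted(unknown)}")
    chosen = set(selected)
    if chosen and (not independent or "Read" in chosen):
        chosen = set(ACTIONS)
    return {action: (action in chosen) for action in ACTIONS}


def resolve_privilege(privilege, system_default, customizations):
    """Return (effective {action: bool}, level it came from) for one privilege.

    system_default: the {action: bool} map shipped with the Orchestrator.
    customizations: {level: {privilege: {action: bool}}} holding only
    published customizations. Assumption (not stated on the page): the
    highest level that customized the privilege replaces the whole action set.
    """
    for level in reversed(LEVELS):  # Enterprise first, Operator last
        per_level = customizations.get(level, {})
        if privilege in per_level:
            return dict(per_level[privilege]), level
    return dict(system_default), "System default"


def resolve_all(system_defaults, customizations):
    """Effective permissions for every privilege in system_defaults."""
    return {priv: resolve_privilege(priv, default, customizations)
            for priv, default in system_defaults.items()}


# Constructed sample data (not from the page): two privileges, an Operator that
# removed everything from both, and an Enterprise that re-enabled one of them.
SAMPLE_DEFAULTS = {
    "Edge Device BGP Settings": normalize_actions({"Read"}),
    "Edge Device Netflow Settings": normalize_actions({"Create"}),
}
SAMPLE_CUSTOMIZATIONS = {
    "Operator": {
        "Edge Device BGP Settings": normalize_actions(set()),
        "Edge Device Netflow Settings": normalize_actions(set()),
    },
    "Enterprise": {
        "Edge Device Netflow Settings": normalize_actions({"Create", "Update"}),
    },
}


if __name__ == "__main__":
    for priv, (actions, source) in resolve_all(SAMPLE_DEFAULTS, SAMPLE_CUSTOMIZATIONS).items():
        allowed = [a for a, on in actions.items() if on]
        print(f"{priv}: {allowed or ['none']} (from {source})")
```

    Running the sample shows the Netflow privilege governed by the Enterprise customization while the BGP privilege falls through to the Operator one, which is the behaviour to keep in mind when an Operator-level lockdown appears not to take effect: a lower-precedence customization is simply shadowed, not merged. The Read coupling is why an audit of a downloaded CSV should treat a ticked Read box as full CRUD on that privilege.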

List of User Privileges

This section lists all the user privileges available in the Enterprise portal.

Below is a table listing the user privileges. The columns in the table indicate the following:
  • Allow Privilege – Do the privileges have allow access?
  • Deny Privilege – Do the privileges have deny access?
  • Customizable – Is the privilege available for customization in the Service Permissions tab along with the Create, Read, Update, Delete customizations?
Note: The features that can be completely customized by an Enterprise Superuser have been listed in a separate table at the end of this topic.
Table 14. Permission Information
Navigation Path in the Enterprise Portal Name of the Tab Elements in the Tab Name of the Privilege Description Allow Privilege Deny Privilege Customizable
Monitor > Edges > Select Edge Overview
      Read Edge Grants ability to view and manage Edge objects and their properties in general Yes No No
    Top Applications, Top Categories, Top Operating Systems, Top Sources Read Edge Grants ability to view and manage Edge objects and their properties in general Yes No No
View Flow Stats Grants ability to view collected flow statistics Yes Yes Yes
  Sources   Read Edge Grants ability to view and manage Edge objects and their properties in general Yes No No
      View Edge Sources Grants ability to view Monitor Edge Sources tab Yes Yes Yes
    Devices View User Identifiable Flow Stats Grants ability to view potentially user identifiable flow source attributes Yes Yes Yes
      Create Client Device Controls visibility to unique identifiers (IP or MAC address) of LAN-side client devices Yes No No
      Read Client Device
    Change Hostname Update Client Device
      Delete Client Device
      Manage Client Device
    Operating Systems Create Client User Controls visibility to potentially Personal Identifiable Information(PII) in flow statistics Yes No No
      Read Client User
      Update Client User
      Delete Client User
      Manage Client User
  Applications Sources Destinations   Read Edge Grants ability to view and manage Edge objects and their properties in general Yes No No
    View Flow Stats Grants ability to view collected flow statistics Yes Yes Yes
  Events from this Edge   Read Customer Event Grants ability to view customer level events Yes No No
  Remote Actions   Read Remote Actions Grants access to view and execute remote actions No Yes Yes
  Remote Actions Generate Diagnostic Bundle Remote Diagnostics   Read Diagnostics Controls creation of and access to diagnostics bundles, both Edge and Gateway. Combine with Edge and Gateway privileges to control access to each type individually Yes Yes Yes
  Generate Diagnostic Bundle   Create Diagnostic Bundle   No Yes Yes
  Remote Diagnostics   Read Remote Diagnostics Privilege granting access to view and execute remote diagnostics No Yes Yes
Monitor Edges   Read Edge Grants ability to view and manage Edge objects and their properties in general Yes No No
    Edge Cluster Read Edge Cluster Controls the ability to create and configure Edge Clusters No Yes Yes
  Network Services   Read Network Service Grants ability to view and manage services with the Network Services configuration block Yes No No
    Non SD-WAN Destinations via Gateway Non SD-WAN Destinations via Edge Read Customer Event Grants ability to view customer level events Yes No No
    Non SD-WAN Destinations via Gateway Non SD-WAN Destinations via Edge Read Non SD-WAN Destination via Gateway Grants ability to view and manage Non SD-WAN Destinations via Gateway and Non SD-WAN Destinations via Edge No Yes Yes
    BGP Gateway Neighbor State Read Network Service Grants ability to view and manage services with the Network Services configuration block Yes No No
    BGP Edge Neighbor State Read Edge Grants ability to view and manage Edge objects and their properties in general Yes No No
    Edge VNFs Read VNF Network Service Grants ability to manage VNF Network Services No Yes Yes
    Edge Cluster Read Edge Cluster Controls the ability to create and configure Edge Clusters No Yes Yes
  Routing   Read Network Addressing Grants ability to view and manage address block configuration in the legacy Network profile mode Yes No No
      Read Edge Grants ability to view and manage Edge objects and their properties in general Yes No No
      View Customer Routing Grants ability to view the customer Routing Yes No No
  Alerts   Create Customer Alert Grants ability to view and manage customer alert configuration and generated alerts Yes No No
      Read Customer Alert Yes Yes
      Update Customer Alert
      Delete Customer Alert No No
      Manage Customer Alert
  Events   Create Customer Event Grants ability to view customer level events Yes No No
      Read Customer Event
      Update Customer Event
      Delete Customer Event
      Manage Customer Event
  Reports   Update Customer Grants ability to view and manage Customers, from the Partner or Operator level Yes Yes Yes
      Read Customer No No
  Firewall Firewall Logging View Firewall Logs Grants ability to view collected firewall logs Yes Yes Yes
      Read Edge Grants ability to view and manage Edge objects and their properties in general Yes No No
      Read Customer Event Grants ability to view customer level events Yes No No
Configure > Edge > Select Edge Edge Overview   Edge Overview Controls ability to view or modify Edge overview page No Yes Yes
  Properties Create Edge Overview Properties Controls ability to view or change items within the properties section of the Edge overview page No Yes Yes
    Read Edge Overview Properties No No
    Update Edge Overview Properties Yes Yes
    Delete Edge Overview Properties
  Name Read Edge Overview Properties Name Controls ability to view or change Edge name on the Edge overview page No Yes Yes
    Update Edge Overview Properties Name
  Description Read Edge Overview Properties Description Controls ability to view or change Edge description on the Edge overview page No Yes Yes
    Update Edge Overview Properties Description
  Enable Alerts Read Edge Overview Properties Enable Alerts Controls ability to view or change Edge alert configuration on the Edge overview page No Yes Yes
    Update Edge Overview Properties Enable Alerts
  Authentication Mode Read Edge Overview Properties Auth Mode Controls ability to view or change Edge PKI configuration on the Edge overview page No Yes Yes
    Update Edge Overview Properties Auth Mode
    Read Customer PKI Grants ability to view and manage enterprise PKI settings Yes No No
    Update Customer PKI
  Serial Number Read Edge Overview Properties Serial Number Controls ability to view or change Edge serial number, prior to activation, on the Edge overview page No Yes Yes
    Update Edge Overview Properties Serial Number
  Generate New Activation Key Read Edge Overview Properties Activation Expiration Controls ability to view or change the activation key expiration period on the Edge overview page No Yes Yes
    Update Edge Overview Properties Activation Expiration
  Send Activation Email button Create Edge Overview Properties Activation Email Controls ability to generate an activation email on the Edge overview page No Yes Yes
    Read Edge Overview Properties Activation Email
  Local Credentials Read Overview Properties Local Credentials Grants ability to view and configure Edge local credentials No Yes Yes
    Update Overview Properties Local Credentials
  View Read Edge Grants ability to view and manage Edge objects and their properties in general Yes No No
    Update Edge
    Read Customer Keys Grants ability to view and manage enterprise security keys such as Edge administrator credentials and IPSEC keys Yes Yes Yes
    Update Customer Keys
  License Read License Grants ability to view and manage Edge licensing Yes Yes Yes
    Update License
  Profile Create Edge Overview Profile Controls visibility and control of Edges assigned profile on the Edge overview page No Yes Yes
    Read Edge Overview Profile No No
    Update Edge Overview Profile Yes Yes
    Delete Edge Overview Profile
  RMA Reactivation Create Edge Grants ability to view and manage Edge objects and their properties in general Yes Yes Yes
Device
  Authentication Settings Create Edge Device Authentication Settings Controls ability to view or change Edge Device Authentication Settings No Yes Yes
    Read Edge Device Authentication Settings
    Update Edge Device Authentication Settings
    Delete Edge Device Authentication Settings
  DNS Settings Update Edge Device DNS Settings Controls ability to view or change Edge Device DNS Settings No Yes Yes
  Netflow Settings Create Edge Device Netflow Settings Controls ability to view or change Edge Device Netflow Settings No Yes Yes
    Read Edge Device Netflow Settings
    Update Edge Device Netflow Settings
    Delete Edge Device Netflow Settings
  LAN-Side NAT Rules Update Edge Device LAN-Side NAT Rules Controls ability to view or change Edge Device LAN-Side NAT Rules No Yes Yes
  Voice Quality Monitoring Settings Read Edge Device VQM Settings Controls ability to view or change Edge Device VQM Settings No Yes Yes
    Update Edge Device VQM Settings
  Syslog Settings Read Edge Device Syslog Settings Controls ability to view or change Edge Device Syslog Settings No Yes Yes
    Update Edge Device Syslog Settings
  Static Route Settings Update Edge Device Static Route Settings Controls ability to view or change Edge Device Static Route Settings No Yes Yes
  ICMP Probes Read Edge Device ICMP Probes Controls ability to view or change Edge Device ICMP Probes No Yes Yes
    Update Edge Device ICMP Probes
  ICMP Responders Read Edge Device ICMP Responders Controls ability to view or change Edge Device ICMP Responders No Yes Yes
    Update Edge Device ICMP Responders
  VRRP Settings Update Edge Device VRRP Settings Controls ability to view or change Edge Device VRRP Settings No Yes Yes
  Cloud VPN Read Edge Device Cloud VPN Controls ability to view or change Edge Device Cloud VPN No Yes Yes
    Update Edge Device Cloud VPN
  BFD Rules Update Edge Device BFD Rules Controls ability to view or change Edge Device BFD Rules No Yes Yes
  BGP Settings Read Edge Device BGP Settings Controls ability to view or change Edge Device BGP Settings No Yes Yes
    Update Edge Device BGP Settings
  Multicast Settings Read Edge Device Multicast Settings Controls ability to view or change Edge Device Multicast Settings No Yes Yes
    Update Edge Device Multicast Settings
  Cloud Security Service Read Edge Device Cloud Security Service Controls ability to view or change Edge Device Cloud Security Service No Yes Yes
    Update Edge Device Cloud Security Service
  Gateway Handoff Assignment Update Edge Device Gateway Handoff Assignment Controls ability to view or change Edge Device Gateway Handoff Assignment No Yes Yes
  High Availability Create Edge Device High Availability Controls ability to view or change Edge Device High Availability No Yes Yes
    Read Edge Device High Availability
    Update Edge Device High Availability
    Delete Edge Device High Availability
    Enable HA Standby Pair Grants ability to configure standby HA No Yes Yes
    Enable HA Cluster Grants ability to configure HA Clustering No Yes Yes
    Enable HA VRRP Pair Grants ability to configure VRRP HA No Yes Yes
  Configure VLAN Read Edge Device Settings Controls ability to view or change Edge Device Settings No Yes Yes
  Management IP Read Edge Device Management IP Controls ability to view or change Edge Device Management IP No Yes Yes
    Update Edge Device Management IP
  Device Settings Create Edge Device Settings Controls ability to view or change Edge Device Settings No Yes Yes
    Read Edge Device Settings
    Update Edge Device Settings
    Delete Edge Device Settings
  Interface Settings Update Edge Device Interface Settings Controls ability to view or change Edge Device Interface Settings No Yes Yes
  WAN Settings Update Edge Device WAN Settings Controls ability to view or change Edge Device WAN Settings No Yes Yes
  Security VNF Update Edge Device Security VNF Controls ability to view or change Edge Device Security VNF No Yes Yes
  Wi-Fi Radio Settings Create Edge Device Wi-Fi Settings Controls ability to view or change Edge Device Wi-Fi Settings No Yes Yes
    Read Edge Device Wi-Fi Settings
    Update Edge Device Wi-Fi Settings
    Delete Edge Device Wi-Fi Settings
  Multi-Source QoS Read Edge Device Cloud VPN QoS Settings Controls ability to view or change Edge Device Cloud VPN QoS Settings No Yes Yes
    Update Edge Device Cloud VPN QoS Settings
  TACACS Settings Create Network Service Grants ability to view and manage services with the Network Services configuration block Yes Yes Yes
    Read Network Service No No
    Update Network Service Yes Yes
    Delete Network Service
    Create Customer Keys Grants ability to view and manage enterprise security keys such as Edge administrator credentials and IPSEC keys Yes Yes Yes
    Read Customer Keys
    Update Customer Keys
    Delete Customer Keys
    Manage Customer Keys No No
  L2 Settings Update Edge Device L2 Settings Controls ability to view or change Edge Device L2 Settings No Yes Yes
  SNMP Settings Create Edge Device SNMP Settings Controls ability to view or change Edge Device SNMP Settings No Yes Yes
    Read Edge Device SNMP Settings
    Update Edge Device SNMP Settings
    Delete Edge Device SNMP Settings
  NTP Read Edge Device NTP Settings Controls ability to view or change Edge Device NTP Settings No Yes Yes
    Update Edge Device NTP Settings
  Visibility Mode Update Edge Device Config Visibility Mode Controls ability to view or change Edge Device Config Visibility Mode No Yes Yes
  Analytics Settings Read Edge Grants ability to view and manage Edge objects and their properties in general Yes No No
    Update Edge
Business Policy   Edge Business Policy Controls ability to view or change Edge business policy page No Yes Yes
  SD-WAN Overlay Rate Limit Read Edge Business Policy Rate Limit Controls the ability to read and update the rate limiting business policy feature No Yes Yes
    Update Edge Business Policy Rate Limit
  SD-WAN Overlay Rate Limit SD-WAN Traffic Class and Weight Mapping Read Edge Grants ability to view and manage Edge objects and their properties in general Yes No No
  Read Customer Profile Grants ability to view and edit enterprise configuration profiles Yes Yes Yes
Firewall   Edge Firewall Controls ability to view or change Edge firewall page No Yes Yes
  Firewall Logging Syslog Forwarding Stateful Firewall Configure Edge Firewall Logging Grants ability to configure Edges level firewall logging No Yes Yes
    Read Edge Grants ability to view and manage Edge objects and their properties in general Yes No No
  Syslog Forwarding View Syslog Forwarding Grants ability to see Syslog forwarding No Yes Yes
    Read Edge Grants ability to view and manage Edge objects and their properties in general Yes No No
  Stateful Firewall Settings Network & Flood Protection Settings Edge Access Create Edge Firewall Edge Access Privilege granting or denying visibility and control of an Edges Stateful Firewall Settings, Network & Flood Protection Settings and Edge Access on the Edge firewall page No Yes Yes
  Read Edge Firewall Edge Access
  Update Edge Firewall Edge Access
  Delete Edge Firewall Edge Access
Events from this Edge   Read Customer Event Grants ability to view customer level events Yes No No
Remote Actions   Read Remote Actions Privilege granting access to view and execute remote actions No Yes Yes
Remote Actions Generate Diagnostic Bundle Remote Diagnostics   Read Diagnostics Controls creation of and access to diagnostics bundles, both Edge and Gateway. Combine with Edge and Gateway privileges to control access to each type individually Yes Yes Yes
Generate Diagnostic Bundle   Create Diagnostic Bundle   No Yes Yes
Remote Diagnostics   Read Remote Diagnostics Grants access to view and execute remote diagnostics No Yes Yes
Configure > Profiles > Select Profile Profile Overview   Profile Overview Controls ability to view or change profile overview page No Yes Yes
  Description Create Profile Overview Description Controls ability to view or change Profile Overview Description No Yes Yes
    Read Profile Overview Description No No
    Update Profile Overview Description Yes Yes
    Delete Profile Overview Description
  Local Credentials Read Overview Properties Local Credentials Grants ability to view and configure Edge local credentials No Yes Yes
    Update Overview Properties Local Credentials
Device            
  Authentication Settings Create Profile Device Authentication Settings Controls ability to view or change Profile Device Authentication Settings No Yes Yes
    Read Profile Device Authentication Settings
    Update Profile Device Authentication Settings
    Delete Profile Device Authentication Settings
  DNS Settings Update Profile Device DNS Settings Controls ability to view or change Profile Device DNS Settings No Yes Yes
  Netflow Settings Create Profile Device Netflow Settings Controls ability to view or change Profile Device Netflow Settings No Yes Yes
    Read Profile Device Netflow Settings
    Update Profile Device Netflow Settings
    Delete Profile Device Netflow Settings
  LAN-Side NAT Rules Update Profile Device LAN-Side NAT Rules Controls ability to view or change Profile Device LAN-Side NAT Rules No Yes Yes
  Voice Quality Monitoring Settings Read Profile Device VQM Settings Controls ability to view or change Profile Device VQM Settings No Yes Yes
    Update Profile Device VQM Settings
  Syslog Settings Read Profile Device Syslog Settings Controls ability to view or change Profile Device Syslog Settings No Yes Yes
    Update Profile Device Syslog Settings
  Cloud VPN Read Profile Device Cloud VPN Controls ability to view or change Profile Device Cloud VPN No Yes Yes
    Update Profile Device Cloud VPN
  BFD Rules Update Profile Device BFD Rules Controls ability to view or change Profile Device BFD Rules No Yes Yes
  OSPF Areas Read Profile Device OSPF Settings Controls ability to view or change Profile Device OSPF Settings No Yes Yes
    Update Profile Device OSPF Settings
  BGP Settings Read Profile Device BGP Settings Controls ability to view or change Profile Device BGP Settings No Yes Yes
    Update Profile Device BGP Settings
  Multicast Settings Read Profile Device Multicast Settings Controls ability to view or change Profile Device Multicast Settings No Yes Yes
    Update Profile Device Multicast Settings
  Cloud Security Service Read Profile Device Cloud Security Service Controls ability to view or change Profile Device Cloud Security Service No Yes Yes
    Update Profile Device Cloud Security Service
  Gateway Handoff Assignment Update Profile Device Gateway Handoff Assignment Controls ability to view or change Profile Device Gateway Handoff Assignment No Yes Yes
  Configure VLAN Read Profile Device Settings Controls ability to view or change Profile Device Settings No Yes Yes
  Management IP Read Profile Device Management IP Controls ability to view or change Profile Device Management IP No Yes Yes
    Update Profile Device Management IP
  Device Settings Create Profile Device Settings Controls ability to view or change Profile Device Settings No Yes Yes
    Read Profile Device Settings
    Update Profile Device Settings
    Delete Profile Device Settings
  Interface Settings Update Profile Device Interface Settings Controls ability to view or change Profile Device Interface Settings No Yes Yes
  Wi-Fi Radio Settings Create Profile Device Wi-Fi Settings Controls ability to view or change Profile Device Wi-Fi Settings No Yes Yes
    Read Profile Device Wi-Fi Settings
    Update Profile Device Wi-Fi Settings
    Delete Profile Device Wi-Fi Settings
  L2 Settings Update Profile Device L2 Settings Controls ability to view or change Profile Device L2 Settings No Yes Yes
  Multi-Source QoS Read Profile Device Cloud VPN QoS Settings Controls ability to view or change Profile Device Cloud VPN QoS Settings No Yes Yes
    Update Profile Device Cloud VPN QoS Settings
  SNMP Settings Create Profile Device SNMP Settings Controls ability to view or change Profile Device SNMP Settings No Yes Yes
    Read Profile Device SNMP Settings
    Update Profile Device SNMP Settings
    Delete Profile Device SNMP Settings
  NTP Read Profile Device NTP Settings Controls ability to view or change Profile Device NTP Settings No Yes Yes
    Update Profile Device NTP Settings
  Visibility Mode Update Profile Device Config Visibility Mode Controls ability to view or change Profile Device Config Visibility Mode No Yes Yes
  Analytics Settings Read Profile Device Analytics Settings Controls ability to view or change Profile Device Analytics Settings No Yes Yes
    Update Profile Device Analytics Settings
    Create Profile Device Network Settings Controls ability to view or change Profile Device Network Settings No Yes Yes
    Read Profile Device Network Settings
    Update Profile Device Network Settings
    Delete Profile Device Network Settings
Business Policy   Profile Business Policy Controls ability to view or change profile business policy page No Yes Yes
  SD-WAN Overlay Rate Limit Read Profile Business Policy Rate Limit Controls the ability to read and update the rate limiting business policy feature No Yes Yes
    Update Profile Business Policy Rate Limit
Firewall   Profile Firewall Controls ability to view or change profile firewall page No Yes Yes
  Firewall Logging Syslog Forwarding Stateful Firewall Configure Profile Firewall Logging Grants ability to configure profile level firewall logging No Yes Yes
    Read Edge Grants ability to view and manage Edge objects and their properties in general Yes No No
    Read Edge Grants ability to view and manage Edge objects and their properties in general Yes No No
  Stateful Firewall Settings Network & Flood Protection Settings Edge Access Create Edge Firewall Edge Access Controls visibility and control of Stateful Firewall Settings, Network & Flood Protection Settings, and Edge Access on the profile firewall page No Yes Yes
  Read Edge Firewall Edge Access No No
  Update Edge Firewall Edge Access Yes Yes
  Delete Edge Firewall Edge Access
Configure Edges   Create Edge Grants ability to view and manage Edge objects and their properties in general Yes Yes Yes
      Read Edge No No
      Update Edge
      Delete Edge Yes Yes
      Manage Edge No No
      Read Customer Profile Grants ability to view and edit enterprise configuration profiles Yes Yes Yes
  New Edge > Authentication Create Customer PKI Grants ability to view and manage enterprise PKI settings Yes No No
  Select Edge/Edges > Local Credentials Read Overview Properties Local Credentials Grants ability to view and configure Edge local credentials No Yes Yes
      Update Overview Properties Local Credentials
  Select Edge/Edges > Assign Profile Assign Edge Profile Grants ability to assign profiles to Edges No Yes Yes
  Select Edge/Edges > Update Pre-Notifications Update Edge Overview Properties Enable Alerts Controls ability to view or change Edge alert configuration on the Edge overview page No Yes Yes
  Select Edge/Edges > Assign Edge License
  Select Edge/Edges > Update Customer Alerts
    Edge Cluster Read Edge Cluster Grants ability to view Edge clusters No Yes Yes
    Create Cloud Edge Create DMZ Gateway Grants ability to create DMZ Gateways No Yes Yes
  Profiles   Create Customer Profile Grants ability to view and edit enterprise configuration profiles Yes Yes Yes
      Read Customer Profile
      Update Customer Profile
      Delete Customer Profile
      Manage Customer Profile No No
    Duplicate Profile Duplicate Customer Profile Grants ability to edit duplicate customer level profiles No Yes Yes
      Create Profile Grants access to view and manage profiles at any level No Yes Yes
      Read Profile
      Update Profile
      Delete Profile
  Object Groups   Create Object Group Grants ability to manage Object Group Yes Yes Yes
      Read Object Group
      Update Object Group
      Delete Object Group
      Manage Object Group No No
      Read Customer Profile Grants ability to view and edit enterprise configuration profiles Yes Yes Yes
  Segments/Networks   Create Network Addressing Grants ability to view and manage address block configuration in the legacy Network profile mode Yes Yes Yes
      Read Network Addressing No No
      Update Network Addressing Yes Yes
      Delete Network Addressing
      Manage Network Addressing No No
      Create Customer Segment Grants ability to view and manage the creation of segments and their assignment to configuration profiles No Yes Yes
      Read Customer Segment
      Update Customer Segment
      Delete Customer Segment
  Overlay Flow Control   Create Overlay Flow Control Grants ability to view and manage data and configuration presented on the Overlay Flow Control page No Yes Yes
      Read Overlay Flow Control
      Update Overlay Flow Control
      Delete Overlay Flow Control
      Read Customer Profile Grants ability to view and edit enterprise configuration profiles Yes Yes Yes
      Update Customer Profile
  Network Services   Create Network Service Grants ability to view and manage services with the Network Services configuration block Yes Yes Yes
      Read Network Service No No
      Update Network Service Yes Yes
      Delete Network Service
      Manage Network Service No No
      Create Customer Keys Grants ability to view and manage enterprise security keys such as Edge administrator credentials and IPSEC keys Yes Yes Yes
      Read Customer Keys
      Update Customer Keys
      Read Customer Profile Grants ability to view and edit enterprise configuration profiles Yes Yes Yes
    Edge Cluster Create Edge Cluster Controls the ability to create and configure Edge Clusters No Yes Yes
      Read Edge Cluster
      Update Edge Cluster
      Delete Edge Cluster
    Cloud VPN Hubs Create VPN Hub Network Service Grants ability to manage VPN Hubs as Network Services No Yes Yes
      Read VPN Hub Network Service
      Update VPN Hub Network Service
      Delete VPN Hub Network Service
    Non SD-WAN Destinations via Gateway Non SD-WAN Destinations via Edge Create Non SD-WAN Destination via Gateway Grants ability to view and manage Non SD-WAN Destinations via Gateway and Non SD-WAN Destinations via Edge No Yes Yes
    Read Non SD-WAN Destination via Gateway
    Update Non SD-WAN Destination via Gateway
    Delete Non SD-WAN Destination via Gateway
    Cloud Security Service Create Cloud Security Service Controls creation and configuration of third party cloud security services to which the traffic can be steered by business policy No Yes Yes
      Read Cloud Security Service
      Update Cloud Security Service
      Delete Cloud Security Service
    VNFs Create VNF Network Service Grants ability to manage VNF Network Services No Yes Yes
      Read VNF Network Service
      Update VNF Network Service
      Delete VNF Network Service
    VNF Licenses Create VNF License Network Service Grants ability to manage VNF licenses with Network Services No Yes Yes
      Read VNF License Network Service
      Update VNF License Network Service
      Delete VNF License Network Service
    DNS Services Create DNS Network Service Controls the ability to create and configure DNS services for use in profiles No Yes Yes
      Read DNS Network Service
      Update DNS Network Service
      Delete DNS Network Service
    Private Network Names Create Private Network Name Network Service Grants ability to manage Private Network Name with Network Services No Yes Yes
      Read Private Network Name Network Service
      Update Private Network Name Network Service
      Delete Private Network Name Network Service
    Authentication Services Create Authentication Service Controls the creation and configuration of hosted 802.1x service providing LAN-side user authentication No Yes Yes
      Read Authentication Service
      Update Authentication Service
      Delete Authentication Service
    TACACS Services Create Network Service Grants ability to view and manage services with the Network Services configuration block Yes Yes Yes
      Read Network Service No No
      Update Network Service Yes Yes
      Delete Network Service
      Create Customer Keys Grants ability to view and manage enterprise security keys such as Edge administrator credentials and IPSEC keys Yes Yes Yes
      Read Customer Keys
      Update Customer Keys
      Delete Customer Keys
      Manage Customer Keys No No
    Cloud Subscriptions Create Cloud Subscription Service Grants ability to view and manage the configuration of access to IAAS providers, such as Azure, AWS and Google Cloud No Yes Yes
      Read Cloud Subscription Service
      Update Cloud Subscription Service
      Delete Cloud Subscription Service
  Alerts & Notifications   Read Customer Alert Notification Grants ability to view and manage customer alert configuration No Yes Yes
      Create Customer Alert Grants ability to view and manage customer alert configuration and generated alerts Yes No No
      Read Customer Alert Yes Yes
      Update Customer Alert
      Delete Customer Alert No No
      Manage Customer Alert
    SMS Alert Update Customer SMS Alert Grants ability to configure SMS alerts at the customer level No Yes Yes
  Customer   Update Enterprise Grants ability to view and manage Customers, from the Partner or Operator level Yes Yes Yes
    Other Settings Read User Agreement Privilege granting access to configure the customer user agreement feature Yes No No
      Update User Agreement
Test & Troubleshoot     Read Diagnostics Controls creation of and access to diagnostics bundles, both Edge and Gateway. Combine with Edge and Gateway privileges to control access to each type individually Yes Yes Yes
  Remote Diagnostics   Create Remote Diagnostics Grants access to view and execute remote diagnostics No No No
      Read Remote Diagnostics Yes Yes
      Update Remote Diagnostics No No
      Delete Remote Diagnostics
      Manage Remote Diagnostics Yes Yes
    Gateway Remote Cloud Traffic Routing   No Yes Yes
    Reset USB Modem Remote Reset USB Modem Grants ability to execute the Edge USB modem reset remote action No Yes Yes
    Scan for nearby Wi-Fi Remote Scan for Wi-Fi Access Points Grants ability to execute the Edge Wi-Fi scan remote action No Yes Yes
    VPN Test Remote VPN Test Grants ability to execute the Edge VPN test remote action No Yes Yes
  Remote Actions   Create Remote Actions Grants access to view and execute remote actions No Yes Yes
      Read Remote Actions
      Update Remote Actions
      Delete Remote Actions
    Select Edge > Shutdown button Shutdown Edge Grants ability to execute the Edge shutdown remote action No Yes Yes
    Select Edge > Deactivate button Deactivate Edge Grants ability to execute the deactivate Edge remote action No Yes Yes
  Diagnostic Bundles/Packet Capture 404 resource not found page Create Diagnostics Controls creation of and access to diagnostics bundles, both Edge and Gateway. Combine with Edge and Gateway privileges to control access to each type individually Yes Yes Yes
      Read Diagnostics
      Update Diagnostics
      Delete Diagnostics
      Manage Diagnostics No No
    Request Diagnostic Bundle Create Diagnostic Bundle Grants ability to view and request Diagnostic bundles as part of remote diagnostics functionality No Yes Yes
  Diagnostic Bundles/Packet Capture 404 resource not found page Read Diagnostic Bundle
      Update Diagnostic Bundle
    Delete Diagnostic Bundle Delete Diagnostic Bundle
    Request PCAP Bundle Create PCAP Bundle Grants ability to view and request PCAP bundles as part of remote diagnostics functionality No Yes Yes
  Diagnostic Bundles/Packet Capture 404 resource not found page Read PCAP Bundle
      Update PCAP Bundle No No
      Delete PCAP Bundle Yes Yes
  Diagnostic Bundles/Packet Capture 404 resource not found page Manage PCAP Bundle
    Download Diagnostic Bundle Download Edge Diagnostics Grants ability to download Edge Diagnostics No Yes Yes
Administration              
  System Settings   Read Customer Delegation Grants ability to view and manage the delegation of privileges from the customer to Partners or the Operator Yes Yes Yes
  General Information > General Information Read Customer General Information Controls visibility and control of Customer General Information on the System Settings General Information page No Yes Yes
      Update Customer General Information
    Default Edge Authentication Read Customer PKI Grants ability to view and manage enterprise PKI settings Yes No No
      Update Customer PKI
    Edge Configuration Read Customer Edge Settings Controls visibility and control of Customer Edge Settings on the System Settings General Information page No Yes Yes
      Update Customer Edge Settings
    Privacy Settings Read Customer Privacy Settings Controls visibility and control of Customer Privacy Settings on the System Settings General Information page No Yes Yes
      Update Customer Privacy Settings
    Privacy Settings > Enforce PCI Update Customer User Grants ability to view and manage Customer administrators Yes Yes Yes
    Contact Information Read System Settings Contact Info Controls visibility and control of System Settings Contact Info on the System Settings General Information page No Yes Yes
      Update System Settings Contact Info
  Authentication   Create Customer Authentication Grants ability to view and manage customer authentication mode, for example SSO, Radius or Native Yes Yes Yes
      Read Customer Authentication
      Update Customer Authentication
      Delete Customer Authentication
      Manage Customer Authentication
    API Tokens Read Customer Token Grants ability to view and manage authentication tokens at the Customer level Yes No No
      Update Customer Token
  Administrators   Create Customer User Grants ability to view and manage Customer administrators Yes Yes Yes
      Read Customer User
      Update Customer User
      Delete Customer User
      Manage Customer User No No
  Select Enterprise User > API Tokens Create Customer Token Grants ability to view and manage authentication tokens at the Customer level Yes No No
      Read Customer Token
      Update Customer Token
      Delete Customer Token
      Manage Customer Token
  Service Permissions   Create Service Permissions Package Grants access to manage Service Permissions packages Yes No No
      Read Service Permissions Package
      Update Service Permissions Package
      Delete Service Permissions Package
      Manage Service Permissions Package
  Edge Licensing   Create License Grants ability to view and manage Edge licensing Yes No No
      Read License Yes Yes
      Update License
      Delete License No No
      Manage License
VeloCloud Support Access Role     Create Customer Delegation Grants ability to view and manage the delegation of privileges from the customer to Partners or the Operator Yes Yes Yes
      Read Customer Delegation
      Update Customer Delegation
      Delete Customer Delegation
      Manage Customer Delegation No No

When a user's role is denied the corresponding privilege, the Orchestrator displays a 404 resource not found error in place of that page.

The following table lists the customizable feature privileges:
Table 15. Customizable Feature Privileges
Navigation Path in the Enterprise Portal Name of the Tab Name of the Privilege Description
Configure > Edges > Select Edges Overview Assign Edge Profile Grants ability to assign a Profile to Edges
Configure > Edges > Select Edges Firewall Configure Edge Firewall Logging Grants ability to configure Edge level firewall logging
Configure > Profiles > Select Profile Firewall Configure Profile Firewall Logging Grants ability to configure Profile level firewall logging
Diagnostics > Remote Actions Select Edge > Deactivate Deactivate Edge Grants ability to reset the device configuration to its factory default state
Global Settings > Enterprise Settings > Information Privacy Settings > SD-WAN PC Enforce PCI Compliance Deny PCI Operations Denies access to sensitive Customer data including PCAPs, etc. on the Edges and Gateways, for all users
Diagnostics > Diagnostic Bundles Select Edge > Download Bundle Download Edge Diagnostics Grants ability to download Edge Diagnostics
s Gateway Management > Diagnostic Bundles Select Gateway > Download Bundle Download Gateway Diagnostics Grants ability to download Gateway Diagnostics
Configure > Profiles Duplicate Duplicate Customer Profile Grants ability to edit duplicate customer level Profiles
Configure > Segments/ Configure > Profiles/ Configure > Edges Segments drop-down menu Edit Tab Segments Grants ability to edit within the Segments tab
Configure > Edges > Select Edge Device Enable HA Cluster Grants ability to configure HA Clustering
Configure > Edges > Select Edge Device Enable HA Active/Standby Pair Grants ability to configure active/standby HA
Configure > Edges > Select Edge Device Enable HA VRRP Pair Grants ability to configure VRRP HA
Diagnostics > Remote Diagnostics Clear ARP Cache Remote Clear ARP Cache Grants ability to clear the ARP cache for a given interface
Diagnostics > Remote Diagnostics > Gateway Cloud Traffic Routing (drop-down menu) Remote Cloud Traffic Routing Grants ability to route cloud traffic remotely
Diagnostics > Remote Diagnostics DNS/DHCP Service Restart Remote DNS/DHCP Restart Grants ability to restart the DNS/DHCP service
Diagnostics > Remote Diagnostics Flush Flows Remote Flush Flows Grants ability to flush the Flow table, causing user traffic to be re-classified
Diagnostics > Remote Diagnostics Flush NAT Remote Flush NAT Grants ability to flush the NAT table
Diagnostics > Remote Diagnostics > LTE SIM Switchover LTE Switch SIM Slot (Note: This is for 610-LTE and 710 5G devices only.) Remote LTE Switch SIM Slot Grants ability to activate the SIM Switchover feature. After the test is successful, you can check the status from the Monitor > Edges > Overview tab
Diagnostics > Remote Diagnostics List Paths Remote List Paths Grants ability to view the list of active paths between local WAN links and each peer
Diagnostics > Remote Diagnostics List current IKE Child SAs Remote List current IKE Child SAs Grants ability to use filters to view the exact Child SAs you want to see
Diagnostics > Remote Diagnostics List current IKE SAs Remote List Current IKE SAs Grants ability to use filters to view the exact SAs you want to see
Diagnostics > Remote Diagnostics MIBs for Edge Remote MIBS for Edge Grants ability to dump Edge MIBs
Diagnostics > Remote Diagnostics NAT Table Dump Remote NAT Table Dump Grants ability to view the contents of the NAT table
Diagnostics > Remote Diagnostics Select Edge > Rebalance Hub Cluster Remote Rebalance Hub Cluster Grants ability to either redistribute Spokes in Hub Cluster or redistribute Spokes excluding this Hub
Diagnostics > Remote Diagnostics Select Edge (with SFP module) > Reset SFP Firmware Configuration Remote Reset SFP Firmware Configuration Grants ability to reset the SFP Firmware Configuration
Diagnostics > Remote Actions Reset USB Modem Remote Reset USB Modem Grants ability to execute the Edge USB modem reset remote action
Diagnostics > Remote Diagnostics Scan for Wi-Fi Access Points Remote Scan for Wi-Fi Access Points Grants ability to scan the Wi-Fi functionality for the VeloCloud Edge
Diagnostics > Remote Diagnostics System Information Remote System Information Grants ability to view system information such as system load, recent WAN stability statistics, monitoring services
Diagnostics > Remote Diagnostics VPN Test Remote VPN Test Grants ability to execute the Edge VPN test remote action
Diagnostics > Remote Diagnostics WAN Link Bandwidth Test Remote WAN link Bandwidth Test Grants ability to re-test the bandwidth of a WAN link
Diagnostics > Remote Actions Select Edge > Shutdown Shutdown Edge Grants ability to execute the Edge shutdown remote action
Service Settings > Alerts & Notifications Notifications > Email/SMS Update Customer SMS Alert Grants ability to configure SMS alerts at the customer level
Monitor > Edges > Select Edge Top Sources View Edge Sources Grants ability to view Monitor Edge Sources tab
Monitor > Firewall Firewall Logging View Firewall Logs Grants ability to view collected firewall logs
Monitor > Edges > Select Edge Top Sources View Flow Stats Grants ability to view collected flow statistics
Monitor > Firewall Logs Firewall Logs View Profile Firewall Logging Grants ability to view the details of firewall logs originating from Arista VeloCloud Edges
Configure > Profiles Firewall View Stateful Firewall Grants ability to view collected flow statistics
Configure > Profiles Firewall tab > Configure Firewall > Syslog Forwarding View Syslog Forwarding Grants ability to view logs that are forwarded to a configured syslog collector
Operator portal > Gateway Management Gateways View Tab Gateway List Grants ability to view the Gateway list tab
Operator portal > Administration Operator Profiles View Tab Operator Profile Grants ability to view and configure settings within the Operator Profile menu tab
Monitor > Edges > Select Edge Top Sources View User Identifiable Flow Stats Grants ability to view potentially user identifiable flow source attributes

Authentication

The Authentication feature allows you to set the authentication mode for an Enterprise user and view the existing API tokens.

To access the Authentication tab:

  1. In the Enterprise portal, on the Global Navigation bar, expand the Enterprise Applications drop-down menu.
  2. Select Global Settings service.
  3. From the left menu, select User Management, and then select the Authentication tab. The following screen appears:
    Figure 11. Global Settings - Authentication
  4. API Tokens:
    • You can access the Orchestrator APIs using token-based authentication, irrespective of the authentication mode. You can view the API tokens issued to the Enterprise users. If required, you can revoke the API tokens.
    • By default, the API Tokens are activated. If you want to deactivate them, contact your Operator.
      Note: Enterprise Administrator should manually delete inactive Identity Provider (IdP) users from the Orchestrator to prevent unauthorized access via API Token.
    • The following are the options available in this section:
      Table 16. API Tokens Option Descriptions
      Option Description
      Search Enter a search term to search for the matching text across the table. Use the advanced search option to narrow down the search results.
      Revoke API Token Select the token and select this option to revoke it. Only an Operator Super User or the user associated with an API token can revoke the token.
      CSV Select this option to download the complete list of API tokens in a .csv file format.
      Columns Select the columns to be displayed or hidden on the page.
      Refresh Select to refresh the page to display the most current data.

    For information on creating and downloading API tokens, see API Tokens.

  5. Enterprise Authentication:
    1. Select one of the following Authentication modes:
      • Local: This is the default option and does not require any additional configuration.
      • Single Sign-On: Single Sign-On (SSO) is a session and user authentication service that allows users to log in to multiple applications and websites with one set of credentials. Integrating an SSO service with Orchestrator enables Orchestrator to authenticate users from OpenID Connect (OIDC)-based Identity Providers (IdPs).

      For information on how to configure Single Sign On for Enterprise User, see Enterprise Settings.

      To enable Single Sign On (SSO) for Orchestrator, you must enter the Orchestrator application details into the Identity Provider (IdP). See the sections later in this document for step-by-step instructions to configure each of the supported IdPs: Azure Active Directory, Okta, OneLogin, and PingIdentity.
      You can configure the following options when you select the Authentication Mode as Single Sign-On.
      Figure 12. Global Settings - Enterprise Authentication
      Table 17. Enterprise Authentication Option Descriptions
      Option Description
      Identity Provider Template From the drop-down menu, select your preferred Identity Provider (IdP) that you have configured for Single Sign On. This pre-populates fields specific to your IdP.
      Note: You can also manually configure your own IdPs by selecting Others from the drop-down menu.
      OIDC well-known config URL Enter the OpenID Connect (OIDC) configuration URL for your IdP. For example, the URL format for Okta will be: https://{oauth-provider-url}/.well-known/openid-configuration.
      Issuer This field is auto-populated based on your selected IdP.
      Authorization Endpoint This field is auto-populated based on your selected IdP.
      Token Endpoint This field is auto-populated based on your selected IdP.
      JSON Web KeySet URI This field is auto-populated based on your selected IdP.
      User Information Endpoint This field is auto-populated based on your selected IdP.
      Client ID Enter the client identifier provided by your IdP.
      Client Secret Enter the client secret provided by your IdP, which the client uses to exchange an authorization code for a token.
      Scopes This field is auto-populated based on your selected IdP.
      Role Type Select one of the following two options:
      • Use default role
      • Use identity provider roles
      Role Attribute Enter the name of the attribute set in the IdP to return roles.
      Enterprise Role Map Map the IdP-provided roles to each of the Enterprise user roles.

      Select Update to save the entered values. The SSO authentication setup is complete in the Orchestrator.
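The following is an added example (not code from the Orchestrator product) showing what the Enterprise Authentication form does with the OIDC well-known config URL (the auto-populated fields of Table 17) and how the Role Type, Role Attribute and Enterprise Role Map settings resolve the Enterprise role of an IdP user. The hostnames, claim values and the privilege order of the Enterprise roles are assumptions.

```python
"""Added example, not Orchestrator product code: fills the Table 17 fields from an
OIDC discovery document and resolves an IdP user's Enterprise role from the
Role Type / Role Attribute / Enterprise Role Map settings. Hostnames and claim
values are constructed placeholders."""
import json
from urllib.parse import urlparse

# Discovery-document keys behind the auto-populated fields of Table 17.
DISCOVERY_FIELDS = {
    "issuer": "Issuer",
    "authorization_endpoint": "Authorization Endpoint",
    "token_endpoint": "Token Endpoint",
    "jwks_uri": "JSON Web KeySet URI",
    "userinfo_endpoint": "User Information Endpoint",
}

# Constructed sample of what an IdP serves at /.well-known/openid-configuration.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/v1/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/v1/token",
    "jwks_uri": "https://idp.example.com/oauth2/v1/keys",
    "userinfo_endpoint": "https://idp.example.com/oauth2/v1/userinfo",
})

# Assumed privilege order (low to high) of the Enterprise roles named on this page.
ENTERPRISE_ROLE_RANK = {"Enterprise Standard Admin": 0, "Enterprise Superuser": 1}


def populate_from_discovery(well_known_url, document):
    """Return the Table 17 fields filled from the discovery JSON. The issuer must
    match the well-known URL (OIDC Discovery publishes the document under
    <issuer>/.well-known/openid-configuration) and every endpoint must be https,
    so a mistyped or hostile config URL is rejected instead of silently saved."""
    doc = json.loads(document)
    expected_issuer = well_known_url.split("/.well-known/openid-configuration")[0]
    if doc.get("issuer", "").rstrip("/") != expected_issuer.rstrip("/"):
        raise ValueError("issuer %r does not match the config URL" % doc.get("issuer"))
    fields = {}
    for key, form_name in DISCOVERY_FIELDS.items():
        url = doc.get(key)
        if not url or urlparse(url).scheme != "https":
            raise ValueError("%s is missing or not an https URL" % form_name)
        fields[form_name] = url
    return fields


def resolve_enterprise_role(claims, role_type, role_attribute, role_map, default_role):
    """Apply the Role Type, Role Attribute and Enterprise Role Map settings to the
    claims of an authenticated IdP user. Returns the Enterprise role to assign, or
    None when no IdP role maps to an Enterprise role (the login should then be
    refused rather than falling back to a privileged role)."""
    if role_type == "Use default role":
        return default_role
    idp_roles = claims.get(role_attribute, [])
    if isinstance(idp_roles, str):          # some IdPs send a single string
        idp_roles = [idp_roles]
    mapped = {role_map[r] for r in idp_roles if r in role_map}
    if not mapped:
        return None
    # Assumption: when several IdP roles map, grant the least privileged one.
    return min(mapped, key=ENTERPRISE_ROLE_RANK.__getitem__)
```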

  6. User Authentication: You can choose to activate or deactivate the Two factor authentication feature for the user.
    Table 18. User Authentication Option Descriptions
    Option Description
    Two factor authentication Slide the toggle button to activate this feature for all users. Select the Make Required check box to make this authentication mandatory for all users.
    Self service password reset Slide the toggle button to allow users to change their passwords using the link on the Login screen. Select the Require two factor authentication for password reset check box to make this authentication mandatory for all users.
    Note: This feature can be activated only for those users whose mobile phone numbers are associated with their user accounts.
  7. Password Policy: Starting from the Release 6.4.0, Enterprise Superusers can set their own password policies directly from the Authentication screen. This section appears when the Authentication Mode is set to Local.
    Figure 13. Global Settings - Password Policy
    1. Configure the following parameters:
      Table 19. Password Policy Option Descriptions
      Option Description
      Password Strength
      Password length Specify the minimum and maximum length of the password. The minimum length value must be in the range from 1 to 8, whereas the maximum length value must be in the range from 16 to 32. The default values are 8 and 32 respectively.
      Require uppercase Slide the toggle button to activate this parameter. If activated, the password must contain at least one uppercase letter.
      Require lowercase Slide the toggle button to activate this parameter. If activated, the password must contain at least one lowercase letter.
      Require numbers Slide the toggle button to activate this parameter. If activated, the password must contain at least one number.
      Require special characters Slide the toggle button to activate this parameter. If activated, the password must contain at least one special character. Hover the mouse on the information icon to view the valid special characters.
      Exclude common passwords Slide the toggle button to activate this parameter. If activated, users are not allowed to use the most commonly used passwords.
      Disallow username in password Slide the toggle button to activate this parameter. If activated, username cannot be set as the password.
      Enforce character validation Select this check box to ensure that the password meets the following criteria for strength and security:
      • Max repeat characters: Enter the maximum number of characters that can be repeated in the password. The accepted range is from 1 to 8. The default value is 1.
      • Max sequences: Enter the maximum number of consecutive characters or sequences that can be allowed in the password. The accepted range is from 0 to 10. The default value is 1.
      Password Expiration Select the Force Password Expiration check box and set the duration after which users must change their passwords. The accepted range is from 1 to 365. The default value is 30.
      Password History Select the Enforce Password History check box and enter a value that determines the number of previously created passwords that cannot be reused as the new password. This enhances the overall security. The accepted range is from 1 to 100. The default value is 5.
      Note: Only Enterprise Superusers can modify these settings. Enterprise Standard Admins can view this section, but cannot modify anything.
    2. Select Update to save the new settings.
    3. Select Discard to reset the settings.
    4. Users who are already logged in are not affected by this update. To enforce the new password policy, an Enterprise Superuser must perform the following steps:
      1. Navigate to User Management > Users, and select a user.
      2. Select Password > Enforce Policy, and then select Yes, Enforce. This forces the selected user to change their password as per the new password policy. Current user sessions are not terminated.

      The Password Modified column on the Users screen displays the date and time when the user last modified the password.
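The following is an added example (not code from the Orchestrator product) that applies the Table 19 password policy parameters with their documented defaults to a candidate password. The common-password list, the special-character set, the reading of "Max repeat characters" as the longest run of one character, and the reading of "Max sequences" as runs of consecutive characters are assumptions.

```python
"""Added example, not Orchestrator product code: applies the Table 19 password policy."""
import hashlib
import re
from dataclasses import dataclass

# Constructed stand-ins for the product's common-password list and special-character set.
COMMON_PASSWORDS = {"password", "12345678", "qwertyuiop", "letmein1", "welcome1"}
SPECIAL_CHARACTERS = set("!@#$%^&*()-_=+[]{};:,.<>?/")

@dataclass
class PasswordPolicy:
    min_length: int = 8                 # accepted range 1..8
    max_length: int = 32                # accepted range 16..32
    require_uppercase: bool = True
    require_lowercase: bool = True
    require_numbers: bool = True
    require_special: bool = True
    exclude_common: bool = True
    disallow_username: bool = True
    enforce_character_validation: bool = True
    max_repeat_characters: int = 1      # accepted range 1..8
    max_sequences: int = 1              # accepted range 0..10
    history_size: int = 5               # Enforce Password History, 1..100

    def __post_init__(self):
        # Refuse a policy whose limits fall outside the ranges the UI accepts.
        if not (1 <= self.min_length <= 8 and 16 <= self.max_length <= 32
                and 1 <= self.max_repeat_characters <= 8 and 0 <= self.max_sequences <= 10):
            raise ValueError("policy limits outside the documented ranges")

def longest_repeat(pw):
    """Length of the longest run of one repeated character ('aab' -> 2)."""
    return max((len(m.group(0)) for m in re.finditer(r"(.)\1*", pw)), default=0)

def count_sequences(pw, min_run=3):
    """Runs of min_run+ consecutive ascending/descending characters (assumed meaning of Max sequences)."""
    count, i = 0, 0
    while i < len(pw) - 1:
        step = ord(pw[i + 1]) - ord(pw[i])
        if step not in (1, -1):
            i += 1
            continue
        j = i + 1
        while j + 1 < len(pw) and ord(pw[j + 1]) - ord(pw[j]) == step:
            j += 1
        if j - i + 1 >= min_run:
            count += 1
        i = j
    return count

def password_digest(pw):
    """Digest kept in the history list (a real store would use a salted password hash)."""
    return hashlib.sha256(pw.encode()).hexdigest()

def check_password(pw, username, policy, history=()):
    """Return the Table 19 rules `pw` violates (empty list = accepted); `history` holds
    digests of the user's previous passwords, newest last."""
    violations = []
    if not policy.min_length <= len(pw) <= policy.max_length:
        violations.append("length")
    classes = [("uppercase", policy.require_uppercase, str.isupper),
               ("lowercase", policy.require_lowercase, str.islower),
               ("numbers", policy.require_numbers, str.isdigit),
               ("special", policy.require_special, SPECIAL_CHARACTERS.__contains__)]
    for name, required, test in classes:
        if required and not any(test(c) for c in pw):
            violations.append(name)
    if policy.exclude_common and pw.lower() in COMMON_PASSWORDS:
        violations.append("common")
    # Assumption: "username in password" is a substring check, which also covers pw == username.
    if policy.disallow_username and username.lower() in pw.lower():
        violations.append("username")
    if policy.enforce_character_validation and longest_repeat(pw) > policy.max_repeat_characters:
        violations.append("max_repeat_characters")
    if policy.enforce_character_validation and count_sequences(pw) > policy.max_sequences:
        violations.append("max_sequences")
    if password_digest(pw) in list(history)[-policy.history_size:]:
        violations.append("history")
    return violations
```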

  8. Session Limits: The following options are available in this section. After configuring the options, select Update to save the selected values.
    Table 20. Session Limits Option Descriptions
    Option Description
    Concurrent logins Allows you to set a limit on concurrent logins per user. By default, Unlimited is selected, indicating that unlimited concurrent logins are allowed for the user.
    Session limits for each role Allows you to set a limit on the number of concurrent sessions based on user role. By default, Unlimited is selected, indicating that unlimited sessions are allowed for the role.
    Note: The roles that are already created by the Enterprise in the Roles tab, are displayed in this section.
    Note: To view this section, an Operator user must navigate to Orchestrator > System Properties, and set the value of the system property session.options.enableSessionTracking to True.

Configure Azure Active Directory for Single Sign On

Ensure you have an Azure AD account to sign in.

To set up an OpenID Connect (OIDC)-based application in Microsoft Azure Active Directory (Azure AD) for Single Sign On (SSO), perform the following steps:

  1. Log in to your Microsoft Azure account as an Admin user. The Microsoft Azure home screen appears.
  2. To create a new application:
    1. Search and select the Azure Active Directory service.
      Figure 14. Microsoft Azure
    2. Go to App registration > New registration. The Register an application screen appears.
      Figure 15. Register an Application
    3. In the Name field, enter the name for your Orchestrator application.
    4. In the Redirect URL field, enter the redirect URL that your Orchestrator application uses as the callback endpoint.
      In the Orchestrator application, at the bottom of the Configure Authentication screen, you can find the redirect URL link. Ideally, the redirect URL will be in this format: https://<Orchestrator URL>/login/ssologin/openidCallback.
    5. Select Register.
      Your Orchestrator application is registered and displayed in the All applications and Owned applications tabs. Make sure to note down the Client ID/Application ID to be used during the SSO configuration in Orchestrator.
    6. Select Endpoints and copy the well-known OIDC configuration URL to be used during the SSO configuration in Orchestrator.
    7. To create a client secret for your Orchestrator application, on the Owned applications tab, select your Orchestrator application.
    8. Go to Certificates & secrets > New client secret. The Add a client secret screen appears.
      Figure 16. Adding a Client Secret
    9. Provide details such as description and expiry value for the secret and select Add.
      The client secret is created for the application. Note down the new client secret value to be used during the SSO configuration in the Orchestrator.
    10. To configure permissions for your Orchestrator application, select your Orchestrator application and go to API permissions > Add a permission. The Request API permissions screen appears.
      Figure 17. Adding API Permissions
    11. Select Microsoft Graph and select Application permissions as the type of permission for your application.
    12. Under Select permissions, from the Directory drop-down menu, select Directory.Read.All and from the User drop-down menu, select User.Read.All.
    13. Select Add permissions.
    14. To add and save roles in the manifest, select your Orchestrator application and, from the application Overview screen, select Manifest. A web-based manifest editor opens, allowing you to edit the manifest within the portal. Optionally, you can select Download to edit the manifest locally, and then use Upload to reapply it to your application.
      Figure 18. Viewing the Manifest
    15. In the manifest, search for the appRoles array and add one or more role objects as shown in the following example and select Save.
      Note: The value property from appRoles must be added to the Identity Provider Role Name column of the Role Map table, located in the Authentication tab, in order to map the roles correctly.
      Example: Sample role objects
      {
          "allowedMemberTypes": [
              "User"
          ],
          "description": "Standard Administrator who will have sufficient privilege to manage resource",
          "displayName": "Standard Admin",
          "id": "18fcaa1a-853f-426d-9a25-ddd7ca7145c1",
          "isEnabled": true,
          "lang": null,
          "origin": "Application",
          "value": "standard"
      },
      {
          "allowedMemberTypes": [
              "User"
          ],
          "description": "Super Admin who will have the full privilege on Orchestrator",
          "displayName": "Super Admin",
          "id": "cd1d0438-56c8-4c22-adc5-2dcfbf6dee75",
          "isEnabled": true,
          "lang": null,
          "origin": "Application",
          "value": "superuser"
      }
      Note: Make sure to set id to a newly generated Global Unique Identifier (GUID) value. You can generate GUIDs online using web-based tools (for example, https://www.guidgen.com/), or by running the following commands:
      • Linux/OSX - uuidgen
      • Windows - powershell [guid]::NewGuid()
      Figure 19. Manifest

      Roles are manually set up in the Orchestrator, and must match the ones configured in the Microsoft Azure portal.

      Figure 20. App Roles
  3. To assign groups and users to your Orchestrator application:
    1. Go to Azure Active Directory > Enterprise applications.
    2. Search and select your Orchestrator application.
    3. Select Users and groups and assign users and groups to the application.
    4. Select Submit. You have completed setting up an OIDC-based application in Azure AD for SSO.

Next, configure Single Sign On in Orchestrator as described under Enterprise Authentication in the Authentication tab.

Configure Okta for Single Sign On

Ensure you have an Okta account to sign in.

To support OpenID Connect (OIDC)-based Single Sign On (SSO) from Okta, you must first set up an application in Okta. To set up an OIDC-based application in Okta for SSO, perform the following steps:

  1. Log in to your Okta account as an Admin user. The Okta home screen appears.
    Note: If you are in the Developer Console view, then you must switch to the Classic UI view by selecting Classic UI from the Developer Console drop-down list.
  2. To create a new application:
    1. In the upper navigation bar, select Applications > Add Application. The Add Application screen appears.
      Figure 21. Adding an Application to Okta
    2. Select Create New App.
      The Create a New Application Integration dialog box appears.
    3. From the Platform drop-down menu, select Web.
    4. Select OpenID Connect as the Sign on method and select Create.
      The Create OpenID Connect Integration screen appears.
      Figure 22. Creating an OpenID Connect Integration
    5. Under the General Settings area, in the Application name text box, enter the name for your application.
    6. Under the CONFIGURE OPENID CONNECT area, in the Login redirect URIs text box, enter the redirect URL that your Orchestrator application uses as the callback endpoint.

      In the Orchestrator application, at the bottom of the Configure Authentication screen, you can find the redirect URL link. Ideally, the Orchestrator redirect URL will be in this format: https://<Orchestrator URL>/login/ssologin/openidCallback.

    7. Select Save. The newly created application page appears.
    8. On the General tab, select Edit and select Refresh Token for Allowed grant types, and select Save. Note down the Client Credentials (Client ID and Client Secret) to be used during the SSO configuration in the Orchestrator.
      Figure 23. Configuring General Settings
    9. Select the Sign On tab and under the OpenID Connect ID Token area, select Edit.
    10. From the Groups claim type drop-down menu, select Expression. By default, Groups claim type is set to Filter.
    11. In the Groups claim expression textbox, enter the claim name that will be used in the token, and an Okta input expression statement that evaluates the token.
    12. Select Save.
      The application is set up in the IdP. You can now assign user groups and users to your Orchestrator application.
      Figure 24. Configuring Settings
  3. To assign groups and users to your Orchestrator application:
    1. Go to Application > Applications, and select your Orchestrator application link.
    2. On the Assignments tab, from the Assign drop-down menu, select Assign to Groups or Assign to People. The Assign <Application Name> to Groups or Assign <Application Name> to People dialog box appears.
    3. Select Assign next to the user groups or users to which you want to assign the Orchestrator application, and select Done. The users or user groups assigned to the Orchestrator application are displayed.
      Figure 25. Assigning the Configuration

      You have completed setting up an OIDC-based application in Okta for SSO.

Next, configure Single Sign On in Orchestrator as described under Enterprise Authentication in the Authentication tab.

Configure OneLogin for Single Sign On

Ensure you have a OneLogin account to sign in.

To set up an OpenID Connect (OIDC)-based application in OneLogin for Single Sign On (SSO), perform the steps below:

  1. Log in to your OneLogin account as an Admin user. The OneLogin home screen appears.
  2. To create a new application:
    1. In the upper navigation bar, select Apps > Add Apps.
    2. In the Find Applications text box, search for “OpenId Connect” or “oidc” and then select the OpenId Connect (OIDC) app. The Add OpenId Connect (OIDC) screen appears.
      Figure 26. Add OpenID Connect
    3. In the Display Name text box, enter the name for your application and select Save.
    4. On the Configuration tab, enter the Login URL (auto-login URL for SSO) and the Redirect URI that Orchestrator uses as the callback endpoint, and select Save.
      • Login URL - The login URL will be in this format: https://<Orchestrator URL>/<Domain>/login/doEnterpriseSsoLogin, where <Domain> is the domain name of your Enterprise that you must have already set up to enable SSO authentication for the Orchestrator. You can get the Domain name from the Enterprise portal > Administration > System Settings > General Information page.
      • Redirect URI - The Orchestrator redirect URL will be in this format: https://<Orchestrator URL>/login/ssologin/openidCallback. In the Orchestrator application, at the bottom of the Authentication screen, you can find the redirect URL link.
      Figure 27. Configuring OpenID Connect
    5. On the Parameters tab, under OpenId Connect (OIDC), double-click Groups. The Edit Field Groups pop-up appears.
      Figure 28. Editing Field Groups
    6. Configure User Roles with value “--No transform--(Single value output)” to be sent in groups attribute and select Save.
    7. On the SSO tab, from the Application Type drop-down menu, select Web.
    8. From the Authentication Method drop-down menu, select POST as the Token Endpoint and select Save. Note down the Client Credentials (Client ID and Client Secret) to be used during the SSO configuration in the Orchestrator.
      Figure 29. Configuring the Authentication Method
    9. On the Access tab, choose the roles that will be allowed to log in and select Save.
      Figure 30. Access
  3. To add roles and users to your Orchestrator application:
    1. Select Users and select a user.
    2. On the Application tab, from the Roles drop-down menu, on the left, select a role to be mapped to the user.
    3. Select Save Users. You have completed setting up an OIDC-based application in OneLogin for SSO.

Next, configure Single Sign On in Orchestrator as described under Enterprise Authentication in the Authentication tab.

Configure PingIdentity for Single Sign On

Ensure you have a PingOne account to sign in.
Note: Currently, Orchestrator supports PingOne as the Identity Provider (IdP). However, any PingIdentity product supporting OIDC can be configured in the same way.

To set up an OpenID Connect (OIDC)-based application in PingIdentity for Single Sign On (SSO), perform the following steps:

  1. Log in to your PingOne account as an Admin user. The PingOne home screen appears.
  2. To create a new application:
    1. In the upper navigation bar, select Applications.
      Figure 31. My Applications
    2. On the My Applications tab, select OIDC and then select Add Application. The Add OIDC Application pop-up window appears.
      Figure 32. Adding an OIDC Application
    3. Provide basic details such as name, short description, and category for the application and select Next.
    4. Under AUTHORIZATION SETTINGS, select Authorization Code as the allowed grant types and select Next. Note down the Discovery URL and Client Credentials (Client ID and Client Secret) to be used during the SSO configuration in the Orchestrator.
    5. Under SSO FLOW AND AUTHENTICATION SETTINGS, provide valid values for Start SSO URL and Redirect URL and select Next.
      In the Orchestrator application, at the bottom of the Configure Authentication screen, you can find the redirect URL link. Ideally, the Orchestrator redirect URL will be in this format: https://<Orchestrator URL>/login/ssologin/openidCallback. The Start SSO URL will be in this format: https://<Orchestrator URL>/<domain name>/login/doEnterpriseSsoLogin.
    6. Under DEFAULT USER PROFILE ATTRIBUTE CONTRACT, select Add Attribute to add additional user profile attributes.
    7. In the Attribute Name text box, enter group_membership and then select the Required check box, and select Next.
      Note: The group_membership attribute is required to retrieve roles from PingOne.
    8. Under CONNECT SCOPES, select the scopes that can be requested for your Orchestrator application during authentication and select Next.
    9. Under Attribute Mapping, map your identity repository attributes to the claims available to your Orchestrator application.
      Note: The minimum required mappings for the integration to work are email, given_name, family_name, phone_number, sub, and group_membership (mapped to memberOf).
    10. Under Group Access, select all user groups that should have access to your Orchestrator application and select Done. The application will be added to your account and will be available in the My Application screen.
      You have completed setting up an OIDC-based application in PingOne for SSO.

Next, configure Single Sign On in Orchestrator as described under Enterprise Authentication in the Authentication tab.
