Orchestrator > Orchestrator Server > Users & Authentication > Role Based Access Control
Role Based Access Control (RBAC) provides a more customized Orchestrator experience. On a per-user basis, you can assign roles that specify access levels for a user, control the menu options available in the Orchestrator UI, and grant or deny access to appliance groups.
Orchestrator provides a set of default roles. You can create new roles or modify an existing role.
|Role||Name of the role.|
|Permission||Overall access level assigned to the selected role (Read-Only or Read & Write).|
|Features||Orchestrator features available to the selected role.|
To add a role:
Click Create Roles. The Roles dialog box opens.
Click Add to create a new role, or click the Edit icon to the left of any existing role.
Enter or modify the role name.
Select a category you want to assign to your user from the following tabs: Monitoring, Configuration, Administration, Orchestrator, Support, or Miscellaneous.
To assign the overall access level for the role, select Read Only or Read & Write.
Select the check box corresponding to the Orchestrator menu options you want to make available to the role.
NOTE: You can Select All or Unselect All.
With appliance access groups, you can restrict appliance access to one or more groups or regions. Complete the following steps to customize appliance access.
On the Role Based Access Control tab, click Create Appliance Access Groups. The Appliance Access Group dialog box opens.
Click Add to create a new group, or click the Edit icon to the left of any existing group.
Add or modify the name of the appliance access group.
Choose how you want to add appliances: Select By Groups or Select By Region. You can manually select groups or regions to include, or use the buttons to select or clear all options.
WARNING: A non-RBAC user or an RBAC user with appliance access and no assigned role has access to the Appliance Manager, CLI Session, and Broadcast CLI. An RBAC user with any role assigned is denied access to the Appliance Manager, CLI Session, and Broadcast CLI.
|User||Appliance Access||Roles?||Menu Options|
|Non-RBAC User||N/A||N/A||Appliance Manager, CLI Session, Broadcast CLI|
|RBAC User||Yes||None assigned||Appliance Manager, CLI Session, Broadcast CLI|
|RBAC User||No||Any||Appliance Manager, CLI Session, and Broadcast CLI are denied|
Complete the following steps to assign roles and appliance access.
On the Role Based Access Control tab, click Assign Roles & Appliance Access Groups.
In the User field, enter the name of an existing Orchestrator user.
In the Appliance field, select the name of an existing Appliance Access Group.
Select the check boxes for one or more roles you want to assign to the user.
The following table defines the roles provided by default in Orchestrator (roles are listed alphabetically).
|ConfigAdmin||Backs up and restores appliance configuration and views the configuration history.|
|Monitor||Provides read-only access to all menu items.|
|OrchestratorAdmin||Enables user to perform Orchestrator operations only, such as settings, tools, user management, and Orchestrator upgrades. Appliance operations are not allowed.|
|SiteAdmin||Enables appliance or site-specific operations, such as configuring appliance-specific policies, ACLs, TCAs, SSL certificates, and upgrades. An appliance cannot be removed from the network or perform global SD-WAN functions such as overlay management or Zscaler orchestration.|
|SiteMonitor||Grants read-only permissions equivalent to SiteAdmin.|
|SiteOperator||Enables appliance or site-specific operations such as configuring appliance-specific policies, ACLs, TCAs, and SSL certificates. An appliance cannot be upgraded or removed from the network, or perform global SD-WAN functions such as overlay management or Zscaler orchestration.|
|SiteUpgradeAdmin||Upgrades appliances and removes them from the network.|
|SuperAdmin||Enables full read-write access to all menu items.|
|Support||Enables access to all support operations.|