Managing User Roles

Adding New User Roles

CloudVision Portal enables you to create new roles as needed to ensure that you are able to efficiently manage CVP user permissions. When you create a new role, you specify the read and write permissions for each CVP module.

Once a role has been created, it is automatically added to the list of Available roles, and you can assign it to users that should have the permissions defined in the role. When you assign the role to a user, they inherit the read and write permissions defined in the role.

Complete the following steps to create new roles:

  1. Navigate to the Access Control page.
  2. Under Access Control in the left menu, click Roles.

    The Roles page lists all current roles.

    Figure 1. Roles Page
  3. Click + New Role at the upper right corner of the Roles page.

    The system displays the New Role window.

    Figure 2. New Role Pop-Up Window
  4. Provide the required information in corresponding fields.
  5. Click Save.

    The new role is saved to the CVP database and is available to be assigned to users.

    Note: Roles that you create can be assigned to locally created users, or assigned by an external AAA server to the users it knows.

Modifying User Roles

CloudVision Portal provides the functionality required to change the permissions of an existing role. This enables you to efficiently change the permissions of all users that are assigned the role. After you modify the role, all users assigned the role inherit the read and write permissions defined in the new version of the role.

Complete the following steps to modify an existing role:

  1. Navigate to the Access Control page.
  2. Under Access Control in the left menu, click Roles.
  3. In the Roles page, click the edit icon available next to the corresponding role name.

    The system displays the Edit Role window, which shows all information related to the corresponding role.

    Figure 3. Edit Role Pop-Up Window
  4. Modify the required information.
  5. Click Save.

    The new version of the role is saved to the CVP database.

    Note: All users assigned the role inherit the read and write permissions defined in the new version of the role.

Removing User Roles

Complete these steps to remove a user role:

  1. Navigate to the Access Control page.
  2. Under Access Control in the left menu, click Roles.

    The Roles page lists all current user roles.

  3. Select the required user roles for removal.
  4. Click Remove Role/Remove Roles at the upper right corner of the Roles page.

    The system prompts you to confirm the removal.

    Figure 4. Remove User Role
  5. Click Delete.

    The system deletes the selected user roles.

    Note: A role assigned to user(s) cannot be deleted.

Roles Mapping from SAML to CloudVision

Creating an attribute for your SAML provider allows you to pass CloudVision roles from the corresponding identity provider to CloudVision. This allows CloudVision user accounts to be automatically created with these roles when a new user logs in with that provider.

To use this feature, the Allow Roles Mapping with Providers toggle must be enabled in General Settings. Roles mapping can be set up for a new or existing SAML identity provider. You will need to configure attributes in the identity provider and then add the corresponding provider to CloudVision or edit the provider if it is already connected to CloudVision.

Mapping Roles

To map roles from a SAML provider, you need to configure a custom attribute for CloudVision roles and enter the details in Providers.

  1. Register CloudVision with a SAML provider or reconfigure an existing SAML provider.
  2. Create a custom field that lists CloudVision roles in the SAML provider’s user profiles.
    Tip: User profiles contain information such as first name, last name, email, phone number, and other fields.
    Note: CloudVision role names must be entered exactly as they appear in CloudVision, for instance network-operator, network-admin, no-access.
  3. Assign a role to a user in the SAML provider.
    Note: To enable mapping provider roles to CloudVision roles, extra steps are required to create a custom attribute. The created attribute name can be anything, but cv_roles is a recommended default. CloudVision requires the Roles Attribute Name to be an array of strings.
  4. Enable the Allow Roles Mapping with Providers toggle in General Settings.
  5. Add the SAML provider to CloudVision or edit the provider if it has already been added.
  6. In Providers, enter the attribute name that was created for the SAML provider in the Roles Attribute Name field and fill in the Username Attribute Name field.

    The Username Attribute Name allows you to map usernames from the SAML provider to CloudVision by specifying how the provider identifies the username in the SAML assertion. For most providers, this will be user or username.

Note: When mapping roles from Launchpad to CloudVision, you will also need to enter an Organization Attribute Name.

New users signing in with that identity provider will have their CloudVision user account automatically created and the roles defined in the corresponding SAML provider automatically assigned to them.
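A pre-rollout check for the roles attribute described above, as an added example that is not Arista's code: it parses a constructed SAML AttributeStatement and reports role values that would not match a CloudVision role name exactly. It assumes the attribute is named cv_roles, that an array of strings is sent as one AttributeValue element per role, and that only the three role names mentioned on this page exist.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumption: the role names defined in CloudVision (the three named on this page).
CV_ROLES = {"network-operator", "network-admin", "no-access"}

# Constructed sample AttributeStatements, not captured from a real provider.
GOOD = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="username"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="cv_roles">
    <saml:AttributeValue>network-operator</saml:AttributeValue>
    <saml:AttributeValue>no-access</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

BAD = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="username"><saml:AttributeValue>bob</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="cv_roles">
    <saml:AttributeValue>Network-Admin,network-operator</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def check_roles(statement_xml, roles_attr="cv_roles", known=CV_ROLES):
    """Return (roles, problems) for one AttributeStatement."""
    root = ET.fromstring(statement_xml)
    attr = root.find(f"saml:Attribute[@Name='{roles_attr}']", SAML_NS)
    if attr is None:
        return [], [f"attribute {roles_attr!r} missing from assertion"]
    values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
    roles, problems = [], []
    for value in values:
        if "," in value:
            # A comma-joined string is a single value, not an array of strings.
            problems.append(f"{value!r}: several roles packed in one value, send one value per role")
        elif value in known:
            roles.append(value)
        else:
            near = [k for k in known if k.lower() == value.lower()]
            hint = f", did you mean {near[0]!r}?" if near else ""
            problems.append(f"{value!r}: no CloudVision role with this exact name{hint}")
    if not values:
        problems.append(f"attribute {roles_attr!r} has no values")
    return roles, problems


if __name__ == "__main__":
    for name, xml in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_roles(xml))
```
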


Action Execution Permission

The Action Execution role permission controls the execution of custom actions when they are run in isolation, such as via Studio Autofill actions and standalone executions in the Action editor. A custom action is a user-created action that has either been installed via a package or has been created using a Python script and arguments.

The Action Management and Action Execution permissions must be set to Read & Write for a user to modify and execute a custom action via standalone execution or using the Studio Autofill actions.

Note: Due to existing role-based access control permissions for Change Control and Studios, the Action Execution Permission does not limit any functionality in those workflows.

Enabling Action Execution Permission

To enable the Action Execution permission:

  1. Navigate to Settings > Roles.
  2. Select a role.

  3. Under Provisioning, select a permission level for Action Execution.

    There are three permissions:
    • No Access: The user will not be able to execute custom actions in isolation.
    • Read Only: The user will be able to access details of previous executions and their associated logs via rAPIs.
    • Read and Write: The user will be able to execute custom actions in isolation.
  4. Click Save.

    Users assigned the selected role will have their permissions updated.

Note: If Action Execution is set to Read and Write or Read Only, Action Management must also be set to at least Read Only.