Multiple Roles Per User
In addition to creating multiple user roles, administrators can assign up to ten roles to a single user. This article will cover how intersecting roles work in various scenarios.
Examples for Understanding Overlapping Roles
System Administrator Role + Custom Role = Administrator
An Administrator user has the most permissions and has access to all assets, so adding a custom role does not limit permissions or restrict access to any assets. You can assign this user an API key with Administrator permissions.
System Write Role + Custom Role
A System Write Role user has the same permissions and access as an Administrator; therefore, adding a custom role will not limit permissions or restrict access to any assets. For more details about the difference between the Administrator and Write System roles, refer to the Role Permissions article. You can assign this user an API key with write permissions.
System Write Role + System Read-Only Role
A user with two system roles will assume the greatest permissions among roles, will have access to all assets, and you can assign them an API key that reflects this.
System Read-Only Role + Custom Role
A System Read-Only User has read permissions for all assets. When you add a custom role with write permissions, you can specify the risk meters you want to allow the user to have write access to. For all assets that fall outside of the specific risk meters, the user will have only read access. If the Custom Role provides write access over "All Assets", this combination will override the System Read-Only role in the UI only, and the user will have an API key with read-only access.
Custom Role + Custom Role
Important: Permissions are additive over only the assets that all roles have in common. In cases where multiple roles share access to the same Risk Meters/assets, the greatest permissions apply to all. Where they do not share access to Risk Meters/assets, only the specific custom role permissions apply. This user will not have an API key.
Here is an example that looks only at the question of whether the user obtains write permissions over all the assets in each role they are assigned.
Conflicts When Editing Assets
If a user with multiple roles attempts to edit a group of assets, and they do not have the permission to do so, they will see the following message:
"You do not have permission to affect all of the selected assets. Please contact your Cisco Vulnerability Management Admin if you believe you should have additional permission."
Assign Multiple Roles to a User
For a more in-depth look at user management, refer to our article on Role Based Access Control. Follow these steps to assign multiple roles to a single user.
1. In Cisco Vulnerability Management, hover over the gear icon in the upper right-hand corner of the page and click Users.
2. Click the user that you want to edit.
3. In the Roles drop-down list, select up to ten roles to assign to the user.
4. Click Update User.
In the User list, all of the user's roles display in the Role(s) column.
View Roles for a User
Click on a user's name to open up the User Details page, where you will see the permissions they have. Hover over "Partial" to display the differences between roles.
View Role Details
To see which risk meters, applications, and users are assigned to a role, click on the role name to open up the Role Detail Page.
API Use with Multiple User Roles
API Keys
Important: You can assign only users with System Roles an API key. A user can have only one API key. You can assign a user with a Custom Role and a System Role an API key that reflects their System Role permission. If the user is assigned two System Roles, their API key will have the permissions of the highest System Role.
API Endpoints
- The List User and Show User endpoints' responses list an array of roles and role_ids.
- Use the Create User and Update User endpoints with the roles and role_ids parameters for multiple roles.
Important:
- Even when you are assigning only one role, plural options will display with arrays.
- All of the user's "roles" or "role_ids" should be provided in the arrays including the existing ones and the new ones. Any existing "roles" or "role_ids" that are not included in the arrays will be unassigned from the user.
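The following Python sketch is an added example, not code from Cisco or from this article. It applies two rules described above before an Update User call is sent: the submitted array replaces the user's roles, and the API key follows only the highest System Role. The system role strings, their rank order, and the custom role names are assumptions made for illustration.

```python
# Added example: the role names and rank order below are assumptions that
# mirror the labels used in this article, not values returned by the API.
MAX_ROLES = 10
SYSTEM_RANK = {"Read-Only": 1, "Write": 2, "Administrator": 3}


def plan_role_update(existing, to_add=(), to_remove=()):
    """Return the full roles array to send with Update User.

    The array replaces the user's roles, so every role to keep must be in it.
    """
    removing = set(to_remove)
    final = [r for r in existing if r not in removing]
    for role in to_add:
        if role not in final and role not in removing:
            final.append(role)
    if len(final) > MAX_ROLES:
        raise ValueError(f"{len(final)} roles requested; the limit is {MAX_ROLES}")
    return final


def api_key_level(roles):
    """Permission level of the user's API key, or None if no key is possible.

    Only system roles count; custom roles never raise or lower the key.
    """
    system = [r for r in roles if r in SYSTEM_RANK]
    return max(system, key=SYSTEM_RANK.get) if system else None


def review_update(existing, submitted):
    """Summarise what an Update User call would change before it is sent."""
    return {
        "unassigned": [r for r in existing if r not in submitted],
        "api_key_before": api_key_level(existing),
        "api_key_after": api_key_level(submitted),
    }


if __name__ == "__main__":
    current = ["Read-Only", "Linux Patching"]  # constructed sample user
    # Mistake: sending only the new role unassigns the existing ones.
    print(review_update(current, ["Windows Patching"]))
    # Correct: merge first, then send the full array.
    full = plan_role_update(current, to_add=["Windows Patching"])
    print(full, review_update(current, full))
```

Running the review step against the array you intend to submit shows any roles that would be unassigned and whether the user would lose or change API key access.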