Multiple Roles Per User
In addition to creating multiple user roles, administrators can assign up to ten roles to a single user. This article will cover how intersecting roles work in various scenarios.
Examples for Understanding Overlapping Roles
System Admin Role + Custom Role = Admin
An Admin user has the most permissions and has access to all assets, so adding a custom role does not limit permissions or access to certain assets. This user may be assigned an API key with Admin permission.
System Write Role + Custom Role
A System Write Role user has all of the permissions and access of an Admin; therefore, adding a custom role will not limit the permissions or access to certain assets. The difference between Admin and Write System Roles is outlined in our Role Permissions article. This user may be assigned an API key with write permission.
System Write Role + System Read-Only Role
A user with two system roles will assume the greatest permissions among roles, will have access to all assets, and may be assigned an API key which reflects this.
System Read Only Role + Custom Role
A System Read Only User has read permissions over all assets. When you create a custom role with write permissions, you can specify the risk meters over which the user will have write access. For all assets that fall outside of those specific risk meters, the user will still only have read access. If the Custom Role provides write access over "All Assets", this combination will completely override the System Read Only Role in the UI only, and the user will have an API key with read-only access.
Custom Role + Custom Role
Important: Permissions are additive over only the assets that all roles have in common. Where multiple roles share access to the same Risk Meters/assets, the greatest permissions apply to all. Where they do not share access to Risk Meters/assets, only the specific custom role permissions apply. This user will not have an API key.
Here is a simple example looking only at the question of whether the user obtains write permissions over all the assets in each role they are assigned.
Conflicts When Editing Assets
If a user with multiple roles attempts to edit a group of assets, and they do not have the permission to do so, they will see the following message:
"You do not have permission to affect all of the selected assets. Please contact your Cisco Vulnerability Management Admin if you believe you should have additional permission."
Assigning Multiple Roles to a User
For a more in-depth article on user management, please refer to our article on Role Based Access Control. To assign multiple roles to a single user, administrators can navigate to Settings → Users → Edit user and select up to ten roles from the drop-down list.
Now, from the User list under the Settings menu, anyone with multiple roles will show more than one role in the Role column.
If you click on a User's name to open up the User Details page, you will see the permissions they have. Hovering over "Partial" will display the differences between roles.
To see which risk meters, applications, and users are assigned to a role, click on the role name to open up the Role Detail Page.
API Use with Multiple User Roles
API Keys
Important: Only users with System Roles may be assigned an API key. A user can have only one API key. A user with a Custom role and a System role may be assigned an API key that reflects their System Role permission. If the user is assigned two System Roles, their API key will have the permissions of the highest System Role.
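The overlap rules from the examples above, together with the API key rule in this section, modeled as an added example (not Cisco's code and not part of the product API). It is a simplified model at risk-meter granularity; the names effective_access and ALL, the permission labels, and the sample risk meters are assumptions made for illustration.

```python
# Simplified model of the role-overlap rules described in this article.
# Every name below is hypothetical; none of it is a product API.
LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}
# UI permission each system role grants over all assets, per the article.
SYSTEM_ROLES = {"read_only": "read", "write": "write", "admin": "admin"}
ALL = "ALL"  # sentinel for a custom role scoped to "All Assets"


def _highest(perms):
    """Pick the greatest permission label, or "none" if there are no grants."""
    return max(perms, key=LEVELS.__getitem__, default="none")


def effective_access(system_roles, custom_roles, risk_meters):
    """Return (ui_permission_per_risk_meter, api_key_permission).

    system_roles: iterable of SYSTEM_ROLES keys
    custom_roles: list of (permission, scope); scope is a set of risk
                  meter names, or ALL
    """
    system_roles = list(system_roles)
    if len(system_roles) + len(custom_roles) > 10:
        raise ValueError("a user can hold at most ten roles")
    baseline = _highest(SYSTEM_ROLES[r] for r in system_roles)
    ui = {}
    for rm in risk_meters:
        # Only custom roles that cover this risk meter contribute here.
        grants = [p for p, scope in custom_roles if scope == ALL or rm in scope]
        ui[rm] = _highest([baseline, *grants])
    # The API key follows the highest system role only; a user holding
    # only custom roles gets no API key.
    api_key = baseline if system_roles else None
    return ui, api_key


def ui_exceeds_api_key(ui, api_key):
    """Risk meters where UI permission is greater than the API key's."""
    key_level = LEVELS[api_key or "none"]
    return sorted(rm for rm, p in ui.items() if LEVELS[p] > key_level)


if __name__ == "__main__":
    meters = ["External", "Servers", "Laptops"]  # constructed sample data
    ui, key = effective_access(["read_only"], [("write", ALL)], meters)
    print(ui, key, ui_exceeds_api_key(ui, key))
```

Running the sample shows the Read Only + "All Assets" custom role case: write access everywhere in the UI while the API key stays at read.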
API Endpoints
- The List User and Show User endpoints' responses list an array of "roles" and "role_ids".
- Use the Create User and Update User endpoints with the "roles" and "role_ids" parameters for multiple roles.
Important:
- Even when only one role is being assigned, plural options will show up with arrays.
- All of the user's "roles" or "role_ids" should be provided in the arrays, including the existing ones and the new ones. Any existing "roles" or "role_ids" that are not included in the arrays will be unassigned from the user.