Understanding Multiple Roles per User

Multiple Roles Per User

In addition to creating multiple user roles, administrators can assign up to ten roles to a single user. This article will cover how intersecting roles work in various scenarios.

Examples for Understanding Overlapping Roles

System Admin Role + Custom Role = Admin

An Admin user has the most permissions and has access to all assets, so adding a custom role does not limit permissions or access to certain assets. This user may be assigned an API key with Admin permission.

System Write Role + Custom Role

A System Write Role user has all of the permissions and access of an Admin; therefore, adding a custom role will not limit the permissions or access to certain assets. The difference between Admin and Write System Roles is outlined in our Role Permissions article. This user may be assigned an API key with write permission.

System Write Role + System Read-Only Role

A user with two system roles will assume the greatest permissions among roles, will have access to all assets, and may be assigned an API key which reflects this.

System Read Only Role + Custom Role

A System Read Only User has read permissions over all assets. When you create a custom role with write permissions, you can specify the risk meters over which the user will have write access. For all assets that fall outside of those specific risk meters, the user will still only have read access. If the Custom Role provides write access over "All Assets", this combination will completely override the System Read Only Role in the UI only, and the user will have an API key with read-only access.

Custom Role + Custom Role 

Important: Permissions are additive over only the assets that all roles have in common. Where multiple roles share access to the same Risk Meters/assets, the greatest permissions apply to all. Where they do not share access to Risk Meters/assets, only the specific custom role permissions apply. This user will not have an API key.

Here is a simple example looking only at the question of whether the user obtains write permissions over all the assets in each role they are assigned.




Conflicts When Editing Assets

If a user with multiple roles attempts to edit a group of assets, and they do not have the permission to do so, they will see the following message:

"You do not have permission to affect all of the selected assets. Please contact your Cisco Vulnerability Management Admin if you believe you should have additional permission."



Assigning Multiple Roles to a User

For a more in-depth article on user management, please refer to our article on Role Based Access Control. To assign multiple roles to a single user, administrators can navigate to Settings → Users → Edit user and select up to ten roles from the drop-down list.




Now, in the User list under the Settings menu, anyone with multiple roles will show more than one role in the Role column.


If you click on a User's name to open up the User Details page, you will see the permissions they have. Hovering over "Partial" will display the differences between roles.


To see which risk meters, applications, and users are assigned to a role, click on the role name to open up the Role Detail Page.



API Use with Multiple User Roles

API Keys

Important: Only users with System Roles may be assigned an API key. A user can have only one API key. A user with a Custom role and a System role may be assigned an API key that reflects their System Role permission. If the user is assigned two System Roles, their API key will have the permissions of the highest System Role.


API Endpoints

  1. The List User and Show User endpoints' responses list an array of roles and role_ids.

  2. Use the Create User and Update User endpoints with the roles and role_ids parameters for multiple roles.


  • Even when only one role is being assigned, plural options will show up with arrays.
  • All of the user's "roles" or "role_ids" should be provided in the arrays, including the existing ones and the new ones. Any existing "roles" or "role_ids" that are not included in the arrays will be unassigned from the user.
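
Because the arrays replace the user's whole role set, it helps to build the submitted array from the current one and review what it would unassign before calling Update User. The following Python is an added example, not code from the vendor; the function names and the sample role IDs are hypothetical, and it makes no API call.

```python
# Added example (not vendor code): plan a role change for the Update User
# endpoint, whose role_ids array replaces the user's whole role set.
MAX_ROLES = 10  # the article's limit: up to ten roles per user


def plan_role_update(current_ids, add=(), remove=()):
    """Return the full role_ids array to submit, plus what it changes."""
    current = list(dict.fromkeys(current_ids))  # de-duplicate, keep order
    drop = set(remove)
    if drop & set(add):
        raise ValueError("a role cannot be both added and removed")
    unknown = drop - set(current)
    if unknown:
        raise ValueError(f"cannot remove roles the user lacks: {sorted(unknown)}")
    # Start from every existing role so nothing is unassigned by omission.
    submit = [r for r in current if r not in drop]
    submit += [r for r in dict.fromkeys(add) if r not in submit]
    if len(submit) > MAX_ROLES:
        raise ValueError(f"{len(submit)} roles exceeds the limit of {MAX_ROLES}")
    return {
        "role_ids": submit,
        "assigned": [r for r in submit if r not in current],
        "unassigned": [r for r in current if r not in submit],
    }


def unassigned_by(current_ids, submitted_ids):
    """Roles that a given array would remove if it were sent as-is."""
    submitted = set(submitted_ids)
    return [r for r in dict.fromkeys(current_ids) if r not in submitted]


if __name__ == "__main__":
    current = [11, 12, 13]  # constructed sample: role_ids from Show User
    # Sending only the new role would strip all three existing roles.
    print("naive [14] would unassign:", unassigned_by(current, [14]))
    print("safe plan:", plan_role_update(current, add=[14]))
```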
