.. _role-management: Role Management ----------------------- .. _21.3-PB1|VOSS-1072|EKB-12791: .. _21.4-PB4|EKB-14772: .. _25.3|VOSS-1575: .. tip:: :ref:`use-action-search-to-navigate-automate` Overview .......... Provider administrators can manage the roles that are available for administrators, operators, and users at lower levels in the hierarchy. .. note:: You cannot change your own role. .. image:: /src/images/role-management.png Edit a role ................ To edit an existing role: #. Log in as provider administrator. #. Go to the **Role Management** page. #. Locate the role you want to change; then, click on the role to open it. #. Update the role settings, as required. .. note:: The following settings are read-only for existing Self Service roles and cannot be modified: * Interface * Access Profile * Menu Layout * dashboard #. Save your changes. .. note:: If hierarchy node types are removed from the **Permitted Hierarchy Types** list while users or Site Defaults reference this node type, the transaction fails with the following message: "Cannot update Role. Some User(s) or Site Defaults exist with the hierarchy rules defined in this role." Add a role ............. To add a new role: 1. Log in as provider administrator. 2. Go to the **Role Management**. 3. Click **Add**. 4. Fill out details and hierarchy rules for the role: .. tabularcolumns:: |p{5cm}|p{10cm}| +-----------------------+---------------------------------------------------------+ | Setting | Description | +=======================+=========================================================+ | Name | Mandatory. The name of the role. | +-----------------------+---------------------------------------------------------+ | Description | Description of the role. | +-----------------------+---------------------------------------------------------+ | Access Profiles | Mandatory. Specifies permissions for resources. | +-----------------------+---------------------------------------------------------+ | Menu Layout | Mandatory. Controls navigation and available actions. | +-----------------------+---------------------------------------------------------+ | | Mandatory. Defines the landing page and widgets shown | | Dashboard | after login. | +-----------------------+---------------------------------------------------------+ | Interface | Defines whether the role applies to the | | | Administration or Self Service interface. | | | | | | When selecting the *Self Service* interface the | | | following fields are auto-populated and change to | | | read-only (disabled) fields: | | | | | | * Interface (with value *Self Service*) | | | * Access Profile (with value | | | *default_selfservice_access_profile*) | | | * Menu Layout (with value *selfservice*) | | | * Dashboard (with value *selfservice_dashboard*) | +-----------------------+---------------------------------------------------------+ | Theme | Controls the visual appearance of the interface. | +-----------------------+---------------------------------------------------------+ | Self Service Links | Provide useful links to Self-service end users. | +-----------------------+---------------------------------------------------------+ | Permitted Hierarchy | Hierarchy types the role you're working with can be | | Types | added under. If no hierarchy types are specified, the | | | role can be added under any (non-sys) hierarchy. | | | | | | Once you add a permitted hierarchy type, the system | | | validates that a user you're creating with | | | this role is at that hierarchy level before it creates | | | that user. If the user does not exist at that hierarchy | | | the transaction fails. | | | | | | Refer to *Permitted Hierarchy Types List Impact* below. | | | | | | When the role is saved, the selected | | | **Hierarchy Type** is added to the | | | **Hierarchies Allowed** list if it is not included. | +-----------------------+---------------------------------------------------------+ 5. Click **Save** to add the role. .. rubric:: Permitted Hierarchy Types List Impact The following areas in the system are impacted by list entries available in the **Hierarchies Allowed List** of a role: * :ref:`authorized-admin-hierarchies` * :ref:`multi-vendor-move` * :ref:`role-based-access-admins` * :ref:`define-filter` * :ref:`move-user-without-services` * :ref:`move-subscriber` * :ref:`site-defaults` Microsoft-only role ..................... Starting with version 21.3-PB1, Automate ships with a Microsoft-only role (``MicrosoftOnlyRole``) and accompanying role-based access control elements, which are predefined for a Microsoft-only user interface experience. These elements include predefined field display policies, dashboards (``MicrosoftOnlyDashboard``), and menus (``MicrosoftOnlyMenu``). Installing these templates provides the baseline for a Microsoft-only version of Automate, and hides non-Microsoft GUI elements, such as the FDPs, menus, and dashboards reflecting functionality used for managing Cisco devices. To use the ``MicrosoftOnlyRole`` in Automate: 1. Log in to Automate as `hscadmin`. #. Go to the **Roles** page. #. Locate **MicrosoftOnlyRole** in the list view. #. Select the role in the list (or click on the role to open it). .. note:: This role ships with a standard access profile and a predefined menu layout and dashboard. #. Click **Export** to export the role to a JSON file, and save the file to your local computer. #. Edit the JSON file to specify the hierarchy where you want to use the role. .. image:: /src/images/ms-only-role_edit.png #. Go to the **Import** page. #. Browse to the location you saved the JSON file, then click **Import**. #. Go to the **Role Management** list view to verify that the role now exists also at the hierarchy you specified. #. At the hierarchy where you wish to assign the role to a user (Provider or Customer), go to the **Admins** page. Choose a user (or add a user), then on the **User Details** tab, from the **Role** field, choose the role (``MicrosoftOnlyRole``) you imported to this level, and save your change.