Service Permissions allow an Administrator to granularly define actions (Read, Create, Update, and Delete) assigned to each Privilege (such as Cloud Security Service and Customer Segment configuration) within a Privilege Bundle.

Note: Starting from the 5.1.0 release, Role Customization is renamed to Service Permissions.

You can customize only the permissions and not the roles. When you customize a permission, the changes would impact the roles associated with it. For more information, see Roles.

Only an Operator Superuser can activate the Service Permissions for an Enterprise Superuser. If the Service Permissions option is not available for you, contact your Operator.

The Service Permissions are applied to the privileges as follows:
  • The customizations done at the Enterprise level override the Partner or Operator level customizations.
  • The customizations done at the Partner level override the Operator level customizations.
  • Only when there are no customizations done at the Partner level or Enterprise level, the customizations made by the Operator are applied globally across all users in the Orchestrator.
Note: For information on user privileges, see List of User Privileges.
To access the Service Permissions tab:
  1. In the Enterprise portal, on the Global Navigation bar, expand the Enterprise Applications drop-down menu.
  2. Select Global Settings service.
  3. From the left menu, click User Management, and then click the Service Permissions tab. The following screen appears:
  4. On the Service Permissions screen, you can perform the following activities:
    Option Description
    Service Select the service from the drop-down menu. The available services are:
    • All
    • Global Settings
    • SD-WAN
    • Cloud Web Security
    • Secure Access
    • Edge Network Intelligence
    • Private Mobile Network

    Custom service permissions, if any, associated with the selected service are displayed. By default, all of the custom service permissions are displayed.

    New Permission Allows you to create a new permission. For more information, see New Permission.
    Edit Allows you to edit the settings of the selected permission. You can also click the link to the Permission Name to edit the settings.
    Clone Allows you to create a copy of the selected permission.
    Publish Permission Applies the customization available in the selected package to the existing permission. This option modifies the privileges only at the current level. If there are customizations available at the Operator level or a lower level for the same role, then the lower level takes precedence.
    More Allows you to select from the following additional options:
    • Delete: Deletes the selected permission. You cannot delete a permission if it is already in use.
      Note: A permission can only be deleted if it is in a draft mode. The Delete option is deactivated for a published permission. If you want to delete a published permission, you must reset the permission to system default, which changes it to draft mode and activates the Delete option for the permission.
    • Download JSON: Downloads the list of permissions into a file in JSON format.
    • Upload Permission: Allows you to upload a JSON file of a customized permission.
    • Reset to System Default: Allows you to reset the current published permissions to default settings. Only the permissions applied to the privileges in the current level (Operator, Partner, or Enterprise) of the SASE Orchestrator are reset to the default settings. If Operators or Customers have customized their privileges in the Partner or Enterprise level in the Orchestrator, those settings remain the same.
  5. The following are the other options available in the Service Permissions tab:
    Option Description
    Columns Click and select the columns to be displayed or hidden on the page.
    Note: The Role Associated column displays the Roles using the same Privilege Bundle.
    Refresh Click to refresh the page to display the most current data.
Note:
  • The Orchestrator does not support customization of multiple privilege bundles.
  • Service Permissions are version dependent, and a service permission created on an Orchestrator using an earlier software release will not be compatible with an Orchestrator using a later release. For example, a service permission created on an Orchestrator that is running Release 3.4.x does not work properly if the Orchestrator is upgraded to a 4.x Release. Also, a service permission created on an Orchestrator running Release 3.4.x does not work properly when the Orchestrator is upgraded to 4.x.x Release. In such cases, the user must review and recreate the service permission for the newer release to ensure proper enforcement of all roles.