The Orchestrator consists of two types of roles.

Note: Starting from the 5.1.0 release, Functional Roles are renamed as Privileges, and Composite Roles are renamed as Roles.

The roles are categorized as follows:

  • Privileges – Privileges are a set of roles relevant to a service. A privilege can be tagged to one or more of the following services: SD-WAN, Cloud Web Security, Secure Access, Global Settings, Multi Cloud, and App Catalog. Users require privileges to carry out business processes. For example, a Customer support role in SD-WAN is a privilege required by an SD-WAN user to carry out various support activities. Every service defines such privileges based on its supported business functionality.
  • Roles – The privileges from various categories can be grouped to form a role. By default, the following roles are available for a Partner administrator:
    Role SD-WAN Service Cloud Web Security Service Secure Access Service Global Settings Service
    Partner Standard Admin SD-WAN Partner Admin Cloud Web Security Partner Admin Secure Access Partner Admin Global Settings Partner Admin
    Partner Security Admin SD-WAN Security Partner Admin Cloud Web Security Partner Admin Secure Access Partner Admin Global Settings Partner Admin
    Partner Network Admin SD-WAN Partner Admin Cloud Web Security Partner Read Only Secure Access Partner Read Only Global Settings Partner Admin
    Partner Superuser Full Access Full Access Full Access Full Access
    Partner Business Specialist SD-WAN Partner Business - - Global Settings Partner Business
    Partner Customer Support SD-WAN Partner Support Cloud Web Security Partner Read Only Secure Access Partner Read Only Global Settings Partner Support

    If required, you can customize the privileges of these roles. For more information, see Service Permissions.

As a Partner, you can view the list of existing roles and their corresponding descriptions. You can add a new role, clone an existing role, edit or delete a custom role. You cannot edit or delete a default role.

To access the Roles tab:
  1. Login to the SASE Orchestrator as a Partner.
  2. Click Administration from the top menu.
  3. From the left menu, click User Management, and then click the Roles tab. The following screen appears:
  4. On the Roles screen, you can perform the following activities:
    Option Description
    Add Role Creates a new custom role. For more information, see Add Role.
    Edit Allows you to edit only the custom roles. You cannot edit the default roles. Also, you cannot edit or view the settings of a Superuser.
    Clone Role Creates a new custom role, by cloning the existing settings from the selected role. You cannot clone the settings of a Superuser.
    Delete Role Deletes the selected role. You cannot delete the default roles. You can delete only custom composite roles. Ensure that you have removed all the users associated with the selected role, before deleting the role.
    Download CSV Downloads the details of the user roles into a file in CSV format.
    Note: You can also access the Edit, Clone Role, and Delete Role options from the vertical ellipsis of the selected Role.
  5. Click the Open icon " >>" displayed before the Role link, to view more details about the selected Role, as shown below:
  6. Click the View Role link to view the privileges associated to the selected role for the following services:
    • Global Settings & Administration
    • SD-WAN
    • Cloud Web Security
    • Secure Access
  7. The following are the other options available in the Roles tab:
    Option Description
    Search Enter a search term to search for the matching text across the table. Use the advanced search option to narrow down the search results.
    Columns Click and select the columns to be displayed or hidden on the page.
    Refresh Click to refresh the page to display the most current data.