The Orchestrator consists of two types of roles.

Note: Starting from the 5.1.0 release, Functional Roles are renamed as Privileges, and Composite Roles are renamed as Roles.

The roles are categorized as follows:

  • Privileges – Privileges are a set of roles relevant to a functionality. A privilege can be tagged to one or more of the following services: SD-WAN, Cloud Web Security, Secure Access, and Global Settings, Multi Cloud, and App Catalog. Users require privileges to carry out business processes. For example, a Customer support role in SD-WAN is a privilege required by an SD-WAN user to carry out various support activities. Every service defines such privileges based on its supported business functionality.
  • Roles – The privileges from various categories can be grouped to form a role. By default, the following roles are available for an Operator user:
    Role SD-WAN Service Cloud Web Security Service Secure Access Service Global Settings Service
    Operator Standard Admin SD-WAN Operator Admin Cloud Web Security Operator Admin Secure Access Operator Admin Global Settings Operator Admin
    Operator Superuser Full Access Full Access Full Access Full Access
    Operator Business SD-WAN Operator Business - - Global Settings Operator Business
    Operator Support SD-WAN Operator Support Cloud Web Security Operator Read Only Secure Access Operator Read Only Global Settings Operator Support

    If required, you can customize the privileges of these roles. For more information, see Service Permissions.

As an Operator, you can view the list of existing standard roles and their corresponding descriptions. You can add, edit, clone, or delete a new role. However, you cannot edit or delete a default role.

To access the Roles tab:
  1. In the Operator portal, click Administration from the top menu.
  2. From the left menu, click User Management, and then click the Roles tab. The following screen appears:
  3. On the Roles screen, you can perform the following activities:
    Option Description
    Add Role Creates a new custom role. For more information, see Add Role.
    Edit Allows you to edit only the custom roles. You cannot edit the default roles. Also, you cannot edit or view the settings of a Superuser.
    Clone Role Creates a new custom role, by cloning the existing settings from the selected role. You cannot clone the settings of a Superuser.
    Delete Role Deletes the selected role. You cannot delete the default roles. You can delete only custom composite roles. Ensure that you have removed all the users associated with the selected role, before deleting the role.
    Download CSV Downloads the details of the user roles into a file in CSV format.
    Note: You can also access the Edit, Clone Role, and Delete Role options from the vertical ellipsis of the selected Role.
  4. Click the Open icon " >>" displayed before the Role link, to view more details about the selected Role, as shown below:
  5. Click the View Role link to view the privileges associated to the selected role for the following services:
    • Global Settings & Administration
    • SD-WAN
    • Cloud Web Security
    • Secure Access
  6. The following are the other options available in the Roles tab:
    Option Description
    Search Enter a search term to search for the matching text across the table. Use the advanced search option to narrow down the search results.
    Columns Click and select the columns to be displayed or hidden on the page.
    Refresh Click to refresh the page to display the most current data.