Catalyst SD-WAN has supported Role Based Access Control (RBAC) for a long time. It has been possible to use predefined roles or create custom roles and define which areas of the system a user should have access to. However, before 20.13 it was not possible to define a scope. In large companies it’s quite common that one group manages one set of devices, for example all the sites in the EU, all the sites in the US, etc. There may also be multiple business units (BUs) within the company which share some infrastructure but operate autonomously from each other, where a BU should only have access to its own set of devices. As of 20.13, it is possible to define a scope when using RBAC in Catalyst SD-WAN.
There is another feature, called Network Hierarchy, that is closely related to RBAC scopes. When onboarding devices, you assign a Site ID to the device. The site is then given a name in the format SITE_<SiteID>, for example SITE_10 when using a Site ID of 10. By default all sites are children of the Global node, as can be seen below:
Note that it says Auto-Generated site. It is possible to edit the site by clicking the pencil icon. Let’s rename this site to AMS as in Amsterdam and SITE_20 to NY as in New York:
Then let’s configure two areas, one for EU sites and one for US sites. This is done by clicking the three dots next to the Global node and then selecting Add Node. Let’s add the EU area first:
The Behave as SD-WAN Region option is related to the Multi-Region Fabric (MRF) feature. We don’t need MRF right now, so it is left off. The area added is a child of the parent Global.
Then the US area is added. The two areas can now be seen in the list:
To assign a site to an area, click the three dots next to the site and choose Edit Site. Then change the parent to be for example EU instead of Global:
The sites have now been added to their respective area:
When this is done, it’s possible to define scopes as part of RBAC. To define a scope, go to Configuration -> Users and Access. Then click Add Scope. Give the scope a name and then click Add Nodes. This is where the magic happens. From this list you can select sites or areas as part of the scope:
The scopes have been added:
Then go to Users and click Add User. I’m defining a user that should only have access to EU sites:
I login with this user and get the following dashboard:
Note that no controllers are listed, and that only two of the four WAN Edges in my lab are listed. When going to Configuration -> Devices, there are only two devices:
The EU admin now only has access to the AMS devices, which belong to the EU area, but not the NY ones, which belong to US. Keep in mind that the scope follows the hierarchy: a newly onboarded site is auto-generated under Global, so until it is moved under EU or US it is not part of either scope, and the controllers, which have no site in the hierarchy, are not visible to a scoped user at all. There you have it! RBAC with scope.
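To make the behaviour above concrete, here is a small model of how a scope resolves against the network hierarchy: a device is visible to a scoped user if its site, or any area above that site, is one of the nodes selected in the scope. This is an added example written for this post, not Cisco’s implementation or the SD-WAN Manager API; the node names, Site IDs and the seven-device lab inventory are constructed to mirror the walkthrough (Global -> EU -> AMS, Global -> US -> NY).

```python
"""Illustrative model of scope-based RBAC over a Catalyst SD-WAN network
hierarchy. Added example for this post, not Cisco code; names, Site IDs and
the device inventory are constructed assumptions mirroring the walkthrough."""

from dataclasses import dataclass
from typing import Optional

# Parent links for the hierarchy built in the walkthrough (assumed to be a tree):
# Global -> EU -> AMS (Site ID 10), Global -> US -> NY (Site ID 20).
HIERARCHY: dict[str, Optional[str]] = {
    "Global": None,
    "EU": "Global",
    "US": "Global",
    "AMS": "EU",   # auto-generated SITE_10, renamed
    "NY": "US",    # auto-generated SITE_20, renamed
}

# Site ID -> site node. Controllers carry no Site ID in this model (assumption).
SITES: dict[int, str] = {10: "AMS", 20: "NY"}


@dataclass(frozen=True)
class Device:
    hostname: str
    kind: str                 # "controller" or "wan-edge"
    site_id: Optional[int]    # None for controllers


# Constructed lab inventory: three controllers and four WAN Edges, two per site.
DEVICES = [
    Device("manager", "controller", None),
    Device("controller-1", "controller", None),
    Device("validator", "controller", None),
    Device("ams-edge-1", "wan-edge", 10),
    Device("ams-edge-2", "wan-edge", 10),
    Device("ny-edge-1", "wan-edge", 20),
    Device("ny-edge-2", "wan-edge", 20),
]

# Scope name -> set of hierarchy nodes (sites and/or areas), as in Add Scope.
SCOPES: dict[str, set[str]] = {
    "EU-sites": {"EU"},
    "US-sites": {"US"},
}


def ancestors(node: str, hierarchy: dict[str, Optional[str]]) -> list[str]:
    """Return node followed by each of its ancestors up to the root."""
    chain, seen = [], set()
    while node is not None:
        if node in seen:  # defensive: a cycle would otherwise loop forever
            raise ValueError(f"cycle in hierarchy at {node}")
        seen.add(node)
        chain.append(node)
        node = hierarchy[node]
    return chain


def set_parent(site: str, parent: str, hierarchy: dict[str, Optional[str]]) -> None:
    """Model 'Edit Site -> change parent'. Rejects unknown nodes and cycles."""
    if site not in hierarchy or parent not in hierarchy:
        raise KeyError("unknown node")
    if site in ancestors(parent, hierarchy):
        raise ValueError("parent would create a cycle")
    hierarchy[site] = parent


def in_scope(device: Device, scope_nodes: set[str],
             hierarchy=HIERARCHY, sites=SITES) -> bool:
    """Visible if the device's site, or any area above it, is in the scope.
    Controllers have no site in the hierarchy, so a scoped user never sees them."""
    if device.site_id is None or device.site_id not in sites:
        return False
    return any(n in scope_nodes for n in ancestors(sites[device.site_id], hierarchy))


def visible_devices(scope_name: Optional[str], devices=DEVICES,
                    scopes=SCOPES, hierarchy=HIERARCHY) -> list[str]:
    """Device list a user gets. No scope (the pre-20.13 behaviour) means
    everything; a scope filters to the sites under the selected nodes."""
    if scope_name is None:
        return [d.hostname for d in devices]
    nodes = scopes[scope_name]
    unknown = nodes - set(hierarchy)
    if unknown:
        raise KeyError(f"scope references unknown nodes: {sorted(unknown)}")
    return [d.hostname for d in devices if in_scope(d, nodes, hierarchy)]


if __name__ == "__main__":
    print("unscoped :", visible_devices(None))
    print("EU-sites :", visible_devices("EU-sites"))
    print("US-sites :", visible_devices("US-sites"))
```

The EU-sites scope selects the EU area rather than the AMS site, so any site later moved under EU with set_parent becomes visible to the EU admin without touching the scope, while a site still parented to Global matches neither scope.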
With the addition of scopes in Catalyst SD-WAN, it’s now possible to do more granular RBAC and provide different people in the organization access to only parts of your infrastructure. I hope you enjoyed the post and see you in the next one.