A role is a function assigned to a user that defines the tasks that the user can perform within CSO. Each user can be assigned one or more roles depending on the tasks that the user is expected to perform.
User roles enable you to classify users based on the privileges to perform tasks on CSO objects. Roles assigned to a user determine the tasks and actions that the user can perform.
Types of Roles
There are two types of roles: predefined roles and custom roles.
Predefined roles—System-defined roles with a set of predefined access privileges assigned to a user to perform tasks within the CSO application. Predefined roles are created in the system during CSO installation. For more information about predefined roles, see Role-Based Access Control Overview.
Custom roles—Object-based user-defined roles with a set of access privileges assigned to a user to perform tasks within the CSO application. Objects include menu and submenu items (for example, Resources, Devices, Images, and POPs) in the CSO application, from which you can create, edit, clone, and delete objects.
Custom roles can be created by:
An SP administrator, OpCo administrator, or a tenant administrator.
A service provider user with the Create Role privilege. This user can create custom roles for service provider, tenant, and OpCo users.
A tenant user with the Create Role privilege. This user can create custom roles for tenant users.
An OpCo user with the Create Role privilege. This user can create custom roles for both OpCo and tenant users.
You can create custom roles and assign access privileges to each role by using the Roles page (Administration > Roles).
You can assign one or more roles to a user when you create or edit a user account. Each role can have one or more access privileges.
A role scope defines the capabilities of the user under a scope (service provider, OpCo, and tenant).
A service provider administrator can assign service provider, OpCo, and tenant roles to service provider, OpCo, and tenant users.
An OpCo administrator can assign OpCo and tenant roles to OpCo users and tenant roles to tenant users.
A tenant administrator can assign tenant roles only to tenant users.
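The assignment rules above can be checked mechanically when reviewing who granted which role. The following added example (not part of CSO or its documentation) audits constructed assignment records against those rules; the record fields, user names, and role names are hypothetical, and the service provider row reads the sentence literally as allowing any listed role scope for any listed user scope.

```python
from dataclasses import dataclass

SP, OPCO, TENANT = "service provider", "OpCo", "tenant"

# Administrator scope -> {target user scope: role scopes that may be assigned}.
# Assumption: the SP row takes the page's sentence literally (any listed role
# scope to any listed user scope). The OpCo and tenant rows follow the text.
ASSIGNABLE = {
    SP: {s: {SP, OPCO, TENANT} for s in (SP, OPCO, TENANT)},
    OPCO: {OPCO: {OPCO, TENANT}, TENANT: {TENANT}},
    TENANT: {TENANT: {TENANT}},
}

@dataclass(frozen=True)
class Assignment:  # hypothetical record shape, not a CSO export format
    admin: str
    admin_scope: str
    user: str
    user_scope: str
    role: str
    role_scope: str

def violation(a):
    """Return a reason string if the assignment breaks the scope rules, else None."""
    per_user = ASSIGNABLE.get(a.admin_scope)
    if per_user is None:
        return f"unknown administrator scope {a.admin_scope!r}"
    allowed = per_user.get(a.user_scope)
    if allowed is None:
        return f"{a.admin_scope} administrator may not assign roles to {a.user_scope} users"
    if a.role_scope not in allowed:
        return (f"{a.role_scope}-scope role may not be given to a "
                f"{a.user_scope} user by a {a.admin_scope} administrator")
    return None

def audit(assignments):
    """List (assignment, reason) pairs for every record that violates the rules."""
    return [(a, r) for a in assignments if (r := violation(a)) is not None]

# Constructed sample records (names and roles are made up for illustration).
SAMPLE = [
    Assignment("sp-admin", SP, "alice", TENANT, "example-tenant-role", TENANT),
    Assignment("opco-admin", OPCO, "bob", OPCO, "example-tenant-role", TENANT),
    Assignment("opco-admin", OPCO, "carol", TENANT, "example-opco-role", OPCO),
    Assignment("tenant-admin", TENANT, "dave", OPCO, "example-tenant-role", TENANT),
    Assignment("opco-admin", OPCO, "erin", SP, "example-sp-role", SP),
]

if __name__ == "__main__":
    for a, reason in audit(SAMPLE):
        print(f"{a.admin} -> {a.user} ({a.role}): {reason}")
```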
A role can have the following scopes:
Service provider—Represents a provider that offers services to other service providers and customers. A service provider could be a global service provider that provides services to its operating companies in different geographical locations. The operating companies act as service providers and provide services to their tenants. An SP administrator with access privileges can view and access resources across operating companies.
Tenant—Represents a customer that can view, configure, and manage tenant sites through Customer Portal.
Operating company—An operating company (OpCo) is a service provider that manages its tenants and provides services to them. Tenants managed by one OpCo are isolated from tenants of another OpCo. An OpCo can manage all activities related to its own tenants. For more information, see Operating Companies Overview.
The following access privileges and actions can be assigned to a user role to access objects (Dashboard, Device Templates, Tenants, and so on) in CSO. For example, a user can be given only the read, create, and update privileges on device objects and only the delete privilege on security alerts objects.
Other actions (for example, for the device templates object, other actions such as cloning and editing the device template are supported).
Relationship Between Users, Roles, and Access Privileges
Figure 1 shows the relationship between users, user roles, and access privileges. A user can have one or more roles and each role can have one or more access privileges.
Benefits of Roles in CSO
Provide a well-defined separation of responsibility and visibility.
Provide granular-level access control on CSO objects within each navigation menu. Roles enable you to control which system users can access CSO objects based on certain business and operational needs.