This page provides information and instructions for creating and managing custom roles for Cisco Cloud Observability.

A role is a collection of permissions defining actions a user can perform within the Cisco Observability Platform environment, including tenants, applications such as Cisco Cloud Observability, and your subscribed Cisco Observability Platform modules.

Custom roles are a way to fine-tune user and Service Principal permissions in the FSO Platform environment. They can be used to give users access to specific features or applications or to restrict users from performing certain actions. Custom roles can also be used to control the level of access that users or Service Principals have to data.

Why Are Custom Roles Needed?

We bundle permissions into default roles that cannot be redefined. While these default roles meet the needs of some customers, custom roles provide the following:

  • more control and fine-tuning of user permissions
  • roles based on existing permissions in a tenant to control user access, functionality, or both
  • the ability to assign a special set of permissions to Service Principals and users to make REST API calls

Examples of Custom Role Uses

Let's look at how custom roles could be used for a Cisco Cloud Observability user:

  • Access Specific Features: The user might only have access to certain dashboards or features.
  • Restrict Actions: The user may be able to access a dashboard, but not be able to edit it.
  • Control Data Access: The user might only be able to view a limited data set in a dashboard.
  • Give Set of Specific Permissions: The user may only have permission to view data (read-only).
  • Assign Permissions to Make REST API Calls: The user may need to use a different Service Principal to make calls to different REST APIs.

Overview of Custom Roles

The following table covers the users who can create roles and their permitted operations, and the requirements and methods to create custom roles.

Company Administrator

Requirements to create custom roles:
  • Role name meeting naming requirements
  • Permissions selected for a role

Methods to create custom roles:
  • Create a new role and specify permissions for that role
  • Copy a default role and add or remove permissions to customize the role
  • Create a custom role through the Access Management API

Permitted operations:

Company administrators can do the following on any Observability Platform tenant:

  • Assign a user to that role
  • Remove a user from that role
  • Assign a service principal to that role
  • Remove a service principal from that role

Tenant Administrator

Tenant Administrators can do the following on one tenant:

  • Assign a user to that role
  • Remove a user from that role
  • Assign a service principal to that role
  • Remove a service principal from that role

User or Service Principal with Custom Role with Required Permissions

The user or Service Principal with the permissions to create roles can do the following:

  • Fetch custom roles
  • Create new roles
  • Update roles
  • Delete roles

See the Access Management API.

Default Tenant Roles

These predefined roles allow administrators to define a user's actions in the Observability Platform tenant. They are specific to an Observability Platform tenant, come with a default set of permissions, and are not editable.

Cisco Observability Platform modules can also create roles through Solution Principals. Thus, if you subscribe to modules for Cloud Native Application Observability, you may see other roles in the Account Management Portal.

Role: Agent
Supported assignees:
  • User
  • Service Principal
  • Agent Principal

Role: Config Manager
Permissions:
  • Inherits Troubleshooter Tenant role permissions.
  • Has full access to configure alerting, data sources, and other integrations.
  • Cannot perform administrator functions such as adding users to a tenant, modifying another user's access, or creating new service principals.
Supported assignees:
  • User
  • Service Principal

Role: Observer (Default)

Only has read-only access, but may not necessarily have access to read privileged information such as access configurations.

Users default to this role if you do not select a specific role for them.

Permissions:
  • Has read-only access to metrics, events, logs, and traces (MELT) data.
  • Cannot view configuration details.
Supported assignees:
  • User
  • Service Principal

Role: Tenant Administrator

A Tenant Administrator can access everything on a tenant except a public API that is not mapped to a permission.

Supported assignees:
  • User

Role: Troubleshooter
Permissions:
  • Inherits Read Only Tenant role permissions.
  • Can manage health rules.
  • Can respond to system alerts.
  • Can troubleshoot issues.
Supported assignees:
  • User
  • Service Principal

Manage Custom Roles

From the Account Management Portal, the Account Owner or Tenant Administrator can create custom roles from scratch, copy a default role and change its permissions, edit existing custom roles, or delete custom roles.

FSO modules can add new roles to an Observability Platform tenant. Administrators can assign these roles to users or Service Principals. Permissions for Cisco Observability Platform modules are not automatically turned on for custom roles.

  1. Navigate to Access Management > Observability Platform tenant Roles.
  2. Select Custom Roles.
  3. Click .
  4. From (1) Enter Role Details, enter the role name and description for the new custom role.
  5. Click Next.
  6. (Optional) From (2) Clone Existing Role, select one or more default roles you want to use as the base permissions for the new custom role.
  7. Click Next.
  8. From (3) Fine-Tune Permissions, add permissions or remove permissions from a cloned role. 
  9. Click Save & Close. The process of creating the new custom role may take a few minutes.
  10. Click Finish.

  1. Navigate to Access Management > Observability Platform tenant Roles.
  2. Select Custom Roles.
  3. Click .
  4. From (1) Enter Role Details, enter the role name and description for the new custom role.
  5. Click Next.
  6. (Optional) From (2) Clone Existing Role, select one or more default roles that you want to use as the base permissions for the new custom role.
  7. Click Next.
  8. From (3) Fine-Tune Permissions, add new permissions or remove existing permissions that were added when cloning a role. 
  9. Click Save and Next to assign users.
  10. From (4) Assign Users, select one or more users to the custom role.
  11. Click Save & Next.

  1. Navigate to Access Management > Service Principals.
  2. Click one of the existing Service Principals.
    This will open the sliding panel with the information about the Service Principal.
  3. Click Assign Role Access.
  4. Click Custom Roles.
  5. Select the custom role that you created.
  6. From the Assign Roles dialog, click Save.
  7. Click Save.
  8. Click ← Back to close the sliding panel.

  1. Navigate to Access Management > Service Principals.
  2. From Service Principals, click .
  3. Enter a name and description for the new Service Principal.
  4. Select the authentication type.
  5. Click Assign Role Access.
  6. Click Custom Roles.
  7. Select the custom role that you created.
  8. Click Save.
  9. Click Create.
  10. From the Rotate Secret dialog, click Download.
  11. Save the credentials for the Service Principal. 

    If you lose the credentials, you will need to create a new Service Principal.

  1. Navigate to Access Management > Observability Platform tenant Roles.
  2. Select Custom Roles.
  3. From Custom Roles, you can view the custom roles as well as the users and Service Principals assigned to each custom role.

  1. Navigate to Access Management > Observability Platform tenant Roles.
  2. Click Custom Roles.
  3. Select the custom role you want to edit.
  4. Click .
  5. From Custom Role Details, make changes to the name and description.
  6. From PERMISSIONS, add new or remove existing permissions.
  7. From USERS, click + Assign users to assign the custom role to new users.
    1. From the Assign or remove users dialog, add or remove users.
    2. Click Save.
  8. From SERVICE PRINCIPALS, click to add or remove existing Service Principals.
    1. From the Assign or remove service principals dialog, add or remove Service Principals.
    2. Click Save.
  9. Click Save.
  10. Click ← Back to close the sliding panel.
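
The clone-and-fine-tune steps above, modeled as an added example for reviewing a custom role before it is assigned (this is not Cisco code and does not call the Access Management API). The permission strings are hypothetical, since this page lists no permission identifiers, and the "Read Only" role that Troubleshooter inherits is assumed to be Observer.

```python
# Hypothetical permission identifiers: the page describes what each default
# role can do but lists no permission names, so these strings are constructed.
DEFAULT_ROLES = {
    "Observer": (None, {"melt:read"}),
    "Troubleshooter": ("Observer",  # assumed to be the "Read Only" role it inherits
                       {"healthrule:manage", "alert:respond", "issue:troubleshoot"}),
    "Config Manager": ("Troubleshooter",
                       {"alerting:configure", "datasource:configure",
                        "integration:configure"}),
}
# Constructed names for the four role operations the page lists
# (fetch, create, update, delete).
ROLE_ADMIN = {"role:fetch", "role:create", "role:update", "role:delete"}


def effective(role):
    """Permissions of a default role, following its inheritance chain."""
    perms = set()
    while role is not None:
        parent, grants = DEFAULT_ROLES[role]
        perms |= grants
        role = parent
    return perms


def build_custom_role(clone_from, add=(), remove=()):
    """Clone one or more default roles, then fine-tune (add/remove)."""
    base = set().union(*(effective(r) for r in clone_from))
    return (base | set(add)) - set(remove)


def review(name, perms, clone_from):
    """Findings to check before assigning the role to a user or Service Principal."""
    base = set().union(*(effective(r) for r in clone_from))
    findings = []
    extra = sorted(perms - base)
    if extra:
        findings.append(f"{name}: grants beyond cloned roles: {', '.join(extra)}")
    admin = sorted(perms & ROLE_ADMIN)
    if admin:
        findings.append(f"{name}: can manage roles: {', '.join(admin)}")
    return findings


if __name__ == "__main__":
    reader = build_custom_role(["Troubleshooter"],
                               remove={"healthrule:manage", "alert:respond"})
    automation = build_custom_role(["Observer"], add={"role:create", "role:update"})
    print(sorted(reader), review("api-reader", reader, ["Troubleshooter"]))
    print(review("automation", automation, ["Observer"]))
```

A role that only removes permissions from its cloned base produces no findings; one that gains role-management permissions is flagged, because a principal holding them can change what roles grant.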