Managing Dashboard Administrators and Permissions (Modernized View)
Overview
This document explains the updated Dashboard administrators page. It covers the permission levels within the dashboard and how to manage administrative users. These users can log in to the dashboard and administer Cisco Meraki networks and devices. For managing users who access a client VPN or wireless network, refer to the article on Managing User Accounts using Meraki Authentication.
Managing Administrators
The new Administrators table simplifies managing Dashboard administrators and their access. It offers tools to view, filter, and act on admin accounts.
Searching and Filtering Administrators
The administrators table allows you to easily search and filter admins by key attributes, such as status, scope, role, and last activity. You can also sort columns to organize information effectively and customize or rearrange columns to fit your specific needs.
Bulk Administrator Actions
To efficiently manage multiple administrators, you can select one or more admins from the table and perform the following bulk actions:
- Remove Admin: Click the "Remove Admin" button to remove selected administrators from the organization or network.
- Force Logout: Click the "Force Logout" button to log administrators out of their active Dashboard sessions.
- Unlock Admins: Click the "Unlock" button to unlock administrators currently locked out of their Dashboard accounts.
Administrator Profile
The Administrator Profile provides a comprehensive view of an administrator's account details and settings. This includes their role and scope assignments, API key status, two-factor authentication (2FA) status, and authentication method.
Administrators with Full Access roles can also perform management actions on other admins directly from the Administrator Profile, such as modifying role and scope assignments, unlocking the account, forcing a logout, or removing the administrator.
This feature simplifies the management of access control. For instance, if a network administrator's account is locked due to multiple failed login attempts, a Full Access admin can quickly unlock the account and review security settings, such as 2FA status and API key usage, directly from the Admin Profile. This ensures minimal disruption to critical network operations.
Adding a New Administrator
To add a new admin, click on the “+ Add admin” button on the Administrators page.
Enter Admin Information
Enter the first name, last name, and email address of the administrator. You can add multiple administrators by clicking on the “Add admin” button. Permissions in the “Assign role and scope” step will be applied to all admins that are added in this step.
Assign Role and Scope
Assign a role to the administrator based on the access you want them to have on Dashboard. All roles are listed in the roles section of this document.
Assign a scope to the administrator. If you choose an organization-level role, the organization is preselected as your scope. For a network-level role, you can select the required networks to apply the role.
Roles
View all available roles for your organization or network in the "Roles" tab.
Full Access
- (Organization scope): Highest level of access. This gives full administrative access to all networks and organization settings.
- (Network scope): Network level access gives full administrative access to selected networks.
Observer
- (Organization scope): Read-only administrative access to the organization without the ability to make any changes.
- (Network scope): Access to most aspects of a network, including Configure sections without the ability to make any changes.
End Customer
- (Organization scope): End customer (formerly Enterprise Admin) can control aspects of their specific organization without access to Firmware Upgrades, Licensing, SP Branding, SP Admin Users and other service provider-focused features.
SM Device Manager
- (Network scope): The Systems Manager role is limited by the devices it can manage and the features accessible within its Systems Manager network.
SSID Manager
- (Network scope): SSID managers can modify SSID settings and view client analytics.
Switch Port Manager
- (Network scope): Read-only access to the network combined with access to configuration changes on selected switch ports.
Client Monitor
- (Network scope): Monitors and analyzes network client activity and location data to optimize connectivity, troubleshoot issues, and enhance client experience.
Camera Footage & Sensor
- (Network scope): Camera and sensor access includes four different camera footage access levels and three different sensor information access levels.
Limited Access Roles Assignment
SSID Manager
SSID managers can modify SSID settings and view client analytics. This role can only be assigned in Wireless-only networks.
Note: This feature is only available to Service Providers and must be enabled by Meraki Support.
- Choose the networks to grant access in the scope selection. This role is specifically applicable to wireless networks only.
- After selecting the networks and clicking on next, you will see the SSIDs that administrators will have write access to. To change the enabled/disabled state of these SSIDs, visit the Wireless > SSIDs page on the individual networks.
- Review the changes and confirm.
Switch Port Manager
Access can be assigned at the switch port level to allow for lower-tier technicians or external contractors to make basic changes to the network, such as cycling a port. This is done by tagging individual switch ports and assigning a Switch port manager role to an administrator in combination with those tags as a scope.
Adding port tags
- Navigate to Switching > Monitor > Switch Ports.
- Click the checkbox next to any switch ports that should be tagged.
- Click Tag.
- In the Add box, select an existing tag. Or, create a new tag by entering the name and clicking Add option.
  Note: Tags should not have spaces.
- Once the desired tags appear in the box as bubbles, click Add.
- The selected ports will now be tagged as desired.
Note: The "Tags" column can be added to the table using the + button on the right side of the header column.
Assigning Switch port manager role
1. Click on the “Switch port manager” radio button under “Network”. Select “Allow packet capture” if applicable.
2. In the scope selector, select the networks that administrators can access. Combined and switching-only networks will be available for selection.
3. In the scope component selector, select specific port tags that administrators can access.
4. Review the changes and confirm.
Camera Footage & Sensor
1. Click on the “Camera footage and sensor” radio button under “Network”. The card will automatically open, allowing you to select levels of access you wish to grant to camera footage and sensors.
2. In the scope selector, select the networks that administrators have access to. Only combined and camera-only networks will be available for selection.
3. In the scope component selector, select whether you want to grant access to all cameras in the selected network(s), individual cameras or cameras by tag.
4. As preferred, select individual cameras or cameras by tag in the next step.
5. Review the changes and confirm.
SM Device Manager
The SM Device manager role is restricted by both the scope of devices it can manage and the features it can access within its Systems Manager network.
Client monitor
The Client monitor role is restricted to viewing a subset of the Monitor section in the Dashboard, with no ability to make changes. These admins can access summary reports but are not permitted to schedule report emails directly from the dashboard.
With the Guest Ambassador add-on feature, Client monitor admins are only able to see the list of Meraki authentication users, add users, update existing users, and authorize/deauthorize users on an SSID or client VPN. Ambassadors can also remove wireless users if they are an ambassador on all networks. The existence of network templates anywhere in a dashboard organization prevents guest ambassadors from deleting wireless users.
1. Click on the “Client monitor” radio button under “Network”. The card will automatically open, allowing you to select the “Guest ambassador” add-on feature if applicable.
2. In the scope selector, select the networks they should have access to.
3. Review the changes and confirm.
Admin Management Best Practices
By policy, Cisco Meraki’s support team does not make dashboard configuration changes on behalf of the customer. Dashboard administrators must make their own configuration and account changes on the Meraki dashboard. Just as Cisco Meraki will not make any configuration changes, they cannot make any adjustments to organization or network permissions; all changes to the dashboard administration must be made by an existing org admin on that dashboard account. Please refer to section 5.2 of our End Customer Agreement for details.
You (not Cisco) are solely responsible for maintaining administrative control over Your Dashboard account.
This policy is designed to protect the owners of the network from malicious intent. As such, it is strongly recommended to follow these best practices when determining org administration to ensure the security of your dashboard network:
- Dashboard organizations should always have at least two Full access admins on the organization level.
  - This is best practice in case one account is locked out or if access to that account's email address is lost
- Be cautious in selecting an appropriate Full access admin for your organization, as the Full access (organization level) role has the highest level of control in the dashboard organization
  - The active owner of the Cisco Meraki hardware and licenses should be Full access admins in the organization.
- Ensure that the username/email address of the Full access admin is associated with a domain under your control
  - Helps when separating relationships with previous org admins for account recovery purposes
  - Allows control of the email alias of the org admin
- Use two-factor authentication and store backup authentication keys in a safe place
  - For example, DUO Mobile can be used as a two-factor auth solution with the dashboard
- Consultants should be granted limited access as needed
  - Most likely, for technical configuration changes, offering temporary access as a network admin is the best option
  - If the consultant requires higher level admin permissions, be sure to revoke all permissions once the necessary changes have been implemented; ideally, the hardware/license owner should be the only org admin
- If the current Full access organization-level admin is leaving the company, it is strongly recommended to revoke and/or reassign their account permissions early in the off-boarding process
- Treat an organization Full access administrator like a domain admin for Active Directory or the primary contact for domain name registration; only the person in this role has the ability to promote other users to this role
Access Precedence
Access in the dashboard is additive, and a user will be granted rights on a page based on their highest level of applicable assigned permissions. Thus, an admin with read-only rights at the organization level (Observer role), but a Full Access role in a particular network will effectively have full access to that network: they will be able to make and save changes to that network.
This is similarly applied with tags. If a user has read-only and full access to a network based on different tags, the user will be given full access.
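The precedence rule above and the two-Full-access-admin recommendation, worked through as an added example (not Cisco Meraki code): it resolves each admin's effective access and lists Observers who still hold write access somewhere. The record layout, access strings, network names and email addresses are constructed for illustration and are not the Dashboard API schema.

```python
# Constructed sample data; field names and values are assumptions for this example.
RANK = {"none": 0, "read-only": 1, "full": 2}

NETWORKS = [
    {"id": "N_hq", "tags": {"core"}},
    {"id": "N_lab", "tags": {"branch", "lab"}},
    {"id": "N_store", "tags": {"branch"}},
]
ADMINS = [
    {"email": "owner@example.com", "org": "full"},
    {"email": "auditor@example.com", "org": "read-only", "networks": {"N_hq": "full"}},
    {"email": "tech@example.com", "org": "none",
     "tags": {"branch": "read-only", "lab": "full"}},
]

def effective_access(admin, network):
    """Access is additive: the highest applicable grant wins."""
    grants = [admin.get("org", "none")]
    grants.append(admin.get("networks", {}).get(network["id"], "none"))
    for tag, level in admin.get("tags", {}).items():
        if tag in network["tags"]:  # tag-scoped grant applies to this network
            grants.append(level)
    return max(grants, key=RANK.__getitem__)

def observers_with_write(admins, networks):
    """(email, network id) pairs where an org-level Observer can still save changes."""
    return [
        (a["email"], n["id"])
        for a in admins if a.get("org") == "read-only"
        for n in networks if effective_access(a, n) == "full"
    ]

def has_two_org_full_admins(admins):
    """Best-practice check: at least two organization-level Full access admins."""
    return sum(1 for a in admins if a.get("org") == "full") >= 2

if __name__ == "__main__":
    for a in ADMINS:
        row = {n["id"]: effective_access(a, n) for n in NETWORKS}
        print(a["email"], row)
    print("Observers with write access:", observers_with_write(ADMINS, NETWORKS))
    print("Two org Full access admins:", has_two_org_full_admins(ADMINS))
```

An admin record exported from your own organization can be mapped into this layout to review where network-level or tag-based grants exceed the organization-level role.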