Cisco Meraki Documentation

Managing Dashboard Administrators and Permissions (Modernized View)

Overview

This document covers the updated Dashboard administrators page: the different permission levels within the dashboard and how to manage administrative users. These are the users who have access to log in to the dashboard and view/administer Cisco Meraki networks/devices. For information on how to manage users with access to join a client VPN or wireless network, please review the article on Managing User Accounts using Meraki Authentication.

Managing Administrators

The new Administrators table streamlines the management of Dashboard administrators and their access by providing advanced tools for viewing, filtering, and taking action on admin accounts.

Searching and Filtering Administrators 

The administrators table allows you to easily search and filter admins by key attributes, such as status, scope, role, and last activity. You can also sort columns to organize information effectively and customize or rearrange columns to fit your specific needs.

Bulk Administrator Actions

To efficiently manage multiple administrators, you can select one or more admins from the table and perform the following bulk actions:

  • Remove Admin: Click the "Remove Admin" button to remove selected administrators from the organization or network.

  • Force Logout: Use the "Force Logout" button to log administrators out of their active Dashboard sessions.

  • Unlock Admins: Click the "Unlock" button to unlock administrators currently locked out of their Dashboard accounts.

Administrator profile

Administrator Profile provides a comprehensive view of an administrator's account details and settings. This includes their role and scope assignments, API key status, two-factor authentication (2FA) status, and authentication method. 
Administrators with Full Access roles can also perform management actions on other admins directly from the Administrator Profile, such as modifying role and scope assignments, unlocking the account, forcing a logout, or removing the administrator.

This feature simplifies the management of access control. For instance, if a network administrator's account is locked due to multiple failed login attempts, a Full Access admin can quickly unlock the account and review security settings, such as 2FA status and API key usage, directly from the Admin Profile. This ensures minimal disruption to critical network operations.
 

Adding a New Administrator

To add a new admin, click on the “+ Add admin” button on the Administrators page. 

Enter Admin Information

Enter the first name, last name, and email address of the administrator. You can add multiple administrators by clicking on the “Add admin” button. Permissions in the “Assign role and scope” step will be applied to all admins that are added in this step.

Assign Role and Scope

Assign the administrator a role (all roles can be found in the roles section in this document) according to what you want that administrator to have access to on Dashboard.

Assign the administrator a scope - if you selected an organization level role, you will have that organization preselected as your scope; if you selected a network level role, you will have the ability to select which networks to apply that role to.

Review

Review the final changes and save.

 

Roles

You can view all of the roles available to use in your organization or network in the “Roles” tab. 

 

Full Access 
  • (Organization scope): Highest level of access. This gives full administrative access to all networks and organization settings.

  • (Network scope): Network level access gives full administrative access to selected networks.

Observer
  • (Organization scope): Read-only administrative access to the organization without the ability to make any changes. 

  • (Network scope): Access to most aspects of a network, including Configure sections without the ability to make any changes. 

End Customer 
  • (Organization scope): End customer (formerly Enterprise Admin) can control aspects of their specific organization without access to Firmware Upgrades, Licensing, SP Branding, SP Admin Users and other service provider-focused features.

SM Device Manager
  • (Network scope): Systems Manager role is restricted by both the scope of devices they can manage and features they can access within their Systems Manager network. 

SSID Manager 
  • (Network scope): SSID managers can modify SSID settings and view client analytics. 

Switch Port Manager
  • (Network scope): Read-only access to the network combined with access to configuration changes on selected switch ports. 

Client Monitor
  • (Network scope): Monitors and analyzes network client activity and location data to optimize connectivity, troubleshoot issues, and enhance client experience.

Camera Footage & Sensor
  • (Network scope): Camera and sensor access includes four different camera footage access levels and three different sensor information access levels.

 

Limited Access Roles Assignment

SSID Manager

SSID manager can modify SSID settings and view client analytics. This role can only be assigned in Wireless-only networks.

  1. Click on the “SSID manager” radio button under “Network”.

  2. In the scope selection, select the networks they should have access to. This role is applicable to Wireless-only networks.

  3. After selecting the networks and clicking on next, you will see the SSIDs that administrators will have write access to. To change the enabled/disabled state of these SSIDs, visit the Wireless>SSIDs page on the individual networks.

  4. Review the changes and confirm.

Switch Port Manager

Access can be assigned at the switch port level to allow for lower-tier technicians or external contractors to make basic changes to the network, such as cycling a port. This is done by tagging individual switch ports and assigning a Switch port manager role to an administrator in combination with those tags as a scope.

Adding port tags
  1. Navigate to Switching > Monitor > Switch Ports.

  2. Click the checkbox next to any switch ports that should be tagged.

  3. Click Tag.

  4. In the Add box, select an existing tag, or create a new tag by entering the name and clicking Add option.
    Note: Tags cannot contain spaces.

  5. Once any desired tags appear in the box as bubbles, click Add.

  6. The selected ports will now be tagged as desired.
    Note: The "Tags" column may need to be added to the table using the + button on the right side of the header column.

 

Assigning Switch port manager role

  1. Click on the “Switch port manager” radio button under “Network”. Select “Allow packet capture” if applicable.

  2. In the scope selector, select the networks they should have access to. Only combined and switching-only networks will be available for selection.

  3. In the scope component selector, select specific port tags they should have access to.

  4. Review the changes and confirm.

Camera Footage & Sensor

  1. Click on the “Camera footage and sensor” radio button under “Network”. The card will automatically open, allowing you to select levels of access you wish to grant to camera footage and sensors.

  2. In the scope selector, select the networks they should have access to. Only combined and camera-only networks will be available for selection.

  3. In the scope component selector, select whether you want to grant access to all cameras in the selected network(s), individual cameras or cameras by tag.

  4. If preferred, select individual cameras or cameras by tag in the next step.

  5. Review the changes and confirm.

 

SM Device Manager

SM Device manager role is restricted by both the scope of devices they can manage and features they can access within their Systems Manager network.

  1. Click on the “SM device manager” radio button under “Network”.

  2. In the scope selector, select the networks they should have access to.

  3. After selecting the networks and clicking on next, select the device tags they should be able to manage.

  4. Review the changes and confirm.

Client monitor

The Client monitor role is restricted to viewing a subset of the Monitor section in the Dashboard, with no ability to make changes. These admins can access summary reports but are not permitted to schedule report emails directly from the dashboard.

With the Guest Ambassador add-on feature, Client monitor admins are only able to see the list of Meraki authentication users, add users, update existing users, and authorize/deauthorize users on an SSID or client VPN. Ambassadors can also remove wireless users if they are an ambassador on all networks. The existence of network templates anywhere in a dashboard organization prevents guest ambassadors from deleting wireless users.

  1. Click on the “Client monitor” radio button under “Network”. The card will automatically open, allowing you to select the “Guest ambassador” add-on feature if applicable.

  2. In the scope selector, select the networks they should have access to.

  3. Review the changes and confirm.

 

Admin Management Best Practices

By policy, Cisco Meraki’s support team does not make dashboard configuration changes on behalf of the customer. Dashboard administrators must make their own configuration and account changes on the Meraki dashboard. Just as Cisco Meraki will not make any configuration changes, it cannot make any adjustments to organization or network permissions; all changes to the dashboard administration must be made by an existing org admin on that dashboard account. Please refer to section 5.2 of our End Customer Agreement for details.

You (not Cisco) are solely responsible for maintaining administrative control over Your Dashboard account.

This policy is designed to protect the owners of the network from malicious intent. As such, it is strongly recommended to follow these best practices when determining org administration to ensure the security of your dashboard network:

  • Dashboard organizations should always have at least two Full access admins on the organization level.

    • This is best practice in case one account is locked out or if access to that account's email address is lost

  • Be cautious in selecting an appropriate Full access admin for your organization, as the Full access (organization level) role has the highest level of control in the dashboard organization

    • The active owner of the Cisco Meraki hardware and licenses should be a Full access admin in the organization.

  • Ensure that the username/email address of the Full access admin is associated with a domain under your control

    • Helps when separating relationships with previous org admins for account recovery purposes

    • Allows control of the email alias of the org admin

  • Use two-factor authentication and store backup authentication keys in a safe place

    • For example, DUO Mobile can be used as a two-factor auth solution with the dashboard

  • Consultants should be granted limited access as needed

    • Most likely, for technical configuration changes, offering temporary access as a network admin is the best option

    • If the consultant requires higher level admin permissions, be sure to revoke all permissions once the necessary changes have been implemented; ideally, the hardware/license owner should be the only org admin

  • If the current Full access organization-level admin is leaving the company, it is strongly recommended to revoke and/or reassign their account permissions early in the off-boarding process

  • Treat an organization Full access administrator like a domain admin for Active Directory or the primary contact for domain name registration; only the person in this role has the ability to promote other users to this role
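
The checkable items in the list above (at least two organization-level Full access admins, Full access email addresses on a domain you control, two-factor authentication enabled) can be verified against an administrator list. The following is an added example, not Cisco Meraki code; the record fields (email, role, scope, two_factor), the OWNED_DOMAINS value and the sample records are constructed assumptions.

```python
# Added example, not Meraki code. The record fields (email, role, scope,
# two_factor) and OWNED_DOMAINS are constructed for illustration.
OWNED_DOMAINS = {"example.com"}  # assumption: domains your organization controls


def audit_admins(admins, owned_domains=OWNED_DOMAINS):
    """Return (subject, finding) pairs for the checkable best practices."""
    findings = []
    org_full = [a for a in admins
                if a["role"] == "full" and a["scope"] == "organization"]

    # At least two organization-level Full access admins, so a lockout or a
    # lost mailbox on one account does not strand the organization.
    if len(org_full) < 2:
        findings.append(("organization",
                         f"{len(org_full)} organization-level Full access admin(s); need at least 2"))

    # Full access admins should use an email domain under your control.
    for a in org_full:
        domain = a["email"].rpartition("@")[2].lower()
        if domain not in owned_domains:
            findings.append((a["email"],
                             f"Full access admin on uncontrolled domain {domain}"))

    # Two-factor authentication for every admin; a missing field counts as off.
    for a in admins:
        if not a.get("two_factor", False):
            findings.append((a["email"], "two-factor authentication not enabled"))
    return findings


# Constructed sample records
SAMPLE = [
    {"email": "owner@example.com", "role": "full",
     "scope": "organization", "two_factor": True},
    {"email": "consultant@partner.example", "role": "full",
     "scope": "organization", "two_factor": False},
    {"email": "tech@example.com", "role": "switch-port-manager",
     "scope": "network", "two_factor": True},
]

if __name__ == "__main__":
    for subject, finding in audit_admins(SAMPLE):
        print(f"{subject}: {finding}")
```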

 

Access Precedence

Access in the dashboard is additive, and a user will be granted rights on a page based on their highest level of applicable assigned permissions. Thus, an admin with read-only rights at the organization level (Observer role), but a Full Access role in a particular network will effectively have full access to that network: they will be able to make and save changes to that network.

This is similarly applied with tags. If a user has read-only and full access to a network based on different tags, the user will be given full access.
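
The additive rule described above can be used to find admins whose effective access on a network is higher than their organization-level role suggests. The following is an added example, not Cisco Meraki code; the record layout (org_role, network_roles, tag_roles), the rank values and the sample data are constructed assumptions, and only the two roles this section compares are ranked.

```python
# Added example: effective Dashboard access under the additive rule.
# The record layout and rank values are constructed for illustration,
# not a Meraki export format.
RANK = {"none": 0, "observer": 1, "full": 2}


def effective_access(admin, network_id, network_tags):
    """Return the highest-ranked role that applies to one network."""
    candidates = [admin.get("org_role", "none")]
    candidates.append(admin.get("network_roles", {}).get(network_id, "none"))
    # A tag-based role applies when the network carries that tag.
    for tag, role in admin.get("tag_roles", {}).items():
        if tag in network_tags:
            candidates.append(role)
    # An unranked role name raises KeyError rather than being guessed at.
    return max(candidates, key=RANK.__getitem__)


def escalations(admin, networks):
    """Networks where the effective role exceeds the org-level role."""
    org = admin.get("org_role", "none")
    found = {}
    for net_id, tags in networks.items():
        eff = effective_access(admin, net_id, tags)
        if RANK[eff] > RANK[org]:
            found[net_id] = eff
    return found


# Constructed sample data: network id -> set of network tags
NETWORKS = {"N_hq": {"campus"}, "N_branch": {"retail", "emea"}, "N_lab": set()}
ADMIN = {
    "email": "auditor@example.com",
    "org_role": "observer",                               # read-only org-wide
    "network_roles": {"N_hq": "full"},                    # direct network role
    "tag_roles": {"retail": "observer", "emea": "full"},  # roles granted by tag
}

if __name__ == "__main__":
    for net, role in escalations(ADMIN, NETWORKS).items():
        print(f"{ADMIN['email']}: {role} on {net}, org role {ADMIN['org_role']}")
```

In the sample, the Observer keeps read-only access on N_lab but resolves to full access on N_hq (direct assignment) and on N_branch (the emea tag outranks the retail tag).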