Skip to main content

 

Cisco Meraki Documentation

Managing Dashboard Administrators and Permissions (Modernized View)

Overview

This document explains the updated Dashboard administrators page. It covers the permission levels within the dashboard and how to manage administrative users. These users can log in to the dashboard and administer Cisco Meraki networks and devices. For managing users who access a client VPN or wireless network, refer to the article on Managing User Accounts using Meraki Authentication.

Screenshot showing Dashboard administrator page overview

Managing Administrators

The new Administrators table simplifies managing Dashboard administrators and their access. It offers tools to view, filter, and act on admin accounts.

Searching and Filtering Administrators 

The administrators table allows you to easily search and filter admins by key attributes, such as status, scope, role, and last activity. You can also sort columns to organize information effectively and customize or rearrange columns to fit your specific needs.

Bulk Administrator Actions

To efficiently manage multiple administrators, you can select one or more admins from the table and perform the following bulk actions:

  • Remove Admin: Click the "Remove Admin" button to remove selected administrators from the organization or network.

  • Force Logout: Click the "Force Logout" button to log administrators out of their active Dashboard sessions.

  • Unlock Admins: Click the "Unlock" button to unlock administrators currently locked out of their Dashboard accounts.

    Screenshot showing bulk administrator actions

Administrator profile

Administrator Profile provides a comprehensive view of an administrator's account details and settings. This includes their role and scope assignments, API key status, two-factor authentication (2FA) status, and authentication method. 
Administrators with Full Access roles can also perform management actions on other admins directly from the Administrator Profile, such as modifying role and scope assignments, unlocking the account, forcing a logout, or removing the administrator.

This feature simplifies the management of access control. For instance, if a network administrator's account is locked due to multiple failed login attempts, a Full Access admin can quickly unlock the account and review security settings, such as 2FA status and API key usage, directly from the Admin Profile. This ensures minimal disruption to critical network operations.

Screenshot showing administrator profile view

Adding a New Administrator

To add a new admin, click on the “+ Add admin” button on the Administrators page. 

Enter Admin Information

Enter the first name, last name, and email address of the administrator. You can add multiple administrators by clicking on the “Add admin” button. Permissions in the “Assign role and scope” step will be applied to all admins that are added in this step.

Screenshot showing how to add admin information

 

Assign Role and Scope

Assign a role to the administrator based on the access you want them to have on Dashboard. All roles are listed in the roles section of this document.

Screenshot showing how to assign the administrator a role

Assign a scope to the administrator. If you choose an organization-level role, the organization is preselected as your scope. For a network-level role, you can select the required networks to apply the role.

Screenshot showing how to assign the administrator a scope

Review

Review the final changes and save.

Screenshot showing review of the final changes and saving.

Roles

View all available roles for your organization or network in the "Roles" tab.

Full Access 
  • (Organization scope): Highest level of access. This gives full administrative access to all networks and organization settings.

  • (Network scope): Network level access gives full administrative access to selected networks.

Observer
  • (Organization scope): Read-only administrative access to the organization without the ability to make any changes. 

  • (Network scope): Access to most aspects of a network, including Configure sections without the ability to make any changes. 

End Customer 
  • (Organization scope): End customer (formerly Enterprise Admin) can control aspects of their specific organization without access to Firmware Upgrades, Licensing, SP Branding, SP Admin Users and other service provider-focused features.

SM Device Manager
  • (Network scope): The Systems Manager role is limited by the devices it can manage and the features accessible within its Systems Manager network.

SSID Manager 
  • (Network scope): SSID managers can modify SSID settings and view client analytics. 

Switch Port Manager
  • (Network scope): Read-only access to the network combined with access to configuration changes on selected switch ports. 

Client Monitor
  • (Network scope): Monitors and analyzes network client activity and location data to optimize connectivity, troubleshoot issues, and enhance client experience.

Camera Footage & Sensor
  • (Network scope): Camera and sensor access includes four different camera footage access levels and three different sensor information access levels.

Limited Access Roles Assignment

SSID Manager

SSID manager can modify SSID settings and view client analytics. This role can only be assigned in Wireless-only networks.

Note: This feature is only available to Service Providers and must be enabled by Meraki Support.

  1. Click on the “SSID manager” radio button under “Network”.

    Screenshot showing the “SSID manager” radio button under “Network"

  2. Choose the networks to grant access in the scope selection. This role is specifically applicable to wireless networks only.

    Screenshot showing the scope selection for SSID access

  3. After selecting the networks and clicking on next, you will see the SSIDs that administrators will have write access to. To change the enabled/disabled state of these SSIDs, visit the Wireless>SSIDs page on the individual networks.

    Screenshot showing the SSIDs that administrators will have write access to

  4. Review the changes and confirm.

Switch Port Manager

Access can be assigned at the switch port level to allow for lower-tier technicians or external contractors to make basic changes to the network, such as cycling a port. This is done by tagging individual switch ports and assigning a Switch port manager role to an administrator in combination with those tags as a scope.

Adding port tags
  1. Navigate to Switching > Monitor > Switch Ports.
    The Switching > Monitor > Switch Ports navigation menu is shown in the dashboard
     

  2. Click the checkbox next to any switch ports that should be tagged.

    Select the desired switch ports

  3. Click Tag.
    Select tag

  4. In the Add box, select an existing tag.
    Add an existing tag

    Or, create a new tag by entering the name and clicking Add option.

Note: Tags should not have spaces.

  1. Create a new tag
     

  2. Once the desired tags appear in the box as bubbles, click Add.
    Add desired tag

  3. The selected ports will now be tagged as desired.

Note: The "Tags" column can be added to the table using the + button on the right side of the header column.

Tag all the selected ports

Assigning Switch port manager role

 1. Click on the “Switch port manager” radio button under “Network”. Select “Allow packet capture” is applicable.

     Screenshot showing switchport manager

 

2. In the scope selector, select the networks that administrators can access. Combined and switching-only networks will be available for selection.

    Screenshot showing scope selector, selecting network access

3. In the scope component selector, select specific port tags that administrators can access.

    In the scope component selector, select specific port tags for access

4. Review the changes and confirm.

Camera Footage & Sensor

  1. Click on the “Camera footage and sensor” radio button under “Network”. The card will automatically open, allowing you to select levels of access you wish to grant to camera footage and sensors. 

     Click on the “Camera footage and sensor” radio button

2. In the scope selector, select the networks that administrators have access. Only combined and camera-only networks will be available for selection.

    In the scope selector, select the camera networks for access

3. In the scope component selector, select whether you want to grant access to all cameras in the selected network(s), individual cameras or cameras by tag.

   Screenshot showing camera scope component selector

4. As preferred, select individual cameras or cameras by tag in the next step.

   select individual cameras or cameras by tag

5. Review the changes and confirm.

SM Device Manager

SM Device manager role is restricted by both the scope of devices they can manage and features they can access within their Systems Manager network.

  1. Click on the “SM device manager” radio button under “Network”.

    Screenshot showing SM device manager

  2. In the scope selector, select the networks that administrators can access.

    In the scope selector, select the networks for access.

  3. After selecting the networks and clicking next, select the device tags that administrators should manage.

     Select the device tags they should be able to manage.

  4. Review the changes and confirm.

Client monitor

The Client monitor role is restricted to viewing a subset of the Monitor section in the Dashboard, with no ability to make changes. These admins can access summary reports but are not permitted to schedule report emails directly from the dashboard.

With the Guest Ambassador add-on feature, Client monitor admins are only able to see the list of Meraki authentication users, add users, update existing users, and authorize/deauthorize users on an SSID or client VPN. Ambassadors can also remove wireless users if they are an ambassador on all networks. The existence of network templates anywhere in a dashboard organization prevents guest ambassadors from deleting wireless users.

  1. Click on the “Client monitor” radio button under “Network”. The card will automatically open, allowing you to select the “Guest ambassador” add-on feature if applicable.

    Click on the “Client monitor” radio button under “Network”.

2. In the scope selector, select the networks they should have access to. 

    In the scope selector, select the networks for access. 

3. Review the changes and confirm.

Admin Management Best Practices

By policy, Cisco Meraki’s support team does not make dashboard configuration changes on behalf of the customer. Dashboard administrators must make their own configuration and account changes on the Meraki dashboard. Just as Cisco Meraki will not make any configuration changes, they can not make any adjustments to organization or network permissions; all changes to the dashboard administration must be made by an existing org admin on that dashboard account. Please refer to section 5.2 of our End Customer Agreement for details.

You (not Cisco) are solely responsible for maintaining administrative control over Your Dashboard account.

This policy is designed to protect the owners of the network from malicious intent. As such, it is strongly recommended to follow these best practices when determining org administration to ensure the security of your dashboard network:

  • Dashboard organizations should always have at least two Full access admins on the organization level.

    • This is best practice in case one account is locked out or if access to that account's email address is lost

  • Be cautious in selecting an appropriate Full access admin for your organization, as the Full access (organization level) role has the highest level of control in the dashboard organization

    • The active owner of the Cisco Meraki hardware and licenses should be Full access admins in the organization.

  • Ensure that the username/email address of the Full access admin is associated with a domain under your control

    • Helps when separating relationships with previous org admins for account recovery purposes

    • Allows control of the email alias of the org admin

  • Use two-factor authentication and store backup authentication keys in a safe place

    • For example, DUO Mobile can be used as a two-factor auth solution with the dashboard

  • Consultants should be granted limited access as needed

    • Most likely, for technical configuration changes, offering temporary access as a network admin is the best option

    • If the consultant requires higher level admin permissions, be sure to revoke all permissions once the necessary changes have been implemented; ideally, the hardware/license owner should be the only org admin

  • If the current Full access organization-level admin is leaving the company, it is strongly recommended to revoke and/or reassign their account permissions early in the off-boarding process

  • Treat an organization Full access administrator like a domain admin for Active Directory or the primary contact for domain name registration; only the person in this role has the ability to promote other users to this role

Access Precedence

Access in the dashboard is additive, and a user will be granted rights on a page based on their highest level of applicable assigned permissions. Thus, an admin with read-only rights at the organization level (Observer role), but a Full Access role in a particular network will effectively have full access to that network: they will be able to make and save changes to that network.

This is similarly applied with tags. If a user has read-only and full access to a network based on different tags, the user will be given full access.