Skip to main content

 

Cisco Meraki Documentation

Role-Based Access Control Custom Roles Beta

  1. Last updated
  2. Save as PDF

Note: The Custom Roles experience is currently in beta. At this time, it supports Security & SD-WAN, Switching, and Wireless only. Additional Meraki product families (such as Cameras, Sensors, and others) are not yet supported in this beta version. Support for more products may be introduced in future updates. 

Introduction

Custom roles in the Meraki Dashboard allow organizations to fine-tune administrator permissions with greater granularity across product families such as Security & SD-WAN (MX), Switching (MS), and Wireless (MR). This article walks through the full experience of creating, reviewing, and managing a custom role using the enhanced RBAC (Role-Based Access Control) interface. 

Overview

The Custom Roles feature enables administrators to define tailored access levels that align with organizational needs. Instead of assigning broad, pre-defined roles, customers can fine-tune access by selecting Read-onlyRead & write, or No access for each resource category. 

Typical use cases include: 

  • Granting a network engineer full write access to switching but only read access to security appliances 
  • Restricting wireless access for contractors or auditors 
  • Creating standardized persona-based roles (e.g., “Switching Manager”)

Additive Permissions Model (Beta Behavior) 

In this beta release, permissions are additive. This means that if a user receives multiple roles affecting the same network or product area: 

  • The highest level of access granted by any assigned role becomes the user’s effective permission. 
  • There is no explicit deny in the current beta. 

Example:  If a user receives: 

  • Role A → No access to Wireless in Network X 
  • Role B → Read-only access to Wireless in Network X 

Their resulting permission will be: Read-only access to Wireless in Network X 

An explicit deny function is planned for future iterations but is not available in the beta. 

This model supports flexibility while the feature is evolving and allows admins to compose access through multiple roles safely. 

Getting Started with the Beta Experience

To use Custom Roles, your organization must first opt in to the new RBAC experience through Early Access. 

  1. In the left navigation menu, go to Organization.
  2. Select Early Access.
  3. Locate the Role-Based Access Control feature tile.
  4. Toggle the feature ON to enable the beta for your organization.

Once enabled, the Roles tab under Organization → Administrators will show the updated Custom Roles experience.

Activating the Beta

Step 1. In the Meraki Dashboard, go to Organization > Early Access.

clipboard_e52979e35b004790b730da80d11a8bc61.png

 

Step 2. Scroll to find Role-based Access Control and switch toggle to opt into the beta.

clipboard_e00b8861d3bc2fad6cb2ef25fcdc6c1bf.png

Navigating to the Custom Roles Feature 

The beta features are only accessible through the new version of the Administrators page. Support for the legacy Admin pages experience is not provided.

  1. In the left navigation pane, select Organization > Administrators

  1. Within the Administrators page, switch to the Roles tab. 

  1. The page displays two role groups: 

  • Default roles (Full access, Observer, Switch port manager, SSID Manager, etc.) 
  • Custom roles (roles created by your organization) 

To create a new custom role, click +Create custom role in the upper right corner. 

 

Defining Custom Role Name 

You will be taken to a guided 3-step workflow. Begin by providing: 

  • Role name — choose a descriptive, concise name 
  • Description (optional) — summarize the scope of the role for future reference 

Example: 

  • Role name: MX read, MS write 
  • Description: Read-only access to the security appliances and full access to switching 

Click Next to proceed. 

 

Defining Permissions 

In this step, you choose the permission level for each product family. Each resource category includes all features in the following Dashboard navigation items: 

  • Security & SD-WAN 
  • Switching 
  • Wireless 

For each resource category, select one of the following: 

  • No access (unless combined with other roles that grant access to this resource, user with this role cannot view or manage this product type.)
  • Read only (unless combined with other roles that grant Read & write access to this resource, user with this role can view both Monitor and Configure feature groups for this product type but cannot make changes.)
  • Read & write (user has full view and management capabilities for this product type.)

Example configuration: 

  • Security & SD-WAN: Read only 
  • Switching: Read & write 
  • Wireless: No access 

Click Next once the selections reflect your intended permissions. 

 

Review and Confirmation 

The final step presents a summary of the custom role: 

  • Role name and description 
  • Permissions selected for each resource category 

Review the information carefully. If any adjustments are required, use the Edit links next to each section. 

Once satisfied, click Confirm and add new custom role

 

 

After confirmation, you will see a success message in the top right corner of the screen, and the newly created role now appears under the Custom roles section on the main Roles page. 

 

 

 

Managing Custom Roles 

Custom roles can be edited or deleted at any time—provided the appropriate conditions are met. 

Editing a Custom Role 

  1. Navigate to Organization > Administrators > Roles
  2. Scroll to the Custom roles section. 
  3. Click the three-dot () menu on the role card. 
  4. Select Edit role to reopen the 3-step configuration flow. 

Use this to update permissions or rename the role. 

 

Deleting a Custom Role 

  1. Open the  menu for the desired custom role. 
  2. Select Delete role
  3. A confirmation dialog will appear. 

You may only delete roles that are not currently assigned to any admins or SAML groups. Click Delete role to proceed. 

 

Assigning a Custom Role 

Once custom roles have been created, they can be assigned to new or existing administrators through the standard admin creation and editing workflow.

When adding a new admin:

  1. Navigate to Organization → Administrators.
  2. Click Add new admin, or select an existing admin to edit.
  3. In the Role & Scope section, select Assign role.
  4. A side panel will open, displaying two tabs:
    • Default - built-in system roles
    • Custom - custom roles created during the beta
  5. Select the Custom tab to view all available custom roles.
  6. Choose the role you want to assign by selecting its radio button.
  7. Configure the scope as needed (organization-wide, specific networks, or network tags).
  8. Review and save your changes.

This workflow allows you to assign one or more role-and-scope pairs to the same admin, enabling flexible and layered access - aligned with the beta’s additive permission model.

clipboard_e45899c6c4655219b18398c31ffcafcf1.png

Important Limitations of Beta

To ensure a focused and effective beta program, the following functionalities are not included in this initial release:

  • You cannot assign "no access" to all three product categories (Security Appliances, Switching, and Wireless). At least one product type must have "read" or "read and write" access.
  • Custom role support is not yet available within the Meraki mobile application.
  • Access control for Meraki products beyond MX, MS, and MR is not included. Additional Meraki product families (such as Cameras, Sensors, and others) are not yet supported in this beta version. Support for more products may be introduced in future updates.

Providing Feedback During Beta

Your feedback is invaluable for shaping the final product. We encourage you to share your experiences and suggestions. Please, use the Give Feedback button located on the right side of the screen from either of the Administrators pages within the Dashboard.

clipboard_e7b7bd65cea88775f6cd7f1deb208e4e1.png

Leaving the Beta Program

Organizations can opt out of the Custom Roles beta at any time. Opting out disables access to the beta RBAC experience, including the ability to create new custom roles, while preserving any custom roles created during the beta.

To leave the beta:

  1. In the Dashboard navigation menu, go to Organization.
  2. Select Early Access.
  3. Locate the Role-based access control feature tile.
  4. Toggle the feature OFF.

When opting out, you will see a warning message explaining:

  • All custom roles created during the beta will remain in the organization.
  • Any administrators or SAML groups currently assigned to these roles will continue to have them.
  • Once you opt out, your organization will no longer have access to create additional custom roles until you rejoin the beta (or until the feature becomes GA).

After confirming, the organization will exit the beta program.

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    How-to
    Stage
    Final
  2. Tags
    This page has no tags.