PCI audit: The following list of Meraki Dashboard administrators is current and accurate.

meraki-user
Here to help


PCI audit shows a failure on "The following list of Meraki Dashboard administrators is current and accurate." It is citing administrator accounts that have been deleted. Where is it seeing them, if they have been deleted? How can the list of administrators in the system be an inaccurate list?


GreenMan
Meraki Employee All-Star

Pretty sure this is referring to SAML login and is expected behaviour. The listed accounts have been used historically to access the dashboard, so will still be visible there, even though they've been deleted at the IdP end. While they are listed, they will not be able to log in.
I believe such associations can be removed by toggling the enable / disable on that SSO.

bwebb
New here

Why would this be expected behavior? What happens when multiple organizations are managed by a single entity like an MSSP? The MSSP has to go into every organization and disable/re-enable their SSO instance for every client whenever an employee is removed? What if an individual flips this between reports? They can wipe the listed account's access? That doesn't sound like a compliant report.

This can't be by design... this has to be a failure to address an obvious compliance reporting issue, or how can Meraki PCI reports be relied upon to present accurate information? Even if there were a way to mark out individual users as removed and a timer during which they would no longer show on reports... anything. If I am missing something please let me know, but saying it is expected behavior is very concerning.

GreenMan
Meraki Employee All-Star

The IdP is checked when an admin logs in, regardless. If the user in question has been disabled at the IdP end, they won't gain access to the Meraki Dashboard. It's not my area of in-depth expertise, but it seems pretty impractical to me for Dashboard to maintain a 100% sync with every single configured IdP. Would forcing a sync before running a particular compliance check be particularly onerous? If you have particular concerns, you're probably best advised to pick them up directly via your Meraki account team.

meraki-user
Here to help

Forcing a sync sounds great. Is there any documentation on how this can be done?

GreenMan
Meraki Employee All-Star

Disable and enable the SSO in question (Org > Settings > Authentication).
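As an added example (not Meraki's code, and not the output of any Meraki API), the script below shows the reconciliation a reviewer could run before the PCI report: compare the Dashboard-side administrator entries against the IdP's current user list and flag SAML-origin entries the IdP no longer knows about, so they can be cleared with the SSO toggle described above before the report is generated. The record shapes, the field names (`auth`, `last_login`) and all sample accounts are assumptions constructed for the example.

```python
"""Reconcile Dashboard-side administrator entries against the IdP's active users.

Added example, not Meraki's code or API output. Record shapes and field names
are assumptions; substitute whatever your Dashboard export and IdP directory
actually provide.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class DashboardAdmin:
    email: str
    auth: str            # assumed: "saml" for SSO-created entries, "local" for Dashboard accounts
    last_login: datetime


def stale_saml_admins(admins, idp_active_emails, now, max_age=timedelta(days=90)):
    """Return SAML-origin Dashboard entries whose identity no longer exists at the IdP.

    Local Dashboard accounts are skipped: the IdP cannot speak for them.
    Each finding is (email, days since last login, older than max_age?) so a
    reviewer can see how long the lingering entry has gone unused.
    """
    idp = {e.lower() for e in idp_active_emails}   # case-insensitive match on address
    findings = []
    for a in admins:
        if a.auth != "saml" or a.email.lower() in idp:
            continue
        age = now - a.last_login
        findings.append((a.email, age.days, age > max_age))
    return sorted(findings)


# Constructed sample data: no real accounts or organizations.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_ADMINS = [
    DashboardAdmin("alice@example.com", "saml", NOW - timedelta(days=3)),
    DashboardAdmin("bob@example.com", "saml", NOW - timedelta(days=200)),
    DashboardAdmin("carol@example.com", "local", NOW - timedelta(days=400)),
    DashboardAdmin("dave@example.com", "saml", NOW - timedelta(days=10)),
]
IDP_ACTIVE = ["Alice@example.com", "carol@example.com"]   # constructed IdP directory export

if __name__ == "__main__":
    for email, days, overdue in stale_saml_admins(SAMPLE_ADMINS, IDP_ACTIVE, NOW):
        note = " (beyond 90-day window)" if overdue else ""
        print(f"{email}: last SSO login {days} days ago{note}")
```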
