We have 90 locations; each is its own network with an MX, MSs and MRs. We have a team that is half desktop support and half network support. I want to be able to give them the ability to move VLAN ports on the switches but not the ability to alter the configuration of the MX.
I attempted to do this with SAML and target-based access privileges using the TAGS, but it appears the TAGS only work at the network level, not the device level.
Is there a way to give this team access to only the switch configuration and not the entire site's network?
We did this is an option but it's likely an option of last resort, as with 90 networks it will become an administrative overhead, and it does not appear to roll up into the SAML roles, so it would mean compounding the identity island issue.