Wish: Add permission level to modify Non-Meraki VPN peers without giving full Organization privilege


I requested this feature a few years ago but I've never seen it come up again. We have some users that have either read-only access to the Organization or access only to specific sites. However, they are unable to manage the non-Meraki VPN without being an Organization-level user, which is too much access to grant them.


I don't see it as too difficult to implement: just add another level of privilege that grants permission only to that VPN settings section. It would be even better if there were a way that users could be assigned permission to modify non-Meraki VPN only for the particular network they have rights to, but I'm sure that is a more complicated change.


Note that non-Meraki VPNs are global across all networks. If you change one in one network, you change it in every network.

True, it's org-wide, but it would be helpful to delegate this setting to other people without requiring full org access, especially in an MSP environment.


For example, for us it would be helpful to let our service desk make changes to the Site-to-Site VPN settings, but they don't need full org access. It wouldn't make sense, since they could theoretically create other admin users or mess with the SAML config we use for every managed org, etc.


So that feature would be awesome to have in the dashboard. Currently we are evaluating doing it via the API to be able to delegate this control internally (or maybe even to the customer some day).

Unless you use location tags like we do, so that non-Meraki peers only connect to certain locations. If the system could be set up so that you could assign VPN rights to only add certain tags, it would be even better.


I.e., Joe Blow can only add/modify VPN routes with the "HQ" tag. Pie in the sky wish!
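The two ideas raised in the thread (delegating non-Meraki peer changes via the API rather than granting org admin, and limiting a delegate to peers carrying certain network tags) can be combined in a small wrapper. The following is an added example, not code from Meraki or from any poster here. It assumes the Dashboard API v1 endpoint `PUT /organizations/{organizationId}/appliance/vpn/thirdPartyVPNPeers`, which replaces the whole peer list, and that each peer object carries a `name` and a `networkTags` list (`"all"`, `"none"`, or network tag names). The sample peer list, the delegate "Joe Blow" scoped to the `HQ` tag, and the environment variable names are constructed for the example. The org-admin API key stays inside the wrapper; the delegate only submits a peer, and the wrapper refuses anything that would touch a peer outside the delegate's tag scope:

```python
"""Tag-scoped delegation of non-Meraki VPN peer changes via the Meraki Dashboard API.

Added example, not Meraki's code. Assumes the v1 endpoint
PUT /organizations/{organizationId}/appliance/vpn/thirdPartyVPNPeers (replaces
the entire peer list) and that each peer has "name" and "networkTags"
("all", "none", or network tag names). Sample data below is constructed.
"""
import json
import os
import urllib.request

BASE_URL = "https://api.meraki.com/api/v1"
ORGWIDE = {"all", "none"}  # pseudo-tags that bypass per-network scoping

# Constructed sample of what GET .../thirdPartyVPNPeers might return (secrets elided).
SAMPLE_PEERS = [
    {"name": "partner-a", "publicIp": "203.0.113.10",
     "privateSubnets": ["10.10.0.0/16"], "secret": "redacted",
     "ikeVersion": "2", "networkTags": ["HQ"]},
    {"name": "carrier", "publicIp": "198.51.100.5",
     "privateSubnets": ["172.16.0.0/12"], "secret": "redacted",
     "ikeVersion": "2", "networkTags": ["all"]},
]


class ScopeViolation(Exception):
    pass


def in_scope(peer, allowed_tags):
    """True if every tag on the peer is one the delegate may manage.

    A peer tagged "all" or "none" is org-wide, so a tag-scoped delegate
    may neither create nor modify it.
    """
    tags = set(peer.get("networkTags") or [])
    return bool(tags) and not (tags & ORGWIDE) and tags <= set(allowed_tags)


def check_scope(existing, allowed_tags, new_peer):
    """Return (ok, reason) for a delegated add/modify of new_peer."""
    if not in_scope(new_peer, allowed_tags):
        return False, f"{new_peer.get('name')!r} targets tags outside {sorted(allowed_tags)}"
    for p in existing:
        # Reusing the name of an out-of-scope peer would silently overwrite it.
        if p["name"] == new_peer["name"] and not in_scope(p, allowed_tags):
            return False, f"{p['name']!r} is an existing peer outside the delegate's scope"
    return True, "ok"


def apply_scoped_change(existing, allowed_tags, new_peer):
    """Build the full list to PUT: replace the same-named in-scope peer,
    otherwise append. Every other peer is passed through untouched, so the
    delegate can neither alter nor drop peers outside their scope."""
    ok, reason = check_scope(existing, allowed_tags, new_peer)
    if not ok:
        raise ScopeViolation(reason)
    merged = [new_peer if p["name"] == new_peer["name"] else p for p in existing]
    if all(p["name"] != new_peer["name"] for p in existing):
        merged.append(new_peer)
    return merged


def push_peers(api_key, org_id, peers):
    """PUT the merged list using the org-admin key held by the wrapper,
    never handed to the delegate. Not exercised offline."""
    url = f"{BASE_URL}/organizations/{org_id}/appliance/vpn/thirdPartyVPNPeers"
    req = urllib.request.Request(
        url, data=json.dumps({"peers": peers}).encode(), method="PUT",
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Hypothetical delegate limited to the "HQ" tag, as in the thread.
    hq_only = {"HQ"}
    new_peer = {"name": "partner-b", "publicIp": "203.0.113.20",
                "privateSubnets": ["10.20.0.0/16"], "secret": "redacted",
                "ikeVersion": "2", "networkTags": ["HQ"]}
    merged = apply_scoped_change(SAMPLE_PEERS, hq_only, new_peer)
    print([p["name"] for p in merged])  # ['partner-a', 'carrier', 'partner-b']
    # Rejected: "carrier" is tagged "all", so it is outside the HQ-only scope.
    print(check_scope(SAMPLE_PEERS, hq_only, dict(new_peer, name="carrier")))
    # Hypothetical variable names; only pushes when both are set.
    if os.environ.get("MERAKI_DASHBOARD_API_KEY") and os.environ.get("MERAKI_ORG_ID"):
        push_peers(os.environ["MERAKI_DASHBOARD_API_KEY"],
                   os.environ["MERAKI_ORG_ID"], merged)
```

Because the endpoint replaces the entire peer list, the wrapper must always fetch the current list first and pass every out-of-scope peer through unchanged; a delegate-supplied list sent straight to the PUT would let them delete or rewrite any peer. Who may call the wrapper, and with which tag set, is then an internal authorization decision (e.g. a service-desk group mapped to `{"HQ"}`) rather than a Dashboard admin role.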
