Meraki

Community

Wish: Add permission level to modify Non-Meraki VPN peers without giving full Organization privilege

Convergint
Conversationalist
‎Apr 10 2018 10:07 PM
‎Apr 10 2018 10:07 PM

Wish: Add permission level to modify Non-Meraki VPN peers without giving full Organization privilege

I requested this feature a few years ago but I've never seen it come up again.  We have some users that have either read-only to the Organization or only to specific sites.  However, they are unable to manage the non-Meraki VPN without being an Organization level user which is too much access to grant them.

 

I don't see it too difficult to implement to just add another level of Privilege for just granting permission to that VPN settings section.  It would be even better if there was a way that users could be assigned permission only to modify non-Meraki VPN for the particular network they have rights to but I'm sure that is a more complicated change.

0 Kudos
3 Replies 3
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 10 2018 10:32 PM
‎Apr 10 2018 10:32 PM

Note that non-Meraki VPNs are global across all networks.  If you change it in one network you change it in every network.

0 Kudos
In response to PhilipDAth
hoempf
Getting noticed
‎Apr 11 2018 1:38 AM
‎Apr 11 2018 1:38 AM

True, it's org-wide, but it would be helpful to delegate this setting to other people without requiring full org access, especially in an MSP environment.

 

For example for us it would be helpful to let our service desk make changes on the Site-to-Site VPN settings but they don't need full org access. It wouldn't make sense, since they could theoretically create other admin users or mess with the SAML config we use for every managed org etc.

 

So that feature would be awesome to have in the dashboard. Currently we evaluate to do it via API to be able to delegate this control internally (or maybe even to the customer some day).

0 Kudos
In response to PhilipDAth
Convergint
Conversationalist
‎Apr 11 2018 9:36 AM
‎Apr 11 2018 9:36 AM

Unless you use location tags like we do so that non-Meraki peers only connect to certain locations.  If the system could be setup so that you could assign VPN rights to only add certain tags it would even be better.

 

IE, Joe Blow can only add/modify VPN routes with the "HQ" tag.  Pie in the sky wish!

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.