Restricting access to cameras for Network Admins

Solved
Dunky
A model citizen

We have a number of network admin users that have full organization access, and some that have Organization Read Only Access.

I have been asked to look into preventing some of these users from being able to see the MV cameras (without moving the cameras out into a separate network).

This is to comply with GDPR.

Can anyone advise on how I achieve this? We use SAML (SSO via Azure).

Thanks in advance.

1 Accepted Solution
PhilipDAth
Kind of a big deal

It might be worthwhile looking at third-party solutions like Boundless Digital. They allow much more granular access to the Meraki Dashboard.

https://www.boundlessdigital.com/network-management/meraki-automation/role-based-access-control/


alemabrahao
Kind of a big deal

Maybe yes.

Restricting Access to Cameras - Cisco Meraki Documentation

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Ryan_Miles
Meraki Employee

Not sure it's possible if these are combined networks. If an admin has network level access or org level access that applies to all nodes in the network. So there's no way to enforce a deny for cameras only unless I'm overlooking something in my evaluation of dashboard or my testing.

I think you'd need to break the cameras out into their own networks to achieve this.

PhilipDAth
Kind of a big deal

Going sideways - does the access auditing not resolve the core issue of identifying who has accessed what private information? Sure, they can still get to it, but it creates an audit trail of them doing it.

https://documentation.meraki.com/MV/Processing_Video/Video_Access_Log

PS. For one company I ended up creating a new org just for the cameras to resolve access concerns.

Thanks @PhilipDAth & @Ryan_Miles

Breaking out the cameras into a separate network, or even organization seems a bizarre approach to address what in my opinion is a fundamental issue with access rights not being granular enough.

I wouldn't have thought it unreasonable to be able to prevent some network admins from being able to access video. If, say, 2 roles were passed across via SAML, the 1st being full access to network XYZ and the 2nd being a camera/sensor role that denies access to footage on cameras in network XYZ, then the result should be the user being able to access all the network settings for the camera, but just not able to see the image itself (dashboard and Vision Portal).

Just tested again and perhaps it is possible. Although it would be nice if the UI was better/different.

  • I created a new role in my IDP called Network_Admins;No_Video
  • In the Meraki dashboard I created a SAML role for Network_Admins with full access to a network
  • I created a Camera role with no camera permissions to anything

Logging in allows me access to all parts of the network except cameras. I can see the list of cameras, but clicking on them results in a View failed to load error. This is where I wish it would instead say camera access denied rather than looking like a broken webpage.

And this all only makes sense I suppose if the SAML admin is a network admin. Because if they have org level permissions they could simply edit the no video camera role giving themselves access.

Again I would recommend testing this all out and seeing if the behavior is the same for you.


Thanks Philip, that looks like a great solution.

I will investigate pricing and look into a trial to confirm it will achieve what we need.
