Meraki

Community

Restricting access to cameras for Network Admins

Solved
Dunky
Head in the Cloud
‎Jan 19 2024 7:05 AM
‎Jan 19 2024 7:05 AM

Restricting access to cameras for Network Admins

We have a number of network admin users that have full organization access, and some that have Organization Read Only Access.

I have been asked to look into preventing some of these users from being able to see the MV Cameras (without moving the the cameras out into a separate network).

This is to comply with GDPR.

Can anyone advise on how I achieve this.  We use SAML (SSO via Azure).

 

Thanks in advance.

0 Kudos
1 Accepted Solution
In response to Dunky
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 23 2024 11:57 AM
‎Jan 23 2024 11:57 AM

It might be worthwhile looking at third-party solutions like Boundless Digital.  They allow much more granular access to the Meraki Dashboard.

https://www.boundlessdigital.com/network-management/meraki-automation/role-based-access-control/ 

View solution in original post

7 Replies 7
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jan 19 2024 7:31 AM
‎Jan 19 2024 7:31 AM

Maybe yes.

 

Restricting Access to Cameras - Cisco Meraki Documentation

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Ryan_Miles
Meraki Employee
Meraki Employee
‎Jan 19 2024 8:22 PM
‎Jan 19 2024 8:22 PM

Not sure it's possible if these are combined networks. If an admin has network level access or org level access that applies to all nodes in the network. So there's no way to enforce a deny for cameras only unless I'm overlooking something in my evaluation of dashboard or my testing.

 

I think you'd need to break the cameras out into there own networks to achieve this.

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 21 2024 11:58 AM
‎Jan 21 2024 11:58 AM

Going sideways - does the access auditing not resolve the core issue - of identifying you has accessed what private information?  Sure they can still get to it - but it creates an audit trail of them doing it.

https://documentation.meraki.com/MV/Processing_Video/Video_Access_Log 

 

ps. For one company I ended up creating a new org just for the cameras to resolve access concerns.

0 Kudos
In response to PhilipDAth
Dunky
Head in the Cloud
‎Jan 23 2024 6:40 AM
‎Jan 23 2024 6:40 AM

Thanks @PhilipDAth & @Ryan_Miles 

Breaking out the cameras into a separate network, or even organization seems a bizarre approach to address what in my opinion is a fundamental issue with access rights not being granular enough.

I wouldn't have thought it unreasonable to be able to prevent some network admins from being able to access video.  If say 2 roles were passed across via SAML, the 1st being Full access to network XYZ and the 2nd being a camera/sensor role that denies access to footage on cameras in network XYZ, then the result should be the user being able to access all the network settings for the camera, but just not able to see the image itself (dashboard and vision Portal).

0 Kudos
In response to Dunky
Ryan_Miles
Meraki Employee
Meraki Employee
‎Jan 23 2024 8:05 AM
‎Jan 23 2024 8:05 AM

Just tested again and perhaps it is possible. Although it would be nice if the UI was better/different.

 

  • I created a new role in my IDP called Network_Admins;No_Video
  • In the Meraki dashboard I created a SAML role for Network_Admins with full access to a network
  • I created a Camera role with no camera permissions to anything

 

Logging in allows me access to all parts of the network except cameras. I can see the list of cameras, but clicking on them results in a View failed to load error. This is where I wish it would instead say camera access denied rather than looking like a broken webpage.

 

And this all only makes sense I suppose if the SAML admin is a network admin. Because if they have org level permissions they could simply edit the no video camera role giving themselves access.

 

Again I would recommend testing this all out and seeing if the behavior is the same for you.

Ryan

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
In response to Dunky
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 23 2024 11:57 AM
‎Jan 23 2024 11:57 AM

It might be worthwhile looking at third-party solutions like Boundless Digital.  They allow much more granular access to the Meraki Dashboard.

https://www.boundlessdigital.com/network-management/meraki-automation/role-based-access-control/ 

In response to PhilipDAth
Dunky
Head in the Cloud
‎Jan 24 2024 2:07 AM
‎Jan 24 2024 2:07 AM

Thanks Philip, that looks like a great solution.

I will investigate pricing and look into a trial to confirm it will achieve what we need.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.