Software: Secure Workload
Activity: Configure

Abilities and Capabilities

Roles are made up of capabilities which include a scope and an ability. These define the allowed actions and the set of data that they apply to. For example, the (HR, Read) capability should be read and interpreted as “Read ability on the HR scope”. This capability would allow access to the HR scope and all its children.

| Ability | Description |
| --- | --- |
| Installer | Install, monitor, and upgrade software agents. |
| Audit | Global appliance data read support and access to change logs. |
| Read | Read all data including flows, application, and inventory filters. |
| Write | Make changes to applications and inventory filters. |
| Execute | Run automatic policy discovery and publish policies for analysis. |
| Enforce | Enforce policies that are defined in application workspaces that are associated with the given scope. |
| SecOps Read | Read all flows, alerts, vulnerabilities, and forensics events for the assigned scope. |


 

Abilities are inherited. For example, the Execute ability allows all the Read, Write, and Execute actions.


 

Abilities apply to the scope and all the scope’s children.
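
The two inheritance rules above (abilities imply lower abilities, and a capability on a scope covers its children) can be combined to review which roles effectively hold an ability on a given scope. The following is an added Python example, not Cisco code; the `:` scope separator, the placement of Enforce above Execute, and the sample role names are assumptions.

```python
# Added example, not product code. Assumptions: ":" separates scope levels,
# and Enforce sits above Execute (suggested by the Segmentation row of the
# component table; the page itself only states Execute > Write > Read).
CHAIN = ["Read", "Write", "Execute", "Enforce"]


def implied_abilities(ability):
    """Abilities granted by holding `ability`, including itself."""
    if ability in CHAIN:
        return set(CHAIN[: CHAIN.index(ability) + 1])
    # Installer, Audit and SecOps Read are treated as standalone here.
    return {ability}


def scope_covers(granted, target, sep=":"):
    """True if `target` is the granted scope or one of its descendants."""
    # Appending the separator stops "HR" from matching a sibling like "HRX".
    return target == granted or target.startswith(granted + sep)


def effective_abilities(capabilities, target_scope):
    """Every ability a list of (scope, ability) pairs yields on a scope."""
    result = set()
    for scope, ability in capabilities:
        if scope_covers(scope, target_scope):
            result |= implied_abilities(ability)
    return result


def roles_with(roles, target_scope, ability):
    """Names of roles that effectively hold `ability` on `target_scope`."""
    return sorted(
        name for name, caps in roles.items()
        if ability in effective_abilities(caps, target_scope)
    )


# Constructed sample roles for a least-privilege review.
ROLES = {
    "hr-viewer": [("HR", "Read")],
    "hr-policy": [("HR", "Execute")],
    "payroll-enforcer": [("HR:Payroll", "Enforce")],
    "agent-ops": [("HR", "Installer")],
}

if __name__ == "__main__":
    for ability in ("Read", "Write", "Enforce"):
        print(ability, roles_with(ROLES, "HR:Payroll", ability))
```

Grants flow down the scope tree only, so a capability on `HR:Payroll` gives nothing on `HR`, while a capability on `HR` reaches every child scope.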

Component-specific Abilities and Capabilities

The following table describes the abilities and capabilities specific to a component.

Table 1. Component-specific abilities and capabilities

| Component Name | Installer | Read | Audit | Write | Execute | Enforce | Owner |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Security Dashboard | Not Applicable | Yes | Yes | Yes | Yes | Yes | Yes |
| Scopes and Inventory | Not Applicable | Read-only | Read-only | Read-only | Read-only | Read-only | Yes |
| Label Management | Not Applicable | Read-only | Read-only | Read-only | Read-only | Read-only | Yes |
| Inventory Filters | Not Applicable | Read-only | Read-only | Yes | Yes | Yes | Yes |
| Segmentation | Not Applicable | Read-only | Read-only | Add policies, but cannot publish/enforce them or manage alerts | Add/publish policies, but cannot enforce or manage alerts | Yes | Yes |
| Enforcement Status | Not Applicable | Yes | Yes | Yes | Yes | Yes | Yes |
| Policy Templates | Not Applicable | Read-only | Read-only | Read-only | Read-only | Read-only | Yes |
| Forensic Rules | Not Applicable | Read-only | Read-only | Read-only | Read-only | Read-only | Yes |
| Traffic | Not Applicable | Yes | Yes | Yes | Yes | Yes | Yes |
| Alerts | Not Applicable | Yes | Yes | Yes | Yes | Yes | Yes |
| Vulnerabilities | Not Applicable | Yes | Yes | Yes | Yes | Yes | Yes |
| Forensics | Not Applicable | Yes | Yes | Yes | Yes | Yes | Yes |
| Reporting Dashboard | Not Applicable | Yes | Yes | Yes | Yes | Yes | Yes |
| Agent Install | Yes | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Yes |
| Agent Upgrade | Yes | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Yes |
| Agent convert to enforcement | Yes | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Yes |
| Agent Configure | Read-only | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Yes |
| Agent Monitor | Yes | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Yes |
| Agent Distribution | Yes | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Yes |
| Agent list | Only applicable to the deletion of agents and the generation of tokens for service protection | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Yes |
| Alert Config | Not Applicable | Read-only | Read-only | Read-only | Read-only | Read-only | Yes |
| Virtual Appliances | Not Applicable | Read-only | Read-only | Read-only | Read-only | Read-only | Yes |
| Connectors | Not Applicable | Read-only | Read-only | Read-only | Read-only | Read-only | Yes |
| Secure Connector | Not Applicable | Read-only | Read-only | Read-only | Read-only | Read-only | Yes |
| External Orchestrators | Not Applicable | Read-only | Read-only | Read-only | Read-only | Read-only | Yes |
| Kubernetes | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Yes |
| Roles | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Yes |
| Users | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Yes |
| Licenses | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Yes |
| Change Logs | Not Applicable | Not Applicable | No | Not Applicable | Not Applicable | Not Applicable | Yes |
| Session Configuration | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Yes |
| Data Tap Admin | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Yes |
| Collection Rules | Not Applicable | Read-only | Read-only | Read-only | Read-only | Read-only | Yes |
| IP Addresses | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Not Applicable | Yes |

API Key Capabilities (final row of the table, listed per ability):

| Ability | API Key Capabilities |
| --- | --- |
| Installer | software_download |
| Read | sensor_management, flow_inventory_query, user_role_scope_management, user_data_upload, app_policy_management, external_integration, software_download |
| Audit | sensor_management, flow_inventory_query, user_role_scope_management, user_data_upload, app_policy_management, external_integration, software_download |
| Write | sensor_management, flow_inventory_query, user_role_scope_management, user_data_upload, app_policy_management, external_integration, software_download |
| Execute | sensor_management, flow_inventory_query, user_role_scope_management, user_data_upload, app_policy_management, external_integration, software_download |
| Enforce | sensor_management, flow_inventory_query, user_role_scope_management, user_data_upload, app_policy_management, external_integration, software_download |
| Owner | sensor_management, flow_inventory_query, user_role_scope_management, user_data_upload, app_policy_management, external_integration, software_download |