Login

Cisco Security Cloud Control Administration Guide

About Cisco Security Cloud Control
- Products Managed by Cisco Security Cloud Control
Platform Services for all Products
- Manage Security Devices
- Manage Objects
- Global Search
  - Initiate Full Indexing
  - Perform a Global Search
- Preview and Deploy Configuration Changes for All Devices
- Additional Configuration Assistance
- Integrate Identity Services Engine with Security Cloud Control
- Organization Notification Settings
- Security Cloud Control Platform Navigator
- Give us your Feedback
Managing Organizations
- Setting a Region for an Organization
- Create an Organization
- Rename an organization
- Switch organizations
- Cisco Support Access to your Organization
  - Enable Cisco Support Access
  - Disable support access
Managing Products and Subscriptions
- Overview of Subscription Process
- Single Product Instance in an Organization
- Claim a Subscription
- Activate a Product Instance
  - Activate an Inactive Product Instance
  - Activate an Externally Managed Product Instance
  - Activation Code to Activate Externally Managed Product Instance
  - Activate a Product Instance with Further Inputs
- View Product Subscription Details
- Deactivate a Product Instance
Onboard Devices to Security Cloud Control
- Secure ASA Onboarding Methods
- Secure Firewall Threat Defense Onboarding Methods
- On-Premises Firewall Management Center Onboarding Methods
- Meraki Security Appliance Onboarding Methods
- Cisco IOS Device Onboarding Methods
- Secure Firewall Chassis Manager Onboarding Methods
- AWS Virtual Private Cloud Onboarding Methods
- Cisco Umbrella Organization Onboarding Methods
Managing Role-Based Access Control
- Role-Based Access Control in an Organization
  - Managing Users
  - Managing Groups
  - Managing Roles
- Invite a User
- Import Users
- View or Find Users
- Edit a User Name
- Assign Roles to a User
- Add a User to Groups
- Assign Roles to Existing Users
- Remove Role Assignments
- Create a Custom Role
- Edit a Custom Role
- Delete a Custom Role
- Custom Role for Cisco Secure Workload
- Reset Multifactor Authentication Settings
- Reset User Password
- Disable a User Account
- Restore a User Account
- Remove a User Account
- Create a New Group
- Edit a Group Name
- Add Users to a Group
- Assign Roles to Groups
- Remove users from a group
- Delete a Group
- Manage Role Delegation
- Logging the Events
  - View the Activity Log
Managing Domains
- Overview
- Claim and verify a domain
Managing Identity Provider Group Mapping
- Identity Provider Group Map
- Map Identity Provider Group
- Edit an identity provider group mapping
- Link an External Identity Provider
- Delink an External Identity Provider
Integrating Identity Providers
- Prerequisites
- SAML Response Requirements
- Step 1: Initial setup
- Step 2: Provide Security Cloud SAML metadata to your identity provider
- Step 3: Provide SAML metadata from your IdP to Security Cloud
- Step 4: Test your SAML integration
- Step 5: Activate the integration
- Troubleshooting SAML errors
Identity Service Provider Instructions
- Integrating Auth0 with Security Cloud Sign On
- Integrating Microsoft Entra ID with Security Cloud Sign On
- Integrating Duo with Security Cloud Sign On
- Integrating Google Identity with Security Cloud Sign On
- Integrating Okta with Security Cloud Sign On
- Integrating Ping Identity with Security Cloud Sign On

Platform Secure Firewall Threat Defense Virtual

Activity Manage

Managing Role-Based Access Control Custom Role for Cisco Secure Workload

Last updated: Jul 17, 2025

Custom Role for Cisco Secure Workload

You can create, edit, and delete custom roles for Cisco Secure Workload.

When you create a custom role for Secure Workload, you define the scope-ability pairs for the role. The permission and capability of a role in Secure Workload includes a scope and an ability. Ability defines the allowed actions and scope defines the set of data that the ability applies to. For information on roles in Secure Workload, see Cisco Secure Workload User Guide, SaaS .

The Agent Installer and Tenant Owner roles appear as static in the Role details page. You can't delete or edit these roles.

Follow these steps to create a custom role in Secure Workload.

Procedure

1

In the Security Cloud Control platform menu, choose Platform Services > Platform Management.

2

Choose Access Management > Administrator Access.

3

Click Admin roles.

4

Click Add custom role.

5

In the Role Details section of the Add Custom Role page, do the following.

From the Product drop-down list, choose Secure Workload.

In the Role name field, provide a name for the role.

Ensure that the name of the role is limited to 50 characters. Role names can have alphanumeric characters, hyphens, and underscores. Other characters are not supported.
You can’t have two custom roles with the same name for a given product.

(Optional) Provide a description for the role.
Click Next. This step enables you to specify the capabilities for the role.

6

In the Capability details section of the Add Custom Role page, do the following.

Add the scope-ability pairs for this role

Choose a scope from the App scope drop-down list.
Choose the corresponding ability for the scope from the Ability drop-down list.

Click Add capability to add more scope-ability pairs.
Click Next.

7

In the Summary section, review the details of the custom role.

To proceed with adding the custom role, click Save.

To change the role details, click Back and make the required edits.

To proceed without adding the custom role, click Cancel.

After the custom role is created, it is added to the list of roles on the Roles page.

Previous topic Delete a Custom Role Next topic Reset Multifactor Authentication Settings