Defining Administrators and Privileges – Building the Dashboard
For organizations with multiple administrators who require access to the Dashboard, Meraki lets an organization designate administrative roles with different permission levels (from the Organization > Administrators page). Administrative rights can be scoped on a per-account basis: full organization read/write access, a mix of read-only and write access at either the organization level or the per-network level, or special permission roles such as Camera-only or Monitor-only administrators. These special permission roles have uniquely restricted access to Dashboard networks, which will be briefly discussed in comparison to standard administrators later in this section.
Pro Tip
All organizations should maintain control of at least two full organization administrator accounts to prevent accidental loss of access to the organization in the event of an account lockout.
At the organization level, accounts can be assigned one of the following levels of organization privilege:
• Full organization-level access, which allows full read/write access to the entire organization.
• Read-only access, which provides full visibility to every page and configuration in the Dashboard but restricts the ability to make or save any changes within the organization.
• None, which both hides all pages located under the Organization tab and the Navigation tab itself and restricts the account to only the network-level permissions explicitly specified.
In addition to, or in place of, the organization-level permissions, administrator accounts can also have per-network permissions applied to them. This allows accounts to be restricted to viewing or modifying only a specific subset of networks within the organization, based on the permissions assigned to that administrator for each network. Per-network permissions allow Full access, Read-only access, or Monitor-only access to be configured for each network or network group specified.
Any networks that are not included in the permissions assigned to an administrator account are not shown in the Dashboard for that user. This allows for very granular permission assignments within each organization in the Dashboard, helping to provide maximum security and control while ensuring that each account has the necessary visibility and access to complete its responsibilities.
Pro Tip
Full organization read/write access supersedes any network-level access configured for the same account. Accounts configured with Read-only organization-level access can still be given write access to individual networks within the organization. Remember to follow the least privilege philosophy when designating roles.
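The precedence rules above can be checked mechanically when reviewing an administrator list. The following is an added example, not code from the book or from Meraki: the accounts are constructed, and the field names (`org_access`, `networks`) and the `effective_access` and `audit` helpers are assumptions made for illustration.

```python
# Constructed sample accounts. The field names (org_access, networks) are
# assumptions for this example, not a Dashboard export format.
ADMINS = [
    {"email": "alice@example.com", "org_access": "full", "networks": {"N_hq": "read-only"}},
    {"email": "bob@example.com", "org_access": "read-only", "networks": {"N_lab": "full"}},
    {"email": "carol@example.com", "org_access": "none", "networks": {"N_hq": "monitor-only"}},
    {"email": "dave@example.com", "org_access": "none", "networks": {}},
]

def effective_access(admin, network_id):
    """Resolve what one account can do on one network."""
    org = admin["org_access"]
    if org == "full":
        return "full"  # full organization access supersedes network-level entries
    net = admin["networks"].get(network_id)
    if org == "read-only":
        # Visible everywhere; a per-network grant can add write access.
        # Assumption: a lower per-network entry does not reduce org read-only.
        return "full" if net == "full" else "read-only"
    # Organization access "none": only explicitly listed networks are shown.
    return net if net else "hidden"

def audit(admins):
    """Return findings that conflict with the guidance in this section."""
    findings = []
    full_admins = [a["email"] for a in admins if a["org_access"] == "full"]
    if len(full_admins) < 2:
        findings.append(f"only {len(full_admins)} full organization admin(s); keep at least two")
    for a in admins:
        if a["org_access"] == "full" and a["networks"]:
            findings.append(f"{a['email']}: network entries are superseded by full organization access")
        if a["org_access"] == "none" and not a["networks"]:
            findings.append(f"{a['email']}: no organization or network access assigned")
    return findings

if __name__ == "__main__":
    for admin in ADMINS:
        for net in ("N_hq", "N_lab"):
            print(admin["email"], net, effective_access(admin, net))
    for finding in audit(ADMINS):
        print("FINDING:", finding)
```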