Adding and Managing Custom Roles

You can create custom roles to manage administrator access using role‑based access control (RBAC). Custom roles let you assign permission levels, such as Read Only, Create, Edit, or Delete across different technology categories to support controlled access and delegation. System‑defined roles are available by default.

Before creating a custom role, review Understanding Administrator Roles and Privileges for details about administrator roles, and RBAC and ABAC Support to understand how roles, users, and groups (single sign‑on (SSO) or privilege groups) interact.

Create a custom role as follows:

  1. Click Manage My Account to go to the tenant portal for your account.

    You can access Manage My Account from the top-right corner of most MSP portal pages.

    The RUCKUS One web interface is displayed.
  2. On the navigation bar, select Administration > Account Management > Users & Privileges.
  3. Click the Roles sub-tab.
    The following information is displayed:
    • Name: Displays the name of the role.
    • Description: Displays a description of the role.
    • Role Type: Displays whether the role is system-defined or custom. System-defined roles are preconfigured and cannot be modified. Custom roles are user-defined and editable (depending on the assigned privileges).
  4. Click Add Role.
    The Add Admin Role page is displayed.
  5. Enter the role name and a short description for the role on the General page.
    Note: You cannot create a custom role with the same name as a system-defined role.
  6. Click Next.
    The Permissions page is displayed with the following types of permissions: Global Permissions and Advanced Permissions.
    • Global Permissions apply broadly across the system and include the following categories:
      • Wi-Fi: Controls access to wireless infrastructure and services, including venues, access points, SSIDs, client visibility, identity services, and Wi‑Fi–related network control features.
      • Wired: Controls access to wired infrastructure and services, including switches, wired network profiles, PON components, wired clients, and related network control and portal features.
      • Gateways: Controls access to gateway and edge services, including RUCKUS Edge, RUCKUS WAN Gateway, IoT controllers, and gateway‑level network control capabilities.
      • AI: Controls access to analytics, assurance, insights, reporting, and data visualization features that provide network intelligence and operational insights.
      • Admin: Controls access to administrative functions, including account management, licensing, system configuration, timeline, and other platform‑level administrative settings.
      • Templates: Controls access to configuration template operations, including create, update, delete, apply, view drift status, sync changes, enforce, and clone, based on the assigned permission level.
        Note: Templates in RUCKUS One are managed using Global Permissions and are not configured through Advanced Permissions.
      • MSP: Controls access to managed service provider (MSP) functionality, including tenant‑level administration and cross‑tenant operations, and is visible only to MSP administrators.
        Note: The MSP functionality is visible only to MSP administrators, allowing them to configure granular access control for MSP-EC tenants.
    • Advanced Permissions provide more granular, scope‑based controls and include the following sub‑tabs:
      • Wi-Fi
      • Wired
      • Gateways
      • AI
      • Admin
      • MSP

      The permission categories in each tab mirror the sections of the main navigation menu on the left side of the RUCKUS One web interface, helping administrators align access control with functional areas of the application.

    Note: If no permissions are explicitly configured at either the Global Permissions or Advanced Permissions level, Read Only access is enforced by default.
    Note: Permissions granted through roles are applied subject to assigned scopes. Even when a permission is enabled, access may be restricted by scope limitations, such as a tenant or venue scope.
  7. (Optional) Click the Global Permissions tab and assign the following permissions for the required high‑level categories:
    • Read Only (set by default): View access only.
    • Create: Permission to create new configurations.
      Note: The Create permission for Templates includes Create Template, Apply Template, and Clone Template.
    • Edit: Permission to modify existing configurations.
      Note: The Edit permission for Templates includes Update Template, Sync Drift Report, and Enforce Template.
    • Delete: Permission to remove configurations.
    Note:

    Refer to Management Scope for Permissions for details on supported and unsupported functionality scopes.

  8. (Optional) Select the Advanced Permissions tab to manage role permissions for specific features and functionalities within each category. By default, the Wi-Fi sub-tab is displayed. To configure granular access controls, complete the following steps:
    1. Click a category sub‑tab (for example, Wi-Fi, Wired, Gateways, AI, or Admin) to access specific functionalities.
    2. Within the selected category, click the icon next to a feature group (for example, Venue in the Wi-Fi category) to view its individual features.
    3. For each feature, select one or more of the following permission levels: Read Only, Create, Edit, or Delete.
      Note:
      • Default selections in the Advanced Permissions tab depend on the choices made in the Global Permissions tab, but you can change them. Permissions set in the Advanced Permissions tab override those set at the global level.
      • If you see a hyphen () instead of a checkmark () for a specific category action (Create, Edit, or Delete), the indicator shows that the permission for that action is not granted uniformly at the Advanced Permissions level for that category. You can click the hyphen to grant the permission globally, but this may still result in partial inheritance of permissions at the Advanced Permissions level. RUCKUS recommends checking the Advanced Permissions for the category and modifying them as necessary.
      • Selecting a permission at the parent feature‑group level automatically applies it to all child features.
      • Some features support only a subset of permissions. Unsupported actions remain Read Only.
      • Feature visibility does not guarantee action availability. Available actions depend on role permissions and assigned scopes.
    4. Configure permissions individually for each feature within the expanded functional area.
    5. Repeat these steps for all required category sub‑tabs and their associated features.
    6. After completing the permission configuration, click Next to proceed to the Summary step.
  9. Click Next.
    The Summary page is displayed, providing details about the administrator role and permissions. Verify this information.
  10. Click Add.
    The newly created custom role is added to the list of roles in the Roles sub-tab. A notification is displayed on the Activities page, accessible from the icon at the top-right corner of the RUCKUS One web interface.
  11. In the Roles sub‑tab, select the radio button alongside the name of the role to display the following options:
    • Edit
    • Delete
      Note: Only custom roles can be edited or deleted. Built‑in roles cannot be modified or removed.
      Note: Changes to role permissions take effect immediately for all assigned users.

      A notification appears on the Activities page whenever a role is edited or deleted.

  12. (Optional) Click Edit to modify the role's General details or Permissions.
    The Edit Admin Role: <Role Name> page is displayed. Modify the information as required:
    1. Click General to modify the role name or description.
    2. Click Permissions to modify Global Permissions or Advanced Permissions.
    3. Click Apply.
  13. (Optional) Click Delete to delete a role.
    A confirmation pop-up message is displayed.
    1. Review the message.
    2. Click Delete Role.