Management Scope for Permissions

The following table maps global RBAC functionalities to their corresponding advanced scopes, outlining the permitted actions (Create, Edit, Delete, Read Only) for each. This enables fine-grained administrative control across network components and services when creating a custom role.

Table 1. Management Scope for Permissions
Global Permissions - Category	Advanced Permissions - Functional Area and Features	User Permission
Wi-Fi	Venue > Wi-Fi	Permitted venue Wi-Fi operations include: Manage venue Wi-Fi settings Add and remove APs within a venue Activate or deactivate Wi-Fi networks within a venue Enable or disable DHCP services for the venue Note: The following actions are not allowed: Create new Wi-Fi networks Modify mDNS Proxy settings Modify Venue settings, such as floor plans or other core venue configurations Access any settings or scopes outside of the Venue Wi-Fi role
	Venue > Venue Management	Provides full access to create, modify, or remove venue information.
	Venue > Property Management	Provides full access to manage property-level data associated with a venue. Note: Grants read-only access to the resident portal setting. Note: Grants full access to registration messaging templates.
	Venue > Property Management - Units	Provides full access to control creation and management of unit-level data within a venue.
	Wi-Fi > Wi-Fi Networks	Provides full access to manage Wi-Fi networks. Create, update, or delete Wi-Fi networks Note: Activating or deactivating Wi-Fi networks at venues requires Venue > Wi-Fi advanced permissions. Without this, the user cannot perform these actions. Export reports (WLAN Report, Application Report, Wireless Report) Note: The user cannot schedule reports (WLAN Report, Application Report, Wireless Report)
	Wi-Fi > Access Points	Provides only Edit permission on AP configuration. Note: The user cannot add or delete APs. Note: The user cannot add, edit, or delete AP Groups. Note: The user cannot change venue settings.
	Clients > Wireless	Provides full access to manage Wi-Fi clients and guest passes.
	Clients > Identity Management	Provides full access to manage identity and identity groups.
	Network Control (Services) > DPSK DPSK Passphrases Wi-Fi Calling Guest Portal Resident Portal MDNS Proxy DHCP	Provides full access to manage individual network control services. Note: DPSK permissions do not imply DPSK Passphrases permissions; they are managed independently. Note: Each Network Control service must be explicitly selected for access.
	Network Control (Profiles) > Access Control Adaptive Policy Client Isolation Identity Provider MAC Registration List Location Based Service RADIUS Server Rogue AP Detection SNMP Agent Syslog Server Tunneling VLAN Pool Wi-Fi Operator Workflow SoftGRE Profile Directory Server Ipsec Profile Ethernet Port Profile Certificate Authority Certificate Templates	Provides full access to manage individual network control policies and profiles. Note: The user cannot activate or deactivate the Syslog Server profile on venues. Note: Scope mapping is not available for SAML Identity Providers but is available for Hotspot 2.0 Identity Providers. Note: Each Network Control profile or policy must be explicitly selected for access.
Wired	Venue > Switch	Manages Venue Switch settings. Create and edit venues associated with switches. Note: Deleting a venue is not supported. When configuring a venue, the Configure button is available only with Edit permission. The following settings have only Edit permission: General (Configuration Profile, DNS, Syslog Server) AAA (RADIUS, TACACS, Local Users) Provides full access in the Venue Overview > Devices > Switch page. Note: Floor plans are read-only, even when a Venue Switch has full access permission.
	Wired > Switches	Based on the permission level assigned, the following operations are permitted: Add, edit, or remove a switch Add or remove a stack Import from file Configure a CLI session Stack switches Blink LEDs The More Actions option is available for Edit and Delete permissions. Note: If the switch is part of a stack, the Reboot Switch and Delete Switch options appear as Reboot Stack and Delete Stack, respectively. Add, update, or remove LAGs Add, update, or remove VLAN Interfaces and Default VLAN settings. Use tools like Ping, Trace Route, IP Route, and MAC Address Table. Add, update, or remove the Error Disable Recovery setting. Port edits are permitted only with Edit permission. Note: Delete operation is not available for ports. View, restore, download, or delete switch restore and backup configuration. The options available varies depending on the specific permission level assigned. Add, update, or remove DHCP pools. Add, update, or remove Authentication profiles. Add, update, or remove ICX port profiles, MAC OUIs, and LLDP TLVs. Add, update, or remove the Static Route setting only when the associated switch has Edit permission.
	Wired > Wired Network Profile	Provides full access for the profile lifecycle. Add, update, or remove Default VLAN setting.
	Clients > Wired	Provides full access support. Note: Port edits are not permitted under any permission level.
	Network Control (Services) > Web Authority	Provides full access support. Enables configuration of web authentication policies and templates.
	AI (AI Assurance, Business Insight, Reports)	Prepares wired reports. Note: Create, Edit, and Delete permissions for AI Assurance are bundled together. Selecting one automatically selects the other two permissions.
	Administration (Account Management)	Provides full access support to standard admin controls.
Gateways	RUCKUS Edge > Edge Management	Provides full access to manage RUCKUS Edge devices, clusters, configurations, WAN gateway settings, service-level configurations for gateways, and high-quality service policies. Note: Edge and RWG device management is allowed only with venue-level permissions. This means, users cannot manage or assign devices to venues they do not have access to. Note: Each Network Control service, policy, or profile must be explicitly selected for access.
	Network Control (Policies) > HQoS
	Network Control (Services) > DHCP PIN SDLAN MDNS Proxy
	RUCKUS WAN Gateway > RWG
AI	AI Assurance > AI Analytics Network Assurance	Provides access to monitor and manage the network for optimal performance. Note: Create, Edit, and Delete permissions for AI Assurance are bundled together. Selecting one at the global level automatically enables the other two permissions in a partially-enabled state. To fully enable them, configure each individually in the Advanced Permissions tab.
AI	Business Insights > Data Studio Reports	Provides full access support to view and generate business intelligence reports. Note: Create, Edit, and Delete permissions for Business Insights are bundled together. Selecting one at the global level automatically enables the other two permissions in a partially-enabled state. To fully enable them, configure each individually in the Advanced Permissions tab.
Admin	Licensing	Provides full access to manage licenses.
	Account Setup	Provides full access to manage account-level configurations.
	Timeline	Provides full access to manage account activities, events, and admin logs.
	Account Management	Provides full access to manage tenant administration, firmware, the app library, or modify specific entries in the Activities log.
MSP	MSP > MSP and Tech Partners Management	Provides full access to manage MSP and Tech Partners tenants and entitlements. Note: You can add and configure permissions for MSP roles for Tech Partners only. You cannot add MSP roles for Customers.
	MSP > Templates	Provides full access to manage configuration templates.
	MSP > MSP Portal	Provides full access to manage MSP portal settings. Note: Create operation is only supported during first-time login, and only Edit operation thereafter. Note: Delete operation is not supported for any of the MSP functionalities.