cisco.dnac.user_role_workflow_manager module – Resource module for managing users and roles in Cisco Catalyst Center.
Note
This module is part of the cisco.dnac collection (version 6.27.0).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install cisco.dnac
.
You need further requirements to be able to use this module,
see Requirements for details.
To use it in a playbook, specify: cisco.dnac.user_role_workflow_manager
.
New in cisco.dnac 6.17.0
Synopsis
Manages operations to create, update, and delete users and roles in Cisco Catalyst Center.
Provides APIs to create, update, and delete users and roles.
Requirements
The below requirements are needed on the host that executes this module.
dnacentersdk >= 2.7.2
python >= 3.9.19
Parameters
Parameter |
Comments |
---|---|
A dictionary containing the configuration details for users or roles. |
|
Manages the configuration details for roles. |
|
Ensure consistent service levels with complete visibility across all aspects of the network. Choices:
|
|
Monitor and manage network health, troubleshoot issues, and perform remediation. Includes proactive network monitoring and AI-driven insights. Choices:
|
|
Configure and manage health thresholds for the network, clients, and applications. Requires at least ‘read’ permission for Monitoring and Troubleshooting. Choices:
|
|
Set the same access level for all sub-parameters. Choices:
|
|
Create and manage sensor tests. Schedule on-demand forensic packet captures (Intelligent Capture) for troubleshooting clients. Requires at least ‘read’ permission for Monitoring and Troubleshooting. Choices:
|
|
A brief description of the role’s purpose and scope. |
|
Manage components related to network analytics. |
|
Enable access to query engine APIs. Manage functions such as global search, rogue management, and aWIPS. Setting this to ‘deny’ affects Search and Assurance functionality. Choices:
|
|
Set the same access level for all sub-parameters. Choices:
|
|
Set up the network hierarchy, update the software image repository, and configure network profiles and settings for managing sites and network devices. |
|
Update network settings, including global device credentials, authentication and policy servers, certificates, trustpool, cloud access keys, stealthwatch, umbrella, and data anonymization. Export the device inventory and its credentials. Requires at least ‘read’ permission on Network Settings. Choices:
|
|
Manage software images and facilitate upgrades and updates on physical and virtual network entities Choices:
|
|
Define and create a network hierarchy of sites, buildings, floors, and areas based on geographic location. |
|
Create network profiles for routing, switching, and wireless. Assign profiles to sites. Includes roles such as template editor, tagging, model config editor, and authentication template. To create SSIDs, ‘write’ permission on network settings is required. Choices:
|
|
Manage common site-wide network settings such as AAA, NTP, DHCP, DNS, Syslog, SNMP, and Telemetry. Users in this role can add an SFTP server and adjust the Network Resync Interval found under Systems > Settings. To create wireless profiles, ‘write’ permission on Network Profiles is required. Choices:
|
|
Set the same access level for all sub-parameters. Choices:
|
|
Manage virtual networks (VNs). Segment physical networks into multiple logical networks for traffic isolation and controlled inter-VN communication. Choices:
|
|
Configure, upgrade, provision, and manage network devices. |
|
Manage compliance provisioning. Choices:
|
|
Scan the network for End of Life, End of Sales, or End of Support information for hardware and software. Choices:
|
|
Upgrade software images on devices that do not match the Golden Image settings after a complete upgrade lifecycle. Choices:
|
|
Discover, add, replace, or delete devices while managing device attributes and configuration properties. To replace a device, ‘write’ permission is required for pnp under network provision. |
|
Display the running configuration of a device. Choices:
|
|
Discover new devices on the network. Choices:
|
|
Add devices from inventory, view device details, and perform device-level actions. Choices:
|
|
Provides the same choice for all sub-parameters. Choices:
|
|
Allow port actions on a device. Choices:
|
|
Display the network device and link connectivity. Manage device roles, tag devices, customize the display, and save custom topology layouts. To view the SD-Access Fabric window, at least ‘read’ permission on “Network Provision > Inventory Management > Topology” is required. Choices:
|
|
Unified view of software and network assets related to license usage and compliance. Also controls permissions for cisco.com and Smart accounts. Choices:
|
|
Enable or disable the collection of application telemetry from devices. Configure telemetry settings for the assigned site. Configure additional settings such as wireless service assurance and controller certificates. To enable or disable network telemetry, ‘write’ permission on Provision is required. Choices:
|
|
Provides the same choice for all sub-parameters. Choices:
|
|
Automatically onboard new devices, assign them to sites, and configure them with site-specific settings. Choices:
|
|
Provision devices with site-specific settings and network policies. Includes roles such as Fabric, Application Policy, Application Visibility, Cloud, Site-to-Site VPN, Network/Application Telemetry, Stealthwatch, Sync Start vs Run Configuration, and Umbrella provisioning. On the main dashboards for rogue and aWIPS, certain actions, including rogue containment, can be enabled or disabled. To provision devices, ‘write’ permission on Network Design and Network Provision is required. Choices:
|
|
Configure additional capabilities on the network beyond basic network connectivity and access. Default: |
|
Deploy, manage, and monitor virtualized and container-based applications running on network devices. Choices:
|
|
Enable the Wide Area Bonjour service to facilitate policy-based service discovery across the network. Choices:
|
|
Provides the same choice for all sub-parameters. Choices:
|
|
Configure network elements to send data to Cisco Stealthwatch for threat detection and mitigation, including encrypted traffic. To provision Stealthwatch, ‘write’ permission is required for the following components. Network Design > Network Settings. Network Provision > Provision. Network Services > Stealthwatch. Network Design > Advanced Settings. Choices:
|
|
Configure network elements to use Cisco Umbrella as a first line of defense against cybersecurity threats. To provision Umbrella, ‘write’ permission is required for the following components. Network Design > Network Settings. Network Provision > Provision. Network Provision > Scheduler. Network Services > Umbrella. Choices:
|
|
Open platform for accessible, intent-based workflows, data exchange, notifications, and third-party app integrations. Default: |
|
Access Cisco Catalyst Center through REST APIs to drive value. Choices:
|
|
Enhance productivity by configuring and activating preconfigured bundles for ITSM integration. Choices:
|
|
Subscribe to near real-time notifications for network and system events of interest. Configure email and syslog logs in System > Settings > Destinations. Choices:
|
|
Provides the same choice for all sub-parameters. Choices:
|
|
Generate reports using predefined templates for all aspects of the network. Generate reports for rogue devices and aWIPS. Configure webhooks in System > Settings > Destinations. Choices:
|
|
The name of the role to be managed. |
|
Manage and control secure access to the network. Default: |
|
Manage group-based policies for networks that enforce segmentation and access control based on Cisco security group tags. This role includes Endpoint Analytics. Choices:
|
|
Manage IP-based access control lists that enforce network segmentation based on IP addresses. Choices:
|
|
Provides the same choice for all sub-parameters. Choices:
|
|
Scan the network for security advisories. Review and understand the impact of published Cisco security advisories. Choices:
|
|
Centralized administration of Cisco Catalyst Center, including configuration management, network connectivity, software upgrades, and more. Default: |
|
Configure automatic updates to the machine reasoning knowledge base to rapidly identify security vulnerabilities and improve automated issue analysis. Choices:
|
|
Provides the same choice for all sub-parameters. Choices:
|
|
Manage core system functionality and connectivity settings, user roles, and external authentication. This role includes Cisco Credentials, Integrity Verification, Device EULA, HA, Integration Settings, Disaster Recovery, Debugging Logs, Telemetry Collection, System EULA, IPAM, vManage Servers, Cisco AI Analytics, Backup & Restore, and Data Platform. Choices:
|
|
One-stop-shop productivity resource for the most commonly used troubleshooting tools and services. |
|
Detailed log of changes made via UI or API interface to network devices or Cisco Catalyst Center. Choices:
|
|
View network device and client events for troubleshooting. Choices:
|
|
Allow the Cisco support team to remotely troubleshoot the network devices managed by Cisco Catalyst Center. Enables an engineer from the Cisco Technical Assistance Center (TAC) to connect remotely to a customer’s Cisco Catalyst Center setup for troubleshooting. Choices:
|
|
Provides the same choice for all sub-parameters. Choices:
|
|
Allow Cisco support team to remotely troubleshoot any network devices managed by Cisco Catalyst Center. Choices:
|
|
Run, schedule, and monitor network tasks and activities such as deploying policies, provisioning, or upgrading the network, integrated with other back-end services. Choices:
|
|
Search for various objects in Cisco Catalyst Center, including sites, network devices, clients, applications, policies, settings, tags, menu items, and more. Choices:
|
|
Manages the configuration details for user accounts. |
|
The email address of the user (e.g., syedkhadeerahmed@example.com). Used to retrieve user data if the ‘username’ is forgotten. Required for user deletion if the ‘username’ is forgotten. |
|
The first name of the user. |
|
The last name of the user. |
|
The password for the user account, which must adhere to specified complexity requirements. Must contain at least one special character, one capital letter, one lowercase letter, and a minimum length of 8 characters. Required for creating a new user account. |
|
Indicates whether the password should be updated. Set to `true` to trigger a password update. Required if a password change is necessary; must be explicitly set to `true` to initiate the update process. If no update is needed, omit this parameter or set it to `false`. Ensure this parameter is correctly set to avoid unnecessary updates or errors. |
|
A list of role names to be assigned to the user. If no role is specified, the default role will be “OBSERVER-ROLE”. The role names must match with those defined in the Cisco Catalyst Center. The default roles present in the Cisco Catalyst Center are “SUPER-ADMIN-ROLE”, “NETWORK-ADMIN-ROLE”, “OBSERVER-ROLE”. SUPER-ADMIN-ROLE grants Full access, including user management. NETWORK-ADMIN-ROLE grants Full network access, no system functions. OBSERVER-ROLE grants view-only access, no configuration or control functions. |
|
The ‘username’ associated with the user account. Required for user create, update and delete operations. |
|
Set to True to verify the Cisco Catalyst Center after applying the playbook config. Choices:
|
|
Defines the timeout in seconds for API calls to retrieve task details. If the task details are not received within this period, the process will end, and a timeout notification will be logged. Default: |
|
Indicates whether debugging is enabled in the Cisco Catalyst Center SDK. Choices:
|
|
The hostname of the Cisco Catalyst Center. |
|
Flag to enable/disable playbook execution logging. When true and dnac_log_file_path is provided, - Create the log file at the execution location with the specified name. When true and dnac_log_file_path is not provided, - Create the log file at the execution location with the name ‘dnac.log’. When false, - Logging is disabled. If the log file doesn’t exist, - It is created in append or write mode based on the “dnac_log_append” flag. If the log file exists, - It is overwritten or appended based on the “dnac_log_append” flag. Choices:
|
|
Determines the mode of the file. Set to True for ‘append’ mode. Set to False for ‘write’ mode. Choices:
|
|
Governs logging. Logs are recorded if dnac_log is True. If path is not specified, - When ‘dnac_log_append’ is True, ‘dnac.log’ is generated in the current Ansible directory; logs are appended. - When ‘dnac_log_append’ is False, ‘dnac.log’ is generated; logs are overwritten. If path is specified, - When ‘dnac_log_append’ is True, the file opens in append mode. - When ‘dnac_log_append’ is False, the file opens in write (w) mode. - In shared file scenarios, without append mode, content is overwritten after each module execution. - For a shared log file, set append to False for the 1st module (to overwrite); for subsequent modules, set append to True. Default: |
|
Sets the threshold for log level. Messages with a level equal to or higher than this will be logged. Levels are listed in order of severity [CRITICAL, ERROR, WARNING, INFO, DEBUG]. CRITICAL indicates serious errors halting the program. Displays only CRITICAL messages. ERROR indicates problems preventing a function. Displays ERROR and CRITICAL messages. WARNING indicates potential future issues. Displays WARNING, ERROR, CRITICAL messages. INFO tracks normal operation. Displays INFO, WARNING, ERROR, CRITICAL messages. DEBUG provides detailed diagnostic info. Displays all log messages. Default: |
|
The password for authentication at the Cisco Catalyst Center. |
|
Specifies the port number associated with the Cisco Catalyst Center. Default: |
|
Specifies the interval in seconds between successive calls to the API to retrieve task details. Default: |
|
The username for authentication at the Cisco Catalyst Center. Default: |
|
Flag to enable or disable SSL certificate verification. Choices:
|
|
Specifies the version of the Cisco Catalyst Center that the SDK should use. Default: |
|
The state of Cisco Catalyst Center after module completion. Choices:
|
|
Flag for Cisco Catalyst Center SDK to enable the validation of request bodies against a JSON schema. Choices:
|
Notes
Note
SDK Methods used - user_and_roles.UserandRoles.get_user_api - user_and_roles.UserandRoles.add_user_api - user_and_roles.UserandRoles.update_user_api - user_and_roles.UserandRoles.delete_user_api
Paths used - get /dna/system/api/v1/user - post /dna/system/api/v1/user - put /dna/system/api/v1/user - delete /dna/system/api/v1/user/{userId}
Does not support
check_mode
The plugin runs on the control node and does not use any ansible connection plugins instead embedded connection manager from Cisco Catalyst Center SDK
The parameters starting with dnac_ are used by the Cisco Catalyst Center Python SDK to establish the connection
Examples
---
- name: Create a user
cisco.dnac.user_role_workflow_manager:
dnac_host: "{{ dnac_host }}"
dnac_username: "{{ dnac_username }}"
dnac_password: "{{ dnac_password }}"
dnac_verify: "{{ dnac_verify }}"
dnac_port: "{{ dnac_port }}"
dnac_version: "{{ dnac_version }}"
dnac_debug: "{{ dnac_debug }}"
dnac_log: True
dnac_log_level: DEBUG
config_verify: True
dnac_api_task_timeout: 1000
dnac_task_poll_interval: 1
state: merged
config:
user_details:
- username: "ajithandrewj"
first_name: "ajith"
last_name: "andrew"
email: "[email protected]"
password: "Example@0101"
role_list: ["SUPER-ADMIN-ROLE"]
- name: Update a user for first name, last name, email, and role list
cisco.dnac.user_role_workflow_manager:
dnac_host: "{{ dnac_host }}"
dnac_username: "{{ dnac_username }}"
dnac_password: "{{ dnac_password }}"
dnac_verify: "{{ dnac_verify }}"
dnac_port: "{{ dnac_port }}"
dnac_version: "{{ dnac_version }}"
dnac_debug: "{{ dnac_debug }}"
dnac_log: True
dnac_log_level: DEBUG
config_verify: True
dnac_api_task_timeout: 1000
dnac_task_poll_interval: 1
state: merged
config:
user_details:
- username: "ajithandrewj"
first_name: "ajith"
last_name: "andrew"
email: "[email protected]"
role_list: ["SUPER-ADMIN-ROLE"]
- name: Update a user for role list
cisco.dnac.user_role_workflow_manager:
dnac_host: "{{ dnac_host }}"
dnac_username: "{{ dnac_username }}"
dnac_password: "{{ dnac_password }}"
dnac_verify: "{{ dnac_verify }}"
dnac_port: "{{ dnac_port }}"
dnac_version: "{{ dnac_version }}"
dnac_debug: "{{ dnac_debug }}"
dnac_log: True
dnac_log_level: DEBUG
config_verify: True
dnac_api_task_timeout: 1000
dnac_task_poll_interval: 1
state: merged
config:
user_details:
- username: "ajithandrewj"
role_list: ["NETWORK-ADMIN-ROLE"]
- name: Update the user password
cisco.dnac.user_role_workflow_manager:
dnac_host: "{{ dnac_host }}"
dnac_username: "{{ dnac_username }}"
dnac_password: "{{ dnac_password }}"
dnac_verify: "{{ dnac_verify }}"
dnac_port: "{{ dnac_port }}"
dnac_version: "{{ dnac_version }}"
dnac_debug: "{{ dnac_debug }}"
dnac_log: True
dnac_log_level: DEBUG
config_verify: True
dnac_api_task_timeout: 1000
dnac_task_poll_interval: 1
state: merged
config:
user_details:
- username: "ajithandrewj"
password: "Example@010101"
password_update: True
- name: Delete a user using username or email address
cisco.dnac.user_role_workflow_manager:
dnac_host: "{{ dnac_host }}"
dnac_username: "{{ dnac_username }}"
dnac_password: "{{ dnac_password }}"
dnac_verify: "{{ dnac_verify }}"
dnac_port: "{{ dnac_port }}"
dnac_version: "{{ dnac_version }}"
dnac_debug: "{{ dnac_debug }}"
dnac_log: True
dnac_log_level: DEBUG
config_verify: True
dnac_api_task_timeout: 1000
dnac_task_poll_interval: 1
state: deleted
config:
user_details:
username: "ajithandrewj"
- name: Create a role with all params
cisco.dnac.user_role_workflow_manager:
dnac_host: "{{ dnac_host }}"
dnac_username: "{{ dnac_username }}"
dnac_password: "{{ dnac_password }}"
dnac_verify: "{{ dnac_verify }}"
dnac_port: "{{ dnac_port }}"
dnac_version: "{{ dnac_version }}"
dnac_debug: "{{ dnac_debug }}"
dnac_log: True
dnac_log_level: DEBUG
config_verify: True
config:
role_details:
- role_name: "role_name"
description: "role_description"
assurance:
- monitoring_and_troubleshooting: "write"
monitoring_settings: "read"
troubleshooting_tools: "deny"
network_analytics:
- data_access: "write"
network_design:
- advanced_network_settings: "deny"
image_repository: "deny"
network_hierarchy: "deny"
network_profiles: "write"
network_settings: "write"
virtual_network: "read"
network_provision:
- compliance: "deny"
eox: "read"
image_update: "write"
inventory_management:
- device_configuration: "write"
discovery: "deny"
network_device: "read"
port_management: "write"
topology: "write"
license: "write"
network_telemetry: "write"
pnp: "deny"
provision: "read"
network_services:
- app_hosting: "deny"
bonjour: "write"
stealthwatch: "read"
umbrella: "deny"
platform:
- apis: "write"
bundles: "write"
events: "write"
reports: "read"
security:
- group_based_policy: "read"
ip_based_access_control: "write"
security_advisories: "write"
system:
- machine_reasoning: "read"
system_management: "write"
utilities:
- audit_log: "read"
event_viewer: "deny"
network_reasoner: "write"
remote_device_support: "read"
scheduler: "read"
search: "write"
- name: Create a role for assurance
cisco.dnac.user_role_workflow_manager:
dnac_host: "{{ dnac_host }}"
dnac_username: "{{ dnac_username }}"
dnac_password: "{{ dnac_password }}"
dnac_verify: "{{ dnac_verify }}"
dnac_port: "{{ dnac_port }}"
dnac_version: "{{ dnac_version }}"
dnac_debug: "{{ dnac_debug }}"
dnac_log: True
dnac_log_level: DEBUG
config_verify: True
config:
role_details:
- role_name: "role_name"
description: "role_description"
assurance:
- overall: "write"
monitoring_and_troubleshooting: "read"
- name: Create a role for network provision
cisco.dnac.user_role_workflow_manager:
dnac_host: "{{ dnac_host }}"
dnac_username: "{{ dnac_username }}"
dnac_password: "{{ dnac_password }}"
dnac_verify: "{{ dnac_verify }}"
dnac_port: "{{ dnac_port }}"
dnac_version: "{{ dnac_version }}"
dnac_debug: "{{ dnac_debug }}"
dnac_log: True
dnac_log_level: DEBUG
config_verify: True
config:
role_details:
- role_name: "role_name"
description: "role_description"
network_provision:
- compliance: "deny"
image_update: "write"
inventory_management:
- overall: "read"
device_configuration: "write"
license: "write"
network_telemetry: "write"
pnp: "deny"
provision: "read"
- name: Update a role for assurance and platform
cisco.dnac.user_role_workflow_manager:
dnac_host: "{{ dnac_host }}"
dnac_username: "{{ dnac_username }}"
dnac_password: "{{ dnac_password }}"
dnac_verify: "{{ dnac_verify }}"
dnac_port: "{{ dnac_port }}"
dnac_version: "{{ dnac_version }}"
dnac_debug: "{{ dnac_debug }}"
dnac_log: True
dnac_log_level: DEBUG
config_verify: True
config:
role_details:
- role_name: "role_name"
assurance:
- overall: "deny"
platform:
- apis: "write"
bundles: "write"
events: "write"
reports: "read"
- name: Delete a role
cisco.dnac.user_role_workflow_manager:
dnac_host: "{{ dnac_host }}"
dnac_username: "{{ dnac_username }}"
dnac_password: "{{ dnac_password }}"
dnac_verify: "{{ dnac_verify }}"
dnac_port: "{{ dnac_port }}"
dnac_version: "{{ dnac_version }}"
dnac_debug: "{{ dnac_debug }}"
dnac_log: True
dnac_log_level: DEBUG
config_verify: True
dnac_api_task_timeout: 1000
dnac_task_poll_interval: 1
state: deleted
config:
role_details:
- rolename: "role_name"
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
A dictionary with details of the API execution from Cisco Catalyst Center. Returned: always Sample: |
|
A dictionary with details of the API execution and error information. Returned: always Sample: |
|
A dictionary indicating role not found during delete operation. Returned: always Sample: |
|
A dictionary with details of the API execution from Cisco Catalyst Center. Returned: always Sample: |
|
A dictionary with details of the API execution from Cisco Catalyst Center. Returned: always Sample: |
|
A dictionary with existing user details indicating no update needed. Returned: always Sample: |
|
A dictionary with details of the API execution and error information. Returned: always Sample: |
|
A dictionary indicating user not found during delete operation. Returned: always Sample: |
|
A dictionary with details of the API execution from Cisco Catalyst Center. Returned: always Sample: |
|
A dictionary with details of the API execution from Cisco Catalyst Center. Returned: always Sample: |
|
A dictionary with details of the API execution from Cisco Catalyst Center. Returned: always Sample: |