cisco.dnac.user_role_workflow_manager module -- Resource module for managing users and roles in Cisco Catalyst Center.

Note

This module is part of the cisco.dnac collection (version 6.20.0).

To install it, use: ansible-galaxy collection install cisco.dnac. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: cisco.dnac.user_role_workflow_manager.

New in cisco.dnac 6.17.0

Synopsis

  • Manages operations to create, update, and delete users and roles in Cisco Catalyst Center.

  • Provides APIs to create, update, and delete users and roles.

Requirements

The below requirements are needed on the host that executes this module.

  • dnacentersdk >= 2.7.2

  • python >= 3.9.19

Parameters

Parameter

Comments

config

dictionary / required

A dictionary containing the configuration details for users or roles.

role_details

list / elements=dictionary

Manages the configuration details for roles.

assurance

string

Ensure consistent service levels with complete visibility across all aspects of the network.

Choices:

monitoring_and_troubleshooting

string

Monitor and manage network health, troubleshoot issues, and perform remediation.

Includes proactive network monitoring and AI-driven insights.

Choices:

monitoring_settings

string

Configure and manage health thresholds for the network, clients, and applications.

Requires at least 'read' permission for Monitoring and Troubleshooting.

Choices:

overall

string

troubleshooting_tools

string

Create and manage sensor tests.

Schedule on-demand forensic packet captures (Intelligent Capture) for troubleshooting clients.

Requires at least 'read' permission for Monitoring and Troubleshooting.

Choices:

description

string

A brief description of the role's purpose and scope.

network_analytics

string

Manage components related to network analytics.

data_access

string

Enable access to query engine APIs.

Manage functions such as global search, rogue management, and aWIPS.

Setting this to 'deny' affects Search and Assurance functionality.

Choices:

overall

string

network_design

string

Set up the network hierarchy, update the software image repository, and configure network profiles and settings for managing sites and network devices.

advanced_network_settings

string

Update network settings, including global device credentials, authentication and policy servers, certificates, trustpool, cloud access keys, stealthwatch, umbrella, and data anonymization.

Export the device inventory and its credentials.

Requires at least 'read' permission on Network Settings.

Choices:

image_repository

string

Manage software images and facilitate upgrades and updates on physical and virtual network entities.

Choices:

network_hierarchy

string

Define and create a network hierarchy of sites, buildings, floors, and areas based on geographic location.

network_profiles

string

Create network profiles for routing, switching, and wireless. Assign profiles to sites.

Includes roles such as template editor, tagging, model config editor, and authentication template.

To create SSIDs, 'write' permission on network settings is required.

Choices:

network_settings

string

Manage common site-wide network settings such as AAA, NTP, DHCP, DNS, Syslog, SNMP, and Telemetry.

Users in this role can add an SFTP server and adjust the Network Resync Interval found under Systems > Settings.

To create wireless profiles, 'write' permission on Network Profiles is required.

Choices:

overall

string

virtual_network

string

Manage virtual networks (VNs). Segment physical networks into multiple logical networks for traffic isolation and controlled inter-VN communication.

Choices:

network_provision

string

Configure, upgrade, provision, and manage network devices.

compliance

string

exo

string

Scan the network for End of Life, End of Sales, or End of Support information for hardware and software.

Choices:

image_update

string

Upgrade software images on devices that do not match the Golden Image settings after a complete upgrade lifecycle.

Choices:

inventory_management

list / elements=dictionary

Discover, add, replace, or delete devices while managing device attributes and configuration properties.

To replace a device, 'write' permission is required for pnp under network provision.

device_configuration

string

discovery

string

network_device

string

Add devices from inventory, view device details, and perform device-level actions.

Choices:

overall

string

port_management

string

topology

string

Display the network device and link connectivity.

Manage device roles, tag devices, customize the display, and save custom topology layouts.

To view the SD-Access Fabric window, at least 'read' permission on "Network Provision > Inventory Management > Topology" is required.

Choices:

license

string

Unified view of software and network assets related to license usage and compliance.

Also controls permissions for cisco.com and Smart accounts.

Choices:

network_telemetry

string

Enable or disable the collection of application telemetry from devices.

Configure telemetry settings for the assigned site.

Configure additional settings such as wireless service assurance and controller certificates.

To enable or disable network telemetry, 'write' permission on Provision is required.

Choices:

overall

string

pnp

string

Automatically onboard new devices, assign them to sites, and configure them with site-specific settings.

Choices:

provision

string

Provision devices with site-specific settings and network policies.

Includes roles such as Fabric, Application Policy, Application Visibility, Cloud, Site-to-Site VPN, Network/Application Telemetry, Stealthwatch, Sync Start vs Run Configuration, and Umbrella provisioning.

On the main dashboards for rogue and aWIPS, certain actions, including rogue containment, can be enabled or disabled.

To provision devices, 'write' permission on Network Design and Network Provision is required.

Choices:

network_services

string

Configure additional capabilities on the network beyond basic network connectivity and access.

Default: "read"

app_hosting

string

Deploy, manage, and monitor virtualized and container-based applications running on network devices.

Choices:

bonjour

string

Enable the Wide Area Bonjour service to facilitate policy-based service discovery across the network.

Choices:

overall

string

stealthwatch

string

Configure network elements to send data to Cisco Stealthwatch for threat detection and mitigation, including encrypted traffic.

To provision Stealthwatch, 'write' permission is required for the following components.

Network Design > Network Settings.

Network Provision > Provision.

Network Services > Stealthwatch.

Network Design > Advanced Settings.

Choices:

umbrella

string

Configure network elements to use Cisco Umbrella as a first line of defense against cybersecurity threats.

To provision Umbrella, 'write' permission is required for the following components.

Network Design > Network Settings.

Network Provision > Provision.

Network Provision > Scheduler.

Network Services > Umbrella.

Choices:

platform

string

Open platform for accessible, intent-based workflows, data exchange, notifications, and third-party app integrations.

Default: "deny"

apis

string

Access Cisco Catalyst Center through REST APIs to drive value.

Choices:

bundles

string

Enhance productivity by configuring and activating preconfigured bundles for ITSM integration.

Choices:

events

string

Subscribe to near real-time notifications for network and system events of interest.

Configure email and syslog logs in System > Settings > Destinations.

Choices:

overall

string

reports

string

Generate reports using predefined templates for all aspects of the network.

Generate reports for rogue devices and aWIPS.

Configure webhooks in System > Settings > Destinations.

Choices:

role_name

string

The name of the role to be managed.

security

string

Manage and control secure access to the network.

Default: "read"

group_based_policy

string

Manage group-based policies for networks that enforce segmentation and access control based on Cisco security group tags.

This role includes Endpoint Analytics.

Choices:

ip_based_access_control

string

Manage IP-based access control lists that enforce network segmentation based on IP addresses.

Choices:

overall

string

security_advisories

string

Scan the network for security advisories. Review and understand the impact of published Cisco security advisories.

Choices:

system

string

Centralized administration of Cisco Catalyst Center, including configuration management, network connectivity, software upgrades, and more.

Default: "read"

machine_reasoning

string

Configure automatic updates to the machine reasoning knowledge base to rapidly identify security vulnerabilities and improve automated issue analysis.

Choices:

overall

string

system_management

string

Manage core system functionality and connectivity settings, user roles, and external authentication.

This role includes Cisco Credentials, Integrity Verification, Device EULA, HA, Integration Settings, Disaster Recovery, Debugging Logs, Telemetry Collection, System EULA, IPAM, vManage Servers, Cisco AI Analytics, Backup & Restore, and Data Platform.

Choices:

utilities

string

One-stop-shop productivity resource for the most commonly used troubleshooting tools and services.

audit_log

string

Detailed log of changes made via UI or API interface to network devices or Cisco Catalyst Center.

Choices:

event_viewer

string

View network device and client events for troubleshooting.

Choices:

network_reasoner

string

Allow the Cisco support team to remotely troubleshoot the network devices managed by Cisco Catalyst Center.

Enables an engineer from the Cisco Technical Assistance Center (TAC) to connect remotely to a customer's Cisco Catalyst Center setup for troubleshooting.

Choices:

overall

string

remote_device_support

string

Allow Cisco support team to remotely troubleshoot any network devices managed by Cisco Catalyst Center.

Choices:

scheduler

string

Run, schedule, and monitor network tasks and activities such as deploying policies, provisioning, or upgrading the network, integrated with other back-end services.

Choices:

search

string

Search for various objects in Cisco Catalyst Center, including sites, network devices, clients, applications, policies, settings, tags, menu items, and more.

Choices:

user_details

list / elements=dictionary

Manages the configuration details for user accounts.

email

string

The email address of the user (e.g., syedkhadeerahmed@example.com).

Used to retrieve user data if the 'username' is forgotten.

Required for user deletion if the 'username' is forgotten.

first_name

string

The first name of the user.

last_name

string

The last name of the user.

password

string

The password for the user account, which must adhere to specified complexity requirements.

Must contain at least one special character, one capital letter, one lowercase letter, and a minimum length of 8 characters.

Required for creating a new user account.

password_update

string

Indicates whether the password should be updated.

Set to `true` to trigger a password update.

Required if a password change is necessary; must be explicitly set to `true` to initiate the update process.

If no update is needed, omit this parameter or set it to `false`.

Ensure this parameter is correctly set to avoid unnecessary updates or errors.

role_list

list / elements=string

A list of role names to be assigned to the user. If no role is specified, the default role will be "OBSERVER-ROLE".

The role names must match with those defined in the Cisco Catalyst Center.

The default roles present in the Cisco Catalyst Center are "SUPER-ADMIN-ROLE", "NETWORK-ADMIN-ROLE", "OBSERVER-ROLE".

SUPER-ADMIN-ROLE grants full access, including user management.

NETWORK-ADMIN-ROLE grants full network access, with no system functions.

OBSERVER-ROLE grants view-only access, with no configuration or control functions.

username

string

The 'username' associated with the user account.

Required for user create, update and delete operations.

config_verify

boolean

Set to True to verify the Cisco Catalyst Center after applying the playbook config.

Choices:

dnac_api_task_timeout

integer

Defines the timeout in seconds for API calls to retrieve task details. If the task details are not received within this period, the process will end, and a timeout notification will be logged.

Default: 1200

dnac_debug

boolean

Indicates whether debugging is enabled in the Cisco Catalyst Center SDK.

Choices:

dnac_host

string / required

The hostname of the Cisco Catalyst Center.

dnac_log

boolean

Flag to enable/disable playbook execution logging.

When true and dnac_log_file_path is provided, the log file is created at the execution location with the specified name.

When true and dnac_log_file_path is not provided, the log file is created at the execution location with the name 'dnac.log'.

When false, logging is disabled.

If the log file doesn't exist, it is created in append or write mode based on the "dnac_log_append" flag.

If the log file exists, it is overwritten or appended based on the "dnac_log_append" flag.

Choices:

dnac_log_append

boolean

Determines the mode of the file. Set to True for 'append' mode. Set to False for 'write' mode.

Choices:

dnac_log_file_path

string

Governs logging. Logs are recorded if dnac_log is True.

If path is not specified:

  • When 'dnac_log_append' is True, 'dnac.log' is generated in the current Ansible directory; logs are appended.

  • When 'dnac_log_append' is False, 'dnac.log' is generated; logs are overwritten.

If path is specified:

  • When 'dnac_log_append' is True, the file opens in append mode.

  • When 'dnac_log_append' is False, the file opens in write (w) mode.

  • In shared file scenarios, without append mode, content is overwritten after each module execution.

  • For a shared log file, set append to False for the 1st module (to overwrite); for subsequent modules, set append to True.

Default: "dnac.log"

dnac_log_level

string

Sets the threshold for log level. Messages with a level equal to or higher than this will be logged. Levels are listed in order of severity [CRITICAL, ERROR, WARNING, INFO, DEBUG].

CRITICAL indicates serious errors halting the program. Displays only CRITICAL messages.

ERROR indicates problems preventing a function. Displays ERROR and CRITICAL messages.

WARNING indicates potential future issues. Displays WARNING, ERROR, CRITICAL messages.

INFO tracks normal operation. Displays INFO, WARNING, ERROR, CRITICAL messages.

DEBUG provides detailed diagnostic info. Displays all log messages.

Default: "WARNING"

dnac_password

string

The password for authentication at the Cisco Catalyst Center.

dnac_port

string

Specifies the port number associated with the Cisco Catalyst Center.

Default: "443"

dnac_task_poll_interval

integer

Specifies the interval in seconds between successive calls to the API to retrieve task details.

Default: 2

dnac_username

aliases: user

string

The username for authentication at the Cisco Catalyst Center.

Default: "admin"

dnac_verify

boolean

Flag to enable or disable SSL certificate verification.

Choices:

dnac_version

string

Specifies the version of the Cisco Catalyst Center that the SDK should use.

Default: "2.2.3.3"

state

string

The state of Cisco Catalyst Center after module completion.

Choices:

validate_response_schema

boolean

Flag for Cisco Catalyst Center SDK to enable the validation of request bodies against a JSON schema.

Choices:

Notes

Note

  • SDK methods used: user_and_roles.UserandRoles.get_user_api, user_and_roles.UserandRoles.add_user_api, user_and_roles.UserandRoles.update_user_api, user_and_roles.UserandRoles.delete_user_api

  • Paths used: get /dna/system/api/v1/user, post /dna/system/api/v1/user, put /dna/system/api/v1/user, delete /dna/system/api/v1/user/{userId}

  • Does not support check_mode

  • The plugin runs on the control node and does not use any Ansible connection plugins; instead it uses the embedded connection manager from the Cisco Catalyst Center SDK

  • The parameters starting with dnac_ are used by the Cisco Catalyst Center Python SDK to establish the connection

Examples

---
- name: Create a user
  cisco.dnac.user_role_workflow_manager:
    dnac_host: "{{ dnac_host }}"
    dnac_username: "{{ dnac_username }}"
    dnac_password: "{{ dnac_password }}"
    dnac_verify: "{{ dnac_verify }}"
    dnac_port: "{{ dnac_port }}"
    dnac_version: "{{ dnac_version }}"
    dnac_debug: "{{ dnac_debug }}"
    dnac_log: True
    dnac_log_level: DEBUG
    config_verify: True
    dnac_api_task_timeout: 1000
    dnac_task_poll_interval: 1
    state: merged
    config:
      user_details:
        - username: "ajithandrewj"
          first_name: "ajith"
          last_name: "andrew"
          email: "ajith.andrew@example.com"
          password: "Example@0101"
          role_list: ["SUPER-ADMIN-ROLE"]

- name: Update a user for first name, last name, email, and role list
  cisco.dnac.user_role_workflow_manager:
    dnac_host: "{{ dnac_host }}"
    dnac_username: "{{ dnac_username }}"
    dnac_password: "{{ dnac_password }}"
    dnac_verify: "{{ dnac_verify }}"
    dnac_port: "{{ dnac_port }}"
    dnac_version: "{{ dnac_version }}"
    dnac_debug: "{{ dnac_debug }}"
    dnac_log: True
    dnac_log_level: DEBUG
    config_verify: True
    dnac_api_task_timeout: 1000
    dnac_task_poll_interval: 1
    state: merged
    config:
      user_details:
        - username: "ajithandrewj"
          first_name: "ajith"
          last_name: "andrew"
          email: "ajith.andrew@example.com"
          role_list: ["SUPER-ADMIN-ROLE"]

- name: Update a user for role list
  cisco.dnac.user_role_workflow_manager:
    dnac_host: "{{ dnac_host }}"
    dnac_username: "{{ dnac_username }}"
    dnac_password: "{{ dnac_password }}"
    dnac_verify: "{{ dnac_verify }}"
    dnac_port: "{{ dnac_port }}"
    dnac_version: "{{ dnac_version }}"
    dnac_debug: "{{ dnac_debug }}"
    dnac_log: True
    dnac_log_level: DEBUG
    config_verify: True
    dnac_api_task_timeout: 1000
    dnac_task_poll_interval: 1
    state: merged
    config:
      user_details:
        - username: "ajithandrewj"
          role_list: ["NETWORK-ADMIN-ROLE"]

- name: Update the user password
  cisco.dnac.user_role_workflow_manager:
    dnac_host: "{{ dnac_host }}"
    dnac_username: "{{ dnac_username }}"
    dnac_password: "{{ dnac_password }}"
    dnac_verify: "{{ dnac_verify }}"
    dnac_port: "{{ dnac_port }}"
    dnac_version: "{{ dnac_version }}"
    dnac_debug: "{{ dnac_debug }}"
    dnac_log: True
    dnac_log_level: DEBUG
    config_verify: True
    dnac_api_task_timeout: 1000
    dnac_task_poll_interval: 1
    state: merged
    config:
      user_details:
        - username: "ajithandrewj"
          password: "Example@010101"
          password_update: True

- name: Delete a user using username or email address
  cisco.dnac.user_role_workflow_manager:
    dnac_host: "{{ dnac_host }}"
    dnac_username: "{{ dnac_username }}"
    dnac_password: "{{ dnac_password }}"
    dnac_verify: "{{ dnac_verify }}"
    dnac_port: "{{ dnac_port }}"
    dnac_version: "{{ dnac_version }}"
    dnac_debug: "{{ dnac_debug }}"
    dnac_log: True
    dnac_log_level: DEBUG
    config_verify: True
    dnac_api_task_timeout: 1000
    dnac_task_poll_interval: 1
    state: deleted
    config:
      user_details:
        - username: "ajithandrewj"

- name: Create a role with all params
  cisco.dnac.user_role_workflow_manager:
    dnac_host: "{{ dnac_host }}"
    dnac_username: "{{ dnac_username }}"
    dnac_password: "{{ dnac_password }}"
    dnac_verify: "{{ dnac_verify }}"
    dnac_port: "{{ dnac_port }}"
    dnac_version: "{{ dnac_version }}"
    dnac_debug: "{{ dnac_debug }}"
    dnac_log: True
    dnac_log_level: DEBUG
    config_verify: True
    config:
      role_details:
        - role_name: "role_name"
          description: "role_description"
          assurance:
            - monitoring_and_troubleshooting: "write"
              monitoring_settings: "read"
              troubleshooting_tools: "deny"
          network_analytics:
            - data_access: "write"
          network_design:
            - advanced_network_settings: "deny"
              image_repository: "deny"
              network_hierarchy: "deny"
              network_profiles: "write"
              network_settings: "write"
              virtual_network: "read"
          network_provision:
            - compliance: "deny"
              eox: "read"
              image_update: "write"
              inventory_management:
                - device_configuration: "write"
                  discovery: "deny"
                  network_device: "read"
                  port_management: "write"
                  topology: "write"
              license: "write"
              network_telemetry: "write"
              pnp: "deny"
              provision: "read"
          network_services:
            - app_hosting: "deny"
              bonjour: "write"
              stealthwatch: "read"
              umbrella: "deny"
          platform:
            - apis: "write"
              bundles: "write"
              events: "write"
              reports: "read"
          security:
            - group_based_policy: "read"
              ip_based_access_control: "write"
              security_advisories: "write"
          system:
            - machine_reasoning: "read"
              system_management: "write"
          utilities:
            - audit_log: "read"
              event_viewer: "deny"
              network_reasoner: "write"
              remote_device_support: "read"
              scheduler: "read"
              search: "write"

- name: Create a role for assurance
  cisco.dnac.user_role_workflow_manager:
    dnac_host: "{{ dnac_host }}"
    dnac_username: "{{ dnac_username }}"
    dnac_password: "{{ dnac_password }}"
    dnac_verify: "{{ dnac_verify }}"
    dnac_port: "{{ dnac_port }}"
    dnac_version: "{{ dnac_version }}"
    dnac_debug: "{{ dnac_debug }}"
    dnac_log: True
    dnac_log_level: DEBUG
    config_verify: True
    config:
      role_details:
        - role_name: "role_name"
          description: "role_description"
          assurance:
            - overall: "write"
              monitoring_and_troubleshooting: "read"

- name: Create a role for network provision
  cisco.dnac.user_role_workflow_manager:
    dnac_host: "{{ dnac_host }}"
    dnac_username: "{{ dnac_username }}"
    dnac_password: "{{ dnac_password }}"
    dnac_verify: "{{ dnac_verify }}"
    dnac_port: "{{ dnac_port }}"
    dnac_version: "{{ dnac_version }}"
    dnac_debug: "{{ dnac_debug }}"
    dnac_log: True
    dnac_log_level: DEBUG
    config_verify: True
    config:
      role_details:
        - role_name: "role_name"
          description: "role_description"
          network_provision:
            - compliance: "deny"
              image_update: "write"
              inventory_management:
                - overall: "read"
                  device_configuration: "write"
              license: "write"
              network_telemetry: "write"
              pnp: "deny"
              provision: "read"

- name: Update a role for assurance and platform
  cisco.dnac.user_role_workflow_manager:
    dnac_host: "{{ dnac_host }}"
    dnac_username: "{{ dnac_username }}"
    dnac_password: "{{ dnac_password }}"
    dnac_verify: "{{ dnac_verify }}"
    dnac_port: "{{ dnac_port }}"
    dnac_version: "{{ dnac_version }}"
    dnac_debug: "{{ dnac_debug }}"
    dnac_log: True
    dnac_log_level: DEBUG
    config_verify: True
    config:
      role_details:
        - role_name: "role_name"
          assurance:
            - overall: "deny"
          platform:
            - apis: "write"
              bundles: "write"
              events: "write"
              reports: "read"

- name: Delete a role
  cisco.dnac.user_role_workflow_manager:
    dnac_host: "{{ dnac_host }}"
    dnac_username: "{{ dnac_username }}"
    dnac_password: "{{ dnac_password }}"
    dnac_verify: "{{ dnac_verify }}"
    dnac_port: "{{ dnac_port }}"
    dnac_version: "{{ dnac_version }}"
    dnac_debug: "{{ dnac_debug }}"
    dnac_log: True
    dnac_log_level: DEBUG
    config_verify: True
    dnac_api_task_timeout: 1000
    dnac_task_poll_interval: 1
    state: deleted
    config:
      role_details:
        - role_name: "role_name"
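Several parameter descriptions above state prerequisites between permissions (for example, monitoring_settings needs at least 'read' on monitoring_and_troubleshooting, and provisioning Umbrella or Stealthwatch needs 'write' on several components), and user_details.password states a complexity policy. The following is an added example, not code from the cisco.dnac collection: a pre-flight check that runs offline against a role_details entry and a candidate password before the playbook is executed. It assumes each section is written as a one-element list of dictionaries, as in the examples above, that an unstated key inherits the section's 'overall' value, and that the "Network Provision > Scheduler" prerequisite maps to this module's utilities.scheduler key.

```python
"""Pre-flight checks for role_details and user_details of
cisco.dnac.user_role_workflow_manager (added example, not collection code).
Assumes each section is a one-element list of dicts, as in the playbook
examples, and that an unstated key inherits the section's 'overall' value."""
import re

LEVELS = {"deny": 0, "read": 1, "write": 2}

# Prerequisite paths named repeatedly in the parameter descriptions.
MT = ("assurance", "monitoring_and_troubleshooting")
NS = ("network_design", "network_settings")
ANS = ("network_design", "advanced_network_settings")
PROV = ("network_provision", "provision")

# (granted path, level that triggers the rule, prerequisite path, minimum level)
RULES = [
    (("assurance", "monitoring_settings"), "read", MT, "read"),
    (("assurance", "troubleshooting_tools"), "read", MT, "read"),
    (ANS, "read", NS, "read"),
    (("network_provision", "network_telemetry"), "write", PROV, "write"),
    (("network_services", "stealthwatch"), "write", NS, "write"),
    (("network_services", "stealthwatch"), "write", PROV, "write"),
    (("network_services", "stealthwatch"), "write", ANS, "write"),
    (("network_services", "umbrella"), "write", NS, "write"),
    (("network_services", "umbrella"), "write", PROV, "write"),
    # docs say "Network Provision > Scheduler"; mapping it to utilities.scheduler is an assumption
    (("network_services", "umbrella"), "write", ("utilities", "scheduler"), "write"),
]


def _as_dict(value):
    """Sections are written as a one-element list of dicts; unwrap that."""
    if isinstance(value, list):
        value = value[0] if value else {}
    return value if isinstance(value, dict) else {}


def effective_level(role, path):
    """Permission at `path`, falling back to that section's 'overall' entry.
    Returns None when the role does not state the permission at all."""
    node = role
    for key in path[:-1]:
        node = _as_dict(node.get(key))
        if not node:
            return None
    return node.get(path[-1], node.get("overall"))


def check_role(role):
    """Return findings as (granted, prerequisite, minimum, actual) tuples;
    an empty list means every stated dependency is satisfied."""
    findings = []
    for granted, trigger, required, minimum in RULES:
        have = effective_level(role, granted)
        if have is None or LEVELS[have] < LEVELS[trigger]:
            continue  # not granted at a level that needs the prerequisite
        actual = effective_level(role, required)
        if actual is None or LEVELS[actual] < LEVELS[minimum]:
            findings.append((".".join(granted), ".".join(required),
                             minimum, actual or "unspecified"))
    return findings


def password_meets_policy(password):
    """Policy from user_details.password: 8+ chars, one upper, one lower, one special."""
    return bool(len(password) >= 8 and re.search(r"[A-Z]", password)
                and re.search(r"[a-z]", password)
                and re.search(r"[^A-Za-z0-9]", password))


# Constructed role, shaped like the "Create a role with all params" example.
SAMPLE_ROLE = {
    "role_name": "telemetry-operator",
    "assurance": [{"monitoring_and_troubleshooting": "write",
                   "monitoring_settings": "read", "troubleshooting_tools": "deny"}],
    "network_design": [{"advanced_network_settings": "read", "network_settings": "deny"}],
    "network_provision": [{"network_telemetry": "write", "provision": "read",
                           "inventory_management": [{"overall": "read"}]}],
    "network_services": [{"stealthwatch": "write", "umbrella": "deny"}],
}

if __name__ == "__main__":
    for granted, required, minimum, actual in check_role(SAMPLE_ROLE):
        print(f"{granted} needs {required} >= {minimum}, found {actual}")
```

A prerequisite the role leaves unstated is reported as "unspecified", so the role author makes the dependency explicit instead of relying on a default.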

Return Values

Common return values are documented here; the following are the fields unique to this module:

Key

Description

response_1

dictionary

A dictionary with details of the API execution from Cisco Catalyst Center.

Returned: always

Sample: {"response": {"message": "string", "userId": "string"}}

response_10

dictionary

A dictionary with details of the API execution and error information.

Returned: always

Sample: {"response": {"msg": "Error during creating, updating or deleting the role."}}

response_11

dictionary

A dictionary indicating that the role was not found during a delete operation.

Returned: always

Sample: {"response": {"msg": "Role not found."}}

response_2

dictionary

A dictionary with details of the API execution from Cisco Catalyst Center.

Returned: always

Sample: {"response": {"message": "string"}}

response_3

dictionary

A dictionary with details of the API execution from Cisco Catalyst Center.

Returned: always

Sample: {"response": {"message": "string"}}

response_4

dictionary

response_5

dictionary

A dictionary with details of the API execution and error information.

Returned: always

Sample: {"response": {"msg": "Error during creating, updating or deleting the user."}}

response_6

dictionary

A dictionary indicating that the user was not found during a delete operation.

Returned: always

Sample: {"response": {"msg": "User not found."}}

response_7

dictionary

A dictionary with details of the API execution from Cisco Catalyst Center.

Returned: always

Sample: {"response": {"message": "string", "roleid": "string"}}

response_8

dictionary

A dictionary with details of the API execution from Cisco Catalyst Center.

Returned: always

Sample: {"response": {"message": "string", "roleId": "string"}}

response_9

dictionary

A dictionary with details of the API execution from Cisco Catalyst Center.

Returned: always

Sample: {"response": {"message": "string"}}

Authors

  • Ajith Andrew J (@ajithandrewj)

  • Syed Khadeer Ahmed (@syed-khadeerahmed)

  • Rangaprabhu Deenadayalu (@rangaprabha-d)

  • Madhan Sankaranarayanan (@madhansansel)