The Umbrella Documentation Hub

Welcome to the Umbrella documentation hub. Here you'll find access to all of our Cisco Umbrella user guides.

Get Started    

Add a Custom User Role

Create a custom user role that is configured with unique Umbrella dashboard access permissions, so that when you add a user to the Umbrella dashboard you can give that user very specific Umbrella dashboard access.



  1. Navigate to Admin > User Roles and click Add.
  1. Give the role a descriptive name, optionally add a description for this role, and then select the access Permissions you want to grant the new role.

Permissions are:

  • Policy—When you select Policy, Deployments, Destinations Lists, and Block Page Settings are selected. This allows for the management of all identities, policy settings, and block page settings, which includes the ability to add, delete and modify policies, and apply those policies to identities. This role is restricted from managing other users within the dashboard, adding or modifying roles, or any of the other Admin features.
  • Deployments—Allows for the management—create, modify, rename, and delete—of identities and configurations as listed at Deployments > Core Identities and Deployments > Configuration except for Network Devices. The role cannot download Mobile Devices configuration, Chromebook configuration download, add or remove tags from Roaming Computer, and cannot assign a policy to a newly created identity. This role is ideal for provisioning new devices under Umbrella as part of initially bringing computers online to your network.
  • Destination Lists—Allows for the management of destination lists, which gives the role the ability to add or delete destinations in destination lists.
    Including either the Global Allow List or the Global Block List enables this role to allow or block a destination for the entire organization.
  • Block Page Settings —Allows for the management of all Block Page Settings (but not the full policy), which gives the role the ability to change a block page's appearance, add, modify or delete a block page user or add, modify or delete a block page bypass code. However, if selected on its own, it cannot add a user account to be assigned to the block page user. For more information, see How to configure the Block Page Bypass (BPB) user role.
  • Reports—Allows for the management of Reports, which gives the role the ability to create reports, run reports, and export reports. In addition, the Reports role includes the Investigate role. If you select only the Reports role, you can only access the Reports and Investigate sections of the dashboard.
  • Investigate—Allows for the management of Investigate, which includes the Investigate Smart Search and Pattern Search. If your subscription includes the Umbrella Investigate API, you can list the Investigate API access tokens. The Investigate custom user role can not create or delete an Investigate API access token.


If a role can provision identities, but not manage policies, ensure that your "catch-all" policies are ordered correctly according to the policy execution arrow (which points downward in the policy section). For example, if a user with the Identities role only provisioned a new roaming computer, that roaming computer would receive the Default Policy unless All Roaming Clients was selected for a policy higher up the hierarchy.

  1. Click Save.
    Once created, you can assign this role to a user. For more information about creating user accounts, see Add a New Account.

Once you've configured the user with a role, their dashboard is automatically limited to only the elements they've been assigned. This can mean their dashboard is different than what you may be used to, as elements may be missing—areas of the dashboard that a user role is not granted access to are not greyed out; instead, they are not displayed.

Add a New User < Add a Custom User Role > Manage Your Logs

Updated 5 months ago

Add a Custom User Role

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.