===============
Default groups
===============

SD-WAN ships with a number of default authorization groups that
help to quickly set up permissions.

Default groups can be updated and deleted as necessary, but this may
prevent SD-WAN upgrades from adapting permissions on default
groups when permissions are added for new features.

.. note::
    As of version 6.5, only the `Administrator <default-groups.html#administrator>`__ group is
    created by default.

.. note::
    Most default groups don't include view permissions on commonly accessed
    resources. A user in the group "Bond admin," for example, can't view
    aggregators unless they are also a member of the View group. In most
    cases, a user should be a member of the View group as well as any groups
    granting them additional permissions.

    The Administrator and "Restricted admin" groups do include view
    permissions on all resources, so members of those groups don't need to
    be in the View group.


Administrator
--------------

Administrators are the masters, the ones that can do anything.
Membership in this group should be limited to trusted, high-level users
in the root space. However, if a user in a child space is added to this
group, the user will still only be allowed to view and manage objects in
his or her space.

See also the "Restricted admin" group.

Bond admin
-----------

Can view and manage bonds, legs, connected IPs and other related
objects, QoS profiles, and perform bond and leg speed tuning. Can view
and change bonder usernames and passwords and space node setup options.

Branding admin
---------------

Can manage space branding and tech support contact options.

Leg admin
----------

Can update legs, perform bond and leg speed tuning, and manage mobile
broadband provider profiles. Cannot add or delete legs.

Management admin
-----------------

Can view and update management server settings (aggregator failover
timeouts, email server settings, etc.)

Network admin
--------------

Can view and manage routing groups, group IP allocations, aggregators,
and private WAN routers. Can view and change agg and private WAN router
usernames and passwords and space node setup options.

Private WAN admin
------------------

Can view and manage all private WAN options for spaces.

Restricted admin
-----------------

Like Administrator, but does not have permission to create or update
spaces or to update space private WAN options.

See also the Administrator group.

Space admin
------------

Can view and manage spaces, branding options, and delegated IP
allocations.

User admin
-----------

Can view and manage authorization groups and user accounts.

View
-----

Can view all resources except authorization groups, user accounts, and
management server settings. This is the recommended group for read-only
users.
