FSD-Motors

    Setting Up Role-Based Access Control (RBAC) in Cato

    Anas Abdu Rauf
    July 28, 2025
    Illustration of IT team managing user roles and permissions on the Cato CMA dashboard via laptops and cloud interfaces.

    Introduction

    Managing who can access what—and with how much privilege—is a cornerstone of secure operations in any IT environment. With Cato Networks, Role-Based Access Control (RBAC) allows IT teams to enforce least-privilege access across administrators, service providers, and auditors, ensuring operational security and compliance.

    This guide walks through the RBAC implementation steps in the updated Cato Management Application (CMA), outlines real-world use cases, and offers tips for structuring access based on team roles.

    What You’ll Learn

    • Where and how to configure user roles in the updated CMA interface
    • Available RBAC roles and permission tiers
    • Best practices for assigning roles based on responsibility
    • Steps for inviting and managing user accounts
    • Real-world scenarios for enforcing least-privilege access

    To configure roles in the latest version of Cato’s Management Application:

    1. Go to Accounts > Roles and Permissions
    2. Select the Role Name tab
    3. Click New, or select an existing Role to modify its permissions

    Here, you’ll see a dropdown for selecting predefined roles or customizing access.

    Cato Networks role management interface showing granular user permissions by module and feature, enabling fine-tuned access control across dashboards, apps, and reports.


    Predefined Roles in Cato’s RBAC Model

    As of the latest release, Cato supports the following built-in roles:

    • Account Admin – Full access to all configuration, analytics, and policies.
    • Security Admin – Manage firewall rules, security policies, and incident response.
    • Network Admin – Configure network rules, topology, and WAN interfaces.
    • Viewer – Read-only access across dashboards and logs.
    • Custom Role – Manually selected permissions for fine-grained access.

    Each role determines what tabs, data, and actions are visible and executable.

    Assigning Access Based on Team Responsibilities

    Use the following table to align CMA roles with IT team roles:

    | Team Member        | Suggested Role   | Justification                                   |
    |--------------------|------------------|-------------------------------------------------|
    | CISO / Compliance  | Viewer           | Needs audit access, not modification rights     |
    | Network Engineer   | Network Admin    | Full access to topology, rules, routing         |
    | Security Analyst   | Security Admin   | Manage threat dashboard, FWaaS, policies        |
    | MSP Technician     | Custom Role      | Limit to specific clients or regions            |
    | Tier 1 Support     | Viewer or Custom | Access to logs, alerts—but no policy changes    |


    Real-World Job-to-Be-Done Example

    Let’s say you manage an internal IT team for a regional office. You want your Tier 2 engineer to troubleshoot firewall rules but not modify WAN configurations.

    Steps:

    1. Go to Administration > User Management
    2. Click Invite User > Assign Custom Role
    3. Enable permissions under Security Policies, disable Network Settings
    4. Send invitation with email + optional 2FA enforcement

    This setup allows engineers to remain effective without overexposing critical infrastructure settings.


    Cato Networks administrators dashboard displaying user roles, login sources, timestamps, and actions for auditing and managing access across the network environment.

    Tips for Managing Roles Effectively

    • Review access quarterly: Especially for contractors or temporary staff
    • Use MFA for all roles: Even read-only accounts
    • Log all user actions: Available under Monitoring > Audit Trail
    • Use naming conventions: E.g., [Region]-[Role]-[Name] for clarity
    • Avoid giving Account Admin unless absolutely necessary

    RBAC ensures only the right people have access to the right controls—no more, no less. Start structuring access today in your Cato CMA.
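    The tips above can be turned into a periodic access review. The following script is an added example, not Cato’s code or API: it assumes you have exported the administrator list from the CMA into a list of records (the field names and the sample records are constructed here) and flags Account Admin assignments, accounts without MFA, names that break the [Region]-[Role]-[Name] convention, and reviews older than a quarter.

```python
import re
from datetime import date, timedelta

# Built-in roles named in the guide; anything else is flagged as unknown.
BUILT_IN_ROLES = {"Account Admin", "Security Admin", "Network Admin", "Viewer", "Custom Role"}
# Naming convention from the tips: [Region]-[Role]-[Name]
NAME_PATTERN = re.compile(r"^[A-Za-z]+-[A-Za-z]+-[A-Za-z.]+$")
REVIEW_PERIOD = timedelta(days=90)  # "review access quarterly"

# Constructed sample export; field names are an assumption, not the CMA export format.
SAMPLE_ADMINS = [
    {"name": "EMEA-Viewer-j.doe", "role": "Viewer", "mfa": True, "last_review": "2025-07-01"},
    {"name": "APAC-NetworkAdmin-r.lee", "role": "Network Admin", "mfa": False, "last_review": "2025-03-15"},
    {"name": "bob", "role": "Account Admin", "mfa": True, "last_review": "2025-07-20"},
    {"name": "US-Custom-a.khan", "role": "Custom Role", "mfa": True, "last_review": "2025-06-30"},
]


def audit_admins(admins, today):
    """Return a list of {"name", "issue"} findings for the given admin records.

    today is an ISO date string (YYYY-MM-DD) so the check is reproducible.
    """
    today = date.fromisoformat(today)
    findings = []
    for admin in admins:
        name = admin["name"]
        if admin["role"] not in BUILT_IN_ROLES:
            findings.append({"name": name, "issue": "unknown role"})
        if admin["role"] == "Account Admin":
            # Full access: should be the exception, never the default.
            findings.append({"name": name, "issue": "account admin"})
        if not admin["mfa"]:
            # MFA is expected for every role, including read-only ones.
            findings.append({"name": name, "issue": "mfa disabled"})
        if not NAME_PATTERN.match(name):
            findings.append({"name": name, "issue": "naming convention"})
        if today - date.fromisoformat(admin["last_review"]) > REVIEW_PERIOD:
            findings.append({"name": name, "issue": "review overdue"})
    return findings


def run_sample():
    """Audit the constructed sample as of the article's publication date."""
    return audit_admins(SAMPLE_ADMINS, "2025-07-28")


if __name__ == "__main__":
    for finding in run_sample():
        print(f'{finding["name"]}: {finding["issue"]}')
```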


    FAQ Summary

    Can I create a fully custom role in Cato?

    Yes, you can toggle individual permissions for a Custom Role during user creation.

    Does Cato support role changes after user creation?

    Yes. You can edit user roles anytime via the User Management tab.

    Are RBAC logs available for auditing?

    Yes, all user actions are logged in the Audit Trail for review.

    Can roles be assigned per site or region?

    Not directly. But you can control access scope via Custom Role and filtering policies.

    Is MFA enforced per role?

    MFA is user-based. You can enforce it during account setup regardless of role.


    About The Author

    Anas Abdu Rauf

    Anas is an expert in network and security infrastructure with over seven years of industry experience, holding certifications including CCIE Enterprise, PCNSE, Cato SASE Expert, and Atera Certified Master. Anas provides his valuable insights and expertise to readers.
