Installation and Configuration Guide for Cisco Services Ready Engine Virtualization 1.0
Configuring Users, Roles, and Permissions

Configuring Users, Roles, and Permissions


By default, the Cisco SRE-V software comes with two predefined roles: the esx-admins role and the vm-users role. In addition to these default roles, you can use the Cisco SRE-V commands provided in this chapter to configure additional users and roles, and to give those users permission to access virtual machines.

This chapter provides the Cisco SRE-V commands to configure users, roles, and permissions. It contains the following sections:

Users, Roles, Privileges, and Permissions Overview

Basic Workflow for Configuring Users, Roles, and Permissions

Working with Users

Working with User Groups

Working with Roles

Working with Permissions

Basic Workflow Option 1 Example

Users, Roles, Privileges, and Permissions Overview

A user is the person who is authorized to log into the VMware vSphere Hypervisor™. When you assign roles and permissions to users or groups, you control the objects that the users can access in the vSphere environment, and the actions that they can perform on those objects.

The VMware vSphere Hypervisor™ determines the level of access for a user based on the permissions assigned to that user. The user name, password, and permissions combination is the mechanism by which the VMware vSphere Hypervisor™ authenticates the user for access, and authorizes the user to perform activities.

To control which users or user groups can access particular vSphere objects, the VMware vSphere Hypervisor™ uses sets of pre-established privileges or roles. A permission is the combination of a role and a user or group, assigned to an inventory object.

By default, the Cisco SRE-V software comes with two predefined roles: the esx-admins role and the vm-users role. Each role has certain privileges assigned to it. Users with the esx-admins role have the privilege to manage the VMware vSphere Hypervisor™. Users with the vm-users role have the privilege to manage virtual machines.

In addition to the default esx-admins and vm-users roles, you can use the Cisco SRE-V commands provided in this chapter to configure additional users and roles, and to give those users permission to access virtual machines.


Note: The default pre-configured username for the esx-admins role is esx-admin and the password is change_it. We highly recommend that you change the default password after the first reboot.


Related Topics

Basic Workflow for Configuring Users, Roles, and Permissions

Working with Users

Working with User Groups

Working with Roles

Working with Permissions

Basic Workflow for Configuring Users, Roles, and Permissions

Basic Workflow Option 1

1. Create a user. See the "Creating Users" section.

2. Create a role. See the "Creating Roles" section.

3. Add privileges to the role. See the "Adding Privileges to an Existing Role" section.

4. Assign the role to the user. When you assign a role, you provide the user with the permission to access virtual machines with the privileges that apply to the specified role. See the "Assigning a Role to a User" section.

For all of the commands used in the basic workflow option 1, see the "Basic Workflow Option 1 Example" section.

Basic Workflow Option 2

1. Create users. See the "Creating Users" section.

2. Create user groups. See the "Creating User Groups" section.

3. Assign users to user groups. See the "Updating User Group Information" section.

4. Create roles. See the "Creating Roles" section.

5. Add privileges to the roles. See the "Adding Privileges to an Existing Role" section.

6. Assign the roles to the user groups. See the "Assigning a Role to a User Group" section.

Working with Users

To create, view, or delete users, or to update user account information, see the following sections:

Creating Users

Viewing Existing Users

Updating User Account Information

Deleting Users

Creating Users

A user is the person who is authorized to log into the VMware vSphere Hypervisor™. To create a user, use the following command:

user create username password password [fullname full name]

SUMMARY STEPS

From the Console Manager interface, enter:

1. user create username password password [fullname full name]

DETAILED STEPS

To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section on page 5-3.

 
Command or Action
Purpose

Step 1 

user create username password password [fullname full name]

Example:

SRE-Module# user create jsmith password xQaTEhbU fullname "JohnSmith"

Creates a new user account.

username—Unique string used to log into the VMware vSphere Hypervisor™. Maximum string length: 16 alphanumeric characters. This login username is case sensitive and must not contain spaces.

password password—Specifies the password to be used with the username.

password—Alphanumeric string used with this username to provide access to the VMware vSphere Hypervisor™.

A password must contain a mix of characters from the following four character classes:

Lowercase letters

Uppercase letters

Digits

Special characters, such as an underscore or dash

Password Length Requirements:

If the password contains characters from one or two classes, it must contain eight characters.

If the password contains characters from three classes, it must contain seven characters.

If the password contains characters from all four classes, it must contain six characters.

Note: If the password begins with an uppercase character, that character does not count towards the number of character classes used. If the password ends with a digit, that digit does not count towards the number of character classes used.

Password Examples:

xQaTEhbU—Contains eight characters from two character classes.

xQaT3pb—Contains seven characters from three character classes.

xQaT3#—Contains six characters from four character classes.

fullname full name—(Optional) Specifies the full name of the user.

full name—Alphanumeric string used with this username. Maximum string length: 64 characters. You can choose to create the full name at a later time by using the user update command.
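
The password length and character-class rules above, written out as a checker. This is an added example, not Cisco code. It assumes the stated lengths are minimums and that any character other than a letter or digit counts as special; it takes the 30-character maximum from the user update description, and rejecting the documented default change_it is an extra check added here.

```python
import string
from typing import NamedTuple

# Minimum length for each number of counted character classes (rules above).
MIN_LENGTH = {1: 8, 2: 8, 3: 7, 4: 6}
MAX_LENGTH = 30                   # limit quoted for `user update ... password`
VENDOR_DEFAULTS = {"change_it"}   # documented default for esx-admin (extra check)


class Verdict(NamedTuple):
    ok: bool
    classes: int    # character classes that count toward the policy
    required: int   # minimum length for that class count
    reason: str


def char_class(ch: str) -> str:
    if ch in string.ascii_lowercase:
        return "lower"
    if ch in string.ascii_uppercase:
        return "upper"
    if ch in string.digits:
        return "digit"
    return "special"  # assumption: everything else is a special character


def counted_classes(password: str) -> set:
    """Classes used, ignoring a leading uppercase letter and a trailing digit."""
    last = len(password) - 1
    classes = set()
    for i, ch in enumerate(password):
        cls = char_class(ch)
        if (i == 0 and cls == "upper") or (i == last and cls == "digit"):
            continue  # per the note: this character does not count
        classes.add(cls)
    return classes


def check_password(password: str) -> Verdict:
    n = len(counted_classes(password))
    required = MIN_LENGTH[max(n, 1)]  # zero counted classes is treated like one
    if password in VENDOR_DEFAULTS:
        return Verdict(False, n, required, "documented default password")
    if len(password) > MAX_LENGTH:
        return Verdict(False, n, required, f"longer than {MAX_LENGTH} characters")
    if len(password) < required:
        return Verdict(False, n, required,
                       f"{n} counted class(es) need at least {required} characters")
    return Verdict(True, n, required, "ok")


if __name__ == "__main__":
    # The three examples from this page, plus constructed edge cases.
    for pw in ("xQaTEhbU", "xQaT3pb", "xQaT3#", "Xqat3p1", "change_it"):
        print(f"{pw:10} {check_password(pw)}")
```

Xqat3p1 looks like seven characters from three classes, but the leading X and the trailing 1 are not counted, so it has two counted classes and is one character short.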

Related Topics

Creating Roles

Creating User Groups

Viewing Existing Users

To view details about a specific user or to list all of the existing users, use the following command:

show user {name username | all}

SUMMARY STEPS

From the Console Manager interface, enter:

1. show user {name username | all}

DETAILED STEPS

To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section on page 5-3.

 
Command or Action
Purpose

Step 1 

show user {name username | all}

Example:

SRE-Module# show user name jsmith

Username: jsmith

Full Name: Linux User,,,


---------- Groups User Belongs To ----------

users


1 total group(s)


---------- Roles Assigned ----------

Role Object-Defined-In Propagate

esx-admins VM: CentOS 5 Yes

esx-admins Host Yes


2 total role(s)



SRE-Module# show user all

jsmith

jsmith3


2 total user(s)

Displays details about a specific user or lists all of the existing users.

name username—Displays details about the specified user.

username—Unique string used to identify the user.

all—Lists all the existing users.

Updating User Account Information

You can update the user password or full name, or add and remove the user from a specific group. To update existing user account information, use the following command:

user update username {password password | fullname full name | add-group group name | remove-group group name}

SUMMARY STEPS

From the Console Manager interface, enter:

1. user update username {password password | fullname full name | add-group group name | remove-group group name}

DETAILED STEPS

To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section on page 5-3.

 
Command or Action
Purpose

Step 1 

user update username {password password | fullname full name | add-group group name | remove-group group name}

Example:

SRE-Module# user update jsmith password xQaTEhbU


SRE-Module# user update jsmith fullname "JohnSmith"


SRE-Module# user update jsmith add-group Network


SRE-Module# user update jsmith remove-group Network

Updates the existing user account information. You can update the user password or full name, or add and remove the user from a specific group.

username—Login username of the user whose account you want to update.

password password—Specifies the updated password.

password—New alphanumeric string used with this username to provide access to the Cisco SRE Service Module. Maximum string length: 30 alphanumeric characters.

fullname full name—Specifies the updated full name.

full name—New full name (alphanumeric string) used with this username. Maximum string length: 64 characters.

add-group group name—Adds the user to a specified user group.

group name—Name of the group in which you want to add the user.

remove-group group name—Removes the user from the specified user group.

group name—Name of the group from which you want to remove the user.


Deleting Users

To delete an existing user account, use the following command:

user delete username

SUMMARY STEPS

From the Console Manager interface, enter:

1. user delete username

DETAILED STEPS

To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section on page 5-3.

 
Command or Action
Purpose

Step 1 

user delete username

Example:

SRE-Module# user delete jsmith

Deletes the specified user account.

username—Login username of the user whose account you want to delete.

Note: When you delete a specific user, the user group to which the user belongs is not deleted, nor is the role that was assigned to that user.


Working with User Groups

To create, view, or delete user groups, or to update user group information, see the following sections:

Creating User Groups

Viewing Existing User Groups

Updating User Group Information

Deleting User Groups

Creating User Groups

To create a user group, use the following command:

group create group name

SUMMARY STEPS

From the Console Manager interface, enter:

1. group create group name

DETAILED STEPS

To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section on page 5-3.

 
Command or Action
Purpose

Step 1 

group create group name

Example:

SRE-Module# group create admin-user

Creates a new user group.

group name—Unique string used to identify the new user group. Maximum string length: 16 alphanumeric characters. This group name is case sensitive and must not contain spaces.


Related Topics

Updating User Group Information

Viewing Existing User Groups

To view details about a specific user group or to list all of the existing user groups, use the following command:

show group {name group name | all}

SUMMARY STEPS

From the Console Manager interface, enter:

1. show group {name group name | all}

DETAILED STEPS

To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section on page 5-3.

 
Command or Action
Purpose

Step 1 

show group {name group name | all}

Example:

SRE-Module# show group name vmadmin_group

Group Name: vmadmin_group


---------- Users Belong to the Group ----------


0 total user(s)


---------- Roles Assigned ----------

Role Object-Defined-In Propagate


0 total role(s)


SRE-Module# show group all

vmadmin_group

vmuser_group


2 total group(s)

Displays details about a specific group or lists all of the existing user groups.

name group name—Displays details about a specific user group.

group name—Unique string used to identify the user group.

all—Displays all the existing user groups.


Updating User Group Information

To add or remove the specified user from a group, use the following command:

group update group name {add-user username | remove-user username}

SUMMARY STEPS

From the Console Manager interface, enter:

1. group update group name {add-user username | remove-user username}

DETAILED STEPS

To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section on page 5-3.

 
Command or Action
Purpose

Step 1 

group update group name {add-user username | remove-user username}

Example:

SRE-Module# group update supergroup add-user jsmith3


SRE-Module# group update supergroup remove-user jsmith3

Updates the existing user group information. You can use this command to add or remove the specified user from a group.

group name—Name of the group that you want to update.

add-user username—Adds the specified user to the group.

username—Unique string used to identify the user.

remove-user username—Removes the specified user from the group.

username—Unique string used to identify the user.


Related Topics

Creating Roles

Deleting User Groups

To delete an existing user group, use the following command:

group delete group name

SUMMARY STEPS

From the Console Manager interface, enter:

1. group delete group name

DETAILED STEPS

To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section on page 5-3.

 
Command or Action
Purpose

Step 1 

group delete group name

Example:

SRE-Module# group delete supergroup1

Deletes the specified group.

group name—Name of the group that you want to delete.

Note: When you delete a specific group, the user accounts that belong to the group are not deleted, nor are the roles that are assigned to that group.


Working with Roles

To create, view, or delete roles, or to update existing role information, see the following sections:

Creating Roles

Viewing Existing Roles

Updating Existing Role Information

Viewing System Pre-defined Privileges

Deleting Roles

Creating Roles

To create a role, use the following command:

role create role name

SUMMARY STEPS

From the Console Manager interface, enter:

1. role create role name

DETAILED STEPS

To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section on page 5-3.

 
Command or Action
Purpose

Step 1 

role create role name

Example:

SRE-Module# role create SuperRole

Creates a new role.

role name—Unique string used to identify the role. Maximum string length: 80 alphanumeric characters. The role name is not case sensitive and can contain spaces.


Related Topics

Adding Privileges to an Existing Role

Viewing Existing Roles

To view details about a specific role or to list all of the existing roles, use the following command:

show role {name role name | all}

SUMMARY STEPS

From the Console Manager interface, enter:

1. show role {name role name | all}

DETAILED STEPS

To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section on page 5-3.

 
Command or Action
Purpose

Step 1 

show role {name role name | all}

Example:

SRE-Module# show role name SuperRole

Role Name: SuperRole


---------- Permissions Granted ----------

Users:

jsmith (Host, Propagate)


1 total user(s)


Groups:

admingroup (Host, Propagate)


1 total group(s)


---------- Privileges ----------

System.Anonymous

System.Read

System.View


3 total privileges


SRE-Module# show role all

No Access

Read-only

Administrator

SuperRole


4 total role(s)

Displays details about a specific role or lists all of the existing roles.

name role name—Displays the following details about the specified role:

Privileges that are associated with the role.

Permissions, such as users or user groups that are granted with the role.

role name—Unique string used to identify the role.

all—Lists all of the existing roles in the system. Only the role names are listed.
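
The show role name output can be parsed to review who holds a role and what it contains. This is an added example, not Cisco code. It assumes a scope of Host marks a grant that is not limited to one virtual machine, and that a VM-scoped grant is printed as "VM: name" as in the show user output; the sample text and the function names are constructed for illustration.

```python
import re

# Constructed sample in the layout of the `show role name` example on this page.
# The "VM: CentOS 5" scope is an assumption borrowed from the `show user` output.
SAMPLE = """\
Role Name: SuperRole

---------- Permissions Granted ----------
Users:
jsmith (Host, Propagate)
jsmith3 (VM: CentOS 5, Propagate)

2 total user(s)

Groups:
admingroup (Host, Propagate)

1 total group(s)

---------- Privileges ----------
System.Anonymous
System.Read
System.View
VirtualMachine.Config.AddNewDisk

4 total privileges
"""

# User and group names cannot contain spaces, so the name is a single token.
GRANT_RE = re.compile(r"^(?P<name>\S+) \((?P<scope>[^,()]+)(?:,(?P<flags>[^()]*))?\)$")
COUNT_RE = re.compile(r"^(\d+) total (?:user\(s\)|group\(s\)|privileges)$")


def parse_show_role(text):
    """Parse one `show role name` listing; raise ValueError if it is inconsistent."""
    role = {"name": None, "users": [], "groups": [], "privileges": []}
    stated = {}      # totals printed by the CLI, per section
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        count = COUNT_RE.match(line)
        if line.startswith("Role Name:"):
            role["name"] = line.split(":", 1)[1].strip()
        elif line.startswith("-"):                     # banner line
            section = "privileges" if "Privileges" in line else None
        elif line in ("Users:", "Groups:"):
            section = line[:-1].lower()
        elif count and section:
            stated[section] = int(count.group(1))
        elif section in ("users", "groups"):
            grant = GRANT_RE.match(line)
            if grant is None:
                raise ValueError(f"unrecognised grant line: {line!r}")
            flags = [f.strip() for f in (grant["flags"] or "").split(",") if f.strip()]
            role[section].append({"name": grant["name"],
                                  "scope": grant["scope"].strip(),
                                  "propagate": "Propagate" in flags})
        elif section == "privileges":
            role["privileges"].append(line)
    # A truncated paste shows up as a mismatch with the printed totals.
    for name, total in stated.items():
        if len(role[name]) != total:
            raise ValueError(f"{name}: parsed {len(role[name])}, CLI reported {total}")
    return role


def privilege_group(privilege_id):
    """VirtualMachine.Config.AddNewDisk belongs to VirtualMachine.Config."""
    return privilege_id.rsplit(".", 1)[0]


def audit_role(role, allowed_groups):
    """Return (kind, name, finding) tuples for grants and privileges to review."""
    findings = []
    for kind in ("users", "groups"):
        for grant in role[kind]:
            if grant["scope"] == "Host":
                findings.append((kind[:-1], grant["name"], "host-wide grant"))
    for priv in role["privileges"]:
        if privilege_group(priv) not in allowed_groups:
            findings.append(("privilege", priv, "outside allowed privilege groups"))
    return findings


if __name__ == "__main__":
    for finding in audit_role(parse_show_role(SAMPLE), allowed_groups={"System"}):
        print(finding)
```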


Updating Existing Role Information

You update role information by adding or removing privileges from an existing role. A role can have one or more privileges associated with it. Privileges are pre-defined in VMware vSphere Hypervisor™. Each privilege has a unique ID and belongs to a privilege group. A privilege group can have one or more privileges. For example:

The VirtualMachine.Config.AddNewDisk privilege is associated with a role called SuperRole.

The VirtualMachine.Config.AddNewDisk privilege belongs to the privilege group called VirtualMachine.Config.

The VirtualMachine.Config privilege group also has other privileges besides the VirtualMachine.Config.AddNewDisk privilege.

To add or remove privileges or a privilege group from an existing role, see the following sections:

Adding Privileges to an Existing Role

Removing Privileges from an Existing Role

Adding a Privilege Group to an Existing Role

Removing a Privilege Group from an Existing Role

Adding Privileges to an Existing Role

To add a privilege to an existing role, use the following command:

role update role name add-privilege {privilege ID | all}

SUMMARY STEPS

From the Console Manager interface, enter:

1. role update role name add-privilege {privilege ID | all}

DETAILED STEPS

To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section on page 5-3.

 
Command or Action
Purpose

Step 1 

role update role name add-privilege {privilege ID | all}

Example:

SRE-Module# role update SuperRole add-privilege VirtualMachine.Config.AddNewDisk


SRE-Module# role update SuperRole add-privilege all

Adds the privilege to the specified role.

role name—Unique string used to identify the role.

add-privilege privilege ID—Adds the privilege to the specified role.

privilege ID—Privilege string to be added.

all—Adds all of the privileges to the specified role.


Related Topics

Assigning a Role to a User

Adding a Privilege Group to an Existing Role

Removing Privileges from an Existing Role

To remove a privilege from an existing role, use the following command:

role update role name remove-privilege {privilege ID | all}

SUMMARY STEPS

From the Console Manager interface, enter:

1. role update role name remove-privilege {privilege ID | all}

DETAILED STEPS

To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section on page 5-3.

 
Command or Action
Purpose

Step 1 

role update role name remove-privilege {privilege ID | all}

Example:

SRE-Module# role update SuperRole remove-privilege VirtualMachine.Config.AddNewDisk


SRE-Module# role update SuperRole remove-privilege all

Removes the privilege from the specified role.

role name—Unique string used to identify the role.

remove-privilege privilege ID—Removes the privilege from the specified role.

privilege ID—Privilege string to be removed.

all—Removes all of the privileges from the specified role.


Adding a Privilege Group to an Existing Role

To add a privilege group to an existing role, use the following command:

role update role name add-privilege-group {privilege group ID | all}

SUMMARY STEPS

From the Console Manager interface, enter:

1. role update role name add-privilege-group {privilege group ID | all}

DETAILED STEPS

To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section on page 5-3.

 
Command or Action
Purpose

Step 1 

role update role name add-privilege-group {privilege group ID | all}

Example:

SRE-Module# role update SuperRole add-privilege-group VirtualMachine.Config


SRE-Module# role update SuperRole add-privilege-group all

Adds the privilege group to the specified role.

role name—Unique string used to identify the role.

add-privilege-group privilege group ID—Adds the privilege group to the specified role.

privilege group ID—Privilege group string to be added.

all—Adds all of the privilege groups to the specified role.


Removing a Privilege Group from an Existing Role

To remove a privilege group from an existing role, use the following command:

role update role name remove-privilege-group {privilege group ID | all}

SUMMARY STEPS

From the Console Manager interface, enter:

1. role update role name remove-privilege-group {privilege group ID | all}

DETAILED STEPS

To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section on page 5-3.

 
Command or Action
Purpose

Step 1 

role update role name remove-privilege-group {privilege group ID | all}

Example:

SRE-Module# role update SuperRole remove-privilege-group VirtualMachine.Config


SRE-Module# role update SuperRole remove-privilege-group all

Removes the privilege group from the specified role.

role name—Unique string used to identify the role.

remove-privilege-group privilege group ID—Removes the privilege group from the specified role.

privilege group ID—Privilege group string to be removed.

all—Removes all of the privilege groups from the specified role.


Viewing System Pre-defined Privileges

To view system pre-defined privileges, see the following sections:

Viewing Privileges

Viewing Group Privileges

Viewing Privileges

To view all of the system predefined privileges, use the following command:

show privilege all

SUMMARY STEPS

From the Console Manager interface, enter:

1. show privilege all

DETAILED STEPS

To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section on page 5-3.

 
Command or Action
Purpose

Step 1 

show privilege all


Example:

SRE-Module# show privilege all

System.Anonymous

System.View

System.Read

...

208 total privileges

Displays all of the system predefined privileges.


Viewing Group Privileges

To view the privileges of a specific group, or to view all the system predefined privilege groups, use the following command:

show privilege-group {privilege group ID | all}

SUMMARY STEPS

From the Console Manager interface, enter:

1. show privilege-group {privilege group ID | all}

DETAILED STEPS

To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section on page 5-3.

 
Command or Action
Purpose

Step 1 

show privilege-group {privilege group ID | all}

Example:

SRE-Module# show privilege-group System

System.Anonymous

System.View

System.Read


3 total privileges


SRE-Module# show privilege-group all

System

Global

Folder

...


27 total privilege groups

Displays the privileges of a specific group or displays all the system predefined privilege groups.

privilege group ID—Privilege group string for which you want the predefined privileges displayed.

all—Displays all of the system predefined privilege groups.


Deleting Roles

To delete an existing role, use the following command:

role delete role name

SUMMARY STEPS

From the Console Manager interface, enter:

1. role delete role name

DETAILED STEPS

To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section on page 5-3.

 
Command or Action
Purpose

Step 1 

role delete role name

Example:

SRE-Module# role delete SuperRole

Deletes the specified role.

role name—Name of the role that you want to delete.

Note: When you delete a specific role, the users or the user groups that are assigned to that role are not deleted.


Working with Permissions

A permission is an object that consists of an authorization role, a user or group name, a managed virtual machine, and a host reference. A permission allows the user to access a virtual machine with any of the privileges that apply to the specified role.

To assign or remove a role from a user or user group, use the permission add or permission remove commands.

See the following sections for more information:

Assigning a Role to a User

Removing a Role from a User

Assigning a Role to a User Group

Removing a Role from a User Group

Assigning a Role to a User

When you assign a role to a user, you provide the user with the permission to access a virtual machine with the privileges that apply to the specified role. To assign the role to the user, use the following command:

permission add role name user username [virtual-machine VM] [nopropogate]

SUMMARY STEPS

From the Console Manager interface, enter:

1. permission add role name user username [virtual-machine VM] [nopropogate]

DETAILED STEPS

To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section on page 5-3.

 
Command or Action
Purpose

Step 1 

permission add role name user username [virtual-machine VM] [nopropogate]

Example:

SRE-Module# permission add SuperRole user jsmith virtual-machine VM_1 nopropogate

Assigns the role to the user and provides the user with the permission to access a virtual machine with any of the privileges that apply to the specified role.

role name—Name of the role that you want to assign to the user.

user username—Specifies the username to which you want to assign the role.

username—Unique string used to identify the user.

virtual-machine VM—(Optional) Provides the user the permission to access the specified virtual machine.

VM—Name of the virtual machine.

Role permissions are provided at object level in VMware vSphere Hypervisor™. The virtual-machine keyword provides the user the permission to access the specified virtual machine. Without the virtual-machine keyword, the user has the permission to access all of the virtual machines in the system.

nopropogate—(Optional) Does not allow role permissions to be propagated to the sub-entities of the host.

Without the nopropogate keyword, permissions are propagated to the granted object.


Removing a Role from a User

When you remove a role from a user, the permission for the user to access the virtual machine is also removed. To remove the role from the user, use the following command:

permission remove role name user username [virtual-machine VM] [nopropogate]

SUMMARY STEPS

From the Console Manager interface, enter:

1. permission remove role name user username [virtual-machine VM] [nopropogate]

DETAILED STEPS

To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section on page 5-3.

 
Command or Action
Purpose

Step 1 

permission remove role name user username [virtual-machine VM] [nopropogate]

Example:

SRE-Module# permission remove SuperRole user jsmith virtual-machine VM_1 nopropogate

Removes the role from the user. When you remove the role, the permission for the user to access the virtual machine is also removed.

role name—Name of the role that you want to remove from the user.

user username—Specifies the username of the user whose role you want to remove.

username—Unique string used to identify the user.

virtual-machine VM—(Optional) Removes the role permission from the specified virtual machine.

VM—Name of the virtual machine.

Role permissions are provided at object level in VMware vSphere Hypervisor™. The virtual-machine keyword removes the user's permission to access the specified virtual machine. Without the virtual-machine keyword, the user cannot access any of the virtual machines in the system.

nopropogate—(Optional) Does not allow role permissions to be propagated to the sub-entities of the host.


Assigning a Role to a User Group

When you assign a role to a user group, you provide the user group the permission to access a virtual machine with any of the privileges that apply to the specified role. To assign a role to a user group, use the following command:

permission add role name group group name [virtual-machine VM] [nopropogate]

SUMMARY STEPS

From the Console Manager interface, enter:

1. permission add role name group group name [virtual-machine VM] [nopropogate]

DETAILED STEPS

To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section on page 5-3.

 
Command or Action
Purpose

Step 1 

permission add role name group group name [virtual-machine VM] [nopropogate]

Example:

SRE-Module# permission add SuperRole group Network virtual-machine VM_1 nopropogate

Assigns the role to the user group and provides the user group the permission to access a virtual machine with any of the privileges that apply to the specified role.

role name—Name of the role that you want to assign to the user group.

group group name—Specifies the name of the user group to which you want to assign the role.

group name—Unique string used to identify the user group.

virtual-machine VM—(Optional) Provides the user group the permission to access the specified virtual machine.

VM—Name of the virtual machine.

Role permissions are provided at object level in VMware vSphere Hypervisor™. The virtual-machine keyword provides the user group the permission to access the specified virtual machine. Without the virtual-machine keyword, the user group has the permission to access all of the virtual machines in the system.

nopropogate—(Optional) Does not allow role permissions to be propagated to the sub-entities of the host.

Without the nopropogate keyword, permissions are propagated to the granted object.

Removing a Role from a User Group

When you remove a role from a user group, the permission for the user group to access the virtual machine is also removed. To remove the role from the user group, use the following command:

permission remove role name group group name [virtual-machine VM] [nopropogate]

SUMMARY STEPS

From the Console Manager interface, enter:

1. permission remove role name group group name [virtual-machine VM] [nopropogate]

DETAILED STEPS

To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section on page 5-3.

Command or Action
Purpose

Step 1 

permission remove role name group group name [virtual-machine VM] [nopropogate]

Example:

SRE-Module# permission remove SuperRole group Network virtual-machine VM_1 nopropogate

Removes the role from the user group. When you remove the role, the permission for the user group to access the virtual machine is also removed.

role name—Name of the role that you want to remove from the user group.

group group name—Specifies the name of the user group whose role you want to remove.

group name—Unique string used to identify the user group.

virtual-machine VM—(Optional) Removes the role permission from the specified virtual machine.

VM—Name of the virtual machine.

Role permissions are provided at object level in VMware vSphere Hypervisor™. The virtual-machine keyword removes the user group's permission to access the specified virtual machine. Without the virtual-machine keyword, the user group cannot access any of the virtual machines in the system.

nopropogate—(Optional) Does not allow role permissions to be propagated to the sub-entities of the host.

Basic Workflow Option 1 Example

To create a user and role, add privileges to the role, and then assign the role to the user, follow these steps.

SUMMARY STEPS

From the Console Manager interface, enter:

1. user create username password password [fullname full name]

2. role create role name

3. role update role name add-privilege {privilege ID | all}

4. permission add role name user username [virtual-machine VM] [nopropogate]

5. exit

DETAILED STEPS

To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section on page 5-3.

Command or Action
Purpose

Step 1 

user create username password password [fullname full name]

Example:

SRE-Module# user create jsmith password xQaTEhbU fullname "JohnSmith"

Creates a new user account.

username—Unique string used to log into the VMware vSphere Hypervisor™. Maximum string length: 16 alphanumeric characters. This login username is case sensitive and must not contain spaces.

password password—Specifies the password to be used with the username.

password—Alphanumeric string used with this username to provide access to the VMware vSphere Hypervisor™.

A password must contain a mix of characters from the following four character classes:

Lowercase letters

Uppercase letters

Digits

Special characters, such as an underscore or dash

Password Length Requirements:

If the password contains characters from one or two classes, it must contain eight characters.

If the password contains characters from three classes, it must contain seven characters.

If the password contains characters from all four classes, it must contain six characters.

Note If the password begins with an uppercase character, that character does not count towards the number of character classes used. If the password ends with a digit, that digit does not count towards the number of character classes used.

Password Examples:

xQaTEhbU—Contains eight characters from two character classes.

xQaT3pb—Contains seven characters from three character classes.

xQaT3#—Contains six characters from four character classes.

fullname full name—(Optional) Specifies the full name of the user.

full name—Alphanumeric string used with this username. Maximum string length: 64 characters. You can set the full name later by using the user update command.


Step 2 

role create role name

Example:

SRE-Module# role create SuperRole

Creates a role.

role name—Unique string used to identify the role. Maximum string length: 80 alphanumeric characters. The role name is not case sensitive and can contain spaces.

Step 3 

role update role name add-privilege {privilege ID | all}

Example:

SRE-Module# role update SuperRole add-privilege VirtualMachine.Config.AddNewDisk


SRE-Module# role update SuperRole add-privilege all

Adds the privilege to the specified role.

role name—Unique string used to identify the role.

add-privilege privilege ID—Adds the privilege to the specified role.

privilege ID—Privilege string to be added.

all—Adds all of the privileges to the specified role.

Step 4 

permission add role name user username [virtual-machine VM] [nopropogate]

Example:

SRE-Module# permission add SuperRole user jsmith virtual-machine VM_1 nopropogate

Assigns the role to the user and provides the user with the permission to access a virtual machine with any of the privileges that apply to the specified role.

role name—Name of the role that you want to assign to the user.

user username—Specifies the username to which you want to assign the role.

username—Unique string used to identify the user.

virtual-machine VM—(Optional) Provides the user the permission to access the specified virtual machine.

VM—Name of the virtual machine.

Role permissions are provided at object level in VMware vSphere Hypervisor™. The virtual-machine keyword gives the user the permission to access the specified virtual machine. Without the virtual-machine keyword, the user has the permission to access all of the virtual machines in the system.

nopropogate—(Optional) Does not allow role permissions to be propagated to the sub-entities of the host.

Without the nopropogate keyword, permissions are propagated to the granted object.

Step 5 

exit

Closes the service module session.
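
The Step 1 username and password rules, written as a pre-check to run before issuing user create. This is an added example, not Cisco's code. It assumes the stated lengths are minimums, that length is measured on the whole password, and that any character other than a letter or digit is a special character; the function names are hypothetical.

```python
import string

# Minimum total length per number of counted character classes (Step 1 rules).
# Assumption: the stated lengths are minimums.
MIN_LENGTH = {1: 8, 2: 8, 3: 7, 4: 6}


def counted_classes(password):
    """Return the set of character classes that count toward the policy."""
    core = password
    if core and core[0] in string.ascii_uppercase:
        core = core[1:]          # leading uppercase letter is not counted
    if core and core[-1] in string.digits:
        core = core[:-1]         # trailing digit is not counted
    classes = set()
    for ch in core:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("special")  # assumption: anything else is "special"
    return classes


def check_password(password):
    """Return (ok, reason); length is measured on the whole password."""
    n = len(counted_classes(password))
    if n == 0:
        return False, "no character counts toward a class"
    need = MIN_LENGTH[n]
    if len(password) < need:
        return False, f"{n} counted class(es) require {need} characters, got {len(password)}"
    return True, f"{n} counted class(es), {len(password)} characters"


def check_username(username):
    """Step 1 username rule: 1 to 16 alphanumeric characters, no spaces."""
    return 0 < len(username) <= 16 and username.isascii() and username.isalnum()


if __name__ == "__main__":
    # First three are the page's own examples; the rest are constructed.
    for pw in ["xQaTEhbU", "xQaT3pb", "xQaT3#", "Xqat3#", "Abcdef1"]:
        print(pw, check_password(pw))
    print("jsmith", check_username("jsmith"))
```

Xqat3# looks like a four-class password but is rejected: the leading uppercase letter is not counted, so it has three counted classes and needs seven characters.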