Cisco UCS Central CLI Configuration Guide, Release 1.0
Configuring Role-Based Access Control
Downloads: This chapterpdf (PDF - 626.0KB) The complete bookPDF (PDF - 2.17MB) | The complete bookePub (ePub - 408.0KB) | Feedback

Configuring Role-Based Access Control

Contents

Configuring Role-Based Access Control

This chapter includes the following sections:

Role-Based Access Control

Role-Based Access Control (RBAC) is a method of restricting or authorizing system access for users based on user roles and locales. A role defines the privileges of a user in the system and the locale defines the organizations (domains) that a user is allowed access. Because users are not directly assigned privileges, management of individual user privileges is simply a matter of assigning the appropriate roles and locales.

A user is granted write access to desired system resources only if the assigned role grants the access privileges and the assigned locale allows access. For example, a user with the Server Administrator role in the Engineering organization could update server configurations in the Engineering organization but could not update server configurations in the Finance organization unless the locales assigned to the user include the Finance organization.

User Accounts for Cisco UCS

User accounts are used to access the system. Up to 128 user accounts can be configured in each Cisco UCS Central domain. Each user account must have a unique username and password.

A user account can be set with a SSH public key. The public key can be set in either of the two formats: OpenSSH and SECSH.

Admin Account

Cisco UCS Central has an admin account. The admin account is a default user account and cannot be modified or deleted. This account is the system administrator or superuser account and has full privileges. There is no default password assigned to the admin account; you must choose the password during the initial system setup.

The admin account is always active and does not expire. You cannot configure the admin account as inactive.

The local admin user is able to login for fail over, even when authentication is set to remote.

Locally Authenticated User Accounts

A locally authenticated user account is authenticated through the Cisco UCS Central user database, and can be enabled or disabled by anyone with admin or aaa privileges. Once a local user account is disabled, the user cannot log in. Configuration details for disabled local user accounts are not deleted by the database. If you re-enable a disabled local user account, the account becomes active again with the existing configuration, including username and password.

Remotely Authenticated User Accounts

A remotely authenticated user account is any Cisco UCS Central user account that is authenticated through LDAP. Cisco UCS domainssupport LDAP, RADIUS and TACACS+.

If a user maintains a local user account and a remote user account simultaneously, the roles defined in the local user account override those maintained in the remote user account.

Expiration of User Accounts

User accounts can be configured to expire at a predefined time. When the expiration time is reached, the user account is disabled.

By default, user accounts do not expire.


Note


After you configure a user account with an expiration date, you cannot reconfigure the account to not expire. You can, however, configure the account with the latest expiration date available.


Guidelines for Cisco UCS Usernames

The username is also used as the login ID for Cisco UCS Central. When you assign login IDs to Cisco UCS user accounts, consider the following guidelines and restrictions:

  • The login ID can contain between 1 and 32 characters, including the following:
    • Any alphabetic character
    • Any digit
    • _ (underscore)
    • - (dash)
    • . (dot)
  • The login ID must be unique within Cisco UCS Central.
  • The login ID must start with an alphabetic character. It cannot start with a number or a special character, such as an underscore.
  • The login ID is case-sensitive.
  • You cannot create an all-numeric login ID.
  • After you create a user account, you cannot change the login ID. You must delete the user account and create a new one.

Reserved Words: Locally Authenticated User Accounts

The following words cannot be used when creating a local user account in Cisco UCS.

  • root
  • bin
  • daemon
  • adm
  • lp
  • sync
  • shutdown
  • halt
  • news
  • uucp
  • operator
  • games
  • gopher
  • nobody
  • nscd
  • mailnull
  • mail
  • rpcuser
  • rpc
  • mtsuser
  • ftpuser
  • ftp
  • man
  • sys
  • samdme
  • debug

Guidelines for Cisco UCS Passwords

A password is required for each locally authenticated user account. A user with admin, aaa, or domain-group-management privileges can configure Cisco UCS Central to perform a password strength check on user passwords. If the password strength check is enabled, each user must have a strong password.

Cisco recommends that each user have a strong password. If you enable the password strength check for locally authenticated users, Cisco UCS Central rejects any password that does not meet the following requirements:

  • Must contain a minimum of 8 characters and a maximum of 80 characters.
  • Must contain at least three of the following:
    • Lower case letters
    • Upper case letters
    • Digits
    • Special characters
  • Must not contain a character that is repeated more than 3 times consecutively, such as aaabbb.
  • Must not be identical to the username or the reverse of the username.
  • Must pass a password dictionary check. For example, the password must not be based on a standard dictionary word.
  • Must not contain the following symbols: $ (dollar sign), ? (question mark), and = (equals sign).
  • Should not be blank for local user and admin accounts.

Web Session Limits for User Accounts

Cisco UCS Central does not support managing a number of concurrent web sessions at this time. We do support 32 concurrent web sessions for Cisco UCS Central users and a total of 256 concurrent sessions for all users.

Configuring User Roles

User Roles

User roles contain one or more privileges that define the operations that are allowed for a user. One or more roles can be assigned to each user. Users with multiple roles have the combined privileges of all assigned roles. For example, if Role1 has storage-related privileges, and Role2 has server-related privileges, users with Role1 and Role2 have both storage-related and server-related privileges.

A Cisco UCS domain can contain up to 48 user roles, including the default user roles. Each domain group in Cisco UCS Central can contain 48 user roles, including the user roles that are inherited from the parent domain group. When user roles are pushed to Cisco UCS Manager from Cisco UCS Central, only the first 48 roles will be active. Any user roles after the first 48 will be inactive with faults raised.

All roles include read access to all configuration settings in the Cisco UCS domain. Users with read-only roles cannot modify the system state.

Roles can be created, modified to add new or remove existing privileges, or deleted. When a role is modified, the new privileges are applied to all users that have that role. Privilege assignment is not restricted to the privileges defined for the default roles. That is, you can use a custom set of privileges to create a unique role. For example, the default Server Administrator and Storage Administrator roles have a different set of privileges, but a new Server and Storage Administrator role can be created that combines the privileges of both roles.

If a role is deleted after it has been assigned to users, it is also deleted from those user accounts.

User profiles on AAA servers (RADIUS or TACACS+) should be modified to add the roles corresponding to the privileges granted to that user. The attribute is used to store the role information. The AAA servers return this attribute with the request and parse it to get the roles. LDAP servers return the roles in the user profile attributes.

Default User Roles

The system contains the following default user roles:

AAA Administrator

Read-and-write access to users, roles, and AAA configuration. Read access to the rest of the system.

Administrator

Complete read-and-write access to the entire system. The default admin account is assigned this role by default and it cannot be changed.

Facility Manager

Read-and-write access to power management operations through the power-mgmt privilege. Read access to the rest of the system.

Network Administrator

Read-and-write access to fabric interconnect infrastructure and network security operations. Read access to the rest of the system.

Operations

Read-and-write access to systems logs, including the syslog servers, and faults. Read access to the rest of the system.

Read-Only

Read-only access to system configuration with no privileges to modify the system state.

Server Compute

Read and write access to most aspects of service profiles. However the user cannot create, modify or delete vNICs or vHBAs.

Server Equipment Administrator

Read-and-write access to physical server related operations. Read access to the rest of the system.

Server Profile Administrator

Read-and-write access to logical server related operations. Read access to the rest of the system.

Server Security Administrator

Read-and-write access to server security related operations. Read access to the rest of the system.

Storage Administrator

Read-and-write access to storage operations. Read access to the rest of the system.

Reserved Words: User Roles

The following words cannot be used when creating custom roles in Cisco UCS.

  • network-admin
  • network-operator
  • vdc-admin
  • vdc-operator
  • server-admin

Privileges

Privileges give users assigned to user roles access to specific system resources and permission to perform specific tasks. The following table lists each privilege and the user role given that privilege by default.

Table 1 User Privileges

Privilege

Description

Default Role Assignment

aaa

System security and AAA

AAA Administrator

admin

System administration

Administrator

domain-group-management

Domain Group Management

Domain Group Administrator

ext-lan-config

External LAN configuration

Network Administrator

ext-lan-policy

External LAN policy

Network Administrator

ext-lan-qos

External LAN QoS

Network Administrator

ext-lan-security

External LAN security

Network Administrator

ext-san-config

External SAN configuration

Storage Administrator

ext-san-policy

External SAN policy

Storage Administrator

ext-san-qos

External SAN QoS

Storage Administrator

ext-san-security

External SAN security

Storage Administrator

fault

Alarms and alarm policies

Operations

operations

Logs and Smart Call Home

Operations

org-management

Organization management

Operations

pod-config

Pod configuration

Network Administrator

pod-policy

Pod policy

Network Administrator

pod-qos

Pod QoS

Network Administrator

pod-security

Pod security

Network Administrator

power-mgmt

Read-and-write access to power management operations

Facility Manager

read-only

Read-only access

Read-only cannot be selected as a privilege; it is assigned to every user role.

Read-Only

server-equipment

Server hardware management

Server Equipment Administrator

server-maintenance

Server maintenance

Server Equipment Administrator

server-policy

Server policy

Server Equipment Administrator

server-security

Server security

Server Security Administrator

service-profile-compute

Service profile compute

Server Compute Administrator

service-profile-config

Service profile configuration

Server Profile Administrator

service-profile-config-policy

Service profile configuration policy

Server Profile Administrator

service-profile-ext-access

Service profile end point access

Server Profile Administrator

service-profile-network

Service profile network

Network Administrator

service-profile-network-policy

Service profile network policy

Network Administrator

service-profile-qos

Service profile QoS

Network Administrator

service-profile-qos-policy

Service profile QoS policy

Network Administrator

service-profile-security

Service profile security

Server Security Administrator

service-profile-security-policy

Service profile security policy

Server Security Administrator

service-profile-server

Service profile server management

Server Profile Administrator

service-profile-server-oper

Service profile consumer

Server Profile Administrator

service-profile-server-policy

Service profile pool policy

Server Security Administrator

service-profile-storage

Service profile storage

Storage Administrator

service-profile-storage-policy

Service profile storage policy

Storage Administrator

Creating a User Role

Procedure
      Command or Action Purpose
    Step 1 UCSC# connect policy-mgr  

    Enters policy manager mode.

     
    Step 2 UCSC(policy-mgr)# scope domain-group domain-group  

    Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

     
    Step 3 UCSC(policy-mgr) /domain-group # scope security  

    Enters security mode.

     
    Step 4 UCSC(policy-mgr) /domain-group/security # create role name  

    Creates the user role and enters security role mode.

     
    Step 5 UCSC(policy-mgr) /domain-group/security/role* # add privilege privilege-name  

    Adds one or more privileges to the role.

    Note   

    You can specify more than one privilege-name on the same command line to add multiple privileges to the role, or you can add privileges to the same role using multiple add commands.

     
    Step 6 UCSC(policy-mgr) /domain-group/security/role* # commit-buffer  

    Commits the transaction to the system configuration.

     

    The following example creates the service-profile-security-admin role, adds the service profile security and service profile security policy privileges to the role, and commits the transaction:

    UCSC # connect policy-mgr
    UCSC(policy-mgr)# scope domain-group
    UCSC(policy-mgr) /domain-group # scope security
    UCSC(policy-mgr) /domain-group/security # create role ls-security-admin
    UCSC(policy-mgr) /domain-group/security/role* # add privilege service-profile-security service-profile-security-policy
    UCSC(policy-mgr) /domain-group/security/role* # commit-buffer
    UCSC(policy-mgr) /domain-group/security/role # 
    

    Deleting a User Role

    Procedure
        Command or Action Purpose
      Step 1 UCSC# connect policy-mgr  

      Enters policy manager mode.

       
      Step 2 UCSC(policy-mgr)# scope domain-group domain-group  

      Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

       
      Step 3 UCSC(policy-mgr) /domain-group # scope security  

      Enters security mode.

       
      Step 4 UCSC(policy-mgr) /domain-group/security # delete role name  

      Deletes the user role.

       
      Step 5 UCSC(policy-mgr) /domain-group/security/role* # commit-buffer  

      Commits the transaction to the system configuration.

       

      The following example deletes the service-profile-security-admin role and commits the transaction:

      UCSC # connect policy-mgr
      UCSC(policy-mgr)# scope domain-group
      UCSC(policy-mgr) /domain-group # scope security
      UCSC(policy-mgr) /domain-group/security # delete role service-profile-security-admin
      UCSC(policy-mgr) /domain-group/security/role* # commit-buffer
      UCSC(policy-mgr) /domain-group/security/role # 
      

      Adding Privileges to a User Role

      Procedure
          Command or Action Purpose
        Step 1 UCSC# connect policy-mgr  

        Enters policy manager mode.

         
        Step 2 UCSC(policy-mgr)# scope domain-group domain-group  

        Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

         
        Step 3 UCSC(policy-mgr) /domain-group # scope security  

        Enters security mode.

         
        Step 4 UCSC(policy-mgr) /domain-group/security # scope role name  

        Enters security role mode for the specified role.

         
        Step 5 UCSC(policy-mgr) /domain-group/security/role # add privilege privilege-name  

        Adds one or more privileges to the existing privileges of the user role.

        Note   

        You can specify more than one privilege-name on the same command line to add multiple privileges to the role, or you can add privileges to the same role using multiple add privilege commands.

         
        Step 6 UCSC(policy-mgr) /domain-group/security/role* # commit-buffer  

        Commits the transaction to the system configuration.

         

        The following example shows how to add the server security and server policy privileges to the service-profile-security-admin role and commit the transaction:

        UCSC # connect policy-mgr
        UCSC(policy-mgr)# scope domain-group
        UCSC(policy-mgr) /domain-group # scope security
        UCSC(policy-mgr) /domain-group/security # scope role
        UCSC(policy-mgr) /domain-group/security/role # scope role service-profile-security-admin
        UCSC(policy-mgr) /domain-group/security/role* # add privilege server-security server-policy
        UCSC(policy-mgr) /domain-group/security/role* # commit-buffer
        UCSC(policy-mgr) /domain-group/security/role # 
        

        Replacing Privileges for a User Role

        Procedure
            Command or Action Purpose
          Step 1 UCSC# connect policy-mgr  

          Enters policy manager mode.

           
          Step 2 UCSC(policy-mgr)# scope domain-group domain-group  

          Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

           
          Step 3 UCSC(policy-mgr) /domain-group # scope security  

          Enters security mode.

           
          Step 4 UCSC(policy-mgr) /domain-group/security # scope role name  

          Enters security role mode for the specified role.

           
          Step 5 UCSC(policy-mgr) /domain-group/security/role # set privilege privilege-name  

          Replaces the existing privileges of the user role.

          Note   

          You can specify more than one privilege-name on the same command line to replace the existing privilege with multiple privileges. After replacing the privileges, you can add privileges to the same role using the add privilege command.

           
          Step 6 UCSC(policy-mgr) /domain-group/security/role* # commit-buffer  

          Commits the transaction to the system configuration.

           

          The following example shows how to replace the existing privileges for the service-profile-security-admin role with the server security and server policy privileges and commit the transaction:

          UCSC # connect policy-mgr
          UCSC(policy-mgr)# scope domain-group
          UCSC(policy-mgr) /domain-group # scope security
          UCSC(policy-mgr) /domain-group/security # scope role
          UCSC(policy-mgr) /domain-group/security/role # scope role service-profile-security-admin
          UCSC(policy-mgr) /domain-group/security/role* # set privilege server-security server-policy
          UCSC(policy-mgr) /domain-group/security/role* # commit-buffer
          UCSC(policy-mgr) /domain-group/security/role # 
          

          Removing Privileges from a User Role

          Procedure
              Command or Action Purpose
            Step 1 UCSC# connect policy-mgr  

            Enters policy manager mode.

             
            Step 2 UCSC(policy-mgr)# scope domain-group domain-group  

            Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

             
            Step 3 UCSC(policy-mgr) /domain-group # scope security  

            Enters security mode.

             
            Step 4 UCSC(policy-mgr) /domain-group/security # scope role name  

            Enters security role mode for the specified role.

             
            Step 5 UCSC(policy-mgr) /domain-group/security/role # remove privilege privilege-name  

            Removes one or more privileges from the existing user role privileges.

            Note   

            You can specify more than one privilege-name on the same command line to remove multiple privileges from the role, or you can remove privileges from the same role using multiple remove privilege commands.

             
            Step 6 UCSC(policy-mgr) /domain-group/security/role* # commit-buffer  

            Commits the transaction to the system configuration.

             

            The following example removes the server security and server policy privileges from the service-profile-security-admin role and commits the transaction:

            UCSC # connect policy-mgr
            UCSC(policy-mgr)# scope domain-group
            UCSC(policy-mgr) /domain-group # scope security
            UCSC(policy-mgr) /domain-group/security # scope role
            UCSC(policy-mgr) /domain-group/security/role # remove privilege server-security server-policy
            UCSC(policy-mgr) /domain-group/security/role* # commit-buffer
            UCSC(policy-mgr) /domain-group/security/role # 
            

            Assigning a Role to a User Account

            Changes in user roles and privileges do not take effect until the next time the user logs in. If a user is logged in when you assign a new role to or remove an existing role from a user account, the active session continues with the previous roles and privileges.

            Procedure
                Command or Action Purpose
              Step 1 UCSC# connect policy-mgr  

              Enters policy manager mode.

               
              Step 2 UCSC(policy-mgr)# scope domain-group domain-group  

              Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

               
              Step 3 UCSC(policy-mgr) /domain-group # scope security  

              Enters security mode.

               
              Step 4 UCSC(policy-mgr) /domain-group/security # scope local-user local-user-name  

              Enters security local user mode for the specified local user account.

               
              Step 5 UCSC(policy-mgr) /domain-group/security/local-user # create role role-name  

              Assigns the specified role to the user account .

              Note   

              The create role command can be entered multiple times to assign more than one role to a user account.

               
              Step 6 UCSC(policy-mgr) /domain-group/security/local-user* # commit-buffer  

              Commits the transaction.

               

              The following example assigns the operations role to the kikipopo local user account and commits the transaction:

              UCSC # connect policy-mgr
              UCSC(policy-mgr)# scope domain-group
              UCSC(policy-mgr) /domain-group # scope security
              UCSC(policy-mgr) /domain-group/security # scope local-user kikipopo
              UCSC(policy-mgr) /domain-group/security/local-user # create role operations
              UCSC(policy-mgr) /domain-group/security/local-user* # commit-buffer
              UCSC(policy-mgr) /domain-group/security/local-user # 
              
              

              Removing a Role from a User Account

              Changes in user roles and privileges do not take effect until the next time the user logs in. If a user is logged in when you assign a new role to or remove an existing role from a user account, the active session continues with the previous roles and privileges.

              Procedure
                  Command or Action Purpose
                Step 1 UCSC# connect policy-mgr  

                Enters policy manager mode.

                 
                Step 2 UCSC(policy-mgr)# scope domain-group domain-group  

                Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

                 
                Step 3 UCSC(policy-mgr) /domain-group # scope security  

                Enters security mode.

                 
                Step 4 UCSC(policy-mgr) /domain-group/security # scope local-user local-user-name  

                Enters security local user mode for the specified local user account.

                 
                Step 5 UCSC(policy-mgr) /domain-group/security/local-user # delete role role-name  

                Removes the specified role from the user account .

                Note   

                The delete role command can be entered multiple times to remove more than one role from a user account.

                 
                Step 6 UCSC(policy-mgr) /domain-group/security/local-user* # commit-buffer  

                Commits the transaction.

                 

                The following example removes the operations role from the kikipopo local user account and commits the transaction:

                CSC # connect policy-mgr
                UCSC(policy-mgr)# scope domain-group
                UCSC(policy-mgr) /domain-group # scope security
                UCSC(policy-mgr) /domain-group/security # scope local-user kikipopo
                UCSC(policy-mgr) /domain-group/security/local-user # delete role operations
                UCSC(policy-mgr) /domain-group/security/local-user* # commit-buffer
                UCSC(policy-mgr) /domain-group/security/local-user # 
                
                

                Configuring Locally Authenticated User Accounts

                Creating a Locally Authenticated User Account

                At a minimum, we recommend that you create the following users:

                • Server administrator account
                • Network administrator account
                • Storage administrator
                Before You Begin

                Perform the following tasks, if the system includes any of the following:

                • Remote authentication services, ensure the users exist in the remote authentication server with the appropriate roles and privileges.
                • Multi-tenancy with organizations, create one or more locales. If you do not have any locales, all users are created in root and are assigned roles and privileges in all organizations.
                • SSH authentication, obtain the SSH key.
                Procedure
                    Command or Action Purpose
                  Step 1 UCSC# connect policy-mgr  

                  Enters policy manager mode.

                   
                  Step 2 UCSC(policy-mgr)# scope domain-group /  

                  Enters domain group root mode.

                   
                  Step 3 UCSC(policy-mgr) /domain-group # scope security  

                  Enters security mode.

                   
                  Step 4 UCSC(policy-mgr) /domain-group/security # create local-user local-user-name  

                  Creates a user account for the specified local user and enters security local user mode.

                   
                  Step 5 UCSC(policy-mgr) /domain-group/security/local-user* # set account-status {active | inactive}  

                  Specifies whether the local user account is enabled or disabled.

                  The admin user account is always set to active. It cannot be modified.

                  Note   

                  If you set the account status to inactive, the configuration is not deleted from the database. The user is prevented from logging into the system using their existing credentials.

                   
                  Step 6 UCSC(policy-mgr) /domain-group/security/local-user* # set password password  

                  Sets the password for the user account

                   
                  Step 7 UCSC(policy-mgr) /domain-group/security/local-user* # set firstname first-name   (Optional)

                  Specifies the first name of the user.

                   
                  Step 8 UCSC(policy-mgr) /domain-group/security/local-user* # set lastname last-name   (Optional)

                  Specifies the last name of the user.

                   
                  Step 9 UCSC(policy-mgr) /domain-group/security/local-user* # set expiration month day-of-month year   (Optional)

                  Specifies the date that the user account expires. The month argument is the first three letters of the month name.

                  Note   

                  After you configure a user account with an expiration date, you cannot reconfigure the account to not expire. You can, however, configure the account with the latest expiration date available.

                   
                  Step 10 UCSC(policy-mgr) /domain-group/security/local-user* # set email email-addr   (Optional)

                  Specifies the user e-mail address.

                   
                  Step 11 UCSC(policy-mgr) /domain-group/security/local-user* # set phone phone-num   (Optional)

                  Specifies the user phone number.

                   
                  Step 12 UCSC(policy-mgr) /domain-group/security/local-user* # set sshkey ssh-key   (Optional)

                  Specifies the SSH key used for passwordless access.

                   
                  Step 13 UCSC(policy-mgr) /domain-group/security/local-user* # commit-buffer  

                  Commits the transaction.

                   

                  The following example shows how to create the user account named kikipopo, enable the user account, set the password to foo12345, and commit the transaction:

                  UCSC # connect policy-mgr
                  UCSC(policy-mgr)# scope domain-group /
                  UCSC(policy-mgr) /domain-group # scope security
                  UCSC(policy-mgr) /domain-group/security # create local-user kikipopo
                  UCSC(policy-mgr) /domain-group/security/local-user* # set account-status active
                  UCSC(policy-mgr) /domain-group/security/local-user* # set password
                  Enter a password:
                  Confirm the password:
                  UCSC(policy-mgr) /domain-group/security/local-user* # commit-buffer
                  UCSC(policy-mgr) /domain-group/security/local-user # 
                  
                  

                  The following example shows how to create the user account named lincey, enable the user account, set an OpenSSH key for passwordless access, and commit the transaction.

                  UCSC # connect policy-mgr
                  UCSC(policy-mgr)# scope domain-group /
                  UCSC(policy-mgr) /domain-group # scope security
                  UCSC(policy-mgr) /domain-group/security # create local-user lincey
                  UCSC(policy-mgr) /domain-group/security/local-user* # set account-status active
                  UCSC(policy-mgr) /domain-group/security/local-user* #  set sshkey "ssh-rsa AAAAB3NzaC1yc2EAAAA BIwAAAIEAuo9VQ2CmWBI9/S1f30klCWjnV3lgdXMzO0WUl5iPw85lkdQqap+NFuNmHcb4KiaQB8X/PDdmtlxQQcawclj+k8f4 VcOelBxlsGk5luq5ls1ob1VOIEwcKEL/h5lrdbNlI8y3SS9I/gGiBZ9ARlop9LDpDm8HPh2LOgyH7Ei1MI8="
                  UCSC(policy-mgr) /domain-group/security/local-user* # commit-buffer
                  UCSC(policy-mgr) /domain-group/security/local-user # 
                  
                  

                  The following example shows how to create the user account named jforlenz, enable the user account, set a Secure SSH key for passwordless access, and commit the transaction.

                  UCSC # connect policy-mgr
                  UCSC(policy-mgr)# scope domain-group /
                  UCSC(policy-mgr) /domain-group # scope security
                  UCSC(policy-mgr) /domain-group/security # create local-user jforlenz
                  UCSC(policy-mgr) /domain-group/security/local-user* # set account-status active
                  UCSC(policy-mgr) /domain-group/security/local-user* #  set sshkey
                  Enter lines one at a time. Enter ENDOFBUF to finish. Press ^C to abort.
                  User's SSH key:
                  > ---- BEGIN SSH2 PUBLIC KEY ----
                  > AAAAB3NzaC1yc2EAAAABIwAAAIEAuo9VQ2CmWBI9/S1f30klCWjnV3lgdXMzO0WUl5iPw8
                  > 5lkdQqap+NFuNmHcb4KiaQB8X/PDdmtlxQQcawclj+k8f4VcOelBxlsGk5luq5ls1ob1VO
                  > IEwcKEL/h5lrdbNlI8y3SS9I/gGiBZ9ARlop9LDpDm8HPh2LOgyH7Ei1MI8=
                  > ---- END SSH2 PUBLIC KEY ----
                  > ENDOFBUF
                  UCSC(policy-mgr) /domain-group/security/local-user* # commit-buffer
                  UCSC(policy-mgr) /domain-group/security/local-user # 
                  

                  Deleting a Locally Authenticated User Account

                  Procedure
                      Command or Action Purpose
                    Step 1 UCSC# connect policy-mgr  

                    Enters policy manager mode.

                     
                    Step 2 UCSC(policy-mgr)# scope domain-group domain-group  

                    Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

                     
                    Step 3 UCSC(policy-mgr) /domain-group # scope security  

                    Enters security mode.

                     
                    Step 4 UCSC(policy-mgr) /domain-group/security # delete local-user local-user-name  

                    Deletes the local-user account.

                     
                    Step 5 UCSC(policy-mgr) /domain-group/security* # commit-buffer  

                    Commits the transaction to the system configuration.

                     

                    The following example deletes the foo user account and commits the transaction:

                    UCSC # connect policy-mgr
                    UCSC(policy-mgr)# scope domain-group
                    UCSC(policy-mgr) /domain-group # scope security
                    UCSC(policy-mgr) /domain-group/security # delete local-user foo
                    UCSC(policy-mgr) /domain-group/security* # commit-buffer
                    UCSC(policy-mgr) /domain-group/security # 
                    

                    Enabling the Password Strength Check for Locally Authenticated Users

                    You must be a user with admin, aaa, or domain-group-management privileges to enable the password strength check. If the password strength check is enabled, Cisco UCS Central does not permit a user to choose a password that does not meet the guidelines for a strong password.

                    Procedure
                        Command or Action Purpose
                      Step 1 UCSC# connect policy-mgr  

                      Enters policy manager mode.

                       
                      Step 2 UCSC(policy-mgr)# scope domain-group /  

                      Enters domain group root mode.

                       
                      Step 3 UCSC(policy-mgr) /domain-group # scope security  

                      Enters security mode.

                       
                      Step 4 UCSC(policy-mgr) /domain-group/security # scope password-profile.  

                      Specifies whether the password strength check is enabled or disabled.

                       
                      Step 5 UCSC(policy-mgr) /domain-group/security/password-profile # set enforce-strong-password {yes | no}  

                      Specifies whether the password strength check is enabled or disabled.

                       

                      The following example enables the password strength check:

                      UCSC # connect policy-mgr
                      UCSC(policy-mgr)# scope domain-group /
                      UCSC(policy-mgr) /domain-group # scope security
                      UCSC(policy-mgr) /domain-group/security # scope password-profile 
                      UCSC(policy-mgr) /domain-group/security/password-profile # set enforce-strong-password yes 
                      UCSC(policy-mgr) /domain-group/security/password-profile # 
                      

                      Clearing the Password History for a Locally Authenticated User

                      You must have admin, aaa, or domain-group-management privileges to change the password profile properties.

                      Procedure
                          Command or Action Purpose
                        Step 1 UCSC# connect policy-mgr  

                        Enters policy manager mode.

                         
                        Step 2 UCSC(policy-mgr)# scope domain-group domain-group  

                        Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

                         
                        Step 3 UCSC(policy-mgr) /domain-group # scope security  

                        Enters security mode.

                         
                        Step 4 UCSC(policy-mgr) /domain-group/security # scope local-user local-user-name  

                        Commits the transaction.

                         
                        Step 5 UCSC(policy-mgr) /domain-group/security/local-user # scope password-profile 

                        Enters password profile security mode.

                         
                        Step 6 UCSC(policy-mgr) /domain-group/security/password-profile # set history-count 0 

                        Setting the History Count field to 0 (the default setting) disables the history count and allows users to reuse previously used passwords at any time.

                         
                        Step 7 UCSC(policy-mgr) /domain-group/security/password-profile* # commit-buffer 

                        Commits the transaction to the system configuration.

                         

                        The following example shows how to clear the password history count for the user account named kikipopo, and commit the transaction:

                        UCSC # connect policy-mgr
                        UCSC(policy-mgr)# scope domain-group
                        UCSC(policy-mgr) /domain-group # scope security
                        UCSC(policy-mgr) /domain-group/security # scope local-user kikipopo
                        UCSC(policy-mgr) /domain-group/security/local-user # scope password-profile
                        UCSC(policy-mgr) /domain-group/security/password-profile # set history-count 0
                        UCSC(policy-mgr) /domain-group/security/password-profile* # commit-buffer
                        UCSC(policy-mgr) /domain-group/security/password-profile # 

                        Enabling or Disabling a User Account

                        You must be a user with admin, aaa, or domain-group-management privileges to enable or disable a local user account.

                        Before You Begin

                        Create a local user account.

                        Procedure
                            Command or Action Purpose
                          Step 1 UCSC# connect policy-mgr  

                          Enters policy manager mode.

                           
                          Step 2 UCSC(policy-mgr)# scope domain-group domain-group  

                          Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

                           
                          Step 3 UCSC(policy-mgr) /domain-group # scope security  

                          Enters security mode.

                           
                          Step 4 UCSC(policy-mgr) /domain-group/security # scope local-user  

                          Enters local-user security mode.

                           
                          Step 5 UCSC(policy-mgr) /domain-group/security/local-user # set account-status {active | inactive}  

                          Specifies whether the local user account is enabled or disabled.

                          The admin user account is always set to active. It cannot be modified.

                          Note   

                          If you set the account status to inactive, the configuration is not deleted from the database. The user is prevented from logging into the system using their existing credentials.

                           

                          The following example shows how to enable a local user account called accounting:

                          UCSC # connect policy-mgr
                          UCSC(policy-mgr)# scope domain-group
                          UCSC(policy-mgr) /domain-group # scope security
                          UCSC(policy-mgr) /domain-group/security # scope local-user accounting
                          UCSC(policy-mgr) /domain-group/security/local-user # set account-status active
                          

                          Configuring User Locales

                          User Locales

                          A user can be assigned one or more locales. Each locale defines one or more organizations (domains) the user is allowed access, and access would be limited to the organizations specified in the locale. One exception to this rule is a locale without any organizations, which gives unrestricted access to system resources in all organizations.

                          A Cisco UCS domain can contain up to 48 user locales. Each domain group in Cisco UCS Central can contain 48 user locales, including the user locales that are inherited from the parent domain group. When user locales are pushed to Cisco UCS Manager from Cisco UCS Central, only the first 48 locales will be active. Any user locales after the first 48 will be inactive with faults raised.

                          Users with admin, aaa, or domain-group-management privileges can assign organizations to the locale of other users.


                          Note


                          You cannot assign a locale to users with the admin privilege.


                          You can hierarchically manage organizations. A user that is assigned at a top level organization has automatic access to all organizations under it. For example, an Engineering organization can contain a Software Engineering organization and a Hardware Engineering organization. A locale containing only the Software Engineering organization has access to system resources only within that organization; however, a locale that contains the Engineering organization has access to the resources for both the Software Engineering and Hardware Engineering organizations.

                          Creating a User Locale

                          Procedure
                              Command or Action Purpose
                            Step 1 UCSC# connect policy-mgr  

                            Enters policy manager mode.

                             
                            Step 2 UCSC(policy-mgr)# scope domain-group domain-group  

                            Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

                             
                            Step 3 UCSC(policy-mgr) /domain-group # scope security  

                            Enters security mode.

                             
                            Step 4 UCSC(policy-mgr) /domain-group/security # create locale name  

                            Creates the user role and enters security role mode.

                             
                            Step 5 UCSC(policy-mgr) /domain-group/security/locale * # create org-ref org-ref-name orgdn orgdn-name  

                            References (binds) an organization to the locale. The org-ref-name argument is the name used to identify the organization reference, and the orgdn-name argument is the distinguished name of the organization being referenced.

                             
                            Step 6 UCSC(policy-mgr) /domain-group/security/locale * # commit-buffer  

                            Commits the transaction to the system configuration.

                             

                            The following example shows how to create the finance organization for the western locale and commit the transaction:

                            UCSC # connect policy-mgr
                            UCSC(policy-mgr)# scope domain-group
                            UCSC(policy-mgr) /domain-group # scope security
                            UCSC(policy-mgr) /domain-group/security # create locale western
                            UCSC(policy-mgr) /domain-group/security/locale* # create org-ref finance-ref orgdn finance
                            UCSC(policy-mgr) /domain-group/security/locale* # commit-buffer
                            UCSC(policy-mgr) /domain-group/security/locale # 
                            

                            Deleting a User Locale

                            Procedure
                                Command or Action Purpose
                              Step 1 UCSC# connect policy-mgr  

                              Enters policy manager mode.

                               
                              Step 2 UCSC(policy-mgr)# scope domain-group domain-group  

                              Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

                               
                              Step 3 UCSC(policy-mgr) /domain-group # scope security  

                              Enters security mode.

                               
                              Step 4 UCSC(policy-mgr) /domain-group/security # delete locale locale-name  

                              Deletes the locale.

                               
                              Step 5 UCSC(policy-mgr) /domain-group/security * # commit-buffer  

                              Commits the transaction to the system configuration.

                               

                              The following example deletes the western locale and commits the transaction:

                              UCSC # connect policy-mgr
                              UCSC(policy-mgr)# scope domain-group
                              UCSC(policy-mgr) /domain-group # scope security
                              UCSC(policy-mgr) /domain-group/security # delete locale western
                              UCSC(policy-mgr) /domain-group/security* # commit-buffer
                              UCSC(policy-mgr) /domain-group/security # 
                              

                              Assigning a Locale to a User Account


                              Note


                              Do not assign locales to users with an admin role.


                              Procedure
                                  Command or Action Purpose
                                Step 1 UCSC# connect policy-mgr  

                                Enters policy manager mode.

                                 
                                Step 2 UCSC(policy-mgr)# scope domain-group domain-group  

                                Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

                                 
                                Step 3 UCSC(policy-mgr) /domain-group # scope security  

                                Enters security mode.

                                 
                                Step 4 UCSC /security # scope local-user local-user-name  

                                Enters security local user mode for the specified local user account.

                                 
                                Step 5 UCSC(policy-mgr) /domain-group/security/local-user # create locale locale-name  

                                Assigns the specified locale to the user account.

                                Note   

                                The create locale command can be entered multiple times to assign more than one locale to a user account.

                                 
                                Step 6 UCSC(policy-mgr) /domain-group/security/local-user* # commit-buffer  

                                Commits the transaction.

                                 

                                The following example shows how to assign the western locale to the kikipopo local user account and commit the transaction:

                                UCSC # connect policy-mgr
                                UCSC(policy-mgr)# scope domain-group
                                UCSC(policy-mgr) /domain-group # scope security
                                UCSC(policy-mgr) /domain-group/security/local-user # create locale western
                                UCSC(policy-mgr) /domain-group/security/local-user* # commit-buffer
                                UCSC(policy-mgr) /domain-group/security/local-user # 
                                
                                

                                Removing a Locale from a User Account

                                Procedure
                                    Command or Action Purpose
                                  Step 1 UCSC# connect policy-mgr  

                                  Enters policy manager mode.

                                   
                                  Step 2 UCSC(policy-mgr)# scope domain-group domain-group  

                                  Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

                                   
                                  Step 3 UCSC(policy-mgr) /domain-group # scope security  

                                  Enters security mode.

                                   
                                  Step 4 UCSC(policy-mgr) /domain-group/security # scope local-user local-user-name  

                                  Enters security local user mode for the specified local user account.

                                   
                                  Step 5 UCSC(policy-mgr) /domain-group/security/local-user # delete locale locale-name  

                                  Removes the specified locale from the user account.

                                  Note   

                                  The delete locale command can be entered multiple times to remove more than one locale from a user account.

                                   
                                  Step 6 UCSC(policy-mgr) /domain-group/security/local-user* # commit-buffer  

                                  Commits the transaction.

                                   

                                  The following example removes the western locale from the kikipopo local user account and commits the transaction:

                                  UCSC # connect policy-mgr
                                  UCSC(policy-mgr)# scope domain-group
                                  UCSC(policy-mgr) /domain-group # scope security
                                  UCSC(policy-mgr) /domain-group/security/local-user # delete locale western
                                  UCSC(policy-mgr) /domain-group/security/local-user* # commit-buffer
                                  UCSC(policy-mgr) /domain-group/security/local-user # 
                                  
                                  

                                  Assigning an Organization to a User Locale

                                  Procedure
                                      Command or Action Purpose
                                    Step 1 UCSC# connect policy-mgr  

                                    Enters policy manager mode.

                                     
                                    Step 2 UCSC(policy-mgr)# scope domain-group domain-group  

                                    Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

                                     
                                    Step 3 UCSC(policy-mgr) /domain-group # scope security  

                                    Enters security mode.

                                     
                                    Step 4 UCSC(policy-mgr) /domain-group/security # scope locale locale-name  

                                    Enters security locale mode.

                                     
                                    Step 5 UCSC(policy-mgr) /domain-group/security/locale # create org-ref org-ref-name orgdn orgdn-name  

                                    References (binds) an organization to the locale. The org-ref-name argument is the name used to identify the organization reference, and the orgdn-name argument is the distinguished name of the organization being referenced.

                                     
                                    Step 6 UCSC(policy-mgr) /domain-group/security/locale * # commit-buffer  

                                    Commits the transaction to the system configuration.

                                     

                                    The following example enters the western locale, adds (references) the marketing organization to the locale, names the reference marketing-ref, and commits the transaction:

                                    UCSC # connect policy-mgr
                                    UCSC(policy-mgr)# scope domain-group
                                    UCSC(policy-mgr) /domain-group # scope security
                                    UCSC(policy-mgr) /domain-group/security # scope locale western
                                    UCSC(policy-mgr) /domain-group/security/locale # create org-ref marketing-ref orgdn marketing
                                    UCSC(policy-mgr) /domain-group/security/locale* # commit-buffer
                                    UCSC(policy-mgr) /domain-group/security/locale # 
                                    

                                    Deleting an Organization from a User Locale

                                    Procedure
                                        Command or Action Purpose
                                      Step 1 UCSC# connect policy-mgr  

                                      Enters policy manager mode.

                                       
                                      Step 2 UCSC(policy-mgr)# scope domain-group domain-group  

                                      Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

                                       
                                      Step 3 UCSC(policy-mgr) /domain-group # scope security  

                                      Enters security mode.

                                       
                                      Step 4 UCSC(policy-mgr) /domain-group/security # scope locale locale-name  

                                      Enters security locale mode.

                                       
                                      Step 5 UCSC(policy-mgr) /domain-group/security/locale # delete org-ref org-ref-name  

                                      Deletes the organization from the locale.

                                       
                                      Step 6 UCSC(policy-mgr) /domain-group/security/locale * # commit-buffer  

                                      Commits the transaction to the system configuration.

                                       

                                      The following example deletes the finance organization from the western locale and commits the transaction:

                                      UCSC # connect policy-mgr
                                      UCSC(policy-mgr)# scope domain-group
                                      UCSC(policy-mgr) /domain-group # scope security
                                      UCSC(policy-mgr) /domain-group/security # scope locale western
                                      UCSC(policy-mgr) /domain-group/security/locale # delete org-ref finance-ref
                                      UCSC(policy-mgr) /domain-group/security/locale* # commit-buffer
                                      UCSC(policy-mgr) /domain-group/security/locale # 
                                      

                                      Assigning a Domain Group to a User Locale

                                      Procedure
                                          Command or Action Purpose
                                        Step 1 UCSC# connect policy-mgr  

                                        Enters policy manager mode.

                                         
                                        Step 2 UCSC(policy-mgr)# scope domain-group domain-group  

                                        Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

                                         
                                        Step 3 UCSC(policy-mgr) /domain-group # scope security  

                                        Enters security mode.

                                         
                                        Step 4 UCSC(policy-mgr) /domain-group/security # scope locale locale-name  

                                        Enters security locale mode.

                                         
                                        Step 5 UCSC(policy-mgr) /domain-group/security/locale # create domain-group-ref domain-group-ref-name domain-group-dn domaingroup-root-name  

                                        References (binds) a domain group to the locale. The domain-group-ref-name argument (1-16 characters) is the name used to identify the domain group reference, and the domain-group-dn-name argument is the distinguished name of the domain group root being referenced.

                                         
                                        Step 6 UCSC(policy-mgr) /domain-group/security/locale * # commit-buffer  

                                        Commits the transaction to the system configuration.

                                         

                                        The following example enters the western locale, adds (references) the marketing domain group to the locale, names the reference marketdomain01-ref, and commits the transaction:

                                        UCSC # connect policy-mgr
                                        UCSC(policy-mgr)# scope domain-group
                                        UCSC(policy-mgr) /domain-group # scope security
                                        UCSC(policy-mgr) /domain-group/security # scope locale western
                                        UCSC(policy-mgr) /domain-group/security/locale # create domain-group-ref marketdomain01 domain-group-dn marketing
                                        UCSC(policy-mgr) /domain-group/security/locale* # commit-buffer
                                        UCSC(policy-mgr) /domain-group/security/locale # 
                                        

                                        Deleting a Domain Group from a User Locale

                                        Procedure
                                            Command or Action Purpose
                                          Step 1 UCSC# connect policy-mgr  

                                          Enters policy manager mode.

                                           
                                          Step 2 UCSC(policy-mgr)# scope domain-group domain-group  

                                          Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

                                           
                                          Step 3 UCSC(policy-mgr) /domain-group # scope security  

                                          Enters security mode.

                                           
                                          Step 4 UCSC(policy-mgr) /domain-group/security # scope locale locale-name  

                                          Enters security locale mode.

                                           
                                          Step 5 UCSC(policy-mgr) /domain-group/security/locale # delete domain-group-ref domain-group-ref-name  

                                          Deletes references (unbinds) domain groups referenced to the locale. The domain-group-ref-name argument (1-16 characters) is the name used to identify the domain group reference.

                                           
                                          Step 6 UCSC(policy-mgr) /domain-group/security/locale * # commit-buffer  

                                          Commits the transaction to the system configuration.

                                           

                                          The following example enters the western locale, deletes references (unbinds) the marketing domain group references from the locale marketdomain01, and commits the transaction:

                                          UCSC # connect policy-mgr
                                          UCSC(policy-mgr)# scope domain-group
                                          UCSC(policy-mgr) /domain-group # scope security
                                          UCSC(policy-mgr) /domain-group/security # scope locale western
                                          UCSC(policy-mgr) /domain-group/security/locale # delete domain-group-ref marketdomain01
                                          UCSC(policy-mgr) /domain-group/security/locale* # commit-buffer
                                          UCSC(policy-mgr) /domain-group/security/locale # 
                                          

                                          Configuring User Domain Groups

                                          Creating a User Domain Group

                                          Procedure
                                              Command or Action Purpose
                                            Step 1 UCSC# connect policy-mgr  

                                            Enters policy manager mode.

                                             
                                            Step 2 UCSC(policy-mgr)# scope domain-group domain-group  

                                            Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

                                             
                                            Step 3 UCSC(policy-mgr) /domain-group # create domain-group name  

                                            Creates the domain group.

                                             
                                            Step 4 UCSC(policy-mgr) /domain-group * # commit-buffer  

                                            Commits the transaction to the system configuration.

                                             

                                            The following example creates the central-audit domain group and commits the transaction:

                                            UCSC # connect policy-mgr
                                            UCSC(policy-mgr)# scope domain-group
                                            UCSC(policy-mgr) /domain-group # create domain-group central-audit
                                            UCSC(policy-mgr) /domain-group* # commit-buffer
                                            UCSC(policy-mgr) /domain-group # 
                                            

                                            Deleting a User Domain Group

                                            Procedure
                                                Command or Action Purpose
                                              Step 1 UCSC# connect policy-mgr  

                                              Enters policy manager mode.

                                               
                                              Step 2 UCSC(policy-mgr)# scope domain-group domain-group  

                                              Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

                                               
                                              Step 3 UCSC(policy-mgr) /domain-group # delete domain-group name  

                                              Deletes the domain group.

                                               
                                              Step 4 UCSC(policy-mgr) /domain-group * # commit-buffer  

                                              Commits the transaction to the system configuration.

                                               

                                              The following example deletes the central-audit domain group and commits the transaction:

                                              UCSC # connect policy-mgr
                                              UCSC(policy-mgr)# scope domain-group
                                              UCSC(policy-mgr) /domain-group # delete domain-group central-audit
                                              UCSC(policy-mgr) /domain-group* # commit-buffer
                                              UCSC(policy-mgr) /domain-group # 
                                              

                                              Configuring User Organizations

                                              User Organizations

                                              A user can create one or more organizations. Each organization defines sub-organizations, faults, events, UUID suffix pools and blocks of UUIDs.

                                              Cisco UCS organizations are hierarchically managed by users. A user that is assigned at the root level organization has automatic access to all organizations and domain groups under it.

                                              Creating a User Organization

                                              Procedure
                                                  Command or Action Purpose
                                                Step 1 UCSC# connect policy-mgr  

                                                Enters policy manager mode.

                                                 
                                                Step 2 UCSC(policy-mgr)# scope org org-name 

                                                Enters organization mode for the specified organization. To enter the root organization mode, type / as the org-name.

                                                 
                                                Step 3 UCSC(policy-mgr) /org # create org name  

                                                Creates the organization.

                                                 
                                                Step 4 UCSC(policy-mgr) /org * # commit-buffer  

                                                Commits the transaction to the system configuration.

                                                 

                                                The following example creates the central-audit organization and commits the transaction:

                                                UCSC # connect policy-mgr
                                                UCSC(policy-mgr)# scope org /
                                                UCSC(policy-mgr) /org # create org central-audit
                                                UCSC(policy-mgr) /org* # commit-buffer
                                                UCSC(policy-mgr) /org # 
                                                

                                                Deleting a User Organization

                                                Procedure
                                                    Command or Action Purpose
                                                  Step 1 UCSC# connect policy-mgr  

                                                  Enters policy manager mode.

                                                   
                                                  Step 2 UCSC(policy-mgr)# scope org org-name 

                                                  Enters organization mode for the specified organization. To enter the root organization mode, type / as the org-name.

                                                   
                                                  Step 3 UCSC(policy-mgr) /org # delete org name  

                                                  Deletes the organization.

                                                   
                                                  Step 4 UCSC(policy-mgr) /org * # commit-buffer  

                                                  Commits the transaction to the system configuration.

                                                   

                                                  The following example deletes the central-audit organization and commits the transaction:

                                                  UCSC # connect policy-mgr
                                                  UCSC(policy-mgr)# scope org /
                                                  UCSC(policy-mgr) /org # delete org central-audit
                                                  UCSC(policy-mgr) /org* # commit-buffer
                                                  UCSC(policy-mgr) /org # 
                                                  

                                                  Creating a User Sub-Organization

                                                  Procedure
                                                      Command or Action Purpose
                                                    Step 1 UCSC# connect policy-mgr  

                                                    Enters policy manager mode.

                                                     
                                                    Step 2 UCSC(policy-mgr)# scope org org-name 

                                                    Enters organization mode for the specified organization. To enter the root organization mode, type / as the org-name.

                                                     
                                                    Step 3 UCSC(policy-mgr) /org # create org name  

                                                    Creates the sub-organization under the organization scoped.

                                                     
                                                    Step 4 UCSC(policy-mgr) /org * # commit-buffer  

                                                    Commits the transaction to the system configuration.

                                                     

                                                    The following example enters the central-audit organization, creates the north-audit sub-organization and commits the transaction:

                                                    UCSC # connect policy-mgr
                                                    UCSC(policy-mgr)# scope org central-audit
                                                    UCSC(policy-mgr) /org # create org north-audit
                                                    UCSC(policy-mgr) /org* # commit-buffer
                                                    UCSC(policy-mgr) /org # 
                                                    

                                                    Deleting a User Sub-Organization

                                                    Procedure
                                                      Step 1   UCSC# connect policy-mgr

                                                      Enters policy manager mode.

                                                      Step 2   UCSC(policy-mgr)# scope org org-name

                                                      Enters organization mode for the specified organization. To enter the root organization mode, type / as the org-name.

                                                      Step 3   UCSC(policy-mgr) /org # delete org name

                                                      Deletes the sub-organization under the organization scoped.

                                                      Step 4   UCSC(policy-mgr) /org * # commit-buffer

                                                      Commits the transaction to the system configuration.


                                                      The following example enters the central-audit organization, deletes the north-audit sub-organization and commits the transaction:

                                                      UCSC # connect policy-mgr
                                                      UCSC(policy-mgr)# scope org central-audit
                                                      UCSC(policy-mgr) /domain-group # delete org north-audit
                                                      UCSC(policy-mgr) /domain-group* # commit-buffer
                                                      UCSC(policy-mgr) /domain-group # 
                                                      

                                                      Configuring Passwords

                                                      Password Profile for Locally Authenticated Users

                                                      The password profile contains the password history and password change interval properties for all locally authenticated users of Cisco UCS Central. You cannot specify a different password profile for each locally authenticated user.


                                                      Note


                                                      You must have admin, aaa, or domain-group-management privileges to change the password profile properties. Except for password history, these properties do not apply to users with these administrative privileges.


                                                      Password History Count

                                                      The password history count allows you to prevent locally authenticated users from reusing the same password over and over again. When this property is configured, Cisco UCS Central stores passwords that were previously used by locally authenticated users up to a maximum of 15 passwords. The passwords are stored in reverse chronological order with the most recent password first to ensure that the only the oldest password can be reused when the history count threshold is reached.

                                                      A user must create and use the number of passwords configured in the password history count before being able to reuse one. For example, if you set the password history count to 8, a locally authenticated user cannot reuse the first password until after the ninth password has expired.

                                                      By default, the password history is set to 0. This value disables the history count and allows users to reuse previously passwords at any time.

                                                      If necessary, you can clear the password history count for a locally authenticated user and enable reuse of previous passwords.

                                                      Password Change Interval

                                                      The password change interval enables you to restrict the number of password changes a locally authenticated user can make within a given number of hours. The following table describes the two configuration options for the password change interval.

                                                      Interval Configuration Description Example

                                                      No password change allowed

                                                      This option does not allow passwords for locally authenticated users to be changed within a specified number of hours after a password change.

                                                      You can specify a no change interval between 1 and 745 hours. By default, the no change interval is 24 hours.

                                                      For example, to prevent passwords from being changed within 48 hours after a locally authenticated user changes his or her password, set the following:

                                                      • Change during interval to disable
                                                      • No change interval to 48

                                                      Password changes allowed within change interval

                                                      This option specifies the maximum number of times that passwords for locally authenticated users can be changed within a pre-defined interval.

                                                      You can specify a change interval between 1 and 745 hours and a maximum number of password changes between 0 and 10. By default, a locally authenticated user is permitted a maximum of 2 password changes within a 48 hour interval.

                                                      For example, to allow to be changed a maximum of once within 24 hours after a locally authenticated user changes his or her password, set the following:

                                                      • Change during interval to enable
                                                      • Change count to 1
                                                      • Change interval to 24

                                                      Configuring the Maximum Number of Password Changes for a Change Interval

                                                      You must have admin, aaa, or domain-group-management privileges to change the password profile properties. Except for password history, these properties do not apply to users with these administrative privileges.

                                                      Procedure
                                                          Command or Action Purpose
                                                        Step 1 UCSC# connect policy-mgr  

                                                        Enters policy manager mode.

                                                         
                                                        Step 2 UCSC(policy-mgr)# scope domain-group domain-group  

                                                        Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

                                                         
                                                        Step 3 UCSC(policy-mgr) /domain-group # scope security  

                                                        Enters security mode.

                                                         
                                                        Step 4 UCSC(policy-mgr) /domain-group/security # scope password-profile 

                                                        Enters password profile security mode.

                                                         
                                                        Step 5 UCSC(policy-mgr) /domain-group/security/password-profile # set change-during-interval enable 

                                                        Restricts the number of password changes a locally authenticated user can make within a given number of hours.

                                                         
                                                        Step 6 UCSC(policy-mgr) /domain-group/security/password-profile* # set change-count pass-change-num 

                                                        Specifies the maximum number of times a locally authenticated user can change his or her password during the Change Interval.

                                                        This value can be anywhere from 0 to 10.

                                                         
                                                        Step 7 UCSC(policy-mgr) /domain-group/security/password-profile* # set change-interval num-of-hours 

                                                        Specifies the maximum number of hours over which the number of password changes specified in the Change Count field are enforced.

                                                        This value can be anywhere from 1 to 745 hours.

                                                        For example, if this field is set to 48 and theChange Count field is set to 2, a locally authenticated user can make no more than 2 password changes within a 48 hour period.

                                                         
                                                        Step 8 UCSC(policy-mgr) /domain-group/security/password-profile* # commit-buffer 

                                                        Commits the transaction to the system configuration.

                                                         

                                                        The following example shows how to enable the change during interval option, set the change count to 5, set the change interval to 72 hours, and commit the transaction:

                                                        UCSC # connect policy-mgr
                                                        UCSC(policy-mgr)# scope domain-group
                                                        UCSC(policy-mgr) /domain-group # scope security
                                                        UCSC(policy-mgr) /domain-group/security # scope password-profile
                                                        UCSC(policy-mgr) /domain-group/security/password-profile # set change-during-interval enable
                                                        UCSC(policy-mgr) /domain-group/security/password-profile* # set change-count 5
                                                        UCSC(policy-mgr) /domain-group/security/password-profile* # set change-interval 72
                                                        UCSC(policy-mgr) /domain-group/security/password-profile* # commit-buffer
                                                        UCSC(policy-mgr) /domain-group/security/password-profile # 

                                                        Configuring a No Change Interval for Passwords

                                                        You must have admin, aaa, or domain-group-management privileges to change the password profile properties. Except for password history, these properties do not apply to users with these administrative privileges.

                                                        Procedure
                                                            Command or Action Purpose
                                                          Step 1 UCSC# connect policy-mgr  

                                                          Enters policy manager mode.

                                                           
                                                          Step 2 UCSC(policy-mgr)# scope domain-group domain-group  

                                                          Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

                                                           
                                                          Step 3 UCSC(policy-mgr) /domain-group # scope security  

                                                          Enters security mode.

                                                           
                                                          Step 4 UCSC(policy-mgr) /domain-group/security # scope password-profile 

                                                          Enters password profile security mode.

                                                           
                                                          Step 5 UCSC(policy-mgr) /domain-group/security/password-profile # set change-during-interval disable 

                                                          Disables the change during interval feature.

                                                           
                                                          Step 6 UCSC(policy-mgr) /domain-group/security/password-profile* # set no-change-interval min-num-hours 

                                                          Specifies the minimum number of hours that a locally authenticated user must wait before changing a newly created password..

                                                          This value can be anywhere from 1 to 745 hours.

                                                          This interval is ignored if the Change During Interval property is not set to Disable.

                                                           
                                                          Step 7 UCSC(policy-mgr) /domain-group/security/password-profile* # commit-buffer 

                                                          Commits the transaction to the system configuration.

                                                           

                                                          The following example shows how to disable the change during interval option, set the no change interval to 72 hours, and commit the transaction:

                                                          UCSC # connect policy-mgr
                                                          UCSC(policy-mgr)# scope domain-group
                                                          UCSC(policy-mgr) /domain-group # scope security
                                                          UCSC(policy-mgr) /domain-group/security # scope password-profile
                                                          UCSC(policy-mgr) /domain-group/security/password-profile # set change-during-interval disable
                                                          UCSC(policy-mgr) /domain-group/security/password-profile* # set no-change-interval 72
                                                          UCSC(policy-mgr) /domain-group/security/password-profile* # commit-buffer
                                                          UCSC(policy-mgr) /domain-group/security/password-profile # 

                                                          Configuring the Password History Count

                                                          You must have admin or aaa privileges to change the password profile properties.

                                                          Procedure
                                                              Command or Action Purpose
                                                            Step 1 UCSC# connect policy-mgr  

                                                            Enters policy manager mode.

                                                             
                                                            Step 2 UCSC(policy-mgr)# scope domain-group domain-group  

                                                            Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

                                                             
                                                            Step 3 UCSC(policy-mgr) /domain-group # scope security  

                                                            Enters security mode.

                                                             
                                                            Step 4 UCSC(policy-mgr) /domain-group/security # scope password-profile 

                                                            Enters password profile security mode.

                                                             
                                                            Step 5 UCSC(policy-mgr) /domain-group/security/password-profile # set history-count num-of-passwords 

                                                            Specifies the number of unique passwords that a locally authenticated user must create before that user can reuse a previously used password

                                                            This value can be anywhere from 0 to 15.

                                                            By default, the History Count field is set to 0, which disables the history count and allows users to reuse previously used passwords at any time.

                                                             
                                                            Step 6 UCSC(policy-mgr) /domain-group/security/password-profile* # commit-buffer 

                                                            Commits the transaction to the system configuration.

                                                             

                                                            The following example configures the password history count and commits the transaction:

                                                            UCSC # connect policy-mgr
                                                            UCSC(policy-mgr)# scope domain-group
                                                            UCSC(policy-mgr) /domain-group # scope security
                                                            UCSC(policy-mgr) /domain-group/security # scope password-profile
                                                            UCSC(policy-mgr) /domain-group/security/password-profile # set history-count 5
                                                            UCSC(policy-mgr) /domain-group/security/password-profile* # commit-buffer
                                                            UCSC(policy-mgr) /domain-group/security/password-profile # 

                                                            Monitoring User Sessions

                                                            Procedure
                                                                Command or Action Purpose
                                                              Step 1 UCSC# scope system  

                                                              Enters system mode.

                                                               
                                                              Step 2 UCSC /system # scope security  

                                                              Enters security mode.

                                                               
                                                              Step 3 UCSC /security # show user-sessions {local | remote} [detail]  

                                                              Displays session information for all users logged in to the system. An asterisk (*) next to the session ID denotes the current login session.

                                                               

                                                              The following example lists all local users logged in to the system. The asterisk indicates which session is the current login session.

                                                              UCSC# scope system
                                                              UCSC /system # scope security
                                                              UCSC /security # show user-sessions local
                                                              Session Id      User            Host                 Login Time
                                                              --------------- --------------- -------------------- ----------
                                                              pts_25_1_31264* steve           192.168.100.111      2012-05-09T14:06:59.000
                                                              ttyS0_1_3532    jeff            console              2012-05-02T15:11:08.000
                                                              web_25277_A     faye            192.168.100.112      2012-05-15T22:11:25.000
                                                              
                                                              

                                                              The following example displays detailed information on all local users logged in to the system:

                                                              UCSC# scope system
                                                              UCSC /system # scope security
                                                              UCSC /security # show user-sessions local detail
                                                              Session Id pts_25_1_31264:
                                                                  Fabric Id: A
                                                                  Term: pts/25
                                                                  User: steve
                                                                  Host: 64.101.53.93
                                                                  Pid: 31264
                                                                  Login Time: 2012-05-09T14:06:59.000
                                                              
                                                              Session Id ttyS0_1_3532:
                                                                  Fabric Id: A
                                                                  Term: ttyS0
                                                                  User: jeff
                                                                  Host: console
                                                                  Pid: 3532
                                                                  Login Time: 2012-05-02T15:11:08.000
                                                              
                                                              Session Id web_25277_A:
                                                                  Fabric Id: A
                                                                  Term: web_25277
                                                                  User: faye
                                                                  Host: 192.168.100.112
                                                                  Pid: 3518
                                                                  Login Time: 2012-05-15T22:11:25.000