Cisco UCS Manager 4.2 Privileges
Aaa (aaa)
This privilege allows a user to perform provisioning operations related to Authentication, Authorization and Accounting. This includes managing users and roles, and configuring services that are exposed to the management interfaces.
Tasks Allowed with this Privilege
A user with this privilege can perform the following tasks:
-
Configure whether communication policies are resolved locally or through UCS Central.
-
Configure UCS management connectivity: HTTP, HTTPs, SSH, telnet, CIM, WS-MAN, event channel security.
-
Configure DNS providers and DNS domain.
-
Configure SNMP policy, SNMP users, SNMP trap destinations.
-
Configure users, roles, user locales, user sessions, login banner, authentication domains, authentication providers (LDAP, RADIUS, TACACS).
-
Configure Key Ring. Import certificates of trusted authorities. Generate and import Certificates.
Admin (admin)
This privilege provides a user with full access to all operations in Cisco UCS Manager.
Tasks Allowed with this Privilege
A user with this privilege can perform the following tasks:
-
This privilege has full access to all operations.
Ext Lan Config (ext-lan-config)
This privilege allows a user to configure LAN settings on a fabric interconnect, including Ethernet border ports, VLANs, LAN PIN groups, Ethernet SPAN sessions, LAN policies, and management interfaces.
Tasks Allowed with this Privilege
A user with this privilege can perform the following tasks:
-
Configure Ethernet Link Profile and LACP policy.
-
Configure Ethernet monitoring sessions (SPAN).
-
Enable/Disable Ethernet/FC/iSCSI ports and port channels on a server adapter. Set port/port channel label.
-
Configure NetFlow policies, exporters and collectors.
-
Configure MAC aging properties. Specify Ethernet end-host or switching mode. Enable/Disable VLAN compression.
-
Configure VLANs and VLAN groups.
-
Configure Inband CIMC profile.
-
Configure Ethernet PIN Groups.
-
Configure Ethernet border ports on the Fabric Interconnect. Add/remove VLANs to border ports.
-
Configure management interfaces (IPv4 and IPv6) on the Fabric Interconnect.
-
Specify the allowed range for virtual MAC addresses.
-
Configure management interfaces monitoring policy.
-
Configure DNS providers and DNS domain.
-
Enable/Disable Ethernet ports on a Fabric Interconnect or IO Module. Set port labels.
-
Configure Fabric Interconnect system name.
Ext Lan Policy (ext-lan-policy)
This privilege allows a user to configure LAN settings on a fabric interconnect, including Ethernet border ports, VLANs, LAN PIN groups, Ethernet SPAN sessions, LAN policies, and vNIC/vHBA placement policies
Tasks Allowed with this Privilege
A user with this privilege can perform the following tasks:
-
Configure Ethernet Link Profile and LACP policy.
-
Configure Ethernet monitoring sessions (SPAN).
-
Enable/Disable Ethernet/FC/iSCSI ports and port channels on a server adapter. Set port/port channel label.
-
Configure NetFlow policies, exporters and collectors.
-
Specify the allowed range for virtual MAC addresses.
-
Configure MAC aging properties. Specify Ethernet end-host or switching mode. Enable/Disable VLAN compression.
-
Configure VLANs and VLAN groups.
-
Configure Inband CIMC profile.
-
Enable/Disable Ethernet ports on a Fabric Interconnect or IO Module. Set port labels.
-
Configure Ethernet PIN Groups.
-
Configure Ethernet border ports on the Fabric Interconnect. Add/remove VLANs to border ports.
-
Create/modify/delete vNIC/vHBA placement.
Ext Lan Qos (ext-lan-qos)
This privilege allows a user to configure QoS classes of service for Ethernet and Fibre Channel and to configure Ethernet MTU.
Tasks Allowed with this Privilege
A user with this privilege can perform the following tasks:
Ext Lan Security (ext-lan-security)
This privilege allows a user to configure NTP providers, and date and time zone settings.
Tasks Allowed with this Privilege
A user with this privilege can perform the following tasks:
-
Configure NTP providers, date and time zone.
Ext San Config (ext-san-config)
This privilege allows a user to configure SAN settings on a fabric interconnect, including FC/FCoE border ports, VSANs, SAN PIN groups, and Fibre Channel SPAN sessions.
Tasks Allowed with this Privilege
A user with this privilege can perform the following tasks:
Ext San Policy (ext-san-policy)
This privilege allows a user to configure SAN settings on a fabric interconnect, including FC/FCoE border ports, VSANs, SAN PIN Groups, and Fibre Channel SPAN sessions.
Tasks Allowed with this Privilege
A user with this privilege can perform the following tasks:
-
Configure Fibre Channel PIN Groups.
-
Configure storage connection within a Service Profile.
-
Configure the allowed range for virtual WWN addresses.
-
Create/modify/delete storage connection policies.
-
Specify Fibre Channel end-host or switching mode. Specify FC trunking mode.
-
Configure Fibre Channel and FCoE ports on the Fabric Interconnect. Add/remove VSANs to FC ports. Configure the FCoE native VLAN.
-
Configure VSANs.
-
Configure Fibre Channel monitoring sessions.
Ext San Qos (ext-san-qos)
This privilege allows a user to configure QoS classes of service for Ethernet and Fibre Channel and to configure Ethernet MTU.
Tasks Allowed with this Privilege
A user with this privilege can perform the following tasks:
Fault (fault)
This privilege allows a user to configure fault policies, Call Home policies, and fault suppression policies. The user can also acknowledge faults in Cisco UCS Manager.
Tasks Allowed with this Privilege
A user with this privilege can perform the following tasks:
-
Acknowledge faults, configure fault policies (flap interval, soak interval, clear/ack action, limits, retention).
-
Configure whether fault policies are resolved locally or through UCS Central.
-
Configure Call Home policies. Used to send call home events when a fault is raised.
Service Profile Compute (ls-compute)
This privilege allows a user to configure most aspects of service profiles. However the user cannot create, modify or delete vNICs or vHBAs. You can use this privilege to enforce a strong separation between server, network, and storage provisioning activities. For example, a network administrator can create vNICs, a storage administrator can create vHBAs, and the server administrator can configure all other elements of a service profile
Tasks Allowed with this Privilege
A user with this privilege can perform the following tasks:
-
Configure the vNIC/vHBA placement of a Service Profile.
-
Perform maintenance tasks on local disks, local LUNs and remote LUNs.
-
Configure Storage Profiles. Assign storage profiles to Service Profiles.
-
Configure power policies and power placement.
-
Create/modify/delete Service Profile maintenance policies.
-
Configure Inband CIMC IP connectivity.
-
Configure Service Profile BIOS policies.
-
Create/modify/delete local storage policies (disks and LUNs).
-
Create/modify/delete Service Profile dynamic vNICs within a Service Profile.
-
Configure VMQ policies.
-
Configure vHBA initiator groups.
-
Configure schedules. Schedules can be used to trigger one-time or periodic tasks in the future.
-
Configure iSCSI boot parameters.
-
Configure Service Profile scriptable vMedia.
-
Create/modify/delete Service Profiles/Templates. Assign policies to Service Profiles. Acknowledge service profile pending tasks.
-
Assign usNIC policies to service profile.
-
Configure Service Profile scriptable vMedia policies.
-
Associate and Disassociate Service Profiles.
-
Assign storage profiles to Service Profiles.
Service Profile Config (ls-config)
This privilege allows a user to configure service profiles and to configure distributed virtual switches (DVSes) in a VM-FEX environment.
Tasks Allowed with this Privilege
A user with this privilege can perform the following tasks:
-
Configure the vNIC/vHBA placement of a Service Profile.
-
Perform maintenance tasks on local disks, local LUNs and remote LUNs.
-
Configure Storage Profiles. Assign storage profiles to Service Profiles.
-
Configure power policies and power placement.
-
Create/modify/delete local storage policies (disks and LUNs).
-
Create/modify/delete Service Profile dynamic vNICs within a Service Profile.
-
Configure Service Profile vNICs storage initiator autoconfig policies.
-
Configure schedules. Schedules can be used to trigger one-time or periodic tasks in the future.
-
Configure iSCSI boot parameters.
-
Create/modify/delete Service Profiles/Templates. Assign policies to Service Profiles. Acknowledge service profile pending tasks.
-
Configure vHBA behavior policy when vHBAs are not explicitly defined.
-
Configure Service Profile iSCSI vNICs.
-
Configure FC group templates.
-
Configure Service Profile scriptable vMedia policies.
-
Associate and Disassociate Service Profiles.
-
Assign port profiles to Distributed Virtual Switches.
-
Configure SAN connectivity policies. Configure Service Profile vHBAs and add/remove VSANs on vHBAs.
-
Configure VMware vCenter connections, datacenters, folders, switch.
-
Create/modify/delete Service Profile maintenance policies.
-
Configure Inband CIMC IP connectivity.
-
Configure Service Profile BIOS policies.
-
Configure LAN connectivity policies. Configure Service Profile vNICs and add/remove VLANs on vNICs.
-
Configure Service Profile scriptable vMedia.
-
Within a service profile, specify if vNICs/vHBAs should be inherited from the hardware when vNICs/vHBAs are not explicitly defined.
-
Configure vNIC behavior policy when vNICs are not explicitly defined.
-
Assign storage profiles to Service Profiles.
-
Configure VMware vCenter cryptographic keys.
Service Profile Config Policy (ls-config-policy)
This privilege allows a user to configure policies that are applied to Service Profiles, including host firmware packages, local disk policies, boot policies, and Serial over LAN policies
Tasks Allowed with this Privilege
A user with this privilege can perform the following tasks:
-
Assign port profiles to Distributed Virtual Switches.
-
Create/modify/delete Ethernet adapter policies (Ethernet and iSCSI).
-
Configure power policies and power placement.
-
Configure VMware vCenter connections, datacenters, folders, switch.
-
Create/modify/delete FC adapter policies.
-
Create/modify/delete Service Profile maintenance policies.
-
Create/modify/delete local storage policies (disks and LUNs).
-
Configure Service Profile boot policies.
-
Create/modify/delete management firmware packages. This feature is deprecated.
-
Configure Serial over LAN policies.
-
Configure iSCSI authentication profile.
-
Configure Service Profile scriptable vMedia.
-
Configure Service Profile scriptable vMedia policies.
-
Associate and Disassociate Service Profiles.
-
Assign storage profiles to Service Profiles.
-
Configure VMware vCenter cryptographic keys.
Service Profile Ext Access (ls-ext-access)
Service profile end point access
Tasks Allowed with this Privilege
A user with this privilege can perform the following tasks:
Service Profile Network (ls-network)
This privilege allows a user to configure network policies and network elements that are applied to service profile vNICs. A user can also configure other network elements that impact service profiles, such as server ports.
Tasks Allowed with this Privilege
A user with this privilege can perform the following tasks:
-
Assign port profiles to Distributed Virtual Switches.
-
Create/modify/delete Ethernet adapter policies (Ethernet and iSCSI).
-
Create/modify/delete Network Control policies.
-
Configure VLAN and VLAN group org permissions.
-
Reset IO Module and FEX. Set IO Module/FEX labels.
-
Configure VMware vCenter connections, datacenters, folders, switch.
-
Configure Inband CIMC IP connectivity.
-
Configure LAN connectivity policies. Configure Service Profile vNICs and add/remove VLANs on vNICs.
-
Create/modify/delete Service Profile dynamic vNICs within a Service Profile.
-
Configure VMQ policies.
-
Configure iSCSI boot parameters.
-
Specify the allowed range for virtual MAC addresses.
-
Configure Ethernet server ports on the Fabric Interconnect.
-
Configure VM-FEX Port Profile policy.
-
Configure vNIC templates.
-
Configure Service Profile iSCSI vNICs.
-
Configure vNIC behavior policy when vNICs are not explicitly defined.
-
Create/modify/delete Service Profile dynamic vNIC policies.
-
Create/modify/delete vNIC/vHBA placement.
Service Profile Network Policy (ls-network-policy)
This privilege allows a user to configure network policies and network elements that are applied to service profile vNICs.
Tasks Allowed with this Privilege
A user with this privilege can perform the following tasks:
-
Configure pools of IP addresses.
-
Specify the allowed range for virtual MAC addresses.
-
Configure Ethernet server ports on the Fabric Interconnect.
-
Create/modify/delete Network Control policies.
-
Reset IO Module and FEX. Set IO Module/FEX labels.
-
Create/modify/delete Service Profile dynamic vNICs within a Service Profile.
-
Configure VMQ policies.
-
Create/modify/delete Service Profile dynamic vNIC policies.
-
Create/modify/delete vNIC/vHBA placement.
-
Configure pools of MAC addresses.
Service Profile Qos Policy (ls-qos-policy)
Service Profile QOS policy
Tasks Allowed with this Privilege
A user with this privilege can perform the following tasks:
-
Create/modify/delete QoS rate-limiting and Flow Control policies.
Service Profile Security (ls-security)
This privilege allows a user to configure IPMI policies.
Tasks Allowed with this Privilege
A user with this privilege can perform the following tasks:
Service Profile Security Policy (ls-security-policy)
This privilege allows a user to configure IPMI policies.
Tasks Allowed with this Privilege
A user with this privilege can perform the following tasks:
-
Configure IPMI users and IPMI authentication profiles.
Service Profile Server (ls-server)
This privilege allows a user to configure service profiles.
Tasks Allowed with this Privilege
A user with this privilege can perform the following tasks:
-
Configure the vNIC/vHBA placement of a Service Profile.
-
Perform maintenance tasks on local disks, local LUNs and remote LUNs.
-
Configure Storage Profiles. Assign storage profiles to Service Profiles.
-
Configure power policies and power placement.
-
Create/modify/delete local storage policies (disks and LUNs).
-
Create/modify/delete Service Profile dynamic vNICs within a Service Profile.
-
Configure Service Profile vNICs storage initiator autoconfig policies.
-
Configure schedules. Schedules can be used to trigger one-time or periodic tasks in the future.
-
Configure iSCSI boot parameters.
-
Create/modify/delete Service Profiles/Templates. Assign policies to Service Profiles. Acknowledge service profile pending tasks.
-
Configure vHBA behavior policy when vHBAs are not explicitly defined.
-
Configure Service Profile iSCSI vNICs.
-
Configure FC group templates.
-
Configure Service Profile scriptable vMedia policies.
-
Associate and Disassociate Service Profiles.
-
Configure SAN connectivity policies. Configure Service Profile vHBAs and add/remove VSANs on vHBAs.
-
Create/modify/delete Service Profile maintenance policies.
-
Configure Inband CIMC IP connectivity.
-
Configure Service Profile BIOS policies.
-
Configure LAN connectivity policies. Configure Service Profile vNICs and add/remove VLANs on vNICs.
-
Configure VMQ policies.
-
Configure Service Profile scriptable vMedia.
-
Within a service profile, specify if vNICs/vHBAs should be inherited from the hardware when vNICs/vHBAs are not explicitly defined.
-
Configure vNIC behavior policy when vNICs are not explicitly defined.
-
Assign storage profiles to Service Profiles.
Service Profile Server Oper (ls-server-oper)
This privilege allows a user to control the power state of a service profile.
Tasks Allowed with this Privilege
A user with this privilege can perform the following tasks:
-
Control the power state of a Service Profile.
Service Profile Server Policy (ls-server-policy)
This privilege allows a user to control the power state of a service profile, associate and disassociate service profiles, and configure server-related policies.
Tasks Allowed with this Privilege
A user with this privilege can perform the following tasks:
-
Create/modify/delete Ethernet adapter policies (Ethernet and iSCSI).
-
Create/modify/delete server-related policies: maintenance, BIOS.
-
Configure power policies and power placement.
-
Create/modify/delete FC adapter policies.
-
Configure Service Profile boot policies.
-
Create/modify/delete management firmware packages. This feature is deprecated.
-
Configure Service Profile vNICs storage initiator autoconfig policies.
-
Configure DIMM black listing policy.
-
Configure iSCSI authentication profile.
-
Configure Service Profile scriptable vMedia.
-
Configure Service Profile scriptable vMedia policies.
-
Associate and Disassociate Service Profiles.
-
Control the power state of a Service Profile.
-
Create/modify/delete vNIC/vHBA placement.
Service Profile Storage (ls-storage)
This privilege allows a user to configure storage policies and storage elements that are applied to service profile vHBAs. The user can also configure other storage elements that impact service profiles.
Tasks Allowed with this Privilege
A user with this privilege can perform the following tasks:
-
Perform maintenance tasks on local disks, local LUNs and remote LUNs.
-
Create/modify/delete storage connection policies.
-
Configure Storage Profiles. Assign storage profiles to Service Profiles.
-
Configure the FC storage visibility for a vHBA initiator group.
-
Configure the allowed range for UUIDs.
-
Create/modify/delete FC adapter policies.
-
Create/modify/delete local storage policies (disks and LUNs).
-
Configure vHBA initiator groups.
-
Configure Service Profile vNICs storage initiator autoconfig policies.
-
Configure iSCSI boot parameters.
-
Configure Service Profile scriptable vMedia.
-
Configure the allowed range for virtual WWN addresses.
-
Configure vHBA behavior policy when vHBAs are not explicitly defined.
-
Configure Service Profile iSCSI vNICs.
-
Configure FC group templates.
-
Configure Service Profile scriptable vMedia policies.
-
Set FC zone labels.
-
Assign storage profiles to Service Profiles.
Service Profile Storage Policy (ls-storage-policy)
This privilege allows a user to configure storage policies and storage elements that are applied to service profile vHBAs.
Tasks Allowed with this Privilege
A user with this privilege can perform the following tasks:
-
Create/modify/delete storage connection policies.
-
Configure Storage Profiles. Assign storage profiles to Service Profiles.
-
Configure the allowed range for UUIDs.
-
Configure pools of IQN addresses (for iSCSI).
-
Configure pools of WWN addresses.
-
Create/modify/delete local storage policies (disks and LUNs).
-
Configure Service Profile boot policies.
-
Configure Service Profile vNICs storage initiator autoconfig policies.
-
Configure Service Profile scriptable vMedia.
-
Configure storage connection within a Service Profile.
-
Configure the allowed range for virtual WWN addresses.
-
Configure FC group templates.
-
Configure Service Profile scriptable vMedia policies.
-
Create/modify/delete vNIC/vHBA placement.
-
Assign storage profiles to Service Profiles.
Operations (operations)
This privilege allows a user to perform maintenance activities, such as SEL backup operations, and to configure system-level policies, such as call home, syslog, and log level, and to create tech support files.
Tasks Allowed with this Privilege
A user with this privilege can perform the following tasks:
-
Configure the statistics collection policies.
-
Configure log file export policies. Export log files.
-
Acknowledge faults.
-
Configure the Syslog feature.
-
Clear or backup SEL log files (FEX, IO Module, CIMC). Configure SEL log policy.
-
Configure the Catalog pack, specifying which catalog to be used.
-
Configure whether config, firmware and monitoring policies are resolved locally or through UCS Central.
-
Generate and download Tech Support files.
-
Create/modify/delete stats threshold policies.
-
Configure the logging level for debug log files on the Fabric Interconnect.
-
Configure core file export policies. Download core files.
Org Management (org-management)
This privilege allows a user to configure organizations in the org hierarchy.
Tasks Allowed with this Privilege
A user with this privilege can perform the following tasks:
-
Create/modify/delete organizations.
Server Equipment (pn-equipment)
This privilege allows a user to configure the power supply redundancy policy and to control the power state of network adapters.
Tasks Allowed with this Privilege
A user with this privilege can perform the following tasks:
-
Control power state of network adaptors.
-
Configure Power Supply Redundancy policy. Configure whether PSU redundancy policies can be resolved through UCS Central.
Server Maintenance (pn-maintenance)
This privilege allows a user to perform maintenance operations on physical servers, such as acknowledging servers, configuring locator LEDs, and decommissioning servers.
Tasks Allowed with this Privilege
A user with this privilege can perform the following tasks:
-
Enable/Disable Ethernet/FC/iSCSI ports and port channels on a server adapter. Set port/port channel label.
-
Acknowledge Chassis and IO Module. Set Chassis labels and chassis IDs.
-
Enable/Disable mapping out of black-listed DIMMs. Reset server DIMM errors.
-
Reset IO Module and FEX. Set IO Module/FEX labels.
-
Acknowledge, decommission, recommission and recover blade servers and rack servers.
-
Enable/Disable Ethernet ports on a Fabric Interconnect or IO Module. Set port labels.
-
Configure diagnostics.
-
Perform server maintenance operations: reset CIMC, reset KVM server, reset CMOS, reset BIOS password,perform diagnostic interrupt, reset server. Set blade and rack server labels.
-
Configure locator, indicator, beacon and health LEDs.
-
Control the power state of a Service Profile.
Server Policy (pn-policy)
This privilege allows a user to configure server-related policies.
Tasks Allowed with this Privilege
A user with this privilege can perform the following tasks:
-
Assign port profiles to Distributed Virtual Switches.
-
Configure Virtual Machine and Virtual Machine vNIC retention policy.
-
Control power state of network adaptors.
-
Reset IO Module and FEX. Set IO Module/FEX labels.
-
Configure VMware vCenter connections, datacenters, folders, switch.
-
Configure Service Profile BIOS policies.
-
Perform server maintenance operations: reset CIMC, reset KVM server, reset CMOS, reset BIOS password,perform diagnostic interrupt, reset server. Set blade and rack server labels.
-
Configure server/chassis discovery, acknowledgement and connectivity policies. Configure blade inheritance and auto-configuration policy.
-
Configure DIMM black listing policy.
-
Configure whether server/chassis discovery policies can be resolved through UCS Central.
-
Acknowledge Chassis and IO Module. Set Chassis labels and chassis IDs.
-
Enable/Disable mapping out of black-listed DIMMs. Reset server DIMM errors.
-
Run diagnostics.
-
Acknowledge, decommission, recommission and recover blade servers and rack servers.
-
Configure UUID pools.
-
Configure locator, indicator, beacon and health LEDs.
-
Control the power state of a Service Profile.
-
Configure Service Profile disk and BIOS scrub policies.
-
Configure VMware vCenter cryptographic keys.
-
Configure server pools, server pool policies, and server pool qualification policies.
-
Configure Power Supply Redundancy policy. Configure whether PSU redundancy policies can be resolved through UCS Central.
Server Security (pn-security)
Server security
Tasks Allowed with this Privilege
A user with this privilege can perform the following tasks:
Power Mgmt (power-mgmt)
This privilege allows a user to configure power groups, the power budget, and power policies.
Tasks Allowed with this Privilege
A user with this privilege can perform the following tasks:
-
Configure Power Groups, power budget, and power policies.