Table Of Contents
Cisco UCS XML Object-Access Privileges
Privileges Description and Object List
Cisco UCS XML Object-Access Privileges
This chapter provides details on the object-access privileges for the Cisco UCS XML API.
This chapter contains the following sections:
•
Privileges Description and Object List
Privileges Summary Table
When users are assigned to a role, that role allows certain privileges. Those privileges allow the user access to specific system resources and authorize permission to perform tasks on those resources. The following table lists each privilege and the initial default user role that has been given that privilege.
Privileges Description and Object List
This section describes each of the available privileges.
aaa
Purpose: System security and AAA.
This privilege has read and write access to all users, roles, AAA, and communication services configuration. Read access is available for all other objects.
Responsible role: AAA Administrator
Controlled Objects:
aaa:AuthRealm, aaa:EpAuthProfile, aaa:EpUser, aaa:ExtMgmtCutThruTkn, aaa:LdapEp, aaa:LdapProvider, aaa:Locale, aaa:Log, aaa:Org, aaa:RadiusEp, aaa:RadiusProvider, aaa:RemoteUser, aaa:Role, aaa:Session, aaa:SshAuth, aaa:TacacsPlusEp, aaa:TacacsPlusProvider, aaa:User, aaa:UserEp, aaa:UserLocale, aaa:UserRole, comm:Cimxml, comm:Dns, comm:DnsProvider, comm:EvtChannel, comm:Http, comm:Https, comm:SmashCLP, comm:Snmp, comm:SnmpTrap, comm:SnmpUser, comm:Ssh, comm:SvcEp, comm:Telnet, comm:WebChannel, comm:Wsman, comm:XmlClConnPolicy, comm:XmlClConnPolicy, pki:CertReq, pki:KeyRing, pki:TP
admin
Purpose: System administration
Responsible role: Administrator
Controlled Objects:
This role is system level. The administrator controls all objects.
ext-lan-config
Purpose: External LAN configuration
Responsible role: Network Administrator
Controlled Objects:
adaptor:ExtIf, adaptor:ExtEthIf, adaptor:HostIf, adaptor:HostEthIf, adaptor:HostFcIf, comm:DateTime, comm:Dns, comm:DnsProvider, comm:NtpProvider, fabric:EthLan, fabric:EthLanEp, fabric:EthLanPc, fabric:EthLanPcEp, fabric:LanCloud, fabric:LanPinGroup, fabric:LanPinTarget, fabric:Vlan, macpool:Format, network:Element, top:System, vnic:FcOEIf, vnic:LanConnTempl
ext-lan-policy
Purpose: External LAN policy
Responsible role: Network Administrator
Controlled Objects:
adaptor:ExtIf, adaptor:ExtEthIf, adaptor:HostIf, adaptor:HostEthIf, adaptor:HostFcIf, fabric:EthLan, fabric:EthLanEp, fabric:EthLanPc, fabric:EthLanPcEp, fabric:LanCloud, fabric:LanPinGroup, fabric:LanPinTarget, fabric:VCon, fabric:VConProfile, fabric:Vlan, macpool:Format, vnic:FcOEIf, vnic:LanConnTempl
ext-lan-qos
Purpose: External LAN QoS
Responsible role: Network Administrator
Controlled Objects:
qosclass:Definition, qosclass:EthBE, qosclass:EthClassified, qosclass:Fc
ext-lan-security
Purpose: External LAN security
Responsible role: Network Administrator
Controlled Objects:
comm:DateTime, comm:NtpProvider
ext-san-config
Purpose: External SAN configuration
Responsible role: Storage Administrator
Controlled Objects:
fabric:FcSan, fabric:FcSanEp, fabric:FcSanPc, fabric:FcSanPcEp, fabric:FcVsanPortEp, fabric:SanPinGroup, fabric:SanPinTarget, fabric:Vsan, fcpool:Format, vnic:FcOEIf
ext-san-policy
Purpose: External SAN policy
Responsible role: Storage Administrator
Controlled Objects:
fabric:FcSan, fabric:FcSanEp, fabric:FcSanPc, fabric:FcSanPcEp, fabric:FcVsanPortEp, fabric:SanPinGroup, fabric:SanPinTarget, fabric:Vsan, fcpool:Format, vnic:FcOEIf
ext-san-qos
Purpose: External SAN QoS
Responsible role: Storage Administrator
Controlled Objects:
qosclass:Definition, qosclass:EthBE, qosclass:EthClassified, qosclass:Fc
ext-san-security
Purpose: External SAN security
Responsible role: Storage Administrator
Controlled Objects:
There are no objects assigned to this privilege.
fault
Purpose: Alarms and alarm policies
Responsible role: Operations
Controlled Objects:
callhome:Policy, event:EpCtrl, event:Log, fault:Holder, fault:Inst, fault:Policy
ls-config
Purpose: Service profile configuration
Responsible role: Server Profile Administrator
Controlled Objects:
bios:VFeat, bios:VfConsoleRedirection, bios:VfEnhancedIntelSpeedStepTech, bios:VfFrontPanelLockout, bios:VfIntelHyperThreadingTech, bios:VfIntelTurboBoostTech, bios:VfIntelVTForDirectedIO, bios:VfIntelVirtualizationTechnology, bios:VfLvDIMMSupport, bios:VfMirroringMode, bios:VfNUMAOptimized, bios:VfProcessorC3Report, bios:VfProcessorC6Report, bios:VfQuietBoot, bios:VfResumeOnACPowerLoss, bios:VfSelectMemoryRASConfiguration, bios:VProfile, extvmm:Ep, extvmm:KeyRing, extvmm:KeyStore, extvmm:MasterExtKey, extvmm:Provider, extvmm:SwitchDelTask, ls:ComputeBinding, ls:Binding, ls:Requirement, ls:Power, ls:Server, ls:Tie, lsboot:Def, lsboot:Lan, lsboot:LanImagePath, lsboot:LocalStorage, lsboot:SanImage, lsboot:SanImagePath, lsboot:Storage, lsboot:VirtualMedia, org:Org, power:Group, power:Regulation, power:Rule, sol:Config, storage:LocalDiskConfigDef, storage:LocalDiskPartition, vm:Cont, vm:DirCont, vm:DC, vm:DCOrg, vm:Org, vm:Switch, vm:DC, vm:DCOrg, vm:Org, vm:Switch, vm:VnicProfCl, vnic:BootTarget, vnic:DynamicCon, vnic:Ether, vnic:EtherIf, vnic:Fc, vnic:FcIf, vnic:FcOEIf, vnic:IPv4Dhcp, vnic:IPv4Dns, vnic:IPv4If, vnic:IPv4StaticRoute, vnic:IpV4PooledAddr, vnic:IpV4StaticAddr, vnic:Ipc, vnic:IpcIf, vnic:Scsi, vnic:ScsiIf
ls-config-policy
Purpose: Service profile configuration policy
Responsible role: Server Profile Administrator
Controlled Objects:
adaptor:EthCompQueueProfile, adaptor:EthFailoverProfile, adaptor:EthInterruptProfile, adaptor:EthOffloadProfile,
adaptor:EthRecvQueueProfile, adaptor:EthWorkQueueProfile, adaptor:ExtIpV6RssHashProfile, adaptor:FcCdbWorkQueueProfile, adaptor:FcErrorRecoveryProfile, adaptor:FcInterruptProfile, adaptor:FcPortFLogiProfile, adaptor:FcPortPLogiProfile, adaptor:FcPortProfile, adaptor:FcRecvQueueProfile, adaptor:FcWorkQueueProfile, adaptor:HostEthIfProfile, adaptor:HostFcIfProfile, adaptor:IpV4RssHashProfile, adaptor:IpV6RssHashProfile, adaptor:RssProfile, extvmm:Ep, extvmm:KeyRing, extvmm:KeyStore, extvmm:MasterExtKey, extvmm:Provider, extvmm:SwitchDelTask, firmware:ComputeHostPack, firmware:ComputeMgmtPack, ls:AgentPolicy, ls:ComputeBinding, ls:Binding, ls:Requirement, ls:Tier, lsboot:Def, lsboot:Lan, lsboot:LanImagePath, lsboot:LocalStorage, lsboot:Policy, lsboot:SanImage, lsboot:SanImagePath, lsboot:Storage, lsboot:VirtualMedia, org:Org, sol:Config, sol:Policy, storage:LocalDiskConfigDef, storage:LocalDiskConfigPolicy, storage:LocalDiskPartition, vm:Cont, vm:DirCont, vm:DC, vm:DCOrg, vm:Org, vm:Switch, vm:DC, vm:DCOrg, vm:Org, vm:Switch, vm:VnicProfCl
ls-ext-access
Purpose: Service profile end point access
Responsible role: Server Profile Administrator
This privilege is not used.
ls-network
Purpose: Service profile network
Responsible role: Network Administrator
Controlled Objects:
dpsec:Mac, extvmm:Provider, extvmm:SwitchDelTask, fabric:DceSwSrvEp, fabric:VCon, fabric:VConProfile, flowctrl:Definition, flowctrl:Item, macpool:Format, nwctrl:Definition, qos:Definition, epqos:Definition, epqos:DefinitionDelTask, qosclass:Definition, qos:Item, epqos:Item, epqos:Egress, qosclass:Item, qosclass:Eth, qosclass:EthBE, qosclass:EthClassified, qosclass:Fc, vm:Cont, vm:DirCont, vm:DC, vm:DCOrg, vm:Org, vm:Switch, vm:DC, vm:DCOrg, vm:Org, vm:Switch, vm:VnicProfCl, vnic:DefBeh, vnic:DynamicCon, vnic:DynamicConPolicy, vnic:DynamicIdUniverse, vnic:Ether, vnic:EtherIf, vnic:IPv4Dhcp, vnic:IPv4Dns, vnic:IPv4If, vnic:IPv4StaticRoute, vnic:IpV4PooledAddr, vnic:IpV4StaticAddr, vnic:Ipc, vnic:IpcIf, vnic:LanConnTempl, vnic:Profile, vnic:ProfileSet
ls-network-policy
Purpose: Service profile network policy
Responsible role: Network Administrator
Controlled Objects:
dpsec:Mac, fabric:DceSrv, fabric:DceSwSrv, fabric:DceSwSrvEp, fabric:EthDiag, fabric:FcDiag, fabric:VCon, fabric:VConProfile, flowctrl:Definition, flowctrl:Item, ippool:Block, ippool:Pool, macpool:Block, macpool:Format, macpool:Pool, nwctrl:Definition, qos:Definition, epqos:Definition, epqos:DefinitionDelTask, qosclass:Definition, qos:Item, epqos:Item, epqos:Egress, qosclass:Item, qosclass:Eth, qosclass:EthBE, qosclass:EthClassified, qosclass:Fc, uuidpool:Block, vnic:DynamicCon, vnic:DynamicConPolicy, vnic:DynamicIdUniverse, vnic:LanConnTempl, vnic:Profile, vnic:ProfileSet
ls-qos
Purpose: Service profile
Responsible role: QoS Network Administrator
This privilege is not used.
ls-qos-policy
Purpose: Service profile QoS policy
Responsible role: Network Administrator
Controlled Objects:
flowctrl:Definition, flowctrl:Item, qos:Definition, epqos:Definition, epqos:DefinitionDelTask, qosclass:Definition, qos:Item, epqos:Item, epqos:Egress, qosclass:Item, qosclass:Eth, qosclass:EthBE, qosclass:EthClassified, qosclass:Fc
ls-security
Purpose: Service profile security
Responsible role: Server Security Administrator
Controlled Objects:
aaa:EpAuthProfile, aaa:EpUser
ls-security-policy
Purpose: Service profile security policy
Responsible role: Server Security Administrator
Controlled Objects:
aaa:EpAuthProfile, aaa:EpUser
ls-server
Purpose: Service profile server management
Responsible role: Server Security Administrator
Controlled Objects:
bios:VFeat, bios:VfConsoleRedirection, bios:VfEnhancedIntelSpeedStepTech, bios:VfFrontPanelLockout, bios:VfIntelHyperThreadingTech, bios:VfIntelTurboBoostTech, bios:VfIntelVTForDirectedIO, bios:VfIntelVirtualizationTechnology, bios:VfLvDIMMSupport, bios:VfMirroringMode, bios:VfNUMAOptimized, bios:VfProcessorC3Report, bios:VfProcessorC6Report, bios:VfQuietBoot, bios:VfResumeOnACPowerLoss, bios:VfSelectMemoryRASConfiguration, bios:VProfile, ls:ComputeBinding, ls:Binding, ls:Requirement, ls:Power, ls:Server, ls:Tier, lsboot:Def, lsboot:Lan, lsboot:LanImagePath, lsboot:LocalStorage, lsboot:SanImage, lsboot:SanImagePath, lsboot:Storage, lsboot:VirtualMedia, power:Group, power:Regulation, power:Rule, sol:Config, storage:LocalDiskConfigDef, storage:LocalDiskPartition, vnic:BootTarget, vnic:DefBeh, vnic:DynamicCon, vnic:Ether, vnic:EtherIf, vnic:Fc, vnic:FcIf, vnic:FcNode, vnic:FcOEI, vnic:IPv4Dhcp, vnic:IPv4Dns, vnic:IPv4If, vnic:IPv4StaticRoute, vnic:IpV4PooledAddr, vnic:IpV4StaticAddr, vnic:Ipc, vnic:IpcIf, vnic:Scsi, vnic:ScsiIf
ls-server-policy
Purpose: Service profile pool policy
Responsible role: Server Security Administrator
Controlled Objects:
adaptor:EthCompQueueProfile, adaptor:EthFailoverProfile, adaptor:EthInterruptProfile, adaptor:EthOffloadProfile, adaptor:EthRecvQueueProfile, adaptor:EthWorkQueueProfile, adaptor:ExtIpV6RssHashProfile, adaptor:FcCdbWorkQueueProfile, adaptor:FcErrorRecoveryProfile, adaptor:FcInterruptProfile, adaptor:FcPortFLogiProfile, adaptor:FcPortPLogiProfile, adaptor:FcPortProfile, adaptor:FcRecvQueueProfile, adaptor:FcWorkQueueProfile, adaptor:HostEthIfProfile, adaptor:HostFcIfProfile, adaptor:IpV4RssHashProfile, adaptor:IpV6RssHashProfile, adaptor:RssProfile, bios:VFeat, bios:VfConsoleRedirection, bios:VfEnhancedIntelSpeedStepTech, bios:VfFrontPanelLockout, bios:VfIntelHyperThreadingTech, bios:VfIntelTurboBoostTech, ios:VfIntelVTForDirectedIO, bios:VfIntelVirtualizationTechnology, bios:VfLvDIMMSupport, bios:VfMirroringMode, bios:VfNUMAOptimized, bios:VfProcessorC3Report, bios:VfProcessorC6Report, bios:VfQuietBoot, bios:VfResumeOnACPowerLoss, bios:VfSelectMemoryRASConfiguration, bios:VProfile, fabric:VCon, fabric:VConProfile, firmware:ComputeHostPack, firmware:ComputeMgmtPack, ls:AgentPolicy, ls:ComputeBinding, ls:Binding, ls:Requirement, ls:Power, ls:Tier, lsboot:Policy, power:Group, power:Regulation, power:Rule
ls-storage
Purpose: Service profile storage
Responsible role: Storage Administrator
Controlled Objects:
fcpool:Format, lsboot:Def, lsboot:Lan, lsboot:LanImagePath, lsboot:LocalStorage, lsboot:SanImage, lsboot:SanImagePath, lsboot:Storage, lsboot:VirtualMedia, storage:LocalDiskConfigDef, storage:LocalDiskConfigPolicy, storage:LocalDiskPartition, uuidpool:Format, vnic:BootTarget, vnic:DefBeh, vnic:Fc, vnic:FcIf, vnic:FcNode, vnic:FcOEIf, vnic:SanConnTempl, vnic:Scsi, vnic:ScsiIf
ls-storage-policy
Purpose: Service profile storage policy
Responsible role: Storage Administrator
Controlled Objects:
fabric:VCon, fabric:VConProfile, fcpool:Block, fcpool:BootTarget, fcpool:Format, fcpool:Initiator, fcpool:Initiators, lsboot:Def, lsboot:Lan, lsboot:LanImagePath, lsboot:LocalStorage, lsboot:SanImage, lsboot:SanImagePath, lsboot:Storage, lsboot:VirtualMedia, storage:LocalDiskConfigDefstorage:LocalDiskConfigPolicy, storage:LocalDiskPartition, uuidpool:Format, vnic:SanConnTempl
operations
Purpose: Logs and Smart Call Home
Responsible role: Operations
Controlled Objects:
aaa:Log, callhome:Dest, callhome:Ep, callhome:PeriodicSystemInventory, callhome:Profile, callhome:Smtp, callhome:Source, callhome:TestAlert, comm:DateTime, comm:NtpProvider, comm:Syslog, comm:SyslogClient,
comm:SyslogConsole, comm:SyslogFile, comm:SyslogMonitor, condition:Log, aaa:Log, event:Log, event:EpCtrl, event:Log, fault:Inst, stats:CollectionPolicy, stats:Curr, adaptor:EthPortBySizeLargeStats, adaptor:EthPortBySizeSmallStats, adaptor:EthPortErrStats, adaptor:EthPortMcastStats, adaptor:EthPortOutsizedStats, adaptor:EthPortStats, adaptor:EtherIfStats, adaptor:FcIfEventStats, adaptor:FcIfFC4Stats, adaptor:FcIfFrameStats, adaptor:FcPortStats, adaptor:MenloBaseErrorStats, adaptor:MenloDcePortStats, adaptor:MenloEthErrorStats, adaptor:MenloEthStats, adaptor:MenloFcErrorStats, adaptor:MenloFcStats, adaptor:MenloHostPortStats, adaptor:MenloMcpuErrorStats, adaptor:MenloMcpuStats, adaptor:MenloNetEgStats, adaptor:MenloNetInStats, adaptor:MenloQErrorStats, adaptor:MenloQStats, adaptor:VnicStats, compute:IOHubEnvStats, compute:MbPowerStats, compute:MbTempStats, compute:PCIeFatalCompletionStats, compute:PCIeFatalProtocolStats, compute:PCIeFatalReceiveStats, compute:PCIeFatalStats, equipment:ChassisStats, equipment:FanModuleStats, equipment:FanStats, equipment:IOCardStats, equipment:PsuInputStats, equipment:PsuStats, ether:ErrStats, ether:LossStats, ether:PauseStats, ether:RxStats, ether:TxStats, fc:ErrStats, fc:Stats, memory:ArrayEnvStats, memory:BufferUnitEnvStats, memory:ErrorStats, memory:Runtime, memory:UnitEnvStats, processor:EnvStats, processor:ErrorStats, processor:Runtime, sw:EnvStats, sw:SystemStats, stats:Holder, stats:Thr32Definition, stats:Thr32Value, stats:Thr64Definition, stats:Thr64Value, stats:ThrFloatDefinition, stats:ThrFloatValue, stats:ThresholdClass, stats:ThresholdDefinition, stats:Thr32Definition, stats:Thr64Definition, stats:ThrFloatDefinition, stats:ThresholdPolicy, stats:ThresholdValue, stats:Thr32Value, stats:Thr64Value, stats:ThrFloatValue, sysdebug:AutoCoreFileExportTarget, sysdebug:BackupBehavior, sysdebug:Core, sysdebug:CoreFileExportTarget, sysdebug:AutoCoreFileExportTarget, ysdebug:ManualCoreFileExportTarget), sysdebug:CoreFileRepository, sysdebug:LogControlDestinationFile, ysdebug:LogControlDestinationSyslog, sysdebug:LogControlDomain, sysdebug:LogControlEp, sysdebug:LogControlModule, sysdebug:MEpLog, sysdebug:MEpLogPolicy, sysdebug:ManualCoreFileExportTarget, sysfile:Mutation
pn-equipment
Purpose: Server hardware management
Responsible role: Server Equipment Administrator
Controlled Objects:
adaptor:ExtIf, adaptor:ExtEthIf, adaptor:HostIf, adaptor:HostEthIf, adaptor:HostFcIf, compute:Blade, compute:PsuPolicy, diag:SrvCtrl, equipment:Chassis, equipment:Led, equipment:IndicatorLed, equipment:LocatorLed, fabric:ComputeSlotEp, fabric:SwChPhEp
pn-maintenance
Purpose: Server maintenance
Responsible role: Server Equipment Administrator
Controlled Objects:
adaptor:ExtIf, adaptor:ExtEthIf, adaptor:HostIf, adaptor:HostEthIf, adaptor:HostFcIf, compute:Blade, diag:SrvCtrl, equipment:Chassis, equipment:Led, equipment:IndicatorLed, equipment:LocatorLed, fabric:ComputeSlotEp, fabric:SwChPhEp
pn-policy
Purpose: Server policy
Responsible role: Server Equipment Administrator
Controlled Objects:
adaptor:CapQual, adaptor:Qual, bios:VFeat, bios:VfConsoleRedirection, bios:VfEnhancedIntelSpeedStepTech, bios:VfFrontPanelLockout, bios:VfIntelHyperThreadingTech, bios:VfIntelTurboBoostTech, bios:VfIntelVTForDirectedIO, bios:VfIntelVirtualizationTechnology, bios:VfLvDIMMSupport, bios:VfMirroringMode, bios:VfNUMAOptimized, bios:VfProcessorC3Report, bios:VfProcessorC6Report, bios:VfQuietBoot, bios:VfResumeOnACPowerLoss, bios:VfSelectMemoryRASConfiguration, bios:VProfile, compute:AutoconfigPolicy, compute:Blade, compute:BladeDiscPolicy, compute:BladeInheritPolicy, compute:ChassisDiscPolicy, compute:ChassisQual, compute:DiscPolicy, compute:BladeDiscPolicy, compute:ChassisDiscPolicy, compute:PhysicalQual, compute:Pool, compute:PooledPhysical, compute:PooledSlot, compute:PooledSlot, compute:PoolingPolicy, compute:PsuPolicy, compute:Qual, compute:QualItem, adaptor:CapDef, adaptor:CapQual, adaptor:CapSpec, adaptor:Qual, compute:BladePosQual, compute:ChassisQual, compute:SlotQual, compute:PhysicalQual, memory:Qual, processor:Qual, storage:Qual, compute:ScrubPolicy, compute:SlotQual, diag:BladeTest, diag:NetworkTest, diag:RunPolicy, equipment:Chassis, equipment:Led, equipment:IndicatorLed, equipment:LocatorLed, extvmm:Ep, extvmm:KeyRing, extvmm:KeyStore, extvmm:MasterExtKey, extvmm:Provider, extvmm:SwitchDelTask, fabric:ComputeSlotEp, fabric:SwChPhEp, memory:Qual, org:Org, processor:Qual, storage:Qual, uuidpool:Pool, vm:Cont, vm:DirCont, vm:DC, vm:DCOrg, vm:Org, vm:Switch, vm:DC, vm:DCOrg, vm:LifeCyclePolicy, vm:Org, vm:Switch, vm:VnicProfCl
pn-security
Purpose: Server security
Responsible role: Server Security Administrator
Controlled Objects:
mgmt:IntAuthPolicy
pod-config
Purpose: Pod configuration
Responsible role: Network Administrator
This privilege is not used.
pod-policy
Purpose: Pod policy
Responsible role: Network Administrator
This privilege is not used.
pod-qos
Purpose: Pod QoS
Responsible role: Network Administrator
This privilege is not used.
pod-security
Purpose: Pod security
Responsible role: Network Administrator
This privilege is not used.
read-only
Purpose: Read-only access.
Responsible role: This is not a selectable privilege. All roles have read-only access to all objects. Roles that have read-write privileges on some objects also have read-only access to all other objects.
Power Management
This section describes power management privileges. The facility manager is reponsible for providing and ensuring availability of power for the data center and all contents.
power-mgmt
Purpose: Data center power management
This role provides read and write access for power capacity management including power group configurations and other power-related policies.
Responsible role: Facility Manager
ls-server-oper
Purpose: Service profile consumer role
This privilege controls these operations on the service-profile:
•
•
•
•
Responsible role: Server Profile Administrator
ls-power
Purpose: Service profile power management
Responsible role: Facility Manager