Feedback
Contents
- Configuring Role-Based Access Control
- Role-Based Access Control
- User Accounts
- User Roles
- Privileges
- User Locales
- Creating a User Role
- Adding Privileges to a User Role
- Removing Privileges from a User Role
- Deleting a User Role
- Creating a Locale
- Adding an Organization to a Locale
- Deleting an Organization from a Locale
- Deleting a Locale
- Creating a User Account
- Deleting a Locally Authenticated User Account
- Monitoring User Sessions
Configuring Role-Based Access Control
This chapter includes the following sections:
- Role-Based Access Control
- User Accounts
- User Roles
- Privileges
- User Locales
- Monitoring User Sessions
- Creating a User Role
- Adding Privileges to a User Role
- Removing Privileges from a User Role
- Deleting a User Role
- Creating a Locale
- Adding an Organization to a Locale
- Deleting an Organization from a Locale
- Deleting a Locale
- Creating a User Account
- Deleting a Locally Authenticated User Account
Role-Based Access Control
Role-Based Access Control (RBAC) is a method of restricting or authorizing system access for users based on user roles and locales. A role defines the privileges of a user in the system and the locale defines the organizations (domains) that a user is allowed access. Because users are not directly assigned privileges, management of individual user privileges is simply a matter of assigning the appropriate roles and locales.
A user is granted write access to desired system resources only if the assigned role grants the access privileges and the assigned locale allows access. For example, a user with the Server Administrator role in the Engineering organization could update server configurations in the Engineering organization, but would not be able to update server configurations in the Finance organization unless the locales assigned to the user include the Finance organization.
User Accounts
User accounts are used to access the system. Up to 48 user accounts can be configured in each Cisco UCS instance. Each user account must have a unique username and password.
The system has a default user account, admin, which cannot be modified or deleted. This account is the system administrator or superuser account and has full privileges. There is no default password assigned to the admin account; you must choose the password during the initial system setup.
The unique username for each user account cannot be all-numeric and cannot start with a number. If an all-numeric user name exists on an AAA server (RADIUS or TACACS+) and is entered during login, Cisco UCS Manager cannot log in the user. Local users with all-numeric names cannot be created.
For authentication purposes, a password is required for each user account. To prevent users from choosing insecure passwords, each password must meet the following requirements:
At least eight characters long
Does not contain more than three consecutive characters, such as abcd
Does not contain more than two repeating characters, such as aaabbb
Does not contain dictionary words
Does not contain common proper names
A user account can also be set with a SSH public key. The public key can be set in one of the two formats: OpenSSH and SECSH.
User accounts can be configured to expire at a predefined time. When the expiration time is reached the user account is disabled. By default, user accounts do not expire.
User Roles
User roles contain one or more privileges that define the operations allowed for the user who is assigned the role. A user can be assigned one or more roles. A user assigned multiple roles has the combined privileges of all assigned roles. For example, if Role1 has storage related privileges, and Role2 has server related privileges, users who are assigned to both Role1 and Role2 have storage and server related privileges.
All roles include read access to all configuration settings in the Cisco UCS instance. The difference between the read-only role and other roles is that a user who is only assigned the read-only role cannot modify the system state. A user assigned another role can modify the system state in that user's assigned area or areas.
The system contains the following default user roles:
- AAA Administrator
Read-and-write access to users, roles, and AAA configuration. Read access to the rest of the system.
- Administrator
Complete read-and-write access to the entire system. The default admin account is assigned this role by default and it cannot be changed.
- Network Administrator
Read-and-write access to fabric interconnect infrastructure and network security operations. Read access to the rest of the system.
- Operations
Read-and-write access to systems logs, including the syslog servers, and faults. Read access to the rest of the system.
- Read-Only
Read-only access to system configuration with no privileges to modify the system state.
- Server Equipment Administrator
Read-and-write access to physical server related operations. Read access to the rest of the system.
- Server Profile Administrator
Read-and-write access to logical server related operations. Read access to the rest of the system.
- Server Security Administrator
Read-and-write access to server security related operations. Read access to the rest of the system.
- Storage Administrator
Read-and-write access to storage operations. Read access to the rest of the system.
Roles can be created, modified to add new or remove existing privileges, or deleted. When a role is modified, the new privileges are applied to all users assigned to that role. Privilege assignment is not restricted to the privileges defined for the default roles. That is, you can use a custom set of privileges to create a unique role. For example, the default Server Administrator and Storage Administrator roles have different set of privileges, but a new Server and Storage Administrator role can be created that combines the privileges of both roles.
If a role is deleted after it has been assigned to users, it is also deleted from those user accounts.
User profiles on AAA servers (RADIUS or TACACS+) should be modified to add the roles corresponding to the privileges granted to that user. The cisco-av-pair vendor-specific attribute is used to store the role information. The AAA servers return this attribute with the request and parse it to get the roles. LDAP servers return the roles in the user profile attributes.
Privileges
Privileges give users assigned to user roles access to specific system resources and permission to perform specific tasks. The following table lists each privilege and the user role given that privilege by default.
Privilege
Description
Default Role Assignment
aaa
System security and AAA
AAA Administrator
admin
System administration
Administrator
ext-lan-config
External LAN configuration
Network Administrator
ext-lan-policy
External LAN policy
Network Administrator
ext-lan-qos
External LAN QoS
Network Administrator
ext-lan-security
External LAN security
Network Administrator
ext-san-config
External SAN configuration
Storage Administrator
ext-san-policy
External SAN policy
Storage Administrator
ext-san-qos
External SAN QoS
Storage Administrator
ext-san-security
External SAN security
Storage Administrator
fault
Alarms and alarm policies
Operations
operations
Logs and Smart Call Home
Operations
pod-config
Pod configuration
Network Administrator
pod-policy
Pod policy
Network Administrator
pod-qos
Pod QoS
Network Administrator
pod-security
Pod security
Network Administrator
read-only
Read-only access
Read-only cannot be selected as a privilege; it is assigned to every user role.
Read-Only
server-equipment
Server hardware management
Server Equipment Administrator
server-maintenance
Server maintenance
Server Equipment Administrator
server-policy
Server policy
Server Equipment Administrator
server-security
Server security
Server Security Administrator
service-profile-config
Service profile configuration
Server Profile Administrator
service-profile-config-policy
Service profile configuration policy
Server Profile Administrator
service-profile-ext-access
Service profile end point access
Server Profile Administrator
service-profile-network
Service profile network
Network Administrator
service-profile-network-policy
Service profile network policy
Network Administrator
service-profile-qos
Service profile QoS
Network Administrator
service-profile-qos-policy
Service profile QoS policy
Network Administrator
service-profile-security
Service profile security
Server Security Administrator
service-profile-security-policy
Service profile security policy
Server Security Administrator
service-profile-server
Service profile server management
Server Security Administrator
service-profile-server-policy
Service profile pool policy
Server Security Administrator
service-profile-storage
Service profile storage
Storage Administrator
service-profile-storage-policy
Service profile storage policy
Storage Administrator
User Locales
A user can be assigned one or more locales. Each locale defines one or more organizations (domains) the user is allowed access, and access would be limited to the organizations specified in the locale. One exception to this rule is a locale without any organizations, which gives unrestricted access to system resources in all organizations.
Users with AAA Administrator privileges (AAA Administrator role) can assign organizations to the locale of other users. The assignment of organizations is restricted to only those in the locale of the user assigning the organizations. For example, if a locale contains only the Engineering organization then a user assigned that locale can only assign the Engineering organization to other users.
You can hierarchically manage organizations. A user that is assigned at a top level organization has automatic access to all organizations under it. For example, an Engineering organization can contain a Software Engineering organization and a Hardware Engineering organization. A locale containing only the Software Engineering organization has access to system resources only within that organization; however, a locale that contains the Engineering organization has access to the resources for both the Software Engineering and Hardware Engineering organizations.
Configuring User Roles
Creating a User Role
Procedure
Adding Privileges to a User Role
Procedure
Step 1 In the Navigation pane, click the Admin tab. Step 2 On the Admin tab, expand . Step 3 Expand the Roles node. Step 4 Choose the role to which you want to add privileges. Step 5 In the General tab, check the boxes for the privileges you want to add to the role. Step 6 Click Save Changes.
Removing Privileges from a User Role
Procedure
Step 1 In the Navigation pane, click the Admin tab. Step 2 On the Admin tab, expand . Step 3 Expand the Roles node. Step 4 Choose the role from which you want to remove privileges. Step 5 In the General tab, uncheck the boxes for the privileges you want to remove from the role. Step 6 Click Save Changes.
Deleting a User Role
ProcedureWhen you delete a user role, Cisco UCS Manager removes that role from all user accounts to which the role has been assigned.
Step 1 In the Navigation pane, click the Admin tab. Step 2 On the Admin tab, expand . Step 3 Expand the Roles node. Step 4 Right-click the role you want to delete and choose Delete. Step 5 In the Delete dialog box, click Yes.
Configuring Locales
Creating a Locale
Procedure
Step 1 In the Navigation pane, click the Admin tab. Step 2 On the Admin tab, expand . Step 3 Right-click on Locales and choose Create a Locale. Step 4 In the Create Locale page, do the following:
Step 5 In the Assign Organizations page, do the following:
- Expand the Organizations area to view the organizations in the Cisco UCS instance.
- Click an organization that you want to assign to the locale.
- Drag the organization from the Organizations area and drop it into the design area on the right.
- Repeat Steps b and c until you have assigned all desired organizations to the locale.
Step 6 Click Finish.
What to Do Next
Add the locale to one or more user accounts.
Adding an Organization to a Locale
Procedure
Step 1 In the Navigation pane, click the Admin tab. Step 2 On the Admin tab, expand . Step 3 Expand the Locales node and click the locale to which you want to add an organization. Step 4 In the Work pane, click the General tab. Step 5 In the Organizations area, click + on the table icon bar. Step 6 In the Assign Organizations page, do the following:
- Expand the Organizations area to view the organizations in the Cisco UCS instance.
- Click an organization that you want to assign to the locale.
- Drag the organization from the Organizations area and drop it into the design area on the right.
- Repeat Steps b and c until you have assigned all desired organizations to the locale.
Step 7 Click OK.
Deleting an Organization from a Locale
Procedure
Step 1 In the Navigation pane, click the Admin tab. Step 2 On the Admin tab, expand . Step 3 Expand the Locales node and click the locale from which you want to delete an organization. Step 4 In the Work pane, click the General tab. Step 5 In the Organizations area, right-click the organization that you want to delete from the locale and choose Delete. Step 6 Click Save Changes.
Configuring User Accounts
Creating a User Account
Before You BeginProcedureIf the system includes any of the following:
Remote authentication services, ensure the users exist in the remote authentication server with the appropriate roles and privileges.
Multi-tenancy with organizations, create one or more locales. If you do not have any locales, all users are created in root and are assigned roles and privileges in all organizations.
SSH authentication, obtain the SSH key.
Step 1 In the Navigation pane, click the Admin tab. Step 2 On the Admin tab, expand . Step 3 Right-click User Services and choose Create User to open the User Properties dialog box. Step 4 Complete the following fields with the required information about the user:
Name Description Login ID field
The account name that is used when logging into this account.
The login ID can contain between 1 and 32 characters, including the following:
After you save the user, the login ID cannot be changed.
Note You can create up to 48 user accounts in a Cisco UCS instance.
First Name field
The first name of the user. This field can contain up to 32 characters.
Last Name field
The last name of the user. This field can contain up to 32 characters.
Email field
The email address for the user.
Phone field
The telephone number for the user.
Password field
The password associated with this account.
The password must contain at least 8 characters and it must pass a basic strength check. A strong password contains a mix of the alphanumeric characters, including uppercase and lowercase letters. It can also contain special characters such as !, @, or #.
Passwords cannot contain the characters $ (dollar sign) or ? (question mark).
Confirm Password field
The password a second time for confirmation purposes.
Password Expires check box
If checked, this password expires and must be changed on a given date.
Expiration Date field
If Password Expires is checked, this field specifies the date on which the password expires. The date should be in the format yyyy-mm-dd.
Click the down arrow at the end of this field to view a calendar that you can use to select the expiration date.
Step 5 In the Roles area, check one or more boxes to assign roles and privileges to the user account. Step 6 (Optional) If the system includes organizations, check one or more boxes in the Locales area to assign the user to the appropriate locales. Step 7 In the SSH area, complete the following fields:
Step 8 Click OK.
Monitoring User Sessions
ProcedureYou can monitor Cisco UCS Manager sessions for both locally authenticated users and remotely authenticated users, whether they logged in through the CLI or the GUI.
Step 1 In the Navigation pane, click the Admin tab. Step 2 In the Admin tab, expand . Step 3 Click the User Services node. Step 4 In the Work pane, click the Sessions tab. The tab displays the following details of user sessions: