Role-Based Access Control (RBAC) is a method of restricting or
authorizing system access for users based on user roles and locales. A role
defines the privileges of a user in the system and the locale defines the
organizations (domains) that a user is allowed access. Because users are not
directly assigned privileges, management of individual user privileges is
simply a matter of assigning the appropriate roles and locales.
A user is granted write access to desired system resources only if the
assigned role grants the access privileges and the assigned locale allows
access. For example, a user with the Server Administrator role in the
Engineering organization could update server configurations in the Engineering
organization but could not update server configurations in the
Finance organization unless the locales assigned to the user include the
Finance organization.
User Accounts for Cisco UCS Manager
User accounts are used to access the system. Up to 48 user accounts can
be configured in each
Cisco UCS
instance. Each user account must have a unique username and password.
A user account can be set with a SSH public key. The public key can
be set in either of the two formats: OpenSSH and SECSH.
Default User Account
Each Cisco UCS instance has a default user account, admin, which cannot be modified
or deleted. This account is the system administrator or superuser account and
has full privileges. There is no default password assigned to the admin
account; you must choose the password during the initial system setup.
The admin account is always active and does not expire. You cannot configure the admin account as inactive.
Local User Accounts
Local user accounts can be enabled or disabled by anyone with admin or aaa privileges. Once a local user account is disabled, the user cannot log in. Configuration details for disabled local user accounts are not deleted by the database. I fyou re-enable a disabled local user account, the account becomes active again with the existing configuration, including username and password.
Expiration of User Accounts
User accounts can be configured to expire at a predefined time. When
the expiration time is reached, the user account is disabled.
By default, user
accounts do not expire.
Note
After you configure a user account with an expiration date, you cannot reconfigure the account to not expire. You can, however, configure the account with the latest date available.
The username is also used as the login ID for Cisco UCS Manager. When you assign usernames to Cisco UCS Manager user accounts, consider the following guidelines and restrictions:
The login ID can contain between 1 and 32 characters,
including the following:
Any alphabetic character
Any digit
_ (underscore)
- (dash)
. (dot)
The unique username for each user account cannot be all-numeric. You cannot create a local user with an all-numeric username.
The unique username must start with an alphabetic character. It cannot start with a number or a special character, such as an underscore.
After you create a user account, you cannot change the username. You must delete the user account and create a new one.
Reserved Words: Local User Accounts
The following words cannot be used when creating a local user account in Cisco UCS Manager.
root
bin
daemon
adm
ip
sync
shutdown
halt
news
uucp
operator
games
gopher
nobody
nscd
mailnull
mail
rpcuser
rpc
mtsuser
ftpuser
ftp
man
sys
samdme
debug
Guidelines for Cisco UCS Manager Passwords
A password is required for each locally authenticated user
account. A user with admin or aaa privileges can configure Cisco UCS Manager to perform a password strength check on user passwords. If the password strength check is enabled, each user must have a strong password.
Cisco recommends that each user have a strong password. If you enable the password strength check for locally authenticated users, Cisco UCS Manager rejects any password that does not meet the following requirements:
Must contain a minimum of 8 characters and a maximum of 64 characters.
Must contain at least three of the following:
Lower
case letters
Upper case letters
Digits
Special characters
Must not contain a character that is repeated more than 3 times consecutively, such as aaabbb.
Must not be identical to the username or the reverse of the username.
Must pass a password dictionary check. For example, the password must not be based on a standard dictionary word.
Must not contain the following symbols: $ (dollar sign), ? (question mark), and = (equals sign).
Should not be blank for local user and admin accounts.
Web Session Limits for User Accounts
Web session limits are used by Cisco UCS Manager to restrict the number of web sessions (both GUI and XML) a given user account is permitted to access at any one time.
By default, the number of concurrent web sessions allowed by Cisco UCS Manager is set to 32; although this value can be configured up to the system maximum of 256.
User Roles
User roles contain one or more privileges that define the operations
allowed for the user who is assigned the role. A user can be assigned one or
more roles. A user assigned multiple roles has the combined privileges of all
assigned roles. For example, if Role1 has storage related privileges, and Role2
has server related privileges, users who are assigned to both Role1 and
Role2 have storage and server related privileges.
A Cisco UCS instance can contain up to 48 user roles, including the default user roles.
All roles include read access to all configuration settings in the Cisco UCS instance. The
difference between the read-only role and other roles is that a user who is
only assigned the read-only role cannot modify the system state. A user
assigned another role can modify the system state in that user's assigned area
or areas.
Roles can be created, modified to add new or remove existing privileges,
or deleted. When a role is modified, the new privileges are applied to all
users assigned to that role. Privilege assignment is not restricted to the
privileges defined for the default roles. That is, you can use a custom set of
privileges to create a unique role. For example, the default Server
Administrator and Storage Administrator roles have different set of privileges,
but a new Server and Storage Administrator role can be created that combines
the privileges of both roles.
If a role is deleted after it has been assigned to users, it is also
deleted from those user accounts.
User profiles on AAA servers (RADIUS or TACACS+) should be modified to
add the roles corresponding to the privileges granted to that user. The
attribute is used to store the role information.
The AAA servers return this attribute with the request and parse it to get the
roles. LDAP servers return the roles in the user profile attributes.
Note
If a local user account and a remote user account have the same username, any roles assigned to the remote user are overridden by those assigned to the local user.
The system contains the following default user roles:
AAA Administrator
Read-and-write access to users, roles, and AAA configuration. Read
access to the rest of the system.
Administrator
Complete read-and-write access to the entire system. The default
admin account is assigned this role by default and it cannot be changed.
Facility Manager
Read-and-write access to power management operations through the power-mgmt privilege. Read access to the rest of the system.
Network Administrator
Read-and-write access to fabric interconnect infrastructure and
network security operations. Read access to the rest of the system.
Operations
Read-and-write access to systems logs, including the syslog
servers, and faults. Read access to the rest of the system.
Read-Only
Read-only access to system configuration with no privileges to
modify the system state.
Server Equipment Administrator
Read-and-write access to physical server related operations. Read
access to the rest of the system.
Server Profile Administrator
Read-and-write access to logical server related operations. Read
access to the rest of the system.
Server Security Administrator
Read-and-write access to server security related operations. Read
access to the rest of the system.
Storage Administrator
Read-and-write access to storage operations. Read access to the
rest of the system.
Reserved Words: User Roles
The following words cannot be used when creating custom roles in Cisco UCS Manager.
network-admin
network-operator
vdc-admin
vdc-operator
server-admin
Privileges
Privileges give users assigned to user roles access to specific system
resources and permission to perform specific tasks. The following table lists
each privilege and the user role given that privilege by default.
Table 1 User Privileges
Privilege
Description
Default Role Assignment
aaa
System security and AAA
AAA Administrator
admin
System administration
Administrator
ext-lan-config
External LAN configuration
Network Administrator
ext-lan-policy
External LAN policy
Network Administrator
ext-lan-qos
External LAN QoS
Network Administrator
ext-lan-security
External LAN security
Network Administrator
ext-san-config
External SAN configuration
Storage Administrator
ext-san-policy
External SAN policy
Storage Administrator
ext-san-qos
External SAN QoS
Storage Administrator
ext-san-security
External SAN security
Storage Administrator
fault
Alarms and alarm policies
Operations
operations
Logs and Smart Call Home
Operations
pod-config
Pod configuration
Network Administrator
pod-policy
Pod policy
Network Administrator
pod-qos
Pod QoS
Network Administrator
pod-security
Pod security
Network Administrator
power-mgmt
Read-and-write access to power management operations
Facility Manager
read-only
Read-only access
Read-only cannot be selected as a privilege; it is assigned to every user role.
Read-Only
server-equipment
Server hardware management
Server Equipment Administrator
server-maintenance
Server maintenance
Server Equipment Administrator
server-policy
Server policy
Server Equipment Administrator
server-security
Server security
Server Security Administrator
service-profile-config
Service profile configuration
Server Profile Administrator
service-profile-config-policy
Service profile configuration policy
Server Profile Administrator
service-profile-ext-access
Service profile end point access
Server Profile Administrator
service-profile-network
Service profile network
Network Administrator
service-profile-network-policy
Service profile network policy
Network Administrator
service-profile-qos
Service profile QoS
Network Administrator
service-profile-qos-policy
Service profile QoS policy
Network Administrator
service-profile-security
Service profile security
Server Security Administrator
service-profile-security-policy
Service profile security policy
Server Security Administrator
service-profile-server
Service profile server management
Server Profile Administrator
service-profile-server-oper
Service profile consumer
Server Profile Administrator
service-profile-server-policy
Service profile pool policy
Server Security Administrator
service-profile-storage
Service profile storage
Storage Administrator
service-profile-storage-policy
Service profile storage policy
Storage Administrator
User Locales
A user can be assigned one or more locales. Each locale defines one or
more organizations (domains) the user is allowed access, and access would be
limited to the organizations specified in the locale. One exception to this
rule is a locale without any organizations, which gives unrestricted access to
system resources in all organizations.
A Cisco UCS instance can contain up to 48 user locales.
Users with AAA privileges (AAA Administrator role) can
assign organizations to the locale of other users. The assignment of
organizations is restricted to only those in the locale of the user assigning
the organizations. For example, if a locale contains only the Engineering
organization then a user assigned that locale can only assign the Engineering
organization to other users.
Note
You cannot assign a locale to users with one or more of the following privileges:
aaa
admin
operations
You can hierarchically manage organizations. A user that is assigned at
a top level organization has automatic access to all organizations under it.
For example, an Engineering organization can contain a Software Engineering
organization and a Hardware Engineering organization. A locale containing only
the Software Engineering organization has access to system resources only
within that organization; however, a locale that contains the Engineering
organization has access to the resources for both the Software Engineering and
Hardware Engineering organizations.
Configuring User Roles
Creating a User Role
Procedure
Step 1
In the
Navigation pane, click the
Admin tab.
Step 2
On the
Admin tab, expand
All > User Management > User Services.
Step 3
Right-click
User Services and choose
Create Role.
You can also right-click Roles to access that option.
Step 4
In the
Create Role dialog box, complete the following
fields:
Name
Description
Name field
A user-defined name for this user role.
This name can be between 1 and 16
alphanumeric characters. You cannot use spaces or any special characters, and
you cannot change this name after the object has been saved.
Privileges list box
A list of the privileges defined in the system.
Click a privilege to view a description of that privilege. Check the check box to assign that privilege to the selected user.
Help Section
Description field
A description of the most recent privilege you clicked in the Privileges list box.
Step 5
Click
OK.
Adding Privileges to a User Role
Procedure
Step 1
In the
Navigation pane, click the
Admin tab.
Step 2
On the
Admin tab, expand
All > User Management > User Services.
Step 3
Expand the
Roles node.
Step 4
Choose the role to which you want to add privileges.
Step 5
In the
General tab, check the boxes for the
privileges you want to add to the role.
Step 6
Click
Save Changes.
Removing Privileges from a User Role
Procedure
Step 1
In the
Navigation pane, click the
Admin tab.
Step 2
On the
Admin tab, expand
All > User Management > User Services.
Step 3
Expand the
Roles node.
Step 4
Choose the role from which you want to remove privileges.
Step 5
In the
General tab, uncheck the boxes for the
privileges you want to remove from the role.
Step 6
Click
Save Changes.
Deleting a User Role
When you delete a user role,
Cisco UCS Manager removes that role from all user accounts to which
the role has been assigned.
Procedure
Step 1
In the
Navigation pane, click the
Admin tab.
Step 2
On the
Admin tab, expand
All > User Management > User Services.
Step 3
Expand the
Roles node.
Step 4
Right-click the role you want to delete and choose
Delete.
Step 5
In the
Delete dialog box, click
Yes.
Configuring Locales
Creating a Locale
Before You Begin
One or more organizations must exist before you create a locale.
Procedure
Step 1
In the
Navigation pane, click the
Admin tab.
Step 2
On the
Admin tab, expand
All > User Management > User Services.
Step 3
Right-click Locales and choose
Create a Locale.
Step 4
In the
Create Locale page, do the following:
In the
Name field, enter a unique name for the
locale.
This name can be between 1 and 16
alphanumeric characters. You cannot use spaces or any special characters, and
you cannot change this name after the object has been saved.
Click
Next.
Step 5
In the
Assign Organizations dialog box, do the following:
Expand the
Organizations area to view the
organizations in the
Cisco UCS
instance.
Expand the root node to see the sub-organizations.
Click an organization that you want to assign to the
locale.
Drag the organization from the
Organizations area and drop it into the
design area on the right.
Repeat Steps b and c until you have assigned all desired
organizations to the locale.
On the
Admin tab, expand
All > User Management > User Services.
Step 3
Expand the
Locales node and click the locale to which you
want to add an organization.
Step 4
In the
Work pane, click the
General tab.
Step 5
In the
Organizations area, click
+ on the table icon bar.
Step 6
In the
Assign Organizations dialog box, do the following:
Expand the
Organizations area to view the
organizations in the
Cisco UCS
instance.
Expand the root node to see the sub-organizations.
Click an organization that you want to assign to the
locale.
Drag the organization from the
Organizations area and drop it into the
design area on the right.
Repeat Steps b and c until you have assigned all desired
organizations to the locale.
Step 7
Click
OK.
Deleting an Organization from a Locale
Procedure
Step 1
In the
Navigation pane, click the
Admin tab.
Step 2
On the
Admin tab, expand
All > User Management > User Services.
Step 3
Expand the
Locales node and click the locale from which
you want to delete an organization.
Step 4
In the
Work pane, click the
General tab.
Step 5
In the
Organizations area, right-click the
organization that you want to delete from the locale and choose
Delete.
Step 6
Click
Save Changes.
Deleting a Locale
Procedure
Step 1
In the
Navigation pane, click the
Admin tab.
Step 2
On the
Admin tab, expand
All > User Management > User Services.
Step 3
Expand the
Locales node.
Step 4
Right-click the locale you want to delete and choose
Delete.
Step 5
If
Cisco UCS Manager GUI
displays a confirmation dialog box, click
Yes.
Configuring User Accounts
Creating a User Account
At a minimum, we recommend that you create
the following users:
Server administrator account
Network administrator account
Storage administrator
Before You Begin
Perform the following tasks, if the system includes any of the following:
Remote authentication services, ensure the users exist in the
remote authentication server with the appropriate roles and privileges.
Multi-tenancy with organizations, create one or more locales. If
you do not have any locales, all users are created in root and are assigned
roles and privileges in all organizations.
SSH authentication, obtain the SSH key.
Procedure
Step 1
In the
Navigation pane, click the
Admin tab.
Step 2
On the
Admin tab, expand
All > User Management > User Services.
Step 3
Right-click
User Services and choose
Create User to open the
User Properties dialog box.
You can also right-click Locally Authenticated Users to access that option.
Step 4
Complete the following fields with the required information about
the user:
Name
Description
Login ID field
The account name that is used when logging into this account. This account must be unique and meet the guidelines and restrictions for Cisco UCS Manager user accounts.
The login ID can contain between 1 and 32 characters,
including the following:
Any alphabetic character
Any digit
_ (underscore)
- (dash)
. (dot)
The unique username for each user account cannot be all-numeric. You cannot create a local user with an all-numeric username.
The unique username must start with an alphabetic character. It cannot start with a number or a special character, such as an underscore.
After you save the user, the login ID cannot be changed.
You must delete the user account and create a new one.
First Name field
The first name of the user. This field can contain up to 32 characters.
Last Name field
The last name of the user. This field can contain up to 32 characters.
Email field
The email address for the user.
Phone field
The telephone number for the user.
Password field
The password associated with this account. If password strength check is enabled, a user's password must be strong and Cisco UCS Manager rejects any password that does not meet the following requirements:
Must contain a minimum of 8 characters and a maximum of 64 characters.
Must contain at least three of the following:
Lower
case letters
Upper case letters
Digits
Special characters
Must not contain a character that is repeated more than 3 times consecutively, such as aaabbb.
Must not be identical to the username or the reverse of the username.
Must pass a password dictionary check. For example, the password must not be based on a standard dictionary word.
Must not contain the following symbols: $ (dollar sign), ? (question mark), and = (equals sign).
Should not be blank for local user and admin accounts.
Confirm Password field
The password a second time for confirmation purposes.
Account Status field
If the status is set to active, a user can log into Cisco UCS Manager with this login ID and password.
Account Expires check box
If checked, this account expires and cannot be used after the date specified in the Expiration Date field.
Note
After you configure a user account with an expiration date, you cannot reconfigure the account to not expire. You can, however, configure the account with the latest date available.
Expiration Date field
The date on which the account expires. The date should be in the format yyyy-mm-dd.
Click the down arrow at the end of this field to view a calendar that you can use to select the expiration date.
Note
Cisco UCS Manager GUI displays this field when you check the Account Expires check box.
Step 5
In the
Roles area, check one or more boxes to assign
roles and privileges to the user account.
Note
Do not assign locales to users with an admin or aaa role.
Step 6
(Optional)If the system includes organizations, check
one or more check boxes in the
Locales area to assign the user to the
appropriate locales.
Step 7
In the
SSH area, complete the following fields:
In the
Type field, do the following:
Password Required—The user must enter a password when they log in.
Key—SSH encryption is used when this user logs in.
If you chose Key, enter the SSH key in the
SSH data field.
Step 8
Click
OK.
Enabling the Password Strength Check for Locally Authenticated Users
You must be a user with admin or aaa privileges to enable the password strength check. If the password strength check is enabled, Cisco UCS Manager does not permit a user to choose a password that does not meet the guidelines for a strong password.
Procedure
Step 1
In the
Navigation pane, click the
Admin tab.
Step 2
On the
Admin tab, expand
All > User Management > User Services.
Step 3
Click the Locally Authenticated Users node.
Step 4
In the Work pane, check the Password Strength Check check box in the Properties area.
Step 5
Click Save Changes.
Setting the Web Session Limits for Cisco UCS Manager GUI Users
Procedure
Step 1
In the
Navigation pane, click the
Admin tab.
Step 2
In the
Admin tab, expand
All > Communication Services.
Step 3
Click the
Communication Services tab.
Step 4
In the Web Session Limits area, complete the following fields:
Name
Description
Maximum Sessions Per User field
The maximum number of concurrent HTTP and HTTPS sessions allowed for each user.
Enter an integer between 1 and 256.
Maximum Sessions field
The maximum number of concurrent HTTP and HTTPS sessions allowed for all users within the system.
Enter an integer between 1 and 256.
Step 5
Click
Save Changes.
Changing the Locales Assigned to a Locally Authenticated User Account
Note
Do not assign locales to users with an admin or aaa role.
Procedure
Step 1
In the
Navigation pane, click the
Admin tab.
Step 2
On the Admin tab, expand All > User Management > User Services > Locally Authenticated Users.
Step 3
Click the user account that you want to modify.
Step 4
In the
Work pane, click the
General tab.
Step 5
In the
Locales area, do the following:
To assign a new locale to the user account, check
the appropriate check boxes.
To remove a locale from the user account, uncheck
the appropriate check boxes.
Step 6
Click
Save Changes.
Changing the Roles Assigned to a Locally Authenticated User Account
Changes in user roles and privileges do not take effect until the next time the user logs in. If a user is logged in when you assign a new role to or remove an existing role from a user account, the active session continues with the previous roles and privileges.
Procedure
Step 1
In the
Navigation pane, click the
Admin tab.
Step 2
On the Admin tab, expand All > User Management > User Services > Locally Authenticated Users.
Step 3
Click the user account that you want to modify.
Step 4
In the
Work pane, click the
General tab.
Step 5
In the
Roles area, do the following:
To assign a new role to the user account, check
the appropriate check boxes.
To remove a role from the user account, uncheck
the appropriate check boxes.
Step 6
Click
Save Changes.
Deleting a Locally Authenticated User Account
Procedure
Step 1
In the
Navigation pane, click the
Admin tab.
Step 2
On the
Admin tab, expand
All > User Management > User Services.
Step 3
Expand the
Locally Authenticated Users node.
Step 4
Right-click the user account you want to delete and choose
Delete.
Step 5
In the
Delete dialog box, click
Yes.
Monitoring User Sessions
You can monitor
Cisco UCS Manager
sessions for both locally authenticated users and remotely authenticated users,
whether they logged in through the CLI or the GUI.
Procedure
Step 1
In the
Navigation pane, click the
Admin tab.
Step 2
In the
Admin tab, expand
All > User
Management.
Step 3
Click the
User Services node.
Step 4
In the
Work pane, click the
Sessions tab.
The tab displays the following details of user sessions:
Name
Description
Name column
The name for the session.
User column
The username that is involved in the session.
Fabric ID column
The fabric interconnect that the
user logged in to for the session.
Login Time column
The date and time the session started.
Terminal Type column
The kind of terminal the user is
logged in through.
Host column
The IP address from which the user is
logged in.
Current Session column
If this column displays Y, the associated user session is currently active.