The Cisco APIC-EM supports role-based access control (RBAC). RBAC is a method of restricting or authorizing controller access for users based on their user roles. A role defines the privileges of a user on the controller. Because users are not directly assigned privileges, managing individual user privileges is simply a matter of assigning the appropriate roles to the users who need access to the Cisco APIC-EM GUI.
When you deploy the Cisco APIC-EM for the first time, the configuration wizard prompts for a username and password. This first-time user is given full administrative (read and write) permissions for the controller and is able to create user accounts for other users.
Note | Only users with the administrative role can create users and assign user roles. |
Note | We highly recommend that you configure at least two users with administrator (ROLE_ADMIN) privileges. In the unlikely event that one user is locked out or forgets his or her password, you have another user with administrative privileges who can help you to recover from this situation. |
The Cisco APIC-EM supports the following user roles:
Administrator (ROLE_ADMIN)—Provides full administrative (read and write) privileges to all Cisco APIC-EM resources, including the ability to add or remove users. For information, see Administrator Role.
Observer (ROLE_OBSERVER)—Provides primarily read-only privileges to the Cisco APIC-EM. For information, see Observer Role.
Installer (ROLE_INSTALLER)—Allows an installer to use the Cisco Plug and Play Mobile App to remotely access the APIC-EM controller to deploy devices and view their status. An installer cannot directly access the Cisco APIC-EM GUI. For information, see Installer Role.
Users with the administrator role have full administrative privileges to all Cisco APIC-EM resources, including the ability to add or remove users and accounts. Users with the administrator role (ROLE_ADMIN) can perform the following tasks:
Change their own password (by providing current password).
Create a new user with administrator (ROLE_ADMIN) or observer (ROLE_OBSERVER) privileges.
View all other users with their role and scope.
Edit any other user's role, including their own.
Delete any user including themselves.
Although an administrator cannot directly change another user's password in the GUI, an administrator can delete and then re-create the user with a new password using the GUI.
For information about the specific resources available to the administrator role, see Cisco APIC-EM Resources and Permissions.
Note | For security reasons, passwords are not displayed to any user, not even those with administrator privileges. |
The observer role provides read-only privileges to the Cisco APIC-EM. Users who are assigned the observer role (ROLE_OBSERVER) can change their own password (by providing current password).
They cannot perform the following tasks:
Edit their role or scope
Delete themselves
View their own password
View the list of devices in the device inventory.
For information about the specific resources available to the observer role, see Cisco APIC-EM Resources and Permissions.
Users who are assigned the installer role (ROLE_INSTALLER) can use the Cisco Plug and Play Mobile App to access the Cisco APIC-EM remotely to perform the following functions:
Installers cannot directly access the Cisco APIC-EM GUI.
You can create multiple users for the different domains (network or sub-networks) in your network. Each user can have a different role in a different domain. For example, a user can have an observer role in Network A and an administrator role in Network B.
About AAA
Users and their roles are subject to an authentication and authorization process.
With the Cisco APIC-EM, each resource for the controller is mapped to an action and each action is mapped to a required permission for a user. All REST APIs are therefore protected by the controller authentication process. For a list of resources and the roles that are allowed access to them, see Cisco APIC-EM Resources and Permissions.
Note | Depending upon your user role and its permissions, certain Cisco APIC-EM GUI functionality will not display. To view the role behavior (for example, administrator, installer, and observer) side-by-side in the GUI, you need to either use multiple Chrome browsers or incognito mode in the Chrome browser. You will not be able to view the role behavior side-by-side in a single Chrome browser using tabs. |
The following table describes the role permissions that are required for each Cisco APIC-EM resource.
Note | Depending upon your role and its permissions, certain Cisco APIC-EM GUI functionality will not display. To view the role behavior (for example, administrator and observer) side-by-side in the GUI, you need to either use multiple browsers or incognito mode in the browser. You will not be able to view the role behavior side-by-side in a single browser using tabs. |
Resource | Role Permissions
---|---
Discovery: Scan |
Inventory: Retrieving inventory list with device credentials |
Inventory: Adding tags |
Inventory: Creating device roles |
Inventory: Actions other than adding tags and creating device roles |
Role-based access control: Creating and deleting users and security roles |
File Service |
Host |
Task ID |
Telemetry |
Topology |
Path Analysis |
As an administrator, you can access the content of the logs for authenticated sessions. The following information about users, actions, and APIs is captured in these logs for security or troubleshooting purposes:
You can change the password that you use to log into the Cisco APIC-EM.
Note | You can change only your own password. To change another user's password, you must have administrator privileges. Changing the password involves deleting the user from the controller database and then recreating the user as a new user with a new password. |
You can use the password generator provided in the Change Password window or the following guidelines to create a secure password.
Create a password of at least 8 characters and one that contains characters from at least three of the following four classes:
Uppercase alphabet
Lowercase alphabet
Numerical digits
Special characters—include the space character or any of the following characters or character combinations:
! @ # $ % ^ & * ( ) - = + _ { } [ ] \\ | ; : " ' , < . > ? / :: #! ./ ;; >> << () **
In addition to a complex password, you should also ensure that user names do not create security vulnerabilities. To avoid user names that can create security vulnerabilities, the following rules should be followed:
All users should have unique user names and passwords.
Do not allow users to use the admin login and password.
To avoid creating security vulnerabilities, we recommend that you follow the Cisco APIC-EM password policies when creating a password. For information, see the Cisco Application Policy Infrastructure Controller Enterprise Module Deployment Guide.
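A checker for the password and user-name rules above, added here as an example and not code from the APIC-EM product or its documentation. The generator is my own construction, not the product's documented Change Password generator: it forces one character from each class so the result always passes the check, and it leaves the space character out of generated passwords.

```python
import secrets
import string

# Policy as the guide states it: at least 8 characters drawn from at least
# three of the four classes below. SPECIALS is the guide's own list, space
# included; the multi-character combinations it also lists (::, #!, ./, ;;,
# >>, <<, (), **) are made of these single characters.
MIN_LENGTH = 8
SPECIALS = ' !@#$%^&*()-=+_{}[]\\|;:"\',<.>?/'
CLASSES = {"upper": string.ascii_uppercase, "lower": string.ascii_lowercase,
           "digit": string.digits, "special": SPECIALS}
RESERVED_USERNAMES = {"admin"}  # the guide: never reuse the admin login

def character_classes(password: str) -> frozenset:
    """Policy classes present in password. Characters outside all four
    (e.g. non-ASCII) count toward length but toward no class."""
    return frozenset(name for name, pool in CLASSES.items()
                     if any(ch in pool for ch in password))

def password_violations(password: str) -> list:
    """Rules the candidate password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length < %d" % MIN_LENGTH)
    used = character_classes(password)
    if len(used) < 3:
        problems.append("only %d of 4 character classes" % len(used))
    return problems

def username_violations(username: str, existing: set) -> list:
    """Rules the candidate username breaks: it must be unique and must not
    be the admin login."""
    problems = []
    if username.lower() in RESERVED_USERNAMES:
        problems.append("reserved login name")
    if username in existing:
        problems.append("username already in use")
    return problems

def generate_password(length: int = 12) -> str:
    """CSPRNG generator (assumed design, not the product's) that forces one
    character from every class, space excluded, so the result always passes."""
    length = max(length, MIN_LENGTH)
    pools = [p.replace(" ", "") for p in CLASSES.values()]
    chars = [secrets.choice(pool) for pool in pools]
    chars += [secrets.choice("".join(pools)) for _ in range(length - 4)]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)
```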
To access the Users window, from the Global toolbar click the Settings icon. Then from the navigation pane on the Settings window, click Users.
Numbered Callout | Name | Description
---|---|---
1 | Actual username | Displays the user's current access status.
2 | Create User | Allows you to add a new user.
3 | Edit | Allows you to change the user role setting. You cannot change any other settings.
4 | Delete | Removes the user from the Cisco APIC-EM database. The deleted user is no longer able to log into the controller.
Only a user with the administrator role (ROLE_ADMIN) can add a user to the Cisco APIC-EM.
Note | User information (credentials) is stored in a local database on the controller. |
You must be an administrator (ROLE_ADMIN).
Step 1 | From the Global toolbar, click the Settings icon. The Settings window appears. |
Step 2 | From the navigation pane in the Settings window, click Users. The Users window appears with the following information displayed about the users: |
Step 3 | Click Create User. |
Step 4 | In the Create User dialog box, enter the username, password (twice), and role of the new user. The scope is set to SCOPE ALL by default. |
Step 5 | Click Add. The new user appears in the Users window. |
A user with the administrator role (ROLE_ADMIN) can delete a user from the Cisco APIC-EM.
You must be an administrator (ROLE_ADMIN).
Step 1 | From the Global toolbar, click the Settings icon. The Settings window appears. |
Step 2 | From the navigation pane in the Settings window, click Users. The Users window appears with the following information displayed about the users: |
Step 3 | Locate the user that you want to delete and, in the Actions column, click the Delete icon. The user is deleted from the Cisco APIC-EM database and is unable to access the controller. |
A user with the administrator role (ROLE_ADMIN) can view and change user settings and roles.
Note | User information (credentials) is stored in a local database on the controller. |
You must be an administrator (ROLE_ADMIN).
Step 1 | From the Global toolbar, click the Settings icon. The Settings window appears. |
Step 2 | From the navigation pane in the Settings window, click Users. The Users window appears with the following information displayed about the users: |
Step 3 | If you want to edit a user's information, from the Actions column, click the Edit icon. The username and scope are configured by default, so you cannot change their settings. However, you can change the role setting. Valid roles are ROLE_ADMIN, ROLE_OBSERVER, or ROLE_INSTALLER. |
Step 4 | When you are finished editing the user information, click Update. |
You can view a user's access status to the Cisco APIC-EM.
You must be an administrator (ROLE_ADMIN).
Step 1 | From the Global toolbar, click the Settings icon. The Settings window appears. |
Step 2 | From the navigation pane in the Settings window, click Users. The Users window appears with the following information displayed about the users: |
Step 3 | Click the individual username (link) to view the user's current access status. The User Status dialog box opens, displaying the following information: If you are an administrator, you can unlock the user account by clicking Unlock. |
Step 4 | When you are finished viewing or editing the user information, click Close. |
You can review the user logs using the Elastic Service Platform (Grapevine) developer console.
Note | We recommend that only advanced users use the developer console to perform the steps described in this procedure. |
You must have successfully deployed the Cisco APIC-EM and it must be operational.
Step 1 | Review the status of each service listed in the Overview window in the console. Each service is represented as a square. A green square represents an active instance of the service, and a red square represents a service with a faulty or failed instance. Squares without color represent inactive services (no instances initiated and running). |
Step 2 | Review the version of each service in the Overview window in the console. The version is located in the header of each listed service. |
Step 3 | Review the service logs by clicking a specific active instance of a service (green square icon) and then viewing the Instance logs located at the bottom of the window. |
Step 4 | Search through the logs for the keyword USER-ACCOUNTING. The following data is displayed for these log entry types: |
After reviewing the user data in the logs, proceed to troubleshoot any user activity.
When finished with the developer console, click Logout.