Managing Users and Roles

About Role-Based Access Control

The Cisco APIC-EM supports role-based access control (RBAC). RBAC is a method of restricting or authorizing controller access for users based on their user roles. A role defines the privileges of a user on the controller. Because users are not directly assigned privileges, the management of individual user privileges is simply a matter of assigning the appropriate roles to users who need access the Cisco APIC-EM GUI.

About User Roles

When you deploy the Cisco APIC-EM for the first time, the configuration wizard prompts for a username and password. This first-time user is given full administrative (read and write) permissions for the controller and is able to create user accounts for other users.




Note

Only users with the administrative role (ROLE_ADMIN) can create users and assign user roles.

Users are assigned roles that determine the functions that they are permitted to perform:

  • Administrator (ROLE_ADMIN)—Provides full administrative privileges to all Cisco APIC-EM resources, including the ability to add or remove users and accounts. For more information, see Administrator Role.


    Note

    We highly recommend that you configure at least two users with administrator (ROLE_ADMIN) privileges. In the unlikely event that one user is locked out or forgets his or her password, you have another user with administrative privileges who can help you to recover from this situation.

  • Policy Administrator (ROLE_POLICY_ADMIN)—Allows you to create and manage policies. For more information, see Policy Administrator Role.

  • Observer (ROLE_OBSERVER)—Provides primarily read-only privileges to the Cisco APIC-EM. For information, see Observer Role.

  • Installer (ROLE_INSTALLER)—Allows an installer to use the Cisco Plug and Play Mobile App to remotely access the APIC-EM controller to deploy devices and view their status. An installer cannot directly access the Cisco APIC-EM GUI. For information, see Installer Role.

Administrator Role

Users with the administrator role have full administrative privileges to all Cisco APIC-EM resources, including the ability to add or remove users and accounts. Users with the administrator role (ROLE_ADMIN) can perform the following tasks:

  • Change their own password (by providing current password).

  • Create a new user and assign any existing role to it.

  • View all other users with their role and scope.

  • Edit their own user role and the user role of any other user.

  • Delete any user including themselves.

Although an administrator cannot directly change another user's password in the GUI, an administrator can delete and then re-create the user with a new password using the GUI.

For information about the specific resources available to the administrator role, see Cisco APIC-EM Resources and Permissions.


Note

For security reasons, passwords are not displayed to any user, not even those with administrator privileges.


Note

We highly recommend that you configure at least two users with administrator (ROLE_ADMIN) privileges. In the unlikely event that one user is locked out or forgets his or her password, you have another user with administrative privileges who can help you to recover from this situation.

Policy Administrator Role

The policy administrator role has full read/write access to policy-administration functionality and APIs, including Discovery, Discovery Credentials (global and discovery-specific), Inventory, Topology, Path Trace, and EasyQoS. In particular, a user in this role can create, modify, and deploy application quality-of-service policies.

This role cannot access system-wide controller-administration functions, such as Network Settings (Trustpool, Controller Certificate, Proxy Certificate) and system-wide Controller Settings (Update, Backup & Restore, Logging Level, Auth Timeout, Password Policy, Telemetry Collection and Controller Proxy.) This role cannot create or delete any user accounts but it can change its own password and read its own account information. This role cannot access Prime Credentials.

Observer Role

The observer role provides read-only privileges to the Cisco APIC-EM. Users who are assigned the observer role (ROLE_OBSERVER) can change their own password (by providing current password).

They cannot perform the following tasks:

  • Edit their role or scope

  • Delete themselves

  • View their own password

For information about the specific resources available to the observer role, see Cisco APIC-EM Resources and Permissions.


Note

For security reasons, passwords are not displayed to any user, not even those with administrator privileges.

Installer Role

Users who are assigned the installer role (ROLE_INSTALLER) can use the Cisco Plug and Play Mobile application to access the Cisco APIC-EM remotely to perform the following functions:

  • View device status.

  • Trigger device deployments.

Installers cannot access the Cisco APIC-EM GUI.


Note

For security reasons, passwords are not displayed to any user, not even those with administrator privileges.

Users and Domains

You can create multiple users for the different domains (network or sub-networks) in your network. Each user can have a different role in a different domain. For example, a user can have an observer role in Network A and an administrator role in Network B.

About AAA

Authentication and Authorization

Users and their roles are subject to an authentication and authorization process.

With the Cisco APIC-EM, each resource for the controller is mapped to an action and each action is mapped to a required permission for a user. All REST APIs are therefore protected by the controller authentication process. For a list of resources and the roles that are allowed access to them, see Cisco APIC-EM Resources and Permissions.

Cisco APIC-EM Resources and Permissions

The following table describes the role permissions that are required for each Cisco APIC-EM resource.


Note
Depending upon your role and its permissions, certain Cisco APIC-EM GUI functionality will not display. To view the role behavior (for example, administrator and observer) side-by-side in the GUI, you need to either use multiple browsers or incognito mode in the browser. You will not be able to view the role behavior side-by-side in a single browser using tabs.
Table 1 Cisco APIC-EM Resources and Permissions

Resource

Role Permissions

Discovery: Scan

  • Administrator

  • Policy Administrator

Inventory: Retrieving inventory list with device credentials

  • Administrator

  • Policy Administrator

Inventory: Adding tags

  • Administrator

  • Policy Administrator

  • Observer

Inventory: Creating device roles

  • Administrator

  • Policy Administrator

  • Observer

Inventory: Actions other than adding tags and creating device roles

  • Administrator

  • Policy Administrator

  • Observer

Role-based access control: Creating and deleting users and security roles

  • Administrator

  • Observer can view and change own password.

File Service

  • Administrator

  • Policy Administrator

Host

  • Administrator

  • Policy Administrator

  • Observer

Task ID

  • Administrator

  • Policy Administrator

  • Observer

Telemetry

  • Administrator

  • Policy Administrator

  • Observer

Topology

  • Administrator

  • Policy Administrator

  • Observer

Path Analysis

  • Administrator

  • Policy Administrator

  • Observer

Accounting

As an administrator, you can access the content of logs for authenticated sessions. The following information about users, actions, and APIs are captured in these logs for security or troubleshooting purposes:

  • Northbound API access data

  • Authentication successes with the user name or failures for any method

Changing Your Password

You can change the password that you use to log into the Cisco APIC-EM.


Note

You can change only your own password. To change another user's password, you must have administrator privileges. Changing the password involves deleting the user from the controller database and then recreating the user as a new user with a new password.

You can use the password generator provided in the Change Password window or the following guidelines to create a secure password.

Create a password of at least 8 characters and one that contains characters from at least three of the following four classes:

  • Uppercase alphabet

  • Lowercase alphabet

  • Numerical digits

  • Special characters—include the space character or any of the following characters or character combinations:

    ! @ # $ % ^ & * ( ) - = + _ { } [ ] \\ | ; : " ' , < . > ? / :: #! ./ ;; >> << () **

In addition to a complex password, you should also ensure that user names do not create security vulnerabilities. To avoid user names that can create security vulnerabilities, the following rules should be followed:

  • All users should have unique user names and passwords.

  • Do not allow users to use the admin login and password

To avoid creating security vulnerabilities, we recommend that you follow the Cisco APIC-EM password policies when creating a password. For information, see the Cisco Application Policy Infrastructure Controller Enterprise Module Deployment Guide.

Procedure
    Step 1   From the Global toolbar, click the Administrative Functions (Gear) icon > Settings.
    Step 2   From the navigation pane in the Settings window, click Change Password.
    Step 3   In the Change Password window, enter the appropriate values in the following fields:

    • Username—Your user name appears in this field by default.

    • Current Password—Your current password.

    • New Password—Your new password. Create your own or, to create a stronger password, click Generate, enter a seed phrase, and click Generate. You can apply the generated password by clicking Apply Password, or you can copy and paste it or any part of it before or after your new password entry.

      Note   

      We highly recommend that you use the password generator to create a stronger password.

    • Confirm New Password—Your new password entered a second time as confirmation.

    Step 4   When you are finished, click Update to update and save the new password.

    Click Cancel to cancel the password change.

    Configuring Users and Roles

    To access the Users window, from the Global toolbar click the Settings icon. Then from the navigation pane on the Settings window, click Users.

    Name

    Description

    Username

    Displays the user's current access status.

    Create User

    Allows you to add a new user.

    You must have administrator (ROLE_ADMIN) permissions to perform this procedure.

    Edit

    Allows you to change the user role settings. You cannot change any other settings.

    You must have administrator (ROLE_ADMIN) permissions to perform this procedure.

    Delete

    Removes the user from the Cisco APIC-EM database. The deleted user is no longer able to log into the controller.

    You must have administrator (ROLE_ADMIN) permissions to perform this procedure.

    Adding a User

    Only a user with the administrator role (ROLE_ADMIN) can add a user to the Cisco APIC-EM.


    Note

    User information (credentials) is stored in a local database on the controller.


    Note

    We highly recommend that you configure at least two users with administrator (ROLE_ADMIN) privileges. In the unlikely event that one user is locked out or forgets his or her password, you have another user with administrative privileges who can help you to recover from this situation.

    Before You Begin

    You must be an administrator (ROLE_ADMIN).

    Procedure
      Step 1   From the Global toolbar, click the Administrative Functions (Gear) icon > Settings.
      Step 2   From the navigation pane in the Settings window, click Users.

      The Users window is displayed with the following information about the users:

      • Username—Username assigned to the user.

      • Role—Role that defines the user's privileges within the APIC-EM. Valid roles are ROLE_ADMIN, ROLE_POLICY_ADMIN, ROLE_OBSERVER, or ROLE_INSTALLER.

      • Scope—Domain or tenancy that the user is allowed to access. In this release, the scope is set to ALL and cannot be changed.

      • Actions—Icons that allow you to edit user information or delete a user.

      Step 3   Click Create User.
      Step 4   In the Create User dialog box, enter the username, password (twice), and role of the new user. The scope is set to SCOPE ALL by default.
      Step 5   Click Add.

      The new user appears in the Users window.

      Deleting a User

      A user with the administrator role (ROLE_ADMIN) can delete a user from the Cisco APIC-EM.

      Before You Begin

      You must have administrator (ROLE_ADMIN) permissions to perform this procedure.

      Procedure
        Step 1   From the Global toolbar, click the Administrative Functions (Gear) icon > Settings.
        Step 2   From the navigation pane in the Settings window, click Users.

        The Users window is displayed with the following information about the users:

        • Username—Username assigned to the user.

        • Role—Role that defines the user's privileges within the APIC-EM. Valid roles are ROLE_ADMIN, ROLE_POLICY_ADMIN, ROLE_OBSERVER, or ROLE_INSTALLER.

        • Scope—Domain or tenancy that the user is allowed to access. In this release, the scope is set to ALL and cannot be changed.

        • Actions—Icons that allow you to edit user information or delete a user.

        Step 3   Locate the user that you want to delete and, in the Actions column, click the Delete icon.

        The user is deleted from the Cisco APIC-EM database and is unable to access the controller.

        Note   

        You cannot delete the default administrative user. The Cisco APIC-EM requires at least one administrative user who can log into the controller.

        Viewing and Editing User Information

        You can view and change user information.


        Note

        User information (credentials) is stored in a local database on the controller.

        Before You Begin

        You must have administrator (ROLE_ADMIN) permissions to perform this procedure.

        Procedure
          Step 1   From the Global toolbar, click the Administrative Functions (Gear) icon > Settings.
          Step 2   From the navigation pane in the Settings window, click Users.

          The Users window is displayed with the following information about the uses:

          • Username—Username assigned to the user.

          • Role—Role that defines the user's privileges within the APIC-EM. Valid roles are ROLE_ADMIN, ROLE_POLICY_ADMIN, ROLE_OBSERVER, or ROLE_INSTALLER.

          • Scope—Domain or tenancy that the user is allowed to access.

          • Actions—Icons that allow you to edit user information or delete a user.

          Step 3   If you want to edit a user's information, from the Actions column, click the Edit icon.

          The username and scope are configured by default so you cannot change their settings. However, you can change the role setting. Valid roles are ROLE_ADMIN, ROLE_POLICY_ADMIN, ROLE_OBSERVER, or ROLE_INSTALLER.

          Step 4   When you are finished editing the user information, click Update.

          Viewing User Access Status

          As an administrator, you can display the access status of a Cisco APIC-EM user.

          Before You Begin

          You must have administrator (ROLE_ADMIN) permissions to perform this procedure.

          Procedure
            Step 1   From the Global toolbar, click theAdministrative Functions (Gear) icon > Settings.
            Step 2   From the navigation pane in the Settings window, click Users.

            The Users window is displayed with the following information about the users:

            • Username—Username assigned to the user.

            • Role—Role that defines the user's privileges within the APIC-EM. Valid roles are ROLE_ADMIN, ROLE_POLICY_ADMIN, ROLE_OBSERVER, or ROLE_INSTALLER.

            • Scope—Domain or tenancy that the user is allowed to access.

            • Actions—Icons that allow you to edit user information or delete a user.

            Step 3   Click the individual username (link) to view the user's current access status.

            The User Status dialog box opens, displaying the following information:

            • Username

            • Account status—Locked or unlocked

            • Account Locked At—Date and time user account was locked

            • Account Locked Expiration—Time until user account is unlocked

            If you are an administrator, you can unlock the user account by clicking Unlock.

            Note   

            See the Cisco Application Policy Infrastructure Controller Enterprise Module Deployment Guide for information about configuring a password policy for user access to the controller.

            Step 4   When you are finished viewing or editing the user information, click Close.