The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The Cisco APIC-EM supports role-based access control (RBAC). RBAC is a method of restricting or authorizing controller access for users based on their user roles. A role defines the privileges of a user on the controller. Because users are not directly assigned privileges, the management of individual user privileges is simply a matter of assigning the appropriate roles to users who need access the Cisco APIC-EM GUI.
When you deploy the Cisco APIC-EM for the first time, the configuration wizard prompts for a username and password. This first-time user is given full administrative (read and write) permissions for the controller and is able to create user accounts for other users.
Note | Only users with the administrative role (ROLE_ADMIN) can create users and assign user roles. |
Users are assigned roles that determine the functions that they are permitted to perform:
Administrator (ROLE_ADMIN)—Provides full administrative privileges to all Cisco APIC-EM resources, including the ability to add or remove users and accounts. For more information, see Administrator Role.
Note | We highly recommend that you configure at least two users with administrator (ROLE_ADMIN) privileges. In the unlikely event that one user is locked out or forgets his or her password, you have another user with administrative privileges who can help you to recover from this situation. |
Policy Administrator (ROLE_POLICY_ADMIN)—Allows you to create and manage policies. For more information, see Policy Administrator Role.
Observer (ROLE_OBSERVER)—Provides primarily read-only privileges to the Cisco APIC-EM. For information, see Observer Role.
Installer (ROLE_INSTALLER)—Allows an installer to use the Cisco Plug and Play Mobile App to remotely access the APIC-EM controller to deploy devices and view their status. An installer cannot directly access the Cisco APIC-EM GUI. For information, see Installer Role.
Users with the administrator role have full administrative privileges to all Cisco APIC-EM resources, including the ability to add or remove users and accounts. Users with the administrator role (ROLE_ADMIN) can perform the following tasks:
Change their own password (by providing current password).
Create a new user and assign any existing role to it.
View all other users with their role and scope.
Edit their own user role and the user role of any other user.
Delete any user including themselves.
Although an administrator cannot directly change another user's password in the GUI, an administrator can delete and then re-create the user with a new password using the GUI.
For information about the specific resources available to the administrator role, see Cisco APIC-EM Resources and Permissions.
Note | For security reasons, passwords are not displayed to any user, not even those with administrator privileges. |
Note | We highly recommend that you configure at least two users with administrator (ROLE_ADMIN) privileges. In the unlikely event that one user is locked out or forgets his or her password, you have another user with administrative privileges who can help you to recover from this situation. |
The policy administrator role has full read/write access to policy-administration functionality and APIs, including Discovery, Discovery Credentials (global and discovery-specific), Inventory, Topology, Path Trace, and EasyQoS. In particular, a user in this role can create, modify, and deploy application quality-of-service policies.
This role cannot access system-wide controller-administration functions, such as Network Settings (Trustpool, Controller Certificate, Proxy Certificate) and system-wide Controller Settings (Update, Backup & Restore, Logging Level, Auth Timeout, Password Policy, Telemetry Collection and Controller Proxy.) This role cannot create or delete any user accounts but it can change its own password and read its own account information. This role cannot access Prime Credentials.
The observer role provides read-only privileges to the Cisco APIC-EM. Users who are assigned the observer role (ROLE_OBSERVER) can change their own password (by providing current password).
They cannot perform the following tasks:
For information about the specific resources available to the observer role, see Cisco APIC-EM Resources and Permissions.
Note | For security reasons, passwords are not displayed to any user, not even those with administrator privileges. |
Users who are assigned the installer role (ROLE_INSTALLER) can use the Cisco Plug and Play Mobile application to access the Cisco APIC-EM remotely to perform the following functions:
Installers cannot access the Cisco APIC-EM GUI.
Note | For security reasons, passwords are not displayed to any user, not even those with administrator privileges. |
You can create multiple users for the different domains (network or sub-networks) in your network. Each user can have a different role in a different domain. For example, a user can have an observer role in Network A and an administrator role in Network B.
About AAA
Users and their roles are subject to an authentication and authorization process.
With the Cisco APIC-EM, each resource for the controller is mapped to an action and each action is mapped to a required permission for a user. All REST APIs are therefore protected by the controller authentication process. For a list of resources and the roles that are allowed access to them, see Cisco APIC-EM Resources and Permissions.
The following table describes the role permissions that are required for each Cisco APIC-EM resource.
Note | Depending upon your role and its permissions, certain Cisco APIC-EM GUI functionality will not display. To view the role behavior (for example, administrator and observer) side-by-side in the GUI, you need to either use multiple browsers or incognito mode in the browser. You will not be able to view the role behavior side-by-side in a single browser using tabs. |
Resource |
Role Permissions |
---|---|
Discovery: Scan |
|
Inventory: Retrieving inventory list with device credentials |
|
Inventory: Adding tags |
|
Inventory: Creating device roles |
|
Inventory: Actions other than adding tags and creating device roles |
|
Role-based access control: Creating and deleting users and security roles |
|
File Service |
|
Host |
|
Task ID |
|
Telemetry |
|
Topology |
|
Path Analysis |
As an administrator, you can access the content of logs for authenticated sessions. The following information about users, actions, and APIs are captured in these logs for security or troubleshooting purposes:
You can change the password that you use to log into the Cisco APIC-EM.
Note | You can change only your own password. To change another user's password, you must have administrator privileges. Changing the password involves deleting the user from the controller database and then recreating the user as a new user with a new password. |
You can use the password generator provided in the Change Password window or the following guidelines to create a secure password.
Create a password of at least 8 characters and one that contains characters from at least three of the following four classes:
Uppercase alphabet
Lowercase alphabet
Numerical digits
Special characters—include the space character or any of the following characters or character combinations:
! @ # $ % ^ & * ( ) - = + _ { } [ ] \\ | ; : " ' , < . > ? / :: #! ./ ;; >> << () **
In addition to a complex password, you should also ensure that user names do not create security vulnerabilities. To avoid user names that can create security vulnerabilities, the following rules should be followed:
All users should have unique user names and passwords.
Do not allow users to use the admin login and password
To avoid creating security vulnerabilities, we recommend that you follow the Cisco APIC-EM password policies when creating a password. For information, see the Cisco Application Policy Infrastructure Controller Enterprise Module Deployment Guide.
To access the Users window, from the Global toolbar click the Settings icon. Then from the navigation pane on the Settings window, click Users.
Name |
Description |
---|---|
Username |
Displays the user's current access status. |
Create User |
Allows you to add a new user. You must have administrator (ROLE_ADMIN) permissions to perform this procedure. |
Edit |
Allows you to change the user role settings. You cannot change any other settings. You must have administrator (ROLE_ADMIN) permissions to perform this procedure. |
Delete |
Removes the user from the Cisco APIC-EM database. The deleted user is no longer able to log into the controller. You must have administrator (ROLE_ADMIN) permissions to perform this procedure. |
Only a user with the administrator role (ROLE_ADMIN) can add a user to the Cisco APIC-EM.
Note | User information (credentials) is stored in a local database on the controller. |
Note | We highly recommend that you configure at least two users with administrator (ROLE_ADMIN) privileges. In the unlikely event that one user is locked out or forgets his or her password, you have another user with administrative privileges who can help you to recover from this situation. |
You must be an administrator (ROLE_ADMIN).
Step 1 | From the Global toolbar, click the Administrative Functions (Gear) icon > Settings. |
Step 2 | From the
navigation pane in the
Settings window, click
Users.
The Users window is displayed with the following information about the users:
|
Step 3 | Click Create User. |
Step 4 | In the Create User dialog box, enter the username, password (twice), and role of the new user. The scope is set to SCOPE ALL by default. |
Step 5 | Click
Add.
The new user appears in the Users window. |
A user with the administrator role (ROLE_ADMIN) can delete a user from the Cisco APIC-EM.
You must have administrator (ROLE_ADMIN) permissions to perform this procedure.
Step 1 | From the Global toolbar, click the Administrative Functions (Gear) icon > Settings. | ||
Step 2 | From the navigation pane in the
Settings window, click
Users.
The Users window is displayed with the following information about the users:
| ||
Step 3 | Locate the user that you want to delete and,
in the Actions column, click the Delete icon.
The user is deleted from the Cisco APIC-EM database and is unable to access the controller.
|
You can view and change user information.
Note | User information (credentials) is stored in a local database on the controller. |
You must have administrator (ROLE_ADMIN) permissions to perform this procedure.
Step 1 | From the Global toolbar, click the Administrative Functions (Gear) icon > Settings. |
Step 2 | From the
navigation pane in the
Settings window, click
Users.
The Users window is displayed with the following information about the uses:
|
Step 3 | If you want to
edit a user's information, from the
Actions column, click the
Edit icon.
The username and scope are configured by default so you cannot change their settings. However, you can change the role setting. Valid roles are ROLE_ADMIN, ROLE_POLICY_ADMIN, ROLE_OBSERVER, or ROLE_INSTALLER. |
Step 4 | When you are finished editing the user information, click Update. |
As an administrator, you can display the access status of a Cisco APIC-EM user.
You must have administrator (ROLE_ADMIN) permissions to perform this procedure.
Step 1 | From the Global toolbar, click theAdministrative Functions (Gear) icon > Settings. | ||
Step 2 | From the
navigation pane in the
Settings window, click
Users.
The Users window is displayed with the following information about the users:
| ||
Step 3 | Click the
individual username (link) to view the user's current access status.
The User Status dialog box opens, displaying the following information:
If you are an administrator, you can unlock the user account by clicking Unlock.
| ||
Step 4 | When you are finished viewing or editing the user information, click Close. |