Configuring Users, Roles, and Permissions
By default, the Cisco SRE-V software comes with two predefined roles: the esx-admins role and the vm-users role. In addition to these default roles, you can use the Cisco SRE-V commands provided in this chapter to configure additional users and roles, and to give those users permissions to access virtual machines.
This chapter provides the Cisco SRE-V commands to configure users, roles, and permissions. It contains the following sections:
•Users, Roles, Privileges, and Permissions Overview
•Basic Workflow for Configuring Users, Roles, and Permissions
•Working with Users
•Working with User Groups
•Working with Roles
•Working with Permissions
•Basic Workflow Option 1 Example
Users, Roles, Privileges, and Permissions Overview
A user is a person who is authorized to log into the VMware vSphere Hypervisor™. When you assign roles and permissions to users or groups, you control which objects those users can access in the vSphere environment and which actions they can perform on those objects.
The VMware vSphere Hypervisor™ determines the level of access for a user based on the permissions assigned to that user. The combination of user name, password, and permissions is the mechanism by which the VMware vSphere Hypervisor™ authenticates the user for access and authorizes the user to perform activities.
To control which users or user groups can access particular vSphere objects, the VMware vSphere Hypervisor™ uses sets of pre-established privileges, or roles. A permission consists of a role together with a user or group, assigned to an inventory object.
By default, the Cisco SRE-V software comes with two predefined roles: the esx-admins role and the vm-users role. Each role has certain privileges assigned to it. Users with the esx-admins role have the privilege to manage the VMware vSphere Hypervisor™. Users with the vm-users role have the privilege to manage virtual machines.
In addition to the default esx-admins and vm-users roles, you can use the Cisco SRE-V commands provided in this chapter to configure additional users and roles, and to give those users permissions to access virtual machines.
Note: The default pre-configured username for the esx-admins role is esx-admin and the password is change_it. We highly recommend that you change the default password after the first reboot.
Related Topics
•Basic Workflow for Configuring Users, Roles, and Permissions
•Working with Users
•Working with User Groups
•Working with Roles
•Working with Permissions
Basic Workflow for Configuring Users, Roles, and Permissions
Basic Workflow Option 1
1. Create a user. See the "Creating Users" section.
2. Create a role. See the "Creating Roles" section.
3. Add privileges to the role. See the "Adding Privileges to an Existing Role" section.
4. Assign the role to the user. When you assign a role, you provide the user with the permission to access virtual machines with the privileges that apply to the specified role. See the "Assigning a Role to a User" section.
For all of the commands used in the basic workflow option 1, see the "Basic Workflow Option 1 Example" section.
Basic Workflow Option 2
1. Create users. See the "Creating Users" section.
2. Create user groups. See the "Creating User Groups" section.
3. Assign users to user groups. See the "Updating User Group Information" section.
4. Create roles. See the "Creating Roles" section.
5. Add privileges to the roles. See the "Adding Privileges to an Existing Role" section.
6. Assign the roles to the user groups. See the "Adding a Privilege Group to an Existing Role" section.
Working with Users
To create, view, or delete users; or to update user account information, see the following sections:
•Creating Users
•Viewing Existing Users
•Updating User Account Information
•Deleting Users
Creating Users
A user is the person who is authorized to log into the VMware vSphere Hypervisor™. To create a user, use the following command:
user create username password password [fullname full name]
SUMMARY STEPS
From the Console Manager interface, enter:
1. user create username password password [fullname full name]
DETAILED STEPS
To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section.
Step 1
user create username password password [fullname full name]
Example:
SRE-Module# user create jsmith password xQaTEhbU fullname "JohnSmith"
Creates a new user account.
•username—Unique string used to log into the VMware vSphere Hypervisor™. Maximum string length: 16 alphanumeric characters. This login username is case sensitive and must not contain spaces.
•password password—Specifies the password to be used with the username.
password—Alphanumeric string used with this username to provide access to the VMware vSphere Hypervisor™. A password must contain a mix of characters from the following four character classes:
–Lowercase letters
–Uppercase letters
–Digits
–Special characters, such as an underscore or dash
Password Length Requirements:
–If the password contains characters from one or two classes, it must contain eight characters.
–If the password contains characters from three classes, it must contain seven characters.
–If the password contains characters from all four classes, it must contain six characters.
Note: If the password begins with an uppercase character, that character does not count towards the number of character classes used. If the password ends with a digit, that digit does not count towards the number of character classes used.
Password Examples:
–xQaTEhbU—Contains eight characters from two character classes.
–xQaT3pb—Contains seven characters from three character classes.
–xQaT3#—Contains six characters from four character classes.
•fullname full name—(Optional) Specifies the full name of the user.
full name—Alphanumeric string used with this username. Maximum string length: 64 characters. You can choose to create the full name at a later time by using the user update command.
Related Topics
•Creating Roles
•Creating User Groups
Viewing Existing Users
To view details about a specific user or to list all of the existing users, use the following command:
show user {name username | all}
SUMMARY STEPS
From the Console Manager interface, enter:
1. show user {name username | all}
DETAILED STEPS
To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section.
Step 1
show user {name username | all}
Example:
SRE-Module# show user name jsmith
Username: jsmith
Full Name: Linux User,,,
---------- Groups User Belongs To ----------
users
1 total group(s)
---------- Roles Assigned ----------
Role         Object-Defined-In  Propagate
esx-admins   VM: CentOS 5       Yes
esx-admins   Host               Yes
2 total role(s)
SRE-Module# show user all
jsmith
jsmith3
2 total user(s)
Displays details about a specific user or lists all of the existing users.
•name username—Displays details about the specified user.
username—Unique string used to identify the user.
•all—Lists all the existing users.
Updating User Account Information
You can update the user password or full name, or add and remove the user from a specific group. To update existing user account information, use the following command:
user update username {password password | fullname full name | add-group group name | remove-group group name}
SUMMARY STEPS
From the Console Manager interface, enter:
1. user update username {password password | fullname full name | add-group group name | remove-group group name}
DETAILED STEPS
To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section.
Step 1
user update username {password password | fullname full name | add-group group name | remove-group group name}
Example:
SRE-Module# user update jsmith password xQaTEhbU
SRE-Module# user update jsmith fullname "JohnSmith"
SRE-Module# user update jsmith add-group Network
SRE-Module# user update jsmith remove-group Network
Updates the existing user account information. You can update the user password or full name, or add and remove the user from a specific group.
•username—Login username of the user whose account you want to update.
•password password—Specifies the updated password.
password—New alphanumeric string used with this username to provide access to the Cisco SRE Service Module. Maximum string length: 30 alphanumeric characters.
•fullname full name—Specifies the updated fullname.
full name—New full name (alphanumeric string) used with this username. Maximum string length: 64 characters.
•add-group group name—Adds the user to a specified user group.
group name—Name of the group in which you want to add the user.
•remove-group group name—Removes the user from the specified user group.
group name—Name of the group from which you want to remove the user.
Deleting Users
To delete an existing user account, use the following command:
user delete username
SUMMARY STEPS
From the Console Manager interface, enter:
1. user delete username
DETAILED STEPS
To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section.
Step 1
user delete username
Example:
SRE-Module# user delete jsmith
Deletes the specified user account.
•username—Login username of the user whose account you want to delete.
Note: When you delete a specific user, the user group to which the user belongs is not deleted, nor is the role that was assigned to that user.
Working with User Groups
To create, view, or delete user groups, or to update user group information, see the following sections:
•Creating User Groups
•Viewing Existing User Groups
•Updating User Group Information
•Deleting User Groups
Creating User Groups
To create a user group, use the following command:
group create group name
SUMMARY STEPS
From the Console Manager interface, enter:
1. group create group name
DETAILED STEPS
To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section.
Step 1
group create group name
Example:
SRE-Module# group create admin-user
Creates a new user group.
•group name—Unique string used to identify the new user group. Maximum string length: 16 alphanumeric characters. This group name is case sensitive and must not contain spaces.
Related Topic
•Updating User Group Information
Viewing Existing User Groups
To view details about a specific user group or to list all of the existing user groups, use the following command:
show group {name group name | all}
SUMMARY STEPS
From the Console Manager interface, enter:
1. show group {name group name | all}
DETAILED STEPS
To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section.
Step 1
show group {name group name | all}
Example:
SRE-Module# show group name vmadmin_group
Group Name: vmadmin_group
---------- Users Belong to the Group ----------
0 total user(s)
---------- Roles Assigned ----------
Role         Object-Defined-In  Propagate
0 total role(s)
SRE-Module# show group all
vmadmin_group
vmuser_group
2 total group(s)
Displays details about a specific group or lists all of the existing user groups.
•name group name—Displays details about a specific user group.
group name—Unique string used to identify the user group.
•all—Displays all the existing user groups.
Updating User Group Information
To add or remove the specified user from a group, use the following command:
group update group name {add-user username | remove-user username}
SUMMARY STEPS
From the Console Manager interface, enter:
1. group update group name {add-user username | remove-user username}
DETAILED STEPS
To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section.
Step 1
group update group name {add-user username | remove-user username}
Example:
SRE-Module# group update supergroup add-user jsmith3
SRE-Module# group update supergroup remove-user jsmith3
Updates the existing user group information. You can use this command to add or remove the specified user from a group.
•group name—Name of the group that you want to update.
•add-user username—Adds the specified user to the group.
username—Unique string used to identify the user.
•remove-user username—Removes the specified user from the group.
username—Unique string used to identify the user.
Related Topic
•Creating Roles
Deleting User Groups
To delete an existing user group, use the following command:
group delete group name
SUMMARY STEPS
From the Console Manager interface, enter:
1. group delete group name
DETAILED STEPS
To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section.
Step 1
group delete group name
Example:
SRE-Module# group delete supergroup1
Deletes the specified group.
•group name—Name of the group that you want to delete.
Note: When you delete a specific group, the user accounts that belong to the group are not deleted, nor are the roles that are assigned to that group.
Working with Roles
To create, view, or delete roles; or to update existing role information, see the following sections:
•Creating Roles
•Viewing Existing Roles
•Updating Existing Role Information
•Viewing System Pre-defined Privileges
•Deleting Roles
Creating Roles
To create a role, use the following command:
role create role name
SUMMARY STEPS
From the Console Manager interface, enter:
1. role create role name
DETAILED STEPS
To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section.
Step 1
role create role name
Example:
SRE-Module# role create SuperRole
Creates a new role.
•role name—Unique string used to identify the role. Maximum string length: 80 alphanumeric characters. The role name is not case sensitive and can contain spaces.
Related Topic
•Adding Privileges to an Existing Role
Viewing Existing Roles
To view details about a specific role or to list all of the existing roles, use the following command:
show role {name role name | all}
SUMMARY STEPS
From the Console Manager interface, enter:
1. show role {name role name | all}
DETAILED STEPS
To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section.
Step 1
show role {name role name | all}
Example:
SRE-Module# show role name SuperRole
Role Name: SuperRole
---------- Permissions Granted ----------
Users:
jsmith (Host, Propagate)
1 total user(s)
Groups:
admingroup (Host, Propagate)
1 total group(s)
---------- Privileges ----------
System.Anonymous
System.Read
System.View
3 total privileges
SRE-Module# show role all
No Access
Read-only
Administrator
SuperRole
4 total role(s)
Displays details about a specific role or lists all of the existing roles.
•name role name—Displays the following details about the specified role:
–Privileges that are associated with the role.
–Permissions, such as users or user groups that are granted with the role.
role name—Unique string used to identify the role.
•all—Lists all of the existing roles in the system. Only the role names are listed.
Updating Existing Role Information
You update role information by adding or removing privileges from an existing role. A role can have one or more privileges associated with it. Privileges are pre-defined in VMware vSphere Hypervisor™. Each privilege has a unique ID, which is contained in a privilege group. The privilege group can have one or more privileges. For example:
•The VirtualMachine.Config.AddNewDisk privilege is associated with a role called SuperRole.
•The VirtualMachine.Config.AddNewDisk privilege belongs to the privilege group called VirtualMachine.Config.
•The VirtualMachine.Config privilege group also has other privileges besides the VirtualMachine.Config.AddNewDisk privilege.
To add or remove privileges or a privilege group from an existing role, see the following sections:
•Adding Privileges to an Existing Role
•Removing Privileges from an Existing Role
•Adding a Privilege Group to an Existing Role
•Removing a Privilege Group from an Existing Role
Adding Privileges to an Existing Role
To add a privilege to an existing role, use the following command:
role update role name add-privilege {privilege ID | all}
SUMMARY STEPS
From the Console Manager interface, enter:
1. role update role name add-privilege {privilege ID | all}
DETAILED STEPS
To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section.
Step 1
role update role name add-privilege {privilege ID | all}
Example:
SRE-Module# role update SuperRole add-privilege VirtualMachine.Config.AddNewDisk
SRE-Module# role update SuperRole add-privilege all
Adds the privilege to the specified role.
•role name—Unique string used to identify the role.
•add-privilege privilege ID—Adds the privilege to the specified role.
privilege ID—Privilege string to be added.
•all—Adds all of the privileges to the specified role.
Related Topics
•Assigning a Role to a User
•Adding a Privilege Group to an Existing Role
Removing Privileges from an Existing Role
To remove a privilege from an existing role, use the following command:
role update role name remove-privilege {privilege ID | all}
SUMMARY STEPS
From the Console Manager interface, enter:
1. role update role name remove-privilege {privilege ID | all}
DETAILED STEPS
To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section.
Step 1
role update role name remove-privilege {privilege ID | all}
Example:
SRE-Module# role update SuperRole remove-privilege VirtualMachine.Config.AddNewDisk
SRE-Module# role update SuperRole remove-privilege all
Removes the privilege from the specified role.
•role name—Unique string used to identify the role.
•remove-privilege privilege ID—Removes the privilege from the specified role.
privilege ID—Privilege string to be removed.
•all—Removes all of the privileges from the specified role.
Adding a Privilege Group to an Existing Role
To add a privilege group to an existing role, use the following command:
role update role name add-privilege-group {privilege group ID | all}
SUMMARY STEPS
From the Console Manager interface, enter:
1. role update role name add-privilege-group {privilege group ID | all}
DETAILED STEPS
To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section.
Step 1
role update role name add-privilege-group {privilege group ID | all}
Example:
SRE-Module# role update SuperRole add-privilege-group VirtualMachine.Config
SRE-Module# role update SuperRole add-privilege-group all
Adds the privilege group to the specified role.
•role name—Unique string used to identify the role.
•add-privilege-group privilege group ID—Adds the privilege group to the specified role.
privilege group ID—Privilege group string to be added.
•all—Adds all of the privilege groups to the specified role.
Removing a Privilege Group from an Existing Role
To remove a privilege group from an existing role, use the following command:
role update role name remove-privilege-group {privilege group ID | all}
SUMMARY STEPS
From the Console Manager interface, enter:
1. role update role name remove-privilege-group {privilege group ID | all}
DETAILED STEPS
To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section.
Step 1
role update role name remove-privilege-group {privilege group ID | all}
Example:
SRE-Module# role update SuperRole remove-privilege-group VirtualMachine.Config
SRE-Module# role update SuperRole remove-privilege-group all
Removes the privilege group from the specified role.
•role name—Unique string used to identify the role.
•remove-privilege-group privilege group ID—Removes the privilege group from the specified role.
privilege group ID—Privilege group string to be removed.
•all—Removes all of the privilege groups from the specified role.
Viewing System Pre-defined Privileges
To view system pre-defined privileges, see the following sections:
•Viewing Privileges
•Viewing Group Privileges
Viewing Privileges
To view all of the system predefined privileges, use the following command:
show privilege all
SUMMARY STEPS
From the Console Manager interface, enter:
1. show privilege all
DETAILED STEPS
To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section.
Step 1
show privilege all
Example:
SRE-Module# show privilege all
System.Anonymous
System.View
System.Read
...
208 total privileges
Displays all of the system predefined privileges.
Viewing Group Privileges
To view the privileges of a specific group; or to view all the system predefined privilege groups, use the following command:
show privilege-group {privilege group ID | all}
SUMMARY STEPS
From the Console Manager interface, enter:
1. show privilege-group {privilege group ID | all}
DETAILED STEPS
To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section.
Step 1
show privilege-group {privilege group ID | all}
Example:
SRE-Module# show privilege-group System
System.Anonymous
System.View
System.Read
3 total privileges
SRE-Module# show privilege-group all
System
Global
Folder
...
27 total privilege groups
Displays the privileges of a specific group or displays all the system predefined privilege groups.
•privilege group ID—Privilege group string for which you want the predefined privileges displayed.
•all—Displays all of the system predefined privilege groups.
Deleting Roles
To delete an existing role, use the following command:
role delete role name
SUMMARY STEPS
From the Console Manager interface, enter:
1. role delete role name
DETAILED STEPS
To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section.
Step 1
role delete role name
Example:
SRE-Module# role delete SuperRole
Deletes the specified role.
•role name—Name of the role that you want to delete.
Note: When you delete a specific role, the users or the user groups that are assigned to that role are not deleted.
Working with Permissions
A permission is an object that consists of an authorization role, a user or group name, a managed virtual machine, and a host reference. A permission allows the user to access a virtual machine with any of the privileges that apply to the specified role.
To assign or remove a role from a user or user group, use the permission add or permission remove commands.
See the following sections for more information:
•Assigning a Role to a User
•Removing a Role from a User
•Assigning a Role to a User Group
•Removing a Role from a User Group
Assigning a Role to a User
When you assign a role to a user, you provide the user with the permission to access a virtual machine with the privileges that apply to the specified role. To assign the role to the user, use the following command:
permission add role name user username [virtual-machine VM] [nopropogate]
SUMMARY STEPS
From the Console Manager interface, enter:
1. permission add role name user username [virtual-machine VM] [nopropogate]
DETAILED STEPS
To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section.
Step 1
permission add role name user username [virtual-machine VM] [nopropogate]
Example:
SRE-Module# permission add SuperRole user jsmith virtual-machine VM_1 nopropogate
Assigns the role to the user and provides the user with the permission to access a virtual machine with any of the privileges that apply to the specified role.
•role name—Name of the role that you want to assign to the user.
•user username—Specifies the username to which you want to assign the role.
username—Unique string used to identify the user.
•virtual-machine VM—(Optional) Provides the user the permission to access the specified virtual machine.
VM—Name of the virtual machine.
Role permissions are provided at object level in VMware vSphere Hypervisor™. The virtual-machine keyword provides the user the permission to access the specified virtual machine. Without the virtual-machine keyword, the user has the permission to access all of the virtual machines in the system.
•nopropogate—(Optional) Does not allow role permissions to be propagated to the sub-entities of the host. Without the nopropogate keyword, permissions are propagated to the granted object.
Removing a Role from a User
When you remove a role from a user, the permission for the user to access the virtual machine is also removed. To remove the role from the user, use the following command:
permission remove role name user username [virtual-machine VM] [nopropogate]
SUMMARY STEPS
From the Console Manager interface, enter:
1. permission remove role name user username [virtual-machine VM] [nopropogate]
DETAILED STEPS
To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section.
Step 1
permission remove role name user username [virtual-machine VM] [nopropogate]
Example:
SRE-Module# permission remove SuperRole user jsmith virtual-machine VM_1 nopropogate
Removes the role from the user. When you remove the role, the permission for the user to access the virtual machine is also removed.
•role name—Name of the role that you want to remove from the user.
•user username—Specifies the username of the user whose role you want to remove.
username—Unique string used to identify the user.
•virtual-machine VM—(Optional) Removes the role permission from the specified virtual machine.
VM—Name of the virtual machine.
Role permissions are provided at object level in VMware vSphere Hypervisor™. The virtual-machine keyword removes the user's permission to access the specified virtual machine. Without the virtual-machine keyword, the user cannot access any of the virtual machines in the system.
•nopropogate—(Optional) Does not allow role permissions to be propagated to the sub-entities of the host.
Assigning a Role to a User Group
When you assign a role to a user group, you provide the user group the permission to access a virtual machine with any of the privileges that apply to the specified role. To assign a role to a user group, use the following command:
permission add role name group group name [virtual-machine VM] [nopropogate]
SUMMARY STEPS
From the Console Manager interface, enter:
1. permission add role name group group name [virtual-machine VM] [nopropogate]
DETAILED STEPS
To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section.
Step 1
permission add role name group group name [virtual-machine VM] [nopropogate]
Example:
SRE-Module# permission add SuperRole group Network virtual-machine VM_1 nopropogate
Assigns the role to the user group and provides the user group the permission to access a virtual machine with any of the privileges that apply to the specified role.
•role name—Name of the role that you want to assign to the user group.
•group group name—Specifies the name of the user group to which you want to assign the role.
group name—Unique string used to identify the user group.
•virtual-machine VM—(Optional) Provides the user the permission to access the specified virtual machine.
VM—Name of the virtual machine.
Role permissions are provided at object level in VMware vSphere Hypervisor™. The virtual-machine keyword provides the user group the permission to access the specified virtual machine. Without the virtual-machine keyword, the user group has the permission to access all of the virtual machines in the system.
•nopropogate—(Optional) Does not allow role permissions to be propagated to the sub-entities of the host. Without the nopropogate keyword, permissions are propagated to the granted object.
Removing a Role from a User Group
When you remove a role from a user group, the permission for the user group to access the virtual machine is also removed. To remove the role from the user group, use the following command:
permission remove role name group group name [virtual-machine VM] [nopropogate]
SUMMARY STEPS
From the Console Manager interface, enter:
1. permission remove role name group group name [virtual-machine VM] [nopropogate]
DETAILED STEPS
To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section.
Step 1
permission remove role name group group name [virtual-machine VM] [nopropogate]
Example:
SRE-Module# permission remove SuperRole group Network virtual-machine VM_1 nopropogate
Removes the role from the user group. When you remove the role, the permission for the user group to access the virtual machine is also removed.
•role name—Name of the role that you want to remove from the user group.
•group group name—Specifies the name of the user group whose role you want to remove.
group name—Unique string used to identify the user group.
•virtual-machine VM—(Optional) Removes the role permission from the specified virtual machine.
VM—Name of the virtual machine.
Role permissions are provided at object level in VMware vSphere Hypervisor™. The virtual-machine keyword removes the user group's permission to access the specified virtual machine. Without the virtual-machine keyword, the user group cannot access any of the virtual machines in the system.
•nopropogate—(Optional) Does not allow role permissions to be propagated to the sub-entities of the host.
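The optional keywords in the role and permission commands above decide how broad a grant is: omitting virtual-machine covers every virtual machine, omitting nopropogate lets the permission propagate, and all adds every privilege or privilege group to a role. The following Python script is an added example, not part of the Cisco guide or Cisco's software; it reviews a planned command script written in the syntax shown on this page and reports those broad grants before the commands are entered. The finding codes, function names, and sample script are constructed for illustration.

```python
import shlex

PROMPT = "SRE-Module#"
DEFAULT_PASSWORD = "change_it"  # default esx-admin password stated on this page

# Finding codes are hypothetical names chosen for this example.
MEANING = {
    "ALL_VMS": "no virtual-machine keyword: the grant covers every virtual machine",
    "PROPAGATES": "no nopropogate keyword: the permission is propagated",
    "HYPERVISOR_ADMIN": "esx-admins role: can manage the hypervisor itself",
    "ALL_PRIVILEGES": "'all' adds every privilege or privilege group to the role",
    "DEFAULT_PASSWORD": "password is the documented default",
    "UNPARSEABLE": "line could not be parsed; review it by hand",
}


def value_after(tokens, keyword, start):
    """Return the token that follows `keyword` (searching from `start`), or None."""
    for i in range(start, len(tokens) - 1):
        if tokens[i] == keyword:
            return tokens[i + 1]
    return None


def review_command(line):
    """Return a sorted list of finding codes for one command line."""
    line = line.strip()
    if line.startswith(PROMPT):
        line = line[len(PROMPT):]
    try:
        tok = shlex.split(line)
    except ValueError:  # unbalanced quotes
        return ["UNPARSEABLE"]
    findings = set()
    if tok[:2] == ["permission", "add"]:
        # A role name may contain spaces, so it runs up to the first
        # 'user' or 'group' keyword; options follow the principal name.
        idx = next((i for i in range(2, len(tok)) if tok[i] in ("user", "group")), None)
        if idx is None or idx + 1 >= len(tok):
            return ["UNPARSEABLE"]
        role, opts = " ".join(tok[2:idx]), tok[idx + 2:]
        if "virtual-machine" not in opts:
            findings.add("ALL_VMS")
        if "nopropogate" not in opts:
            findings.add("PROPAGATES")
        if role == "esx-admins":
            findings.add("HYPERVISOR_ADMIN")
    elif tok[:2] == ["role", "update"]:
        for keyword in ("add-privilege", "add-privilege-group"):
            if value_after(tok, keyword, 3) == "all":
                findings.add("ALL_PRIVILEGES")
    elif tok[:2] in (["user", "create"], ["user", "update"]):
        if value_after(tok, "password", 3) == DEFAULT_PASSWORD:
            findings.add("DEFAULT_PASSWORD")
    return sorted(findings)


def review_script(text):
    """Return [(line_number, [codes])] for every line that has findings."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        codes = review_command(line)
        if codes:
            results.append((lineno, codes))
    return results


# Constructed sample change script (not taken from the Cisco guide).
SAMPLE_SCRIPT = """\
user create jsmith password xQaT3# fullname "JohnSmith"
role create VmOperator
role update VmOperator add-privilege VirtualMachine.Config.AddNewDisk
SRE-Module# permission add VmOperator user jsmith virtual-machine VM_1 nopropogate
role update SuperRole add-privilege-group all
permission add SuperRole group Network
user update esx-admin password change_it
"""

if __name__ == "__main__":
    for lineno, codes in review_script(SAMPLE_SCRIPT):
        for code in codes:
            print("line %d: %s (%s)" % (lineno, code, MEANING[code]))
```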
Basic Workflow Option 1 Example
To create a user and role, add privileges to the role, and then assign the role to the user, follow these steps.
SUMMARY STEPS
From the Console Manager interface, enter:
1. user create username password password [fullname full name]
2. role create role name
3. role update role name add-privilege {privilege ID | all}
4. permission add role name user username [virtual-machine VM] [nopropogate]
5. exit
DETAILED STEPS
To perform configuration tasks on the Cisco SRE Service Module, you must enter the Cisco SRE-V command environment, and then enter the configuration commands. See the "Entering the Cisco SRE-V Command Environment" section.
Step 1
user create username password password [fullname full name]
Example:
SRE-Module# user create jsmith password xQaTEhbU fullname "JohnSmith"
Creates a new user account.
•username—Unique string used to log into the VMware vSphere Hypervisor™. Maximum string length: 16 alphanumeric characters. This login username is case sensitive and must not contain spaces.
•password password—Specifies the password to be used with the username.
  password—Alphanumeric string used with this username to provide access to the VMware vSphere Hypervisor™. A password must contain a mix of characters from the following four character classes:
  –Lowercase letters
  –Uppercase letters
  –Digits
  –Special characters, such as an underscore or dash
  Password Length Requirements:
  –If the password contains characters from one or two classes, it must contain eight characters.
  –If the password contains characters from three classes, it must contain seven characters.
  –If the password contains characters from all four classes, it must contain six characters.
  Note: If the password begins with an uppercase character, that character does not count towards the number of character classes used. If the password ends with a digit, that digit does not count towards the number of character classes used.
  Password Examples:
  –xQaTEhbU—Contains eight characters from two character classes.
  –xQaT3pb—Contains seven characters from three character classes.
  –xQaT3#—Contains six characters from four character classes.
•fullname full name—(Optional) Specifies the full name of the user.
  full name—Alphanumeric string used with this username. Maximum string length: 64 characters.
  You can choose to create the full name at a later time by using the user update command.

Step 2
role create role name
Example:
SRE-Module# role create SuperRole
Creates a role.
•role name—Unique string used to identify the role. Maximum string length: 80 alphanumeric characters. The role name is not case sensitive and can contain spaces.

Step 3
role update role name add-privilege {privilege ID | all}
Example:
SRE-Module# role update SuperRole add-privilege VirtualMachine.Config.AddNewDisk
SRE-Module# role update SuperRole add-privilege all
Adds the privilege to the specified role.
•role name—Unique string used to identify the role.
•add-privilege privilege ID—Adds the privilege to the specified role.
  privilege ID—Privilege string to be added.
•all—Adds all of the privileges to the specified role.

Step 4
permission add role name user username [virtual-machine VM] [nopropogate]
Example:
SRE-Module# permission add SuperRole user jsmith virtual-machine VM_1 nopropogate
Assigns the role to the user and provides the user with the permission to access a virtual machine with any of the privileges that apply to the specified role.
•role name—Name of the role that you want to assign to the user.
•user username—Specifies the username to which you want to assign the role.
  username—Unique string used to identify the user.
•virtual-machine VM—(Optional) Provides the user the permission to access the specified virtual machine.
  VM—Name of the virtual machine.
  Role permissions are provided at object level in VMware vSphere Hypervisor™. The virtual-machine keyword gives the user the permission to access the specified virtual machine. Without the virtual-machine keyword, the user has the permission to access all of the virtual machines in the system.
•nopropogate—(Optional) Does not allow role permissions to be propagated to the sub-entities of the host. Without the nopropogate keyword, permissions are propagated to the granted object.

Step 5
exit
Closes the service module session.