Cisco Prime DCNM User Roles
Cisco DCNM defines what operations a user can perform in Cisco DCNM Web Client by controlling what features are available in the menu and tool bar items. Cisco DCNM role-based authorization limits access to the server operations depending on the user roles.
Cisco DCNM Credentials
Cisco DCNM has two sets of credentials, namely:
- Device credentials—used to discover and manage devices
- Cisco DCNM credentials—used to access the Cisco DCNM server.
This document describes DCNM credentials and how user roles are mapped to specific sets of DCNM server operations.
Cisco DCNM Users
Cisco DCNM user-based access allows the administrator to control the access to the Cisco DCNM server by using the DCNM client (Web Client or LAN client). The user access is secured by a password.
DCNM Roles
Cisco DCNM authorizes user access based on roles. Role-based authorization limits access to Cisco DCNM server operations according to the roles to which users are assigned. Cisco DCNM does not define new roles for access to the DCNM server; instead, it leverages the existing roles that are supported on the monitored devices, such as Cisco MDS 9000 Series Switches and Cisco Nexus Switches.
Cisco DCNM supports the following roles:
- global-admin
- network-admin
- lan-network-admin
- san-network-admin
- san-admin
- server-admin
- sme-admin
- sme-stg-admin
- sme-kmc-admin
- sme-recovery
- network-operator
In a typical enterprise environment, users and their roles are defined in a centralized place such as TACACS+, RADIUS, or LDAP. Because Cisco DCNM supports the existing device roles, the administrator does not need to define new roles specifically for it.
Roles from Cisco DCNM Perspective
A Cisco DCNM perspective defines the operations a user can perform on the Cisco DCNM client by controlling the menu and tool bar items. Different perspectives define different sets of operations.
For example, the Admin perspective allows all operations by showing all the menu and tool bar items, whereas the Operator perspective allows a limited set of operations by hiding the Admin and Config menu items.
Each DCNM user role is mapped to a particular DCNM perspective, which allows limited access to server features. DCNM clients support the following four perspectives:
- Admin Perspective
- Server Admin Perspective
- SME Perspective
- Operator Perspective
Table 3-1 describes how DCNM roles are mapped to client perspectives.
Admin Perspective
Admin Perspective can be accessed through the Cisco DCNM Web Client and SAN Client only, by the users who are assigned the role of global-admin, network-admin, san-admin, san-network-admin and lan-network-admin.
Web Client Admin Perspective
The Web client admin perspective has full control of the DCNM server and can access all the features. Through access to the Admin menu items, these users also have full control of the Cisco DCNM authentication settings.
SAN Thick Client Admin Perspective
SAN thick client admin perspective has full control of the DCNM server and can access all the features. All the top-level menu items are accessible.
Server Admin Perspective
Server admin perspective can be accessed via web client and SAN thick client only by the users who are assigned the role of server-admin.
Web Client Server Admin Perspective
The Web client server admin perspective has access to all the web client features. Through access to the Admin menu items, these users also have full control of the Cisco DCNM authentication settings.
SAN Thick Client Server Admin Perspective
The configuration capabilities of the server admin role are limited to FlexAttach and relevant data. The server admin can pre-configure the SAN for new servers, move a server to another port on the same NPV device or on another NPV device, and replace a failed server on the same port without involving the SAN administrator. Menu items that are not related to server management, such as Zone and Performance, are not accessible. The SAN thick client server admin perspective has no access to the Discover button or the Fabrics and License Files tabs, and the server admin cannot manage Fabric Manager users or connected clients in the SAN thick client.
SME Perspective
The Storage Media Encryption (SME) perspective is designed for users with the sme-admin, sme-stg-admin, sme-kmc-admin, and sme-recovery roles. It is divided into five different SME admin perspectives according to the roles:
Web Client SME Admin Perspective
The Web client SME admin perspective is designed for users with the sme-admin role. These users have no access to the Admin and Config menu items in the Web client and cannot use the features under those menu items. The SME provisioning features, on the other hand, are accessible.
SME Storage Perspective
The SME storage perspective is designed for users with the sme-stg-admin role. These users have the same perspective as the sme-admin role, except that they cannot manage the key management features.
SME Key Management Perspective
The SME key management perspective is designed for users with the sme-kmc-admin role. These users have the same perspective as the sme-admin role, except that they cannot perform SME configurations.
SME Recovery Perspective
The SME recovery perspective is designed for users with the sme-recovery role, for master key recovery. These users have the same perspective as the sme-admin role, except that they cannot perform the storage and key management features.
SAN Thick Client SME Perspective
The SAN thick client SME perspective has no access to the Discover button or the Fabrics and License Files tabs. Like the operator perspective, none of the SME-related perspectives can manage Fabric Manager users or connected clients.
Operator Perspective
The Operator perspective is designed for users with the network-operator and lan-network-admin roles; the lan-network-admin role has only the SAN thick client operator perspective.
Web Client Operator Perspective
Web client operator perspective has no access to Admin and Config menu items and the features under those menu items cannot be used. All the other features can be used.
SAN Thick Client Operator Perspective
The SAN thick client operator perspective has no access to the Discover button or the Fabrics and License Files tabs, and cannot manage Fabric Manager users or connected clients.
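Because roles are defined centrally and the Web Client Admin and Server Admin perspectives both include the Admin menu, and with it control of the DCNM authentication settings, a periodic review of who holds those roles is worthwhile. The following Python script is an added example, not Cisco code: it checks a role export for accounts whose roles reach that menu and for role names this page does not list. The export format (account, then semicolon-separated roles) and the sample accounts are constructed for illustration.

```python
import csv
import io

# Web Client perspective per role, transcribed from the sections of this page.
WEB_PERSPECTIVE = {
    **dict.fromkeys(("global-admin", "network-admin", "san-admin",
                     "san-network-admin", "lan-network-admin"), "admin"),
    "server-admin": "server-admin",
    **dict.fromkeys(("sme-admin", "sme-stg-admin", "sme-kmc-admin",
                     "sme-recovery"), "sme"),
    "network-operator": "operator",
}

# Perspectives the page describes as having the Admin menu in the Web Client,
# and therefore control of the DCNM authentication settings.
AUTH_SETTINGS_PERSPECTIVES = {"admin", "server-admin"}

# Constructed sample export (format and accounts are assumptions for this example).
SAMPLE_EXPORT = """\
alice,global-admin
bob,network-operator
carol,server-admin
dave,sme-kmc-admin;lan-network-admin
erin,sme-sgt-admin
"""


def audit(export_text):
    """Return (accounts that reach authentication settings, accounts with unlisted roles).

    Each result maps an account name to the roles that caused the finding.
    An account is reported if any one of its roles qualifies.
    """
    privileged, unlisted = {}, {}
    for row in csv.reader(io.StringIO(export_text)):
        if len(row) != 2:
            continue  # skip blank or malformed lines
        account = row[0].strip()
        roles = [r.strip() for r in row[1].split(";") if r.strip()]
        for role in roles:
            persp = WEB_PERSPECTIVE.get(role)  # role names are compared as written
            if persp is None:
                unlisted.setdefault(account, []).append(role)  # e.g. a misspelled role
            elif persp in AUTH_SETTINGS_PERSPECTIVES:
                privileged.setdefault(account, []).append(role)
    return privileged, unlisted


if __name__ == "__main__":
    for label, result in zip(("auth-settings control", "unlisted role"), audit(SAMPLE_EXPORT)):
        for account, roles in result.items():
            print(f"{label}: {account} ({', '.join(roles)})")
```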