The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter includes the following sections:
Role-Based Access Control (RBAC) is a method of restricting or authorizing system access for users based on user roles and locales. A role defines the privileges of a user in the system and the locale defines the organizations (domains) that a user is allowed access. Because users are not directly assigned privileges, management of individual user privileges is simply a matter of assigning the appropriate roles and locales.
A user is granted write access to desired system resources only if the assigned role grants the access privileges and the assigned locale allows access. For example, a user with the Server Administrator role in the Engineering organization could update server configurations in the Engineering organization but could not update server configurations in the Finance organization unless the locales assigned to the user include the Finance organization.
User accounts are used to access the system. Up to 48 user accounts can be configured in each Cisco UCS instance. Each user account must have a unique username and password.
A user account can be set with a SSH public key. The public key can be set in either of the two formats: OpenSSH and SECSH.
Each Cisco UCS instance has a default user account, admin, which cannot be modified or deleted. This account is the system administrator or superuser account and has full privileges. There is no default password assigned to the admin account; you must choose the password during the initial system setup.
The unique username for each user account cannot be all-numeric and cannot start with a number.
If an all-numeric username exists on an AAA server (RADIUS or TACACS+) and is entered during login, Cisco UCS Manager cannot log in the user. You cannot create a local user with an all-numeric username.
For authentication purposes, a password is required for each user account. To prevent users from choosing insecure passwords, each password should meet the following requirements and guidelines:
Must be least 8 characters long
Must not contain more than 3 consecutive characters, such as abcd
Must not contain more than 3 repeating characters, such as aaabbb
Should not be based on standard dictionary words
Should not contain common proper names
Should contain at least 5 uppercase letters, such as N, or 5 lowercase letters, such as t, or a combination of both
Should contain at least 2 numerical characters, such as 5
Should contain at least 1 special character, such as $
Should not be blank for local user accounts
If the Cisco UCS instance is configured to use remote authentication with LDAP, RADIUS, or TACACS+, passwords for those remote accounts can be blank. With this configuration, the remote credentials store is used just for authentication, not authorization. The definition of the local user role definition applies to the remotely authenticated user.
User accounts can be configured to expire at a predefined time. When the expiration time is reached the user account is disabled.
By default, user accounts do not expire.
User roles contain one or more privileges that define the operations allowed for the user who is assigned the role. A user can be assigned one or more roles. A user assigned multiple roles has the combined privileges of all assigned roles. For example, if Role1 has storage related privileges, and Role2 has server related privileges, users who are assigned to both Role1 and Role2 have storage and server related privileges.
All roles include read access to all configuration settings in the Cisco UCS instance. The difference between the read-only role and other roles is that a user who is only assigned the read-only role cannot modify the system state. A user assigned another role can modify the system state in that user's assigned area or areas.
The system contains the following default user roles:
Read-and-write access to users, roles, and AAA configuration. Read access to the rest of the system.
Complete read-and-write access to the entire system. The default admin account is assigned this role by default and it cannot be changed.
Read-and-write access to fabric interconnect infrastructure and network security operations. Read access to the rest of the system.
Read-and-write access to systems logs, including the syslog servers, and faults. Read access to the rest of the system.
Read-only access to system configuration with no privileges to modify the system state.
Read-and-write access to physical server related operations. Read access to the rest of the system.
Read-and-write access to logical server related operations. Read access to the rest of the system.
Read-and-write access to server security related operations. Read access to the rest of the system.
Read-and-write access to storage operations. Read access to the rest of the system.
Roles can be created, modified to add new or remove existing privileges, or deleted. When a role is modified, the new privileges are applied to all users assigned to that role. Privilege assignment is not restricted to the privileges defined for the default roles. That is, you can use a custom set of privileges to create a unique role. For example, the default Server Administrator and Storage Administrator roles have different set of privileges, but a new Server and Storage Administrator role can be created that combines the privileges of both roles.
If a role is deleted after it has been assigned to users, it is also deleted from those user accounts.
User profiles on AAA servers (RADIUS or TACACS+) should be modified to add the roles corresponding to the privileges granted to that user. The cisco-av-pair vendor-specific attribute is used to store the role information. The AAA servers return this attribute with the request and parse it to get the roles. LDAP servers return the roles in the user profile attributes.
Privileges give users assigned to user roles access to specific system resources and permission to perform specific tasks. The following table lists each privilege and the user role given that privilege by default.
Privilege |
Description |
Default Role Assignment |
---|---|---|
aaa |
System security and AAA |
AAA Administrator |
admin |
System administration |
Administrator |
ext-lan-config |
External LAN configuration |
Network Administrator |
ext-lan-policy |
External LAN policy |
Network Administrator |
ext-lan-qos |
External LAN QoS |
Network Administrator |
ext-lan-security |
External LAN security |
Network Administrator |
ext-san-config |
External SAN configuration |
Storage Administrator |
ext-san-policy |
External SAN policy |
Storage Administrator |
ext-san-qos |
External SAN QoS |
Storage Administrator |
ext-san-security |
External SAN security |
Storage Administrator |
fault |
Alarms and alarm policies |
Operations |
operations |
Logs and Smart Call Home |
Operations |
pod-config |
Pod configuration |
Network Administrator |
pod-policy |
Pod policy |
Network Administrator |
pod-qos |
Pod QoS |
Network Administrator |
pod-security |
Pod security |
Network Administrator |
read-only |
Read-only access Read-only cannot be selected as a privilege; it is assigned to every user role. |
Read-Only |
server-equipment |
Server hardware management |
Server Equipment Administrator |
server-maintenance |
Server maintenance |
Server Equipment Administrator |
server-policy |
Server policy |
Server Equipment Administrator |
server-security |
Server security |
Server Security Administrator |
service-profile-config |
Service profile configuration |
Server Profile Administrator |
service-profile-config-policy |
Service profile configuration policy |
Server Profile Administrator |
service-profile-ext-access |
Service profile end point access |
Server Profile Administrator |
service-profile-network |
Service profile network |
Network Administrator |
service-profile-network-policy |
Service profile network policy |
Network Administrator |
service-profile-qos |
Service profile QoS |
Network Administrator |
service-profile-qos-policy |
Service profile QoS policy |
Network Administrator |
service-profile-security |
Service profile security |
Server Security Administrator |
service-profile-security-policy |
Service profile security policy |
Server Security Administrator |
service-profile-server |
Service profile server management |
Server Security Administrator |
service-profile-server-policy |
Service profile pool policy |
Server Security Administrator |
service-profile-storage |
Service profile storage |
Storage Administrator |
service-profile-storage-policy |
Service profile storage policy |
Storage Administrator |
A user can be assigned one or more locales. Each locale defines one or more organizations (domains) the user is allowed access, and access would be limited to the organizations specified in the locale. One exception to this rule is a locale without any organizations, which gives unrestricted access to system resources in all organizations.
Users with AAA Administrator privileges (AAA Administrator role) can assign organizations to the locale of other users. The assignment of organizations is restricted to only those in the locale of the user assigning the organizations. For example, if a locale contains only the Engineering organization then a user assigned that locale can only assign the Engineering organization to other users.
You can hierarchically manage organizations. A user that is assigned at a top level organization has automatic access to all organizations under it. For example, an Engineering organization can contain a Software Engineering organization and a Hardware Engineering organization. A locale containing only the Software Engineering organization has access to system resources only within that organization; however, a locale that contains the Engineering organization has access to the resources for both the Software Engineering and Hardware Engineering organizations.
Configuring User Roles
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 | UCS-A# scope security | Enters security mode. |
||
Step 2 | UCS-A /security # create role name | Creates the user role and enters security role mode. |
||
Step 3 | UCS-A /security/role # add privilege privilege-name | Adds one or more privileges to the role.
|
||
Step 4 | UCS-A /security/role # commit-buffer | Commits the transaction to the system configuration. |
The following example creates the service-profile-security-admin role, adds the service profile security and service profile security policy privileges to the role, and commits the transaction:
UCS-A# scope security UCS-A /security # create role ls-security-admin UCS-A /security/role* # add privilege service-profile-security service-profile-security-policy UCS-A /security/role* # commit-buffer UCS-A /security/role #
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 | UCS-A# scope security | Enters security mode. |
||
Step 2 | UCS-A /security # scope role name | Enters security role mode for the specified role. |
||
Step 3 | UCS-A /security/role # add privilege privilege-name | Adds one or more privileges to the existing privileges of the user role.
|
||
Step 4 | UCS-A /security/role # commit-buffer | Commits the transaction to the system configuration. |
The following example adds the server security and server policy privileges to the service-profile-security-admin role and commits the transaction:
UCS-A# scope security UCS-A /security # scope role service-profile-security-admin UCS-A /security/role # add privilege server-security server-policy UCS-A /security/role* # commit-buffer UCS-A /security/role #
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 | UCS-A# scope security | Enters security mode. |
||
Step 2 | UCS-A /security # scope role name | Enters security role mode for the specified role. |
||
Step 3 | UCS-A /security/role # remove privilege privilege-name | Removes one or more privileges from the existing user role privileges.
|
||
Step 4 | UCS-A /security/role # commit-buffer | Commits the transaction to the system configuration. |
The following example removes the server security and server policy privileges from the service-profile-security-admin role and commits the transaction:
UCS-A# scope security UCS-A /security # scope role service-profile-security-admin UCS-A /security/role # remove privilege server-security server-policy UCS-A /security/role* # commit-buffer UCS-A /security/role #
Command or Action | Purpose | |
---|---|---|
Step 1 | UCS-A# scope security | Enters security mode. |
Step 2 | UCS-A /security # delete role name | Deletes the user role. |
Step 3 | UCS-A /security # commit-buffer | Commits the transaction to the system configuration. |
The following example deletes the service-profile-security-admin role and commits the transaction:
UCS-A# scope security UCS-A /security # delete role service-profile-security-admin UCS-A /security* # commit-buffer UCS-A /security #
Configuring Locales
Command or Action | Purpose | |
---|---|---|
Step 1 | UCS-A# scope security | Enters security mode. |
Step 2 | UCS-A /security # create locale locale-name | Creates a locale and enters security locale mode. |
Step 3 | UCS-A /security/locale # create org-ref org-ref-name orgdn orgdn-name | References (binds) an organization to the locale. The org-ref-name argument is the name used to identify the organization reference, and the orgdn-name argument is the distinguished name of the organization being referenced. |
Step 4 | UCS-A /security/locale # commit-buffer | Commits the transaction to the system configuration. |
The following example creates the western locale, references the finance organization to the locale, names the reference finance-ref, and commits the transaction:
UCS-A# scope security UCS-A /security # create locale western UCS-A /security/locale* # create org-ref finance-ref orgdn finance UCS-A /security/locale* # commit-buffer UCS-A /security/locale #
Command or Action | Purpose | |
---|---|---|
Step 1 | UCS-A# scope security | Enters security mode. |
Step 2 | UCS-A# scope locale locale-name | Enters security locale mode. |
Step 3 | UCS-A /security/locale # create org-ref org-ref-name orgdn orgdn-name | References (binds) an organization to the locale. The org-ref-name argument is the name used to identify the organization reference, and the orgdn-name argument is the distinguished name of the organization being referenced. |
Step 4 | UCS-A /security/locale # commit-buffer | Commits the transaction to the system configuration. |
The following example enters the western locale, adds (references) the marketing organization to the locale, names the reference marketing-ref, and commits the transaction:
UCS-A# scope security UCS-A /security # scope locale western UCS-A /security/locale* # create org-ref marketing-ref orgdn marketing UCS-A /security/locale* # commit-buffer UCS-A /security/locale #
Command or Action | Purpose | |
---|---|---|
Step 1 | UCS-A# scope security | Enters security mode. |
Step 2 | UCS-A /security # scope locale locale-name | Enters security locale mode. |
Step 3 | UCS-A /security/locale # delete org-ref org-ref-name | Deletes the organization from the locale. |
Step 4 | UCS-A /security/locale # commit-buffer | Commits the transaction to the system configuration. |
The following example deletes the finance organization from the western locale and commits the transaction:
UCS-A# scope security UCS-A /security # scope locale western UCS-A /security/locale # delete org-ref finance-ref UCS-A /security/locale* # commit-buffer UCS-A /security/locale #
Command or Action | Purpose | |
---|---|---|
Step 1 | UCS-A# scope security | Enters security mode. |
Step 2 | UCS-A /security # delete locale locale-name | Deletes the locale. |
Step 3 | UCS-A /security # commit-buffer | Commits the transaction to the system configuration. |
The following example deletes the western locale and commits the transaction:
UCS-A# scope security UCS-A /security # delete locale western UCS-A /security* # commit-buffer UCS-A /security #
Configuring User Accounts
At a minimum, we recommend that you create the following users:
Perform the following tasks, if the system includes any of the following:
Remote authentication services, ensure the users exist in the remote authentication server with the appropriate roles and privileges.
Multi-tenancy with organizations, create one or more locales. If you do not have any locales, all users are created in root and are assigned roles and privileges in all organizations.
SSH authentication, obtain the SSH key.
Command or Action | Purpose | |
---|---|---|
Step 1 | UCS-A# scope security | Enters security mode. |
Step 2 | UCS-A /security # create local-user local-user-name | Creates a user account for the specified local user and enters security local user mode. |
Step 3 | UCS-A /security/local-user # set password password | Sets the password for the user account |
Step 4 | UCS-A /security/local-user # set firstname first-name | (Optional) Specifies the first name of the user. |
Step 5 | UCS-A /security/local-user # set lastname last-name | (Optional) Specifies the last name of the user. |
Step 6 | UCS-A /security/local-user # set expiration month day-of-month year | (Optional) Specifies the date that the user account expires. The month argument is the first three letters of the month name. |
Step 7 | UCS-A /security/local-user # set email email-addr | (Optional) Specifies the user e-mail address. |
Step 8 | UCS-A /security/local-user # set phone phone-num | (Optional) Specifies the user phone number. |
Step 9 | UCS-A /security/local-user # set sshkey ssh-key | (Optional) Specifies the SSH key used for passwordless access. |
Step 10 | UCS-A security/local-user # commit-buffer | Commits the transaction. |
The following example creates the user account named kikipopo, sets the password to foo12345, commits the transaction, and commits the transaction:
UCS-A# scope security UCS-A /security # create local-user kikipopo UCS-A /security/local-user* # set password Enter a password: Confirm the password: UCS-A /security/local-user* # commit-buffer UCS-A /security/local-user #
The following example creates the user account named lincey, sets an OpenSSH key for passwordless access, and commits the transaction.
UCS-A# scope security UCS-A /security # create local-user lincey UCS-A /security/local-user* # set sshkey "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAuo9VQ2CmWBI9/S1f30klCWjnV3lgdXMzO0WUl5iPw85lkdQqap+NFuNmHcb4K iaQB8X/PDdmtlxQQcawclj+k8f4VcOelBxlsGk5luq5ls1ob1VOIEwcKEL/h5lrdbNlI8y3SS9I/gGiBZ9ARlop9LDpD m8HPh2LOgyH7Ei1MI8=" UCS-A /security/local-user* # commit-buffer UCS-A /security/local-user #
The following example creates the user account named jforlenz, sets a Secure SSH key for passwordless access, and commits the transaction.
UCS-A# scope security UCS-A /security # create local-user jforlenz UCS-A /security/local-user* # set sshkey Enter lines one at a time. Enter ENDOFBUF to finish. Press ^C to abort. User's SSH key: > ---- BEGIN SSH2 PUBLIC KEY ---- >AAAAB3NzaC1yc2EAAAABIwAAAIEAuo9VQ2CmWBI9/S1f30klCWjnV3lgdXMzO0WUl5iPw8 >5lkdQqap+NFuNmHcb4KiaQB8X/PDdmtlxQQcawclj+k8f4VcOelBxlsGk5luq5ls1ob1VO >IEwcKEL/h5lrdbNlI8y3SS9I/gGiBZ9ARlop9LDpDm8HPh2LOgyH7Ei1MI8= > ---- END SSH2 PUBLIC KEY ---- > ENDOFBUF UCS-A /security/local-user* # commit-buffer UCS-A /security/local-user #
Command or Action | Purpose | |
---|---|---|
Step 1 | UCS-A# scope security | Enters security mode. |
Step 2 | UCS-A /security # delete local-user local-user-name | Deletes the user user account. |
Step 3 | UCS-A /security # commit-buffer | Commits the transaction to the system configuration. |
The following example deletes the foo user account and commits the transaction:
UCS-A# scope security UCS-A /security # delete local-user foo UCS-A /security* # commit-buffer UCS-A /security #
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 | UCS-A# scope security | Enters security mode. |
||
Step 2 | UCS-A /security # scope local-user local-user-name | Enters security local user mode for the specified local user account. |
||
Step 3 | UCS-A /security/local-user # create role role-name | Assigns the specified role to the user account .
|
||
Step 4 | UCS-A security/local-user # commit-buffer | Commits the transaction. |
The following example assigns the operations role to the kikipopo local user account and commits the transaction:
UCS-A# scope security UCS-A /security # scope local-user kikipopo UCS-A /security/local-user # create role operations UCS-A /security/local-user* # commit-buffer UCS-A /security/local-user #
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 | UCS-A# scope security | Enters security mode. |
||
Step 2 | UCS-A /security # scope local-user local-user-name | Enters security local user mode for the specified local user account. |
||
Step 3 | UCS-A /security/local-user # delete role role-name | Removes the specified role from the user account .
|
||
Step 4 | UCS-A security/local-user # commit-buffer | Commits the transaction. |
The following example removes the operations role from the kikipopo local user account and commits the transaction:
UCS-A# scope security UCS-A /security # scope local-user kikipopo UCS-A /security/local-user # delete role operations UCS-A /security/local-user* # commit-buffer UCS-A /security/local-user #
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 | UCS-A# scope security | Enters security mode. |
||
Step 2 | UCS-A /security # scope local-user local-user-name | Enters security local user mode for the specified local user account. |
||
Step 3 | UCS-A /security/local-user # create locale locale-name | Assigns the specified locale to the user account .
|
||
Step 4 | UCS-A security/local-user # commit-buffer | Commits the transaction. |
The following example assigns the western locale to the kikipopo local user account and commits the transaction:
UCS-A# scope security UCS-A /security # scope local-user kikipopo UCS-A /security/local-user # create locale western UCS-A /security/local-user* # commit-buffer UCS-A /security/local-user #
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 | UCS-A# scope security | Enters security mode. |
||
Step 2 | UCS-A /security # scope local-user local-user-name | Enters security local user mode for the specified local user account. |
||
Step 3 | UCS-A /security/local-user # delete locale locale-name | Removes the specified locale from the user account .
|
||
Step 4 | UCS-A security/local-user # commit-buffer | Commits the transaction. |
The following example removes the western locale from the kikipopo local user account and commits the transaction:
UCS-A# scope security UCS-A /security # scope local-user kikipopo UCS-A /security/local-user # delete locale western UCS-A /security/local-user* # commit-buffer UCS-A /security/local-user #
Command or Action | Purpose | |
---|---|---|
Step 1 | UCS-A# scope security | Enters security mode. |
Step 2 | UCS-A /security # show user-session {local | remote} [detail] | Displays session information for all users currently logged in to the system. |
The following example lists all local users currently logged in to the system:
UCS-A# scope security UCS-A /security # show user-session local Session Id User Host Login Time --------------- --------------- -------------------- ---------- pts_25_1_31264 steve 192.168.100.111 2009-05-09T14:06:59 ttyS0_1_3532 jeff console 2009-05-02T15:11:08 web_25277_A faye 192.168.100.112 2009-05-15T22:11:25
The following example displays detailed information on all local users currently logged in to the system:
UCS-A# scope security UCS-A /security # show user-session local detail Session Id pts_25_1_31264: Fabric Id: A Term: pts/25 User: steve Host: 64.101.53.93 Pid: 31264 Login Time: 2009-05-09T14:06:59 Session Id ttyS0_1_3532: Fabric Id: A Term: ttyS0 User: jeff Host: console Pid: 3532 Login Time: 2009-05-02T15:11:08 Session Id web_25277_A: Fabric Id: A Term: web_25277 User: faye Host: 192.168.100.112 Pid: 3518 Login Time: 2009-05-15T22:11:25