- Preface
- Overview of Cisco Unified Computing System
- Overview of Cisco UCS Manager
- Overview of Cisco UCS Manager CLI
- Configuring the Fabric Interconnects
- Configuring Ports and Port Channels
- Configuring Communication Services
- Configuring Authentication
- Configuring Organizations
- Configuring Role-Based Access Control
- Configuring DNS Servers
- Configuring System-Related Policies
- Managing Licenses
- Managing Virtual Interfaces
- Registering Cisco UCS Domains with Cisco UCS Central
- VLANs
- Configuring LAN Pin Groups
- Configuring MAC Pools
- Configuring Quality of Service
- Configuring Network-Related Policies
- Configuring Upstream Disjoint Layer-2 Networks
- Configuring Named VSANs
- Configuring SAN Pin Groups
- Configuring WWN Pools
- Configuring Storage-Related Policies
- Configuring Fibre Channel Zoning
- Configuring Server-Related Pools
- Setting the Management IP Address
- Configuring Server-Related Policies
- Configuring Server Boot
- Deferring Deployment of Service Profile Updates
- Service Profiles
- Configuring Storage Profiles
- Managing Power in Cisco UCS
- Managing Time Zones
- Managing the Chassis
- Managing Blade Servers
- Managing Rack-Mount Servers
- CIMC Session Management
- Managing the I/O Modules
- Backing Up and Restoring the Configuration
- Recovering a Lost Password
- Role-Based Access Control Overview
- User Accounts for Cisco UCS
- User Roles
- User Locales
- Configuring User Roles
- Configuring Locales
- Configuring Locally Authenticated User Accounts
- Creating a User Account
- Enabling the Password Strength Check for Locally Authenticated Users
- Setting Web Session Limits for User Accounts
- Assigning a Role to a User Account
- Assigning a Locale to a User Account
- Removing a Role from a User Account
- Removing a Locale from a User Account
- Enabling or Disabling a User Account
- Clearing the Password History for a Locally Authenticated User
- Deleting a User Account
- Password Profile for Locally Authenticated Users
- Monitoring User Sessions from the CLI
Configuring Role-Based Access Control
This chapter includes the following sections:
- Role-Based Access Control Overview
- User Accounts for Cisco UCS
- User Roles
- User Locales
- Configuring User Roles
- Configuring Locales
- Configuring Locally Authenticated User Accounts
- Password Profile for Locally Authenticated Users
- Monitoring User Sessions from the CLI
Role-Based Access Control Overview
Role-Based Access Control (RBAC) is a method of restricting or authorizing system access for users based on user roles and locales. A role defines the privileges of a user in the system and a locale defines the organizations (domains) that a user is allowed access. Because users are not directly assigned privileges, you can manage individual user privileges by assigning the appropriate roles and locales.
A user is granted write access to the required system resources only if the assigned role grants the access privileges and the assigned locale allows access. For example, a user with the Server Administrator role in the engineering organization can update server configurations in the Engineering organization. They cannot, however, update server configurations in the Finance organization, unless the locales assigned to the user include the Finance organization.
User Accounts for Cisco UCS
User accounts access the system. You can configure up to 48 local user accounts in each Cisco UCS Manager domain. Each user account requires a unique username and password.
You can set user accounts with an SSH public key. The public key can be set in either of the two formats: OpenSSH or SECSH.
Admin Account
An admin account comes with each Cisco UCS domain. The admin account is a default user account and cannot be modified or deleted. This account is the system administrator or superuser account s full privileges. There is no default password assigned to the admin account; you must choose the password during the initial system setup.
The admin account is always active and does not expire. You cannot configure the admin account as inactive.
Locally Authenticated User Accounts
A locally authenticated user account is authenticated directly through the fabric interconnect and can be enabled or disabled by anyone with admin or aaa privileges. After a local user account is disabled, the user cannot log in. The database does not delete the configuration details for disabled local user accounts. If you re-enable a disabled local user account, the account becomes active with the existing configuration, including the username and password.
Remotely Authenticated User Accounts
A remotely authenticated user account is any user account that is authenticated through LDAP, RADIUS, or TACACS+.
If a user maintains a local user account and a remote user account simultaneously, the roles defined in the local user account override those maintained in the remote user account.
Expiration of User Accounts
You can configure user accounts to expire at a predefined time. When the expiration time is reached, the user account is disabled.
By default, user accounts do not expire.
 Note | After you configure a user account with an expiration date, you cannot reconfigure the account to not expire. However, you can configure the account to use the latest expiration date available. |
- Guidelines for Cisco UCS Usernames
- Reserved Words: Locally Authenticated User Accounts
- Guidelines for Cisco UCS Passwords
- Web Session Limits for User Accounts
Guidelines for Cisco UCS Usernames
The username is also used as the login ID for Cisco UCS Manager. When you assign login IDs to Cisco UCS user accounts, consider the following guidelines and restrictions:
-
The login ID can contain between 1 and 32 characters, including the following:
-
The login ID must be unique within Cisco UCS Manager.
-
The login ID must start with an alphabetic character. It cannot start with a number or a special character, such as an underscore.
-
The login ID is case-sensitive.
-
You cannot create an all-numeric login ID.
-
After you create a user account, you cannot change the login ID. You must delete the user account and create a new one.
Reserved Words: Locally Authenticated User Accounts
You cannot use the following words when creating a local user account in Cisco UCS.
Guidelines for Cisco UCS Passwords
Each locally authenticated user account requires a password. A user with admin or aaa privileges can configure Cisco UCS Manager to perform a password strength check on user passwords.
Cisco recommends using a strong password; otherwise, the password strength check for locally authenticated users, Cisco UCS Manager rejects any password that does not meet the following requirements:
-
Must contain a minimum of eight characters and a maximum of 80 characters.
-
If the password strength check is turned on, the minimum password length is variable and can be set from a minimum of 6 to a maximum of 80 characters.
Note
The default is 8 characters.
-
Must contain at least three of the following:
-
Must not contain a character that is repeated more than three times consecutively, such as aaabbb.
-
Must not be identical to the username or the reverse of the username.
-
Must pass a password dictionary check. For example, the password must not be based on a standard dictionary word.
-
Must not contain the following symbols: $ (dollar sign), ? (question mark), and = (equals sign).
-
Should not be blank for local user and admin accounts.
Web Session Limits for User Accounts
Cisco UCS Manager uses web session limits to restrict the number of web sessions (both GUI and XML) that a given user account is permitted to access at any one time.
Each Cisco UCS Manager domain supports a maximum of 32 concurrent web sessions per user and 256 total user sessions. By default, the number of concurrent web sessions allowed by Cisco UCS Manager is set to 32 per user, but you can configure this value up to the system maximum of 256.
User Roles
User roles contain one or more privileges that define the operations that are allowed for a user. You can assign one or more roles to each user. Users with multiple roles have the combined privileges of all assigned roles. For example, if Role1 has storage-related privileges, and Role 2 has server-related privileges, users with Role1 and Role 2 have both storage-related and server-related privileges.
A Cisco UCS domain can contain up to 48 user roles, including the default user roles. Any user roles configured after the first 48 are accepted, but they are inactive with faults raised.
All roles include read access to all configuration settings in the Cisco UCS domain. Users with read-only roles cannot modify the system state.
You can create, modify or remove existing privileges, and delete roles. When you modify a role, the new privileges apply to all users with that role. Privilege assignment is not restricted to the privileges defined for the default roles. Meaning, you can use a custom set of privileges to create a unique role. For example, the default Server Administrator and Storage Administrator roles have a different set of privileges. However, you can create a Server and Storage Administrator role that combines the privileges of both roles.
Note | If you delete a role after it was assigned to users, it is also deleted from those user accounts. |
Modify the user profiles on AAA servers (RADIUS or TACACS+) to add the roles corresponding to the privileges granted to that user. The attribute stores the role information. The AAA servers return this attribute with the request and parse it to obtain the roles. LDAP servers return the roles in the user profile attributes.
Note | If a local and a remote user account have the same username, Cisco UCS Manager overrides any roles assigned to the remote user with those assigned to the local user. |
Default User Roles
The system contains the following default user roles:
- AAA Administrator
-
Read-and-write access to users, roles, and AAA configuration. Read access to the remaining system.
- Administrator
-
Complete read-and-write access to the entire system. Assigns this role to the default administrator account by default. You cannot change it.
- Facility Manager
-
Read-and-write access to power management operations through the power management privilege. Read access to the remaining system.
- Network Administrator
-
Read-and-write access to fabric interconnect infrastructure and network security operations. Read access to the remaining system.
- Operations
-
Read-and-write access to systems logs, including the syslog servers, and faults. Read access to the remaining system.
- Read-Only
-
Read-only access to system configuration with no privileges to modify the system state.
- Server Compute
-
Read and write access to most aspects of service profiles. However, the user cannot create, modify or delete vNICs or vHBAs.
- Server Equipment Administrator
-
Read-and-write access to physical server-related operations. Read access to the remaining system.
- Server Profile Administrator
-
Read-and-write access to logical server-related operations. Read access to the remaining system.
- Server Security Administrator
-
Read-and-write access to server security-related operations. Read access to the remaining system.
- Storage Administrator
-
Read-and-write access to storage operations. Read access to the remaining system.
Reserved Words: User Roles
You cannot use the following words when creating custom roles in Cisco UCS.
Privileges
Privileges give users, assigned to user roles, access to specific system resources and permission to perform specific tasks. The following table lists each privilege and the user role given that privilege by default.
 Tip | Detailed information about these privileges and the tasks that they enable users to perform is available in Privileges in Cisco UCS available at the following URL: http://www.cisco.com/en/US/products/ps10281/prod_technical_reference_list.html. |
|
Privilege |
Description |
Default Role Assignment |
|---|---|---|
|
aaa |
System security and AAA |
AAA Administrator |
|
admin |
System administration |
Administrator |
|
ext-lan-config |
External LAN configuration |
Network Administrator |
|
ext-lan-policy |
External LAN policy |
Network Administrator |
|
ext-lan-qos |
External LAN QoS |
Network Administrator |
|
ext-lan-security |
External LAN security |
Network Administrator |
|
ext-san-config |
External SAN configuration |
Storage Administrator |
|
ext-san-policy |
External SAN policy |
Storage Administrator |
|
ext-san-qos |
External SAN QoS |
Storage Administrator |
|
ext-san-security |
External SAN security |
Storage Administrator |
|
fault |
Alarms and alarm policies |
Operations |
|
operations |
Logs and Smart Call Home |
Operations |
|
org-management |
Organization management |
Operations |
|
pod-config |
Pod configuration |
Network Administrator |
|
pod-policy |
Pod policy |
Network Administrator |
|
pod-qos |
Pod QoS |
Network Administrator |
|
pod-security |
Pod security |
Network Administrator |
|
power-mgmt |
Read-and-write access to power management operations |
Facility Manager |
|
read-only |
Read-only access Read-only cannot be selected as a privilege; it is assigned to every user role. |
Read-Only |
|
server-equipment |
Server hardware management |
Server Equipment Administrator |
|
server-maintenance |
Server maintenance |
Server Equipment Administrator |
|
server-policy |
Server policy |
Server Equipment Administrator |
|
server-security |
Server security |
Server Security Administrator |
|
service-profile-compute |
Service profile compute |
Server Compute Administrator |
|
service-profile-config |
Service profile configuration |
Server Profile Administrator |
|
service-profile-config-policy |
Service profile configuration policy |
Server Profile Administrator |
|
service-profile-ext-access |
Service profile endpoint access |
Server Profile Administrator |
|
service-profile-network |
Service profile network |
Network Administrator |
|
service-profile-network-policy |
Service profile network policy |
Network Administrator |
|
service-profile-qos |
Service profile QoS |
Network Administrator |
|
service-profile-qos-policy |
Service profile QoS policy |
Network Administrator |
|
service-profile-security |
Service profile security |
Server Security Administrator |
|
service-profile-security-policy |
Service profile security policy |
Server Security Administrator |
|
service-profile-server |
Service profile server management |
Server Profile Administrator |
|
service-profile-server-oper |
Service profile consumer |
Server Profile Administrator |
|
service-profile-server-policy |
Service profile pool policy |
Server Security Administrator |
|
service-profile-storage |
Service profile storage |
Storage Administrator |
|
service-profile-storage-policy |
Service profile storage policy |
Storage Administrator |
User Locales
You can assign a user to one or more locales. Each locale defines one or more organizations (domains) to which a user can access. Access is usually limited to the organizations specified in the locale. An exception is a locale without any organizations. It provides unrestricted access to system resources in all organizations.
A Cisco UCS domain can contain up to 48 user locales. Any user locales configured after the first 48 are accepted, but are inactive with faults raised.
Users with admin or aaa privileges can assign organizations to the locale of other users. The assignment of organizations is restricted to only those in the locale of the user assigning the organizations. For example, if a locale contains only the Engineering organization, a user assigned to that locale can only assign the Engineering organization to other users.
Note | You cannot assign a locale to users with one or more of the following privileges: |
You can hierarchically manage organizations. A user who is assigned to a top-level organization has automatic access to all organizations below it. For example, an Engineering organization can contain a Software Engineering organization and a Hardware Engineering organization. A locale containing only the Software Engineering organization has access to system resources only within that organization. However, a locale that contains the Engineering organization has access to the resources for both the Software Engineering and Hardware Engineering organizations.
Configuring User Roles
Creating a User Role
The following example creates the service-profile-security-admin role, adds the service profile security and service profile security policy privileges to the role, and commits the transaction:
UCS-A# scope security UCS-A /security # create role ls-security-admin UCS-A /security/role* # add privilege service-profile-security service-profile-security-policy UCS-A /security/role* # commit-buffer UCS-A /security/role #
Adding Privileges to a User Role
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step 1 | UCS-A# scope security |
Enters security mode. | ||
| Step 2 | UCS-A /security # scope role name |
Enters security role mode for the specified role. | ||
| Step 3 | UCS-A /security/role # add privilege privilege-name |
Adds one or more privileges to the existing privileges of the user role.
| ||
| Step 4 | UCS-A /security/role # commit-buffer |
Commits the transaction to the system configuration. |
The following example shows how to add the server security and server policy privileges to the service-profile-security-admin role and commit the transaction:
UCS-A# scope security UCS-A /security # scope role service-profile-security-admin UCS-A /security/role # add privilege server-security server-policy UCS-A /security/role* # commit-buffer UCS-A /security/role #
Replacing Privileges for a User Role
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step 1 | UCS-A# scope security |
Enters security mode. | ||
| Step 2 | UCS-A /security # scope role name |
Enters security role mode for the specified role. | ||
| Step 3 | UCS-A /security/role # set privilege privilege-name |
Replaces the existing privileges of the user role.
| ||
| Step 4 | UCS-A /security/role # commit-buffer |
Commits the transaction to the system configuration. |
The following example shows how to replace the existing privileges for the service-profile-security-admin role with the server security and server policy privileges and commit the transaction:
UCS-A# scope security UCS-A /security # scope role service-profile-security-admin UCS-A /security/role # set privilege server-security server-policy UCS-A /security/role* # commit-buffer UCS-A /security/role #
Removing Privileges from a User Role
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step 1 | UCS-A# scope security |
Enters security mode. | ||
| Step 2 | UCS-A /security # scope role name |
Enters security role mode for the specified role. | ||
| Step 3 | UCS-A /security/role # remove privilege privilege-name |
Removes one or more privileges from the existing user role privileges.
| ||
| Step 4 | UCS-A /security/role # commit-buffer |
Commits the transaction to the system configuration. |
The following example removes the server security and server policy privileges from the service-profile-security-admin role and commits the transaction:
UCS-A# scope security UCS-A /security # scope role service-profile-security-admin UCS-A /security/role # remove privilege server-security server-policy UCS-A /security/role* # commit-buffer UCS-A /security/role #
Deleting a User Role
| Command or Action | Purpose |
|---|
The following example deletes the service-profile-security-admin role and commits the transaction:
UCS-A# scope security UCS-A /security # delete role service-profile-security-admin UCS-A /security* # commit-buffer UCS-A /security #
Configuring Locales
Creating a Locale
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | UCS-A# scope security |
Enters security mode. |
| Step 2 | UCS-A /security # create locale locale-name |
Creates a locale and enters security locale mode. |
| Step 3 | UCS-A /security/locale # create org-ref org-ref-name orgdn orgdn org-root/org-ref-name |
References (binds) an organization to the locale. The org-ref-name argument is the name used to identify the organization reference, and the orgdn-name argument is the distinguished name of the organization being referenced. |
| Step 4 | UCS-A /security/locale # commit-buffer |
Commits the transaction to the system configuration. |
The following example creates the western locale, references the finance organization to the locale, names the reference finance-ref, and commits the transaction:
UCS-A# scope security UCS-A /security # create locale western UCS-A /security/locale* # create org-ref finance-ref orgdn org-root/org-finance UCS-A /security/locale* # commit-buffer UCS-A /security/locale #
Assigning an Organization to a Locale
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | UCS-A# scope security |
Enters security mode. |
| Step 2 | UCS-A# scope locale locale-name |
Enters security locale mode. |
| Step 3 | UCS-A /security/locale # create org-ref org-ref-name orgdn org-root/org-ref-name |
References (binds) an organization to the locale. The org-ref-name argument is the name used to identify the organization reference, and the orgdn-name argument is the distinguished name of the organization being referenced. |
| Step 4 | UCS-A /security/locale # commit-buffer |
Commits the transaction to the system configuration. |
The following example enters the western locale, adds (references) the marketing organization to the locale, names the reference marketing-ref, and commits the transaction:
UCS-A# scope security UCS-A /security # scope locale western UCS-A /security/locale* # create org-ref marketing-ref orgdn org-root/org-marketing UCS-A /security/locale* # commit-buffer UCS-A /security/locale #
Deleting an Organization from a Locale
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | UCS-A# scope security |
Enters security mode. |
| Step 2 | UCS-A /security # scope locale locale-name |
Enters security locale mode. |
| Step 3 | UCS-A /security/locale # delete org-ref org-ref-name |
Deletes the organization from the locale. |
| Step 4 | UCS-A /security/locale # commit-buffer |
Commits the transaction to the system configuration. |
The following example deletes the finance organization from the western locale and commits the transaction:
UCS-A# scope security UCS-A /security # scope locale western UCS-A /security/locale # delete org-ref finance-ref UCS-A /security/locale* # commit-buffer UCS-A /security/locale #
Deleting a Locale
| Command or Action | Purpose |
|---|
The following example deletes the western locale and commits the transaction:
UCS-A# scope security UCS-A /security # delete locale western UCS-A /security* # commit-buffer UCS-A /security #
Configuring Locally Authenticated User Accounts
Creating a User Account
At a minimum, Cisco recommends that you create the following users:
Perform the following tasks, if the system includes any of the following:
-
Remote authentication services—Ensures that the users exist in the remote authentication server with the appropriate roles and privileges.
-
Multitenancy with organizations—Creates one or more locales. If you do not have any locales, all users are created in root and are assigned roles and privileges in all organizations.
-
SSH authentication—Obtains the SSH key.
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step 1 | UCS-A# scope security |
Enters security mode. | ||
| Step 2 | UCS-A /security # create local-user local-user-name |
Creates a user account for the specified local user and enters security local user mode. | ||
| Step 3 | UCS-A /security/local-user # set account-status {active| inactive} |
Specifies whether the local user account is enabled or disabled. If the account status for a local user account is set to inactive, the user is prevented from logging into the system using their existing credentials. | ||
| Step 4 | UCS-A /security/local-user # set password password |
Sets the password for the user account | ||
| Step 5 | UCS-A /security/local-user # set firstname first-name | (Optional)
Specifies the first name of the user. | ||
| Step 6 | UCS-A /security/local-user # set lastname last-name | (Optional)
Specifies the last name of the user. | ||
| Step 7 | UCS-A /security/local-user # set expiration month day-of-month year | (Optional)
Specifies the date that the user account expires. The month argument is the first three letters of the month name.
| ||
| Step 8 | UCS-A /security/local-user # set email email-addr | (Optional)
Specifies the user e-mail address. | ||
| Step 9 | UCS-A /security/local-user # set phone phone-num | (Optional)
Specifies the user phone number. | ||
| Step 10 | UCS-A /security/local-user # set sshkey ssh-key | (Optional)
Specifies the SSH key used for passwordless access. | ||
| Step 11 | UCS-A security/local-user # commit-buffer |
Commits the transaction. |
The following example creates the user account named kikipopo, enables the user account, sets the password to foo12345, and commits the transaction:
UCS-A# scope security UCS-A /security # create local-user kikipopo UCS-A /security/local-user* # set account-status active UCS-A /security/local-user* # set password Enter a password: Confirm the password: UCS-A /security/local-user* # commit-buffer UCS-A /security/local-user #
The following example creates the user account named lincey, enables the user account, sets an OpenSSH key for passwordless access, and commits the transaction.
UCS-A# scope security UCS-A /security # create local-user lincey UCS-A /security/local-user* # set account-status active UCS-A /security/local-user* # set sshkey "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAuo9VQ2CmWBI9/S1f30klCWjnV3lgdXMzO0WUl5iPw85lkdQqap+NFuNmHcb4K iaQB8X/PDdmtlxQQcawclj+k8f4VcOelBxlsGk5luq5ls1ob1VOIEwcKEL/h5lrdbNlI8y3SS9I/gGiBZ9ARlop9LDpD m8HPh2LOgyH7Ei1MI8=" UCS-A /security/local-user* # commit-buffer UCS-A /security/local-user #
The following example creates the user account named jforlenz, enables the user account, sets a Secure SSH key for passwordless access, and commits the transaction.
UCS-A# scope security UCS-A /security # create local-user jforlenz UCS-A /security/local-user* # set account-status active UCS-A /security/local-user* # set sshkey Enter lines one at a time. Enter ENDOFBUF to finish. Press ^C to abort. User's SSH key: > ---- BEGIN SSH2 PUBLIC KEY ---- >AAAAB3NzaC1yc2EAAAABIwAAAIEAuo9VQ2CmWBI9/S1f30klCWjnV3lgdXMzO0WUl5iPw8 >5lkdQqap+NFuNmHcb4KiaQB8X/PDdmtlxQQcawclj+k8f4VcOelBxlsGk5luq5ls1ob1VO >IEwcKEL/h5lrdbNlI8y3SS9I/gGiBZ9ARlop9LDpDm8HPh2LOgyH7Ei1MI8= > ---- END SSH2 PUBLIC KEY ---- > ENDOFBUF UCS-A /security/local-user* # commit-buffer UCS-A /security/local-user #
Enabling the Password Strength Check for Locally Authenticated Users
You must have admin or aaa privileges to enable the password strength check. If enabled, Cisco UCS Manager does not permit a user to choose a password that does not meet the guidelines for a strong password.
| Command or Action | Purpose |
|---|
The following example enables the password strength check:
UCS-A# scope security UCS-A /security # set enforce-strong-password yes UCS-A /security #
Setting Web Session Limits for User Accounts
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | UCS-A# scope system |
Enters system mode. |
| Step 2 | UCS-A /system # scope services |
Enters system services mode. |
| Step 3 | UCS-A /system/services # scope web-session-limits |
Enters system services web session limits mode. |
| Step 4 | UCS-A /system/services/web-session-limits # set peruser num-of-logins-per-user |
Sets the maximum number of concurrent HTTP and HTTPS sessions allowed for each user. Enter an integer between 1 and 256. By default, this value is set to 32. |
| Step 5 | UCS-A /system/services/web-session-limits # commit-buffer | Commits the transaction to the system configuration. |
The following example sets the maximum number of HTTP and HTTPS sessions allowed by each user account to 60 and commits the transaction:
UCS-A# scope system UCS-A /system # scope services UCS-A /system/services # scope web-session-limits UCS-A /system/services/web-session-limits* # set peruser 60 UCS-A /system/services/web-session-limits* # commit-buffer UCS-A /system/services/web-session-limits #
Assigning a Role to a User Account
Changes in user roles and privileges do not take effect until the next time the user logs in. If a user is logged in when you assign a new role to or remove an existing role from a user account, the active session continues with the previous roles and privileges.
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step 1 | UCS-A# scope security |
Enters security mode. | ||
| Step 2 | UCS-A /security # scope local-user local-user-name |
Enters security local user mode for the specified local user account. | ||
| Step 3 | UCS-A /security/local-user # create role role-name |
Assigns the specified role to the user account .
| ||
| Step 4 | UCS-A security/local-user # commit-buffer |
Commits the transaction. |
The following example assigns the operations role to the kikipopo local user account and commits the transaction:
UCS-A# scope security UCS-A /security # scope local-user kikipopo UCS-A /security/local-user # create role operations UCS-A /security/local-user* # commit-buffer UCS-A /security/local-user #
Assigning a Locale to a User Account
Note | Do not assign locales to users with an admin or aaa role. |
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step 1 | UCS-A# scope security |
Enters security mode. | ||
| Step 2 | UCS-A /security # scope local-user local-user-name |
Enters security local user mode for the specified local user account. | ||
| Step 3 | UCS-A /security/local-user # create locale locale-name |
Assigns the specified locale to the user account.
| ||
| Step 4 | UCS-A security/local-user # commit-buffer |
Commits the transaction. |
The following example assigns the western locale to the kikipopo local user account and commits the transaction:
UCS-A# scope security UCS-A /security # scope local-user kikipopo UCS-A /security/local-user # create locale western UCS-A /security/local-user* # commit-buffer UCS-A /security/local-user #
Removing a Role from a User Account
Changes in user roles and privileges do not take effect until the next time the user logs in. If a user is logged in when you assign a new role to or remove an existing role from a user account, the active session continues with the previous roles and privileges.
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step 1 | UCS-A# scope security |
Enters security mode. | ||
| Step 2 | UCS-A /security # scope local-user local-user-name |
Enters security local user mode for the specified local user account. | ||
| Step 3 | UCS-A /security/local-user # delete role role-name |
Removes the specified role from the user account .
| ||
| Step 4 | UCS-A security/local-user # commit-buffer |
Commits the transaction. |
The following example removes the operations role from the kikipopo local user account and commits the transaction:
UCS-A# scope security UCS-A /security # scope local-user kikipopo UCS-A /security/local-user # delete role operations UCS-A /security/local-user* # commit-buffer UCS-A /security/local-user #
Removing a Locale from a User Account
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step 1 | UCS-A# scope security |
Enters security mode. | ||
| Step 2 | UCS-A /security # scope local-user local-user-name |
Enters security local user mode for the specified local user account. | ||
| Step 3 | UCS-A /security/local-user # delete locale locale-name |
Removes the specified locale from the user account.
| ||
| Step 4 | UCS-A security/local-user # commit-buffer |
Commits the transaction. |
The following example removes the western locale from the kikipopo local user account and commits the transaction:
UCS-A# scope security UCS-A /security # scope local-user kikipopo UCS-A /security/local-user # delete locale western UCS-A /security/local-user* # commit-buffer UCS-A /security/local-user #
Enabling or Disabling a User Account
You must have admin or aaa privileges to enable or disable a local user account.
Create a local user account.
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step 1 | UCS-A# scope security |
Enters security mode. | ||
| Step 2 | UCS-A /security # scope local-user |
Enters local-user security mode. | ||
| Step 3 | UCS-A /security/local-user # set account-status {active | inactive} |
Specifies whether the local user account is enabled or disabled. The admin user account is always set to active. It cannot be modified.
|
The following example enables a local user account called accounting:
UCS-A# scope security UCS-A /security # scope local-user accounting UCS-A /security/local-user # set account-status active
Clearing the Password History for a Locally Authenticated User
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | UCS-A# scope security |
Enters security mode. |
| Step 2 | UCS-A /security # scope local-user user-name | Enters local user security mode for the specified user account. |
| Step 3 | UCS-A /security/local-user # set clear password-history yes | Clears the password history for the specified user account. |
| Step 4 | UCS-A /security/local-user # commit-buffer | Commits the transaction to the system configuration. |
The following example configures the password history count and commits the transaction:
UCS-A # scope security UCS-A /security # scope local-user admin UCS-A /security/local-user # set clear password-history yes UCS-A /security/local-user* # commit-buffer UCS-A /security/local-user #
Deleting a User Account
| Command or Action | Purpose |
|---|
The following example deletes the foo user account and commits the transaction:
UCS-A# scope security UCS-A /security # delete local-user foo UCS-A /security* # commit-buffer UCS-A /security #
Password Profile for Locally Authenticated Users
The password profile contains the password history and the password change interval properties for all locally authenticated users of Cisco UCS Manager. You cannot specify a different password profile for locally authenticated users.
Note | You must have admin or aaa privileges to change the password profile properties. Except for password history, these properties do not apply to users with admin or aaa privileges. |
Password History Count
The password history count prevents locally authenticated users from reusing the same password. When you configure the password history count, Cisco UCS Manager stores up to a maximum of 15 previously used passwords. The password history count stores the passwords in reverse chronological order with the most recent password first. This ensures that the user can only reuse the oldest password when the history count reaches its threshold.
A user can create and use the number of passwords configured in the password history count before reusing a password. For example, if you set the password history count to 8, a user cannot reuse the first password until the ninth password expires.
By default, the password history is set to 0. This value disables the history count and allows users to reuse previously used passwords at any time.
You can clear the password history count for a locally authenticated user and enable reuse of previous passwords.
Password Change Interval
The password change interval restricts the number of password changes that a locally authenticated user can make within a specific number of hours. The following table describes the two interval configuration options for the password change interval.
| Interval Configuration | Description | Example |
|---|---|---|
|
No password change allowed |
Does not allow changing passwords for locally authenticated user within a specified number of hours after a password change. You can specify a no change interval between 1 and 745 hours. By default, the no change interval is 24 hours. |
To prevent the user from changing passwords within 48 hours after a password change: |
|
Password changes allowed within change interval |
Specifies the maximum number of times that a locally authenticated user password change can occur within a pre-defined interval. You can specify a change interval between 1 and 745 hours and a maximum number of password changes between 0 and 10. By default, a locally authenticated user is permitted a maximum of two password changes within a 48-hour interval. |
To allow a password change for a maximum of one time within 24 hours after a password change: |
- Configuring the Maximum Number of Password Changes for a Change Interval
- Configuring a No Change Interval for Passwords
- Configuring the Password History Count
Configuring the Maximum Number of Password Changes for a Change Interval
You must have admin or aaa privileges to change the password profile properties. Except for password history, these properties do not apply to users with admin or aaa privileges.
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | UCS-A# scope security |
Enters security mode. |
| Step 2 | UCS-A /security # scope password-profile | Enters password profile security mode. |
| Step 3 | UCS-A /security/password-profile # set change-during-interval enable | Restricts the number of password changes a locally authenticated user can make within a given number of hours. |
| Step 4 | UCS-A /security/password-profile # set change-count pass-change-num | Specifies the maximum number of times a locally authenticated user can change his or her password during the Change Interval. This value can be anywhere from 0 to 10. |
| Step 5 | UCS-A /security/password-profile # set change-interval num-of-hours | Specifies the maximum number of hours over which the number of password changes specified in the Change Count field are enforced. This value can be anywhere from 1 to 745 hours. For example, if this field is set to 48 and the Change Count field is set to 2, a locally authenticated user can make no more than 2 password changes within a 48 hour period. |
| Step 6 | UCS-A /security/password-profile # commit-buffer | Commits the transaction to the system configuration. |
The following example enables the change during interval option, sets the change count to 5, sets the change interval to 72 hours, and commits the transaction:
UCS-A # scope security UCS-A /security # scope password-profile UCS-A /security/password-profile # set change-during-interval enable UCS-A /security/password-profile* # set change-count 5 UCS-A /security/password-profile* # set change-interval 72 UCS-A /security/password-profile* # commit-buffer UCS-A /security/password-profile #
Configuring a No Change Interval for Passwords
You must have admin or aaa privileges to change the password profile properties. Except for password history, these properties do not apply to users with admin or aaa privileges.
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | UCS-A# scope security |
Enters security mode. |
| Step 2 | UCS-A /security # scope password-profile | Enters password profile security mode. |
| Step 3 | UCS-A /security/password-profile # set change-during-interval disable | Disables the change during interval feature. |
| Step 4 | UCS-A /security/password-profile # set no-change-interval min-num-hours | Specifies the minimum number of hours that a locally authenticated user must wait before changing a newly created password. This value can be anywhere from 1 to 745 hours. This interval is ignored if the Change During Interval property is set to Disable. |
| Step 5 | UCS-A /security/password-profile # commit-buffer | Commits the transaction to the system configuration. |
The following example disables the change during interval option, sets the no change interval to 72 hours, and commits the transaction:
UCS-A # scope security UCS-A /security # scope password-profile UCS-A /security/password-profile # set change-during-interval disable UCS-A /security/password-profile* # set no-change-interval 72 UCS-A /security/password-profile* # commit-buffer UCS-A /security/password-profile #
Configuring the Password History Count
You must have admin or aaa privileges to change the password profile properties.
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | UCS-A# scope security |
Enters security mode. |
| Step 2 | UCS-A /security # scope password-profile | Enters password profile security mode. |
| Step 3 | UCS-A /security/password-profile # set history-count num-of-passwords | Specifies the number of unique passwords that a locally authenticated user must create before that user can reuse a previously used password This value can be anywhere from 0 to 15. By default, the History Count field is set to 0, which disables the history count and allows users to reuse previously used passwords at any time. |
| Step 4 | UCS-A /security/password-profile # commit-buffer | Commits the transaction to the system configuration. |
The following example configures the password history count and commits the transaction:
UCS-A # scope security UCS-A /security # scope password-profile UCS-A /security/password-profile # set history-count 5 UCS-A /security/password-profile* # commit-buffer UCS-A /security/password-profile #
Monitoring User Sessions from the CLI
| Command or Action | Purpose |
|---|
The following example lists all local users logged in to the system. The asterisk indicates which session is the current login session.
UCS-A# scope security UCS-A /security # show user-session local Session Id User Host Login Time --------------- --------------- -------------------- ---------- pts_25_1_31264* steve 192.168.100.111 2009-05-09T14:06:59 ttyS0_1_3532 jeff console 2009-05-02T15:11:08 web_25277_A faye 192.168.100.112 2009-05-15T22:11:25
The following example displays detailed information on all local users logged in to the system:
UCS-A# scope security
UCS-A /security # show user-session local detail
Session Id pts_25_1_31264:
Fabric Id: A
Term: pts/25
User: steve
Host: 64.101.53.93
Pid: 31264
Login Time: 2009-05-09T14:06:59
Session Id ttyS0_1_3532:
Fabric Id: A
Term: ttyS0
User: jeff
Host: console
Pid: 3532
Login Time: 2009-05-02T15:11:08
Session Id web_25277_A:
Fabric Id: A
Term: web_25277
User: faye
Host: 192.168.100.112
Pid: 3518
Login Time: 2009-05-15T22:11:25
Feedback