- Preface
-
- Configuring the Fabric Interconnects
- Configuring Ports and Port Channels
- Configuring Communication Services
- Configuring Authentication
- Configuring Organizations
- Configuring Role-Based Access Control
- Configuring DNS Servers
- Configuring System-Related Policies
- Managing Licenses
- Managing Virtual Interfaces
- Registering Cisco UCS Domains with Cisco UCS Central
- Index
- Role-Based Access Control
- User Accounts for Cisco UCS
- User Roles
- User Locales
- Configuring User Roles
- Configuring Locales
- Configuring Locally Authenticated User Accounts
- Creating a User Account
- Enabling the Password Strength Check for Locally Authenticated Users
- Setting the Web Session Limits for Cisco UCS Manager GUI Users
- Changing the Locales Assigned to a Locally Authenticated User Account
- Changing the Roles Assigned to a Locally Authenticated User Account
- Enabling a User Account
- Disabling a User Account
- Clearing the Password History for a Locally Authenticated User
- Deleting a Locally Authenticated User Account
- Password Profile for Locally Authenticated Users
- Monitoring User Sessions
Configuring Role-Based Access Control
This chapter includes the following sections:
- Role-Based Access Control
- User Accounts for Cisco UCS
- User Roles
- User Locales
- Configuring User Roles
- Configuring Locales
- Configuring Locally Authenticated User Accounts
- Password Profile for Locally Authenticated Users
- Monitoring User Sessions
Role-Based Access Control
Role-Based Access Control (RBAC) is a method of restricting or authorizing system access for users based on user roles and locales. A role defines the privileges of a user in the system and the locale defines the organizations (domains) that a user is allowed access. Because users are not directly assigned privileges, management of individual user privileges is simply a matter of assigning the appropriate roles and locales.
A user is granted write access to desired system resources only if the assigned role grants the access privileges and the assigned locale allows access. For example, a user with the Server Administrator role in the Engineering organization could update server configurations in the Engineering organization but could not update server configurations in the Finance organization unless the locales assigned to the user include the Finance organization.
User Accounts for Cisco UCS
User accounts are used to access the system. Up to 48 local user accounts can be configured in each Cisco UCS Manager domain. Each user account must have a unique username and password.
A user account can be set with an SSH public key. The public key can be set in either of the two formats: OpenSSH or SECSH.
Admin Account
Each Cisco UCS domain has an admin account. The admin account is a default user account and cannot be modified or deleted. This account is the system administrator or superuser account and has full privileges. There is no default password assigned to the admin account; you must choose the password during the initial system setup.
The admin account is always active and does not expire. You cannot configure the admin account as inactive.
Locally Authenticated User Accounts
A locally authenticated user account is authenticated directly through the fabric interconnect and can be enabled or disabled by anyone with admin or aaa privileges. Once a local user account is disabled, the user cannot log in. Configuration details for disabled local user accounts are not deleted by the database. If you re-enable a disabled local user account, the account becomes active again with the existing configuration, including username and password.
Remotely Authenticated User Accounts
A remotely authenticated user account is any user account that is authenticated through LDAP, RADIUS, or TACACS+.
If a user maintains a local user account and a remote user account simultaneously, the roles defined in the local user account override those maintained in the remote user account.
Expiration of User Accounts
User accounts can be configured to expire at a predefined time. When the expiration time is reached, the user account is disabled.
By default, user accounts do not expire.
Note | After you configure a user account with an expiration date, you cannot reconfigure the account to not expire. You can, however, configure the account with the latest expiration date available. |
- Guidelines for Cisco UCS Usernames
- Reserved Words: Locally Authenticated User Accounts
- Guidelines for Cisco UCS Passwords
- Web Session Limits for User Accounts
Guidelines for Cisco UCS Usernames
The username is also used as the login ID for Cisco UCS Manager. When you assign login IDs to Cisco UCS user accounts, consider the following guidelines and restrictions:
-
The login ID can contain between 1 and 32 characters, including the following:
The login ID must be unique within Cisco UCS Manager.
-
The login ID must start with an alphabetic character. It cannot start with a number or a special character, such as an underscore.
The login ID is case-sensitive.
You cannot create an all-numeric login ID.
After you create a user account, you cannot change the login ID. You must delete the user account and create a new one.
Reserved Words: Locally Authenticated User Accounts
The following words cannot be used when creating a local user account in Cisco UCS.
Guidelines for Cisco UCS Passwords
A password is required for each locally authenticated user account. A user with admin or aaa privileges can configure Cisco UCS Manager to perform a password strength check on user passwords. If the password strength check is enabled, each user must have a strong password.
Cisco recommends that each user have a strong password. If you enable the password strength check for locally authenticated users, Cisco UCS Manager rejects any password that does not meet the following requirements:
-
Must contain a minimum of 8 characters and a maximum of 80 characters.
-
Must contain at least three of the following:
-
Must not contain a character that is repeated more than 3 times consecutively, such as aaabbb.
-
Must not be identical to the username or the reverse of the username.
-
Must pass a password dictionary check. For example, the password must not be based on a standard dictionary word.
-
Must not contain the following symbols: $ (dollar sign), ? (question mark), and = (equals sign).
-
Should not be blank for local user and admin accounts.
Web Session Limits for User Accounts
Web session limits are used by Cisco UCS Manager to restrict the number of web sessions (both GUI and XML) a given user account is permitted to access at any one time.
Each Cisco UCS Manager domain supports a maximum of 32 concurrent web sessions per user and 256 total user sessions. By default, the number of concurrent web sessions allowed by Cisco UCS Manager is set to 32 per user, but this value can be configured up to the system maximum of 256.
User Roles
User roles contain one or more privileges that define the operations that are allowed for a user. One or more roles can be assigned to each user. Users with multiple roles have the combined privileges of all assigned roles. For example, if Role1 has storage-related privileges, and Role2 has server-related privileges, users with Role1 and Role2 have both storage-related and server-related privileges.
A Cisco UCS domain can contain up to 48 user roles, including the default user roles. Any user roles configured after the first 48 will be accepted, but will be inactive with faults raised.
All roles include read access to all configuration settings in the Cisco UCS domain. Users with read-only roles cannot modify the system state.
Roles can be created, modified to add new or remove existing privileges, or deleted. When a role is modified, the new privileges are applied to all users that have that role. Privilege assignment is not restricted to the privileges defined for the default roles. That is, you can use a custom set of privileges to create a unique role. For example, the default Server Administrator and Storage Administrator roles have a different set of privileges, but a new Server and Storage Administrator role can be created that combines the privileges of both roles.
If a role is deleted after it has been assigned to users, it is also deleted from those user accounts.
User profiles on AAA servers (RADIUS or TACACS+) should be modified to add the roles corresponding to the privileges granted to that user. The attribute is used to store the role information. The AAA servers return this attribute with the request and parse it to get the roles. LDAP servers return the roles in the user profile attributes.
Note | If a local user account and a remote user account have the same username, any roles assigned to the remote user are overridden by those assigned to the local user. |
Default User Roles
The system contains the following default user roles:
- AAA Administrator
-
Read-and-write access to users, roles, and AAA configuration. Read access to the rest of the system.
- Administrator
-
Complete read-and-write access to the entire system. The default admin account is assigned this role by default and it cannot be changed.
- Facility Manager
-
Read-and-write access to power management operations through the power-mgmt privilege. Read access to the rest of the system.
- Network Administrator
-
Read-and-write access to fabric interconnect infrastructure and network security operations. Read access to the rest of the system.
- Operations
-
Read-and-write access to systems logs, including the syslog servers, and faults. Read access to the rest of the system.
- Read-Only
-
Read-only access to system configuration with no privileges to modify the system state.
- Server Compute
Read and write access to most aspects of service profiles. However the user cannot create, modify or delete vNICs or vHBAs.
- Server Equipment Administrator
-
Read-and-write access to physical server related operations. Read access to the rest of the system.
- Server Profile Administrator
-
Read-and-write access to logical server related operations. Read access to the rest of the system.
- Server Security Administrator
-
Read-and-write access to server security related operations. Read access to the rest of the system.
- Storage Administrator
-
Read-and-write access to storage operations. Read access to the rest of the system.
Reserved Words: User Roles
The following words cannot be used when creating custom roles in Cisco UCS.
Privileges
Privileges give users assigned to user roles access to specific system resources and permission to perform specific tasks. The following table lists each privilege and the user role given that privilege by default.
Tip | Detailed information about these privileges and the tasks that they enable users to perform is available in Privileges in Cisco UCS available at the following URL: http://www.cisco.com/en/US/products/ps10281/prod_technical_reference_list.html. |
Privilege |
Description |
Default Role Assignment |
---|---|---|
aaa |
System security and AAA |
AAA Administrator |
admin |
System administration |
Administrator |
ext-lan-config |
External LAN configuration |
Network Administrator |
ext-lan-policy |
External LAN policy |
Network Administrator |
ext-lan-qos |
External LAN QoS |
Network Administrator |
ext-lan-security |
External LAN security |
Network Administrator |
ext-san-config |
External SAN configuration |
Storage Administrator |
ext-san-policy |
External SAN policy |
Storage Administrator |
ext-san-qos |
External SAN QoS |
Storage Administrator |
ext-san-security |
External SAN security |
Storage Administrator |
fault |
Alarms and alarm policies |
Operations |
operations |
Logs and Smart Call Home |
Operations |
org-management |
Organization management |
Operations |
pod-config |
Pod configuration |
Network Administrator |
pod-policy |
Pod policy |
Network Administrator |
pod-qos |
Pod QoS |
Network Administrator |
pod-security |
Pod security |
Network Administrator |
power-mgmt |
Read-and-write access to power management operations |
Facility Manager |
read-only |
Read-only access Read-only cannot be selected as a privilege; it is assigned to every user role. |
Read-Only |
server-equipment |
Server hardware management |
Server Equipment Administrator |
server-maintenance |
Server maintenance |
Server Equipment Administrator |
server-policy |
Server policy |
Server Equipment Administrator |
server-security |
Server security |
Server Security Administrator |
service-profile-compute |
Service profile compute |
Server Compute Administrator |
service-profile-config |
Service profile configuration |
Server Profile Administrator |
service-profile-config-policy |
Service profile configuration policy |
Server Profile Administrator |
service-profile-ext-access |
Service profile end point access |
Server Profile Administrator |
service-profile-network |
Service profile network |
Network Administrator |
service-profile-network-policy |
Service profile network policy |
Network Administrator |
service-profile-qos |
Service profile QoS |
Network Administrator |
service-profile-qos-policy |
Service profile QoS policy |
Network Administrator |
service-profile-security |
Service profile security |
Server Security Administrator |
service-profile-security-policy |
Service profile security policy |
Server Security Administrator |
service-profile-server |
Service profile server management |
Server Profile Administrator |
service-profile-server-oper |
Service profile consumer |
Server Profile Administrator |
service-profile-server-policy |
Service profile pool policy |
Server Security Administrator |
service-profile-storage |
Service profile storage |
Storage Administrator |
service-profile-storage-policy |
Service profile storage policy |
Storage Administrator |
User Locales
A user can be assigned one or more locales. Each locale defines one or more organizations (domains) the user is allowed access, and access would be limited to the organizations specified in the locale. One exception to this rule is a locale without any organizations, which gives unrestricted access to system resources in all organizations.
A Cisco UCS domain can contain up to 48 user locales. Any user locales configured after the first 48 will be accepted, but will be inactive with faults raised.
Users with admin or aaa privileges can assign organizations to the locale of other users. The assignment of organizations is restricted to only those in the locale of the user assigning the organizations. For example, if a locale contains only the Engineering organization then a user assigned that locale can only assign the Engineering organization to other users.
Note | You cannot assign a locale to users with one or more of the following privileges: |
You can hierarchically manage organizations. A user that is assigned at a top level organization has automatic access to all organizations under it. For example, an Engineering organization can contain a Software Engineering organization and a Hardware Engineering organization. A locale containing only the Software Engineering organization has access to system resources only within that organization; however, a locale that contains the Engineering organization has access to the resources for both the Software Engineering and Hardware Engineering organizations.
Configuring User Roles
Creating a User Role
Adding Privileges to a User Role
Removing Privileges from a User Role
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | On the Admin tab, expand . |
Step 3 | Expand the Roles node. |
Step 4 | Choose the role from which you want to remove privileges. |
Step 5 | In the General tab, uncheck the boxes for the privileges you want to remove from the role. |
Step 6 | Click Save Changes. |
Deleting a User Role
When you delete a user role, Cisco UCS Manager removes that role from all user accounts to which the role has been assigned.
Configuring Locales
Creating a Locale
One or more organizations must exist before you create a locale.
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | On the Admin tab, expand . |
Step 3 | Right-click Locales and choose Create a Locale. |
Step 4 | In the
Create Locale page, do the following:
|
Step 5 | In the
Assign Organizations dialog box, do the following:
|
Step 6 | Click Finish. |
What to Do Next
Add the locale to one or more user accounts. For more information, see Changing the Locales Assigned to a Locally Authenticated User Account.
Assigning an Organization to a Locale
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | On the Admin tab, expand . |
Step 3 | Expand the Locales node and click the locale to which you want to add an organization. |
Step 4 | In the Work pane, click the General tab. |
Step 5 | In the Organizations area, click + on the table icon bar. |
Step 6 | In the
Assign Organizations dialog box, do the following:
|
Step 7 | Click OK. |
Deleting an Organization from a Locale
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | On the Admin tab, expand . |
Step 3 | Expand the Locales node and click the locale from which you want to delete an organization. |
Step 4 | In the Work pane, click the General tab. |
Step 5 | In the Organizations area, right-click the organization that you want to delete from the locale and choose Delete. |
Step 6 | Click Save Changes. |
Deleting a Locale
Configuring Locally Authenticated User Accounts
Creating a User Account
At a minimum, we recommend that you create the following users:
Note | After you create the user account, if you make any changes to any of the user account fields from the Cisco UCS Manager GUI, make sure to enter the password again. |
Perform the following tasks, if the system includes any of the following:
-
Remote authentication services, ensure the users exist in the remote authentication server with the appropriate roles and privileges.
-
Multi-tenancy with organizations, create one or more locales. If you do not have any locales, all users are created in root and are assigned roles and privileges in all organizations.
-
SSH authentication, obtain the SSH key.
Step 1 | In the Navigation pane, click the Admin tab. | ||||||||||||||||||||||||||
Step 2 | On the Admin tab, expand . | ||||||||||||||||||||||||||
Step 3 | Right-click
User Services and choose
Create User to open the
User Properties dialog box.
You can also right-click Locally Authenticated Users to access that option. | ||||||||||||||||||||||||||
Step 4 | Complete the following fields with the required information about
the user:
| ||||||||||||||||||||||||||
Step 5 | In the
Roles area, check one or more boxes to assign
roles and privileges to the user account.
| ||||||||||||||||||||||||||
Step 6 | (Optional)If the system includes organizations, check one or more check boxes in the Locales area to assign the user to the appropriate locales. | ||||||||||||||||||||||||||
Step 7 | In the
SSH area, complete the following fields: | ||||||||||||||||||||||||||
Step 8 | Click OK. |
Enabling the Password Strength Check for Locally Authenticated Users
You must be a user with admin or aaa privileges to enable the password strength check. If the password strength check is enabled, Cisco UCS Manager does not permit a user to choose a password that does not meet the guidelines for a strong password.
Setting the Web Session Limits for Cisco UCS Manager GUI Users
Step 1 | In the Navigation pane, click the Admin tab. | ||||||
Step 2 | On the Admin tab, expand . | ||||||
Step 3 | Click the Communication Services tab. | ||||||
Step 4 |
In the Web Session Limits area, complete the following fields:
| ||||||
Step 5 | Click Save Changes. |
Changing the Locales Assigned to a Locally Authenticated User Account
Note | Do not assign locales to users with an admin or aaa role. |
Changing the Roles Assigned to a Locally Authenticated User Account
Changes in user roles and privileges do not take effect until the next time the user logs in. If a user is logged in when you assign a new role to or remove an existing role from a user account, the active session continues with the previous roles and privileges.
Enabling a User Account
You must be a user with admin or aaa privileges to enable or disable a local user account.
Create a local user account.
Disabling a User Account
You must be a user with admin or aaa privileges to enable or disable a local user account.
Note | If you change the password on a disabled account through the Cisco UCS Manager GUI, the user cannot use this changed password after you enable the account and make it active. The user must enter the required password again after the account is enabled and made active. |
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | On the Admin tab, expand . |
Step 3 | Click the user that you want to disable. |
Step 4 | In the Work pane, click the General tab. |
Step 5 | In the Account Status field, click the inactive radio button. The admin user account is always set to active. It cannot be modified. |
Step 6 | Click Save Changes. |
Clearing the Password History for a Locally Authenticated User
Deleting a Locally Authenticated User Account
Password Profile for Locally Authenticated Users
The password profile contains the password history and password change interval properties for all locally authenticated users of Cisco UCS Manager. You cannot specify a different password profile for each locally authenticated user.
Note | You must have admin or aaa privileges to change the password profile properties. Except for password history, these properties do not apply to users with admin or aaa privileges. |
Password History Count
The password history count allows you to prevent locally authenticated users from reusing the same password over and over again. When this property is configured, Cisco UCS Manager stores passwords that were previously used by locally authenticated users up to a maximum of 15 passwords. The passwords are stored in reverse chronological order with the most recent password first to ensure that the only the oldest password can be reused when the history count threshold is reached.
A user must create and use the number of passwords configured in the password history count before being able to reuse one. For example, if you set the password history count to 8, a locally authenticated user cannot reuse the first password until after the ninth password has expired.
By default, the password history is set to 0. This value disables the history count and allows users to reuse previously passwords at any time.
If necessary, you can clear the password history count for a locally authenticated user and enable reuse of previous passwords.
Password Change Interval
The password change interval enables you to restrict the number of password changes a locally authenticated user can make within a given number of hours. The following table describes the two configuration options for the password change interval.
Interval Configuration | Description | Example |
---|---|---|
No password change allowed |
This option does not allow passwords for locally authenticated users to be changed within a specified number of hours after a password change. You can specify a no change interval between 1 and 745 hours. By default, the no change interval is 24 hours. |
For example, to prevent passwords from being changed within 48 hours after a locally authenticated user changes his or her password, set the following: |
Password changes allowed within change interval |
This option specifies the maximum number of times that passwords for locally authenticated users can be changed within a pre-defined interval. You can specify a change interval between 1 and 745 hours and a maximum number of password changes between 0 and 10. By default, a locally authenticated user is permitted a maximum of 2 password changes within a 48 hour interval. |
For example, to allow to be changed a maximum of once within 24 hours after a locally authenticated user changes his or her password, set the following: |
- Configuring the Maximum Number of Password Changes for a Change Interval
- Configuring a No Change Interval for Passwords
- Configuring the Password History Count
Configuring the Maximum Number of Password Changes for a Change Interval
You must have admin or aaa privileges to change the password profile properties. Except for password history, these properties do not apply to users with admin or aaa privileges.
Configuring a No Change Interval for Passwords
You must have admin or aaa privileges to change the password profile properties. Except for password history, these properties do not apply to users with admin or aaa privileges.
Configuring the Password History Count
You must have admin or aaa privileges to change the password profile properties.
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | On the Admin tab, expand . |
Step 3 | Click the Locally Authenticated Users node. |
Step 4 | In the Password Profile area, enter the number of unique passwords that a locally authenticated user must create before that user can reuse a previously used password in the History Count field. This value can be anywhere from 0 to 15. By default, the History Count field is set to 0, which disables the history count and allows users to reuse previously used passwords at any time. |
Step 5 | Click Save Changes. |
Monitoring User Sessions
You can monitor Cisco UCS Manager sessions for both locally authenticated users and remotely authenticated users, whether they logged in through the CLI or the GUI.
Step 1 | In the Navigation pane, click the Admin tab. | ||||||||||||||||||||
Step 2 | In the Admin tab, expand . | ||||||||||||||||||||
Step 3 | Click the User Services node. | ||||||||||||||||||||
Step 4 | In the
Work pane, click the
Sessions tab.
The tab displays the following details of user sessions:
|