- Cisco UCS Central User Accounts
- Guidelines for Creating Usernames
- Reserved Words: Locally Authenticated User Accounts
- Creating a Locally Authenticated User Account
- Deleting a Locally Authenticated User Account
- Enabling the Password Strength Check for Locally Authenticated Users
- Clearing the Password History for a Locally Authenticated User
- Enabling or Disabling a User Account
- Web Session Limits for User Accounts
- Monitoring User Sessions
- Guidelines for Creating Passwords
- Configuring User Locales
- User Locales
- Creating a User Locale
- Deleting a User Locale
- Assigning a Locale to a User Account
- Removing a Locale from a User Account
- Assigning an Organization to a User Locale
- Deleting an Organization from a User Locale
- Assigning a Domain Group to a User Locale
- Deleting a Domain Group from a User Locale
- Configuring User Domain Groups
- Configuring User Organizations
Users and
Roles
Cisco UCS Central User Accounts
Access the system with user accounts. You can configure up to 128 user accounts in each Cisco UCS Central domain. Each user account must have a unique username and password.
You can setup a user account with an SSH public key, in either of the two formats: OpenSSH or SECSH.
Admin Account
The Cisco UCS Central admin account is the default user account. You cannot modify or delete it. This account is the system administrator, or superuser account, and has full privileges. There is no default password assigned to the admin account. You must choose the password during the initial system setup.
The admin account is always active and does not expire. You cannot configure the admin account as inactive.
The local admin user can login for fail over, even when authentication is set to remote.
Locally Authenticated User Accounts
A locally authenticated user account is authenticated through the Cisco UCS Central user database. Anyone with admin or aaa privileges can enable or disable it. Once you disable a local user account, the user cannot log in.
 Note | Cisco UCS Central does not delete configuration details for disabled local user accounts from the database. If you re-enable a disabled local user account, the account becomes active again with the existing configuration, including username and password. |
Remotely Authenticated User Accounts
A remotely authenticated user account is any Cisco UCS Central user account that is authenticated through LDAP. Cisco UCS domains support LDAP, RADIUS and TACACS+.
If a user maintains a local user account and a remote user account simultaneously, the roles defined in the local user account override those maintained in the remote user account.
Expiration of User Accounts
You can configure user accounts to expire at a predefined time. When the user account reaches the expiration time, the account disables.
By default, user accounts do not expire.
Note | After you configure a user account with an expiration date, you cannot reconfigure the account to not expire. You can, however, configure the account to expire with the farthest expiration date available. |
- Guidelines for Creating Usernames
- Reserved Words: Locally Authenticated User Accounts
- Creating a Locally Authenticated User Account
- Deleting a Locally Authenticated User Account
- Enabling the Password Strength Check for Locally Authenticated Users
- Clearing the Password History for a Locally Authenticated User
- Enabling or Disabling a User Account
- Web Session Limits for User Accounts
- Monitoring User Sessions
Guidelines for Creating Usernames
The username is also used as the login ID for Cisco UCS Central. When you assign login IDs to Cisco UCS Central user accounts, consider the following guidelines and restrictions:
-
The login ID can contain between 1 and 32 characters, including the following:
-
The login ID must be unique within Cisco UCS Central.
-
The login ID must start with an alphabetic character. It cannot start with a number or a special character, such as an underscore.
-
The login ID is case-sensitive.
-
You cannot create an all-numeric login ID.
-
After you create a user account, you cannot change the login ID. You must delete the user account and create a new one.
Reserved Words: Locally Authenticated User Accounts
You cannot use the following words when creating a local user account in Cisco UCS.
Creating a Locally Authenticated User Account
At a minimum, Cisco recommends that you create the following users:
Perform the following tasks, if the system includes any of the following:
-
Remote authentication services—Ensures that the users exist in the remote authentication server with the appropriate roles and privileges.
-
Multitenancy with organizations—Creates one or more locales. If you do not have any locales, all users are created in root and are assigned roles and privileges in all organizations.
-
SSH authentication—Obtains the SSH key.
UCSC # connect policy-mgr UCSC(policy-mgr)# scope org / UCSC(policy-mgr) /org # scope device-profile UCSC(policy-mgr) /org/device-profile # scope security UCSC(policy-mgr) /org/device-profile/security # create local-user kikipopo UCSC(policy-mgr) /org/device-profile/security/local-user* # set account-status active UCSC(policy-mgr) /org/device-profile/security/local-user* # set password Enter a password: Confirm the password: UCSC(policy-mgr) /org/device-profile/security/local-user* # commit-buffer UCSC(policy-mgr) /org/device-profile/security/local-user #
UCSC # connect policy-mgr UCSC(policy-mgr)# scope org / UCSC(policy-mgr) /org # scope device-profile UCSC(policy-mgr) /org/device-profile # scope security UCSC(policy-mgr) /org/device-profile/security # create local-user lincey UCSC(policy-mgr) /org/device-profile/security/local-user* # set account-status active UCSC(policy-mgr) /org/device-profile/security/local-user* # set sshkey "ssh-rsa AAAAB3NzaC1yc2EAAAA BIwAAAIEAuo9VQ2CmWBI9/S1f30klCWjnV3lgdXMzO0WUl5iPw85lkdQqap+NFuNmHcb4KiaQB8X/PDdmtlxQQcawclj+k8f4 VcOelBxlsGk5luq5ls1ob1VOIEwcKEL/h5lrdbNlI8y3SS9I/gGiBZ9ARlop9LDpDm8HPh2LOgyH7Ei1MI8=" UCSC(policy-mgr) /org/device-profile/security/local-user* # commit-buffer UCSC(policy-mgr) /org/device-profile/security/local-user #
UCSC # connect policy-mgr UCSC(policy-mgr)# scope org / UCSC(policy-mgr) /org # scope device-profile UCSC(policy-mgr) /org/device-profile # scope security UCSC(policy-mgr) /org/device-profile/security # create local-user hpotter UCSC(policy-mgr) /org/device-profile/security/local-user* # set account-status active UCSC(policy-mgr) /org/device-profile/security/local-user* # set sshkey Enter lines one at a time. Enter ENDOFBUF to finish. Press ^C to abort. User's SSH key: > ---- BEGIN SSH2 PUBLIC KEY ---- > AAAAB3NzaC1yc2EAAAABIwAAAIEAuo9VQ2CmWBI9/S1f30klCWjnV3lgdXMzO0WUl5iPw8 > 5lkdQqap+NFuNmHcb4KiaQB8X/PDdmtlxQQcawclj+k8f4VcOelBxlsGk5luq5ls1ob1VO > IEwcKEL/h5lrdbNlI8y3SS9I/gGiBZ9ARlop9LDpDm8HPh2LOgyH7Ei1MI8= > ---- END SSH2 PUBLIC KEY ---- > ENDOFBUF UCSC(policy-mgr) /org/device-profile/security/local-user* # commit-buffer UCSC(policy-mgr) /org/device-profile/security/local-user #
Deleting a Locally Authenticated User Account
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | UCSC# connect policy-mgr |
Enters policy manager mode. |
| Step 2 | UCSC(policy-mgr)# scope org / |
Enters the organization root. |
| Step 3 | UCSC(policy-mgr) /org # scope device-profile |
Enters device profile mode for the specified organization. |
| Step 4 | UCSC(policy-mgr) /org/device-profile # scope security |
Enters security mode. |
| Step 5 | UCSC(policy-mgr) /org/device-profile/security # delete local-user local-user-name |
Deletes the local-user account. |
| Step 6 | UCSC(policy-mgr) /org/device-profile/security* # commit-buffer |
Commits the transaction to the system configuration. |
UCSC # connect policy-mgr UCSC(policy-mgr)# scope org UCSC(policy-mgr)/org# scope device-profile UCSC(policy-mgr) /org/device-profile # scope security UCSC(policy-mgr) /org/device-profile/security # delete local-user foo UCSC(policy-mgr) /org/device-profile/security* # commit-buffer UCSC(policy-mgr) /org/device-profile/security #
Enabling the Password Strength Check for Locally Authenticated Users
You must have privileges to enable the password strength check. If enabled, does not permit a user to choose a password that does not meet the guidelines for a strong password.
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | UCSC# connect policy-mgr |
Enters policy manager mode. |
| Step 2 | UCSC(policy-mgr)# scope org / |
Enters the organization root. |
| Step 3 | UCSC(policy-mgr) /org # scope device-profile |
Enters device profile mode for the specified organization. |
| Step 4 | UCSC(policy-mgr) /org/device-profile # scope security |
Enters security mode. |
| Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope password-profile. |
Specifies whether the password strength check is enabled or disabled. |
| Step 6 | UCSC(policy-mgr) /org/device-profile/security/password-profile # set enforce-strong-password {yes | no} |
Specifies whether the password strength check is enabled or disabled. |
| Step 7 | UCSC(policy-mgr) /org/device-profile/security/password-profile* # commit-buffer |
Commits the transaction. |
UCSC # connect policy-mgr UCSC(policy-mgr)# scope org / UCSC(policy-mgr) /org # scope device-profile UCSC(policy-mgr) /org/device-profile # scope security UCSC(policy-mgr) /org/device-profile/security # scope password-profile UCSC(policy-mgr) /org/device-profile/security/password-profile # set enforce-strong-password yes UCSC(policy-mgr) /org/device-profile/security/password-profile # commit-buffer
Clearing the Password History for a Locally Authenticated User
You must have admin, aaa, or org/device-profile-management privileges to change the password profile properties.
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | UCSC# connect policy-mgr |
Enters policy manager mode. |
| Step 2 | UCSC(policy-mgr)# scope org / |
Enters the organization root. |
| Step 3 | UCSC(policy-mgr) /org # scope device-profile |
Enters device profile mode for the specified organization. |
| Step 4 | UCSC(policy-mgr) /org/device-profile # scope security |
Enters security mode. |
| Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope local-user local-user-name |
Commits the transaction. |
| Step 6 | UCSC(policy-mgr) /org/device-profile/security/local-user # scope password-profile |
Enters password profile security mode. |
| Step 7 | UCSC(policy-mgr) /org/device-profile/security/password-profile # set history-count 0 |
Setting the History Count field to 0 (the default setting) disables the history count and allows users to reuse previously used passwords at any time. |
| Step 8 | UCSC(policy-mgr) /org/device-profile/security/password-profile # commit-buffer |
Commits the transaction to the system configuration. |
UCSC # connect policy-mgr UCSC(policy-mgr)# scope org / UCSC(policy-mgr) /org # scope device-profile UCSC(policy-mgr) /org/device-profile # scope security UCSC(policy-mgr) /org/device-profile/security # scope local-user kikipopo UCSC(policy-mgr) /org/device-profile/security/local-user # scope password-profile UCSC(policy-mgr) /org/device-profile/security/password-profile # set history-count 0 UCSC(policy-mgr) /org/device-profile/security/password-profile* # commit-buffer UCSC(policy-mgr) /org/device-profile/security/password-profile #
Enabling or Disabling a User Account
You must have privileges to enable or disable a local user account.
Create a local user account.
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step 1 | UCSC# connect policy-mgr |
Enters policy manager mode. | ||
| Step 2 | UCSC(policy-mgr)# scope org |
Enters the organization root. | ||
| Step 3 | UCSC(policy-mgr) /org # scope device-profile |
Enters device profile mode for the specified organization. | ||
| Step 4 | UCSC(policy-mgr) /org/device-profile # scope security |
Enters security mode. | ||
| Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope local-user |
Enters local-user security mode. | ||
| Step 6 | UCSC(policy-mgr) /org/device-profile/security/local-user # set account-status {active | inactive} |
Specifies whether the local user account is enabled or disabled. The admin user account is always set to active. It cannot be modified.
|
UCSC # connect policy-mgr UCSC(policy-mgr)# scope org / UCSC(policy-mgr) /org # scope device-profile UCSC(policy-mgr) /org/device-profile # scope security UCSC(policy-mgr) /org/device-profile/security # scope local-user accounting UCSC(policy-mgr) /org/device-profile/security/local-user # set account-status active UCSC(policy-mgr) /org/device-profile/security/local-user # commit-buffer
Web Session Limits for User Accounts
Cisco UCS Manager uses web session limits to restrict the number of web sessions (both GUI and XML) that a given user account is permitted to access at any one time.
Monitoring User Sessions
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | UCSC# scope system |
Enters system mode. |
| Step 2 | UCSC /system # scope security |
Enters security mode. |
| Step 3 | UCSC /security # show user-sessions {local | remote} [detail] |
Displays session information for all users logged in to the system. An asterisk (*) next to the session ID denotes the current login session. |
The following example lists all of the local users logged in to the system. The asterisk indicates which session is the current login session.
UCSC# scope system UCSC /system # scope security UCSC /security # show user-sessions local Session Id User Host Login Time --------------- --------------- -------------------- ---------- pts_25_1_31264* steve 192.168.100.111 2012-05-09T14:06:59.000 ttyS0_1_3532 jeff console 2012-05-02T15:11:08.000 web_25277_A faye 192.168.100.112 2012-05-15T22:11:25.000
The following example displays detailed information on all local users logged in to the system:
UCSC# scope system
UCSC /system # scope security
UCSC /security # show user-sessions local detail
Session Id pts_25_1_31264:
Fabric Id: A
Term: pts/25
User: steve
Host: 64.101.53.93
Pid: 31264
Login Time: 2012-05-09T14:06:59.000
Session Id ttyS0_1_3532:
Fabric Id: A
Term: ttyS0
User: jeff
Host: console
Pid: 3532
Login Time: 2012-05-02T15:11:08.000
Session Id web_25277_A:
Fabric Id: A
Term: web_25277
User: faye
Host: 192.168.100.112
Pid: 3518
Login Time: 2012-05-15T22:11:25.000
Guidelines for Creating Passwords
Each locally authenticated user account requires a password. Cisco recommends that each user have a strong password. A user with admin, aaa, or domain-group-management privileges can configure Cisco UCS Central to perform a password strength check on user passwords. If you enabled the password strength check, each user must use a strong password.
Cisco UCS Central rejects any password that does not meet the following requirements:
-
Must contain a minimum of 8 characters and a maximum of 80 characters.
-
Must contain at least three of the following:
-
Must not contain a character that is repeated more than 3 times consecutively, such as aaabbb.
-
Must not be identical to the username or the reverse of the username.
-
Must pass a password dictionary check. Meaning, the password must not be based on a standard dictionary word.
-
Must not contain the following symbols: $ (dollar sign), ? (question mark), and = (equals sign).
-
Should not be blank for local user and admin accounts.
- Password Profile for Locally Authenticated Users
- Configuring the Maximum Number of Password Changes for a Change Interval
- Configuring a No Change Interval for Passwords
- Configuring the Password History Count
Password Profile for Locally Authenticated Users
The password profile contains the password history and the password change interval properties for all locally authenticated users of . You cannot specify a different password profile for locally authenticated users.
Password History Count
The password history count prevents locally authenticated users from reusing the same password. When you configure the password history count, stores up to a maximum of 15 previously used passwords. The password history count stores the passwords in reverse chronological order with the most recent password first. This ensures that the user can only reuse the oldest password when the history count reaches its threshold.
A user can create and use the number of passwords configured in the password history count before reusing a password. For example, if you set the password history count to 8, a user cannot reuse the first password until the ninth password expires.
By default, the password history is set to 0. This value disables the history count and allows users to reuse previously used passwords at any time.
You can clear the password history count for a locally authenticated user and enable reuse of previous passwords.
Password Change Interval
The password change interval restricts the number of password changes that a locally authenticated user can make within a specific number of hours. The following table describes the two interval configuration options for the password change interval.
| Interval Configuration | Description | Example |
|---|---|---|
|
No password change allowed |
Does not allow changing passwords for locally authenticated user within a specified number of hours after a password change. You can specify a no change interval between 1 and 745 hours. By default, the no change interval is 24 hours. |
To prevent the user from changing passwords within 48 hours after a password change: |
|
Password changes allowed within change interval |
Specifies the maximum number of times that a locally authenticated user password change can occur within a pre-defined interval. You can specify a change interval between 1 and 745 hours and a maximum number of password changes between 0 and 10. By default, a locally authenticated user is permitted a maximum of two password changes within a 48-hour interval. |
To allow a password change for a maximum of one time within 24 hours after a password change: |
Configuring the Maximum Number of Password Changes for a Change Interval
You must have admin, aaa, or org/device-profile-management privileges to change the password profile properties. Except for password history, these properties do not apply to users with these administrative privileges.
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | UCSC# connect policy-mgr |
Enters policy manager mode. |
| Step 2 | UCSC(policy-mgr)# scope org / |
Enters the organization root. |
| Step 3 | UCSC(policy-mgr) /org # scope device-profile |
Enters device profile mode for the specified organization. |
| Step 4 | UCSC(policy-mgr) /org/device-profile # scope security |
Enters security mode. |
| Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope password-profile |
Enters password profile security mode. |
| Step 6 | UCSC(policy-mgr) /org/device-profile/security/password-profile # set change-during-interval enable |
Restricts the number of password changes a locally authenticated user can make within a given number of hours. |
| Step 7 | UCSC(policy-mgr) /org/device-profile/security/password-profile* # set change-count pass-change-num |
Specifies the maximum number of times a locally authenticated user can change his or her password during the Change Interval. This value can be anywhere from 0 to 10. |
| Step 8 | UCSC(policy-mgr) /org/device-profile/security/password-profile* # set change-interval num-of-hours |
Specifies the maximum number of hours over which the number of password changes specified in the Change Count field are enforced. This value can be anywhere from 1 to 745 hours. For example, if this field is set to 48 and the Change Count field is set to 2, a locally authenticated user can make no more than 2 password changes within a 48 hour period. |
| Step 9 | UCSC(policy-mgr) /org/device-profile/security/password-profile* # commit-buffer |
Commits the transaction to the system configuration. |
UCSC # connect policy-mgr UCSC(policy-mgr)# scope org / UCSC(policy-mgr) /org # scope device-profile UCSC(policy-mgr) /org/device-profile # scope security UCSC(policy-mgr) /org/device-profile/security # scope password-profile UCSC(policy-mgr) /org/device-profile/security/password-profile # set change-during-interval enable UCSC(policy-mgr) /org/device-profile/security/password-profile* # set change-count 5 UCSC(policy-mgr) /org/device-profile/security/password-profile* # set change-interval 72 UCSC(policy-mgr) /org/device-profile/security/password-profile* # commit-buffer UCSC(policy-mgr) /org/device-profile/security/password-profile #
Configuring a No Change Interval for Passwords
You must have admin, aaa, or org/device-profile-management privileges to change the password profile properties. Except for password history, these properties do not apply to users with these administrative privileges.
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | UCSC# connect policy-mgr |
Enters policy manager mode. |
| Step 2 | UCSC(policy-mgr)# scope org / |
Enters the organization root. |
| Step 3 | UCSC(policy-mgr) /org # scope device-profile |
Enters device profile mode for the specified organization. |
| Step 4 | UCSC(policy-mgr) /org/device-profile # scope security |
Enters security mode. |
| Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope password-profile |
Enters password profile security mode. |
| Step 6 | UCSC(policy-mgr) /org/device-profile/security/password-profile # set change-during-interval disable |
Disables the change during interval feature. |
| Step 7 | UCSC(policy-mgr) /org/device-profile/security/password-profile* # set no-change-interval min-num-hours |
Specifies the minimum number of hours that a locally authenticated user must wait before changing a newly created password. This value can be anywhere from 1 to 745 hours. This interval is ignored if the Change During Interval property is set to Disable. |
| Step 8 | UCSC(policy-mgr) /org/device-profile/security/password-profile # commit-buffer |
Commits the transaction to the system configuration. |
UCSC # connect policy-mgr UCSC(policy-mgr)# scope org / UCSC(policy-mgr) /org # scope device-profile UCSC(policy-mgr) /org/device-profile # scope security UCSC(policy-mgr) /org/device-profile/security # scope password-profile UCSC(policy-mgr) /org/device-profile/security/password-profile # set change-during-interval disable UCSC(policy-mgr) /org/device-profile/security/password-profile* # set no-change-interval 72 UCSC(policy-mgr) /org/device-profile/security/password-profile* # commit-buffer UCSC(policy-mgr) /org/device-profile/security/password-profile #
Configuring the Password History Count
You must have admin or aaa privileges to change the password profile properties.
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | UCSC# connect policy-mgr |
Enters policy manager mode. |
| Step 2 | UCSC(policy-mgr)# scope org / |
Enters the organization root. |
| Step 3 | UCSC(policy-mgr) /org # scope device-profile |
Enters device profile mode for the specified organization. |
| Step 4 | UCSC(policy-mgr) /org/device-profile # scope security |
Enters security mode. |
| Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope password-profile |
Enters password profile security mode. |
| Step 6 | UCSC(policy-mgr) /org/device-profile/security/password-profile # set history-count num-of-passwords |
Specifies the number of unique passwords that a locally authenticated user must create before that user can reuse a previously used password This value can be anywhere from 0 to 15. By default, the History Count field is set to 0, which disables the history count and allows users to reuse previously used passwords at any time. |
| Step 7 | UCSC(policy-mgr) /org/device-profile/security/password-profile* # commit-buffer |
Commits the transaction to the system configuration. |
UCSC # connect policy-mgr UCSC(policy-mgr)# scope org / UCSC(policy-mgr) /org # scope device-profile UCSC(policy-mgr) /org/device-profile # scope security UCSC(policy-mgr) /org/device-profile/security # scope password-profile UCSC(policy-mgr) /org/device-profile/security/password-profile # set history-count 5 UCSC(policy-mgr) /org/device-profile/security/password-profile* # commit-buffer UCSC(policy-mgr) /org/device-profile/security/password-profile #
Configuring User Locales
User Locales
You can assign a user to one or more locales. Each locale defines one or more organizations (domains) to which a user can access. Access is usually limited to the organizations specified in the locale. An exception is a locale without any organizations. It provides unrestricted access to system resources in all organizations.
A Cisco UCS domain can contain up to 48 user locales. Any user locales configured after the first 48 are accepted, but are inactive with faults raised.
Users with admin or aaa privileges can assign organizations to the locale of other users. The assignment of organizations is restricted to only those in the locale of the user assigning the organizations. For example, if a locale contains only the Engineering organization, a user assigned to that locale can only assign the Engineering organization to other users.
Note | You cannot assign a locale to users with one or more of the following privileges: |
You can hierarchically manage organizations. A user who is assigned to a top-level organization has automatic access to all organizations below it. For example, an Engineering organization can contain a Software Engineering organization and a Hardware Engineering organization. A locale containing only the Software Engineering organization has access to system resources only within that organization. However, a locale that contains the Engineering organization has access to the resources for both the Software Engineering and Hardware Engineering organizations.
Creating a User Locale
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | UCSC# connect policy-mgr |
Enters policy manager mode. |
| Step 2 | UCSC(policy-mgr)# scope org / |
Enters the organization root. |
| Step 3 | UCSC(policy-mgr) /org # scope device-profile |
Enters device profile mode for the specified organization. |
| Step 4 | UCSC(policy-mgr) /org/device-profile # scope security |
Enters security mode. |
| Step 5 | UCSC(policy-mgr) /org/device-profile/security # create locale name |
Creates the user role and enters security role mode. |
| Step 6 | UCSC(policy-mgr) /org/device-profile/security/locale * # create org-ref org-ref-name orgdn org-root/org-orgdn-name |
References (binds) an organization to the locale. The org-ref-name argument is the name used to identify the organization reference. The orgdn-name argument is the distinguished name of the organization referenced. |
| Step 7 | UCSC(policy-mgr) /org/device-profile/security/locale * # commit-buffer |
Commits the transaction to the system configuration. |
UCSC # connect policy-mgr UCSC(policy-mgr)# scope org / UCSC(policy-mgr) /org # scope device-profile UCSC(policy-mgr) /org/device-profile # scope security UCSC(policy-mgr) /org/device-profile/security # create locale western UCSC(policy-mgr) /org/device-profile/security/locale* # create org-ref finance-ref orgdn org-root/org-finance UCSC(policy-mgr) /org/device-profile/security/locale* # commit-buffer UCSC(policy-mgr) /org/device-profile/security/locale #
Deleting a User Locale
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | UCSC# connect policy-mgr |
Enters policy manager mode. |
| Step 2 | UCSC(policy-mgr)# scope org / |
Enters the organization root. |
| Step 3 | UCSC(policy-mgr) /org # scope device-profile |
Enters device profile mode for the specified organization. |
| Step 4 | UCSC(policy-mgr) /org/device-profile # scope security |
Enters security mode. |
| Step 5 | UCSC(policy-mgr) /org/device-profile/security # delete locale locale-name |
Deletes the locale. |
| Step 6 | UCSC(policy-mgr) /org/device-profile/security # commit-buffer |
Commits the transaction to the system configuration. |
UCSC # connect policy-mgr UCSC(policy-mgr)# scope org / UCSC(policy-mgr) /org # scope device-profile UCSC(policy-mgr) /org/device-profile # scope security UCSC(policy-mgr) /org/device-profile/security # delete locale western UCSC(policy-mgr) /org/device-profile/security* # commit-buffer UCSC(policy-mgr) /org/device-profile/security #
Assigning a Locale to a User Account
Note | Do not assign locales to users with an admin role. |
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step 1 | UCSC# connect policy-mgr |
Enters policy manager mode. | ||
| Step 2 | UCSC(policy-mgr)# scope org / |
Enters the organization root. | ||
| Step 3 | UCSC(policy-mgr) /org # scope device-profile |
Enters device profile mode for the specified organization. | ||
| Step 4 | UCSC(policy-mgr) /org/device-profile # scope security |
Enters security mode. | ||
| Step 5 | UCSC /security # scope local-user local-user-name |
Enters local user security mode for the specified local user account. | ||
| Step 6 | UCSC(policy-mgr) /org/device-profile/security/local-user # create locale locale-name |
Assigns the specified locale to the user account.
| ||
| Step 7 | UCSC(policy-mgr) /org/device-profile/security/local-user # commit-buffer |
Commits the transaction. |
UCSC # connect policy-mgr UCSC(policy-mgr)# scope org / UCSC(policy-mgr) /org # scope device-profile UCSC(policy-mgr) /org/device-profile # scope security UCSC(policy-mgr) /org/device-profile/security/local-user # create locale western UCSC(policy-mgr) /org/device-profile/security/local-user* # commit-buffer UCSC(policy-mgr) /org/device-profile/security/local-user #
Removing a Locale from a User Account
| Command or Action | Purpose | |||
|---|---|---|---|---|
| Step 1 | UCSC# connect policy-mgr |
Enters policy manager mode. | ||
| Step 2 | UCSC(policy-mgr)# scope org / |
Enters the organization root. | ||
| Step 3 | UCSC(policy-mgr) /org # scope device-profile |
Enters device profile mode for the specified organization. | ||
| Step 4 | UCSC(policy-mgr) /org/device-profile # scope security |
Enters security mode. | ||
| Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope local-user local-user-name |
Enters local user security mode for the specified local user account. | ||
| Step 6 | UCSC(policy-mgr) /org/device-profile/security/local-user # delete locale locale-name |
Removes the specified locale from the user account.
| ||
| Step 7 | UCSC(policy-mgr) /org/device-profile/security/local-user* # commit-buffer |
Commits the transaction. |
UCSC # connect policy-mgr UCSC(policy-mgr)# scope org / UCSC(policy-mgr) /org # scope device-profile UCSC(policy-mgr) /org/device-profile # scope security UCSC(policy-mgr) /org/device-profile/security/ # scope local-user UCSC(policy-mgr) /org/device-profile/security/local-user # delete locale western UCSC(policy-mgr) /org/device-profile/security/local-user* # commit-buffer UCSC(policy-mgr) /org/device-profile/security/local-user #
Assigning an Organization to a User Locale
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | UCSC# connect policy-mgr |
Enters policy manager mode. |
| Step 2 | UCSC(policy-mgr)# scope org / |
Enters the organization root. |
| Step 3 | UCSC(policy-mgr) /org # scope device-profile |
Enters device profile mode for the specified organization. |
| Step 4 | UCSC(policy-mgr) /org/device-profile # scope security |
Enters security mode. |
| Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope locale locale-name |
Enters locale security mode. |
| Step 6 | UCSC(policy-mgr) /org/device-profile/security/locale # create org-ref org-ref-name orgdn org-root/org-orgdn-name |
References (binds) an organization to the locale. The org-ref-name argument is the name used to identify the organization reference. The orgdn-name argument is the distinguished name of the organization referenced. |
| Step 7 | UCSC(policy-mgr) /org/device-profile/security/locale * # commit-buffer |
Commits the transaction to the system configuration. |
UCSC # connect policy-mgr UCSC(policy-mgr)# scope org / UCSC(policy-mgr) /org # scope device-profile UCSC(policy-mgr) /org/device-profile # scope security UCSC(policy-mgr) /org/device-profile/security # scope locale western UCSC(policy-mgr) /org/device-profile/security/locale # create org-ref marketing-ref orgdn org-root/org-marketing UCSC(policy-mgr) /org/device-profile/security/locale* # commit-buffer UCSC(policy-mgr) /org/device-profile/security/locale #
Deleting an Organization from a User Locale
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | UCSC# connect policy-mgr |
Enters policy manager mode. |
| Step 2 | UCSC(policy-mgr)# scope org / |
Enters the organization root. |
| Step 3 | UCSC(policy-mgr) /org # scope device-profile |
Enters device profile mode for the specified organization. |
| Step 4 | UCSC(policy-mgr) /org/device-profile # scope security |
Enters security mode. |
| Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope locale locale-name |
Enters security locale mode. |
| Step 6 | UCSC(policy-mgr) /org/device-profile/security/locale # delete org-ref org-ref-name |
Deletes the organization from the locale. |
| Step 7 | UCSC(policy-mgr) /org/device-profile/security/locale # commit-buffer |
Commits the transaction to the system configuration. |
UCSC # connect policy-mgr UCSC(policy-mgr)# scope org / UCSC(policy-mgr) /org # scope device-profile UCSC(policy-mgr) /org/device-profile # scope security UCSC(policy-mgr) /org/device-profile/security # scope locale western UCSC(policy-mgr) /org/device-profile/security/locale # delete org-ref finance-ref UCSC(policy-mgr) /org/device-profile/security/locale* # commit-buffer UCSC(policy-mgr) /org/device-profile/security/locale #
Assigning a Domain Group to a User Locale
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | UCSC# connect policy-mgr |
Enters policy manager mode. |
| Step 2 | UCSC(policy-mgr) #scope org | Enters organization mode for the specified organization. |
| Step 3 | UCSC(policy-mgr) /org #scope device-profile | Enters device profile mode for the specified organization. |
| Step 4 | UCSC(policy-mgr) /org/device-profile #scope security | Enters security mode. |
| Step 5 | UCSC(policy-mgr) /domain-group/security # scope locale locale-name |
Enters security locale mode. |
| Step 6 | UCSC(policy-mgr) /domain-group/security/locale # create domain-group-ref domain-group-ref-name domain-group-dn domaingroup-root-name |
References (binds) a domain group to the locale. The domain-group-ref-name argument (1-16 characters) is the name used to identify the domain group reference. The domain-group-dn-name argument is the distinguished name of the domain group root referenced. |
| Step 7 | UCSC(policy-mgr) /domain-group/security/locale # commit-buffer |
Commits the transaction to the system configuration. |
UCSC # connect policy-mgr UCSC(policy-mgr)# scope org UCSC(policy-mgr) /org # scope device-profile UCSC(policy-mgr) /domain-group # scope security UCSC(policy-mgr) /domain-group/security # scope locale western UCSC(policy-mgr) /domain-group/security/locale # create domain-group-ref marketdomain01 domain-group-dn domaingroup-root/domaingroup-marketing UCSC(policy-mgr) /domain-group/security/locale* # commit-buffer UCSC(policy-mgr) /domain-group/security/locale #
Deleting a Domain Group from a User Locale
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | UCSC# connect policy-mgr |
Enters policy manager mode. |
| Step 2 | UCSC(policy-mgr) #scope org | Enters organization mode for the specified organization. |
| Step 3 | UCSC(policy-mgr) /org #scope device-profile | Enters device profile mode for the specified organization. |
| Step 4 | UCSC(policy-mgr) /org/device-profile #scope security | Enters security mode. |
| Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope locale locale-name |
Enters security locale mode. |
| Step 6 | UCSC(policy-mgr) /org/device-profile/security/locale # delete domain-group-ref domain-group-ref-name |
Deletes references (unbinds) domain groups referenced to the locale. The domaingroup-ref argument (1-16 characters) is the name used to identify the domain group reference. |
| Step 7 | UCSC(policy-mgr) /org/device-profile/security/locale * # commit-buffer |
Commits the transaction to the system configuration. |
UCSC # connect policy-mgr UCSC(policy-mgr)# scope org UCSC(policy-mgr) /org # scope device-profile UCSC(policy-mgr) /org/device-profile # scope security UCSC(policy-mgr) /org/device-profile/security # scope locale western UCSC(policy-mgr) /org/device-profile/security/locale # delete domain-group-ref marketdomain01 UCSC(policy-mgr) /org/device-profile/security/locale* # commit-buffer UCSC(policy-mgr) /org/device-profile/security/locale #
Configuring User Domain Groups
Creating a User Domain Group
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | UCSC# connect policy-mgr |
Enters policy manager mode. |
| Step 2 | UCSC(policy-mgr) # scope domain-group domain-group |
Enters domain group root mode and (optionally) enters a sub-domain group under the domain group root. To enter the domain group root mode, type / as the domain-group. |
| Step 3 | UCSC(policy-mgr) /domain-group # create domain-group name |
Creates the domain group. |
| Step 4 | UCSC(policy-mgr) /domain-group * # commit-buffer |
Commits the transaction to the system configuration. |
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group UCSC(policy-mgr) /domain-group # create domain-group central-audit UCSC(policy-mgr) /domain-group* # commit-buffer UCSC(policy-mgr) /domain-group #
Deleting a User Domain Group
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | UCSC# connect policy-mgr |
Enters policy manager mode. |
| Step 2 | UCSC(policy-mgr) # scope domain-group domain-group |
Enters domain group root mode and (optionally) enters a sub-domain group under the domain group root. To enter the domain group root mode, type / as the domain-group. |
| Step 3 | UCSC(policy-mgr) /domain-group # delete domain-group name |
Deletes the domain group. |
| Step 4 | UCSC(policy-mgr) /domain-group * # commit-buffer |
Commits the transaction to the system configuration. |
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group UCSC(policy-mgr) /domain-group # delete domain-group central-audit UCSC(policy-mgr) /domain-group* # commit-buffer UCSC(policy-mgr) /domain-group #
Configuring User Organizations
User Organizations
A user can create one or more organizations. Each organization defines sub-organizations, faults, events, UUID suffix pools and blocks of UUIDs.
Cisco UCS organizations are hierarchically managed by users. A user that is assigned at the root level organization has automatic access to all organizations and domain groups under it.
Creating a User Organization
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | UCSC# connect policy-mgr |
Enters policy manager mode. |
| Step 2 | UCSC(policy-mgr) # scope org org-name |
Enters organization mode for the specified organization. To enter the root organization mode, type / as the org-name. |
| Step 3 | UCSC(policy-mgr) /org # create org name |
Creates the organization. |
| Step 4 | UCSC(policy-mgr) /org * # commit-buffer |
Commits the transaction to the system configuration. |
UCSC # connect policy-mgr UCSC(policy-mgr)# scope org / UCSC(policy-mgr) /org # create org central-audit UCSC(policy-mgr) /org* # commit-buffer UCSC(policy-mgr) /org #
Deleting a User Organization
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | UCSC# connect policy-mgr |
Enters policy manager mode. |
| Step 2 | UCSC(policy-mgr) # scope org org-name |
Enters organization mode for the specified organization. To enter the root organization mode, type / as the org-name. |
| Step 3 | UCSC(policy-mgr) /org # delete org name |
Deletes the organization. |
| Step 4 | UCSC(policy-mgr) /org * # commit-buffer |
Commits the transaction to the system configuration. |
UCSC # connect policy-mgr UCSC(policy-mgr)# scope org / UCSC(policy-mgr) /org # delete org central-audit UCSC(policy-mgr) /org* # commit-buffer UCSC(policy-mgr) /org #
Creating a User Sub-Organization
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | UCSC# connect policy-mgr |
Enters policy manager mode. |
| Step 2 | UCSC(policy-mgr) # scope org org-name |
Enters organization mode for the specified organization. To enter the root organization mode, type / as the org-name. |
| Step 3 | UCSC(policy-mgr) /org # create org name |
Creates the sub-organization under the organization scoped. |
| Step 4 | UCSC(policy-mgr) /org * # commit-buffer |
Commits the transaction to the system configuration. |
UCSC # connect policy-mgr UCSC(policy-mgr)# scope org central-audit UCSC(policy-mgr) /org # create org north-audit UCSC(policy-mgr) /org* # commit-buffer UCSC(policy-mgr) /org #
Deleting a User Sub-Organization
| Command or Action | Purpose | |
|---|---|---|
| Step 1 | UCSC# connect policy-mgr |
Enters policy manager mode. |
| Step 2 | UCSC(policy-mgr) # scope org org-name |
Enters organization mode for the specified organization. To enter the root organization mode, type / as the org-name. |
| Step 3 | UCSC(policy-mgr) /org # delete org name |
Deletes the sub-organization under the organization scoped. |
| Step 4 | UCSC(policy-mgr) /org * # commit-buffer |
Commits the transaction to the system configuration. |
UCSC # connect policy-mgr UCSC(policy-mgr)# scope org central-audit UCSC(policy-mgr) /domain-group # delete org north-audit UCSC(policy-mgr) /domain-group* # commit-buffer UCSC(policy-mgr) /domain-group #
Feedback