User roles contain one
or more privileges that define the operations that are allowed for a user. You
can assign one or more roles to each user. Users with multiple roles have the
combined privileges of all assigned roles. For example, if Role1 has
storage-related privileges, and Role 2 has server-related privileges, users
with Role1 and Role 2 have both storage-related and server-related privileges.
Cisco UCS domain can contain up to 48 user roles, including the default user
user roles configured after the first 48 are accepted, but they are inactive
with faults raised.
All roles include read
access to all configuration settings in the
Cisco UCS domain. Users with read-only roles cannot modify the system state.
You can create, modify
or remove existing privileges, and delete roles. When you modify a role, the
new privileges apply to all users with that role. Privilege assignment is not
restricted to the privileges defined for the default roles. Meaning, you can
use a custom set of privileges to create a unique role. For example, the
default Server Administrator and Storage Administrator roles have a different
set of privileges. However, you can create a Server and Storage Administrator
role that combines the privileges of both roles.
If you delete a role
after it was assigned to users, it is also deleted from those user accounts.
Modify the user
profiles on AAA servers (RADIUS or TACACS+) to add the roles corresponding to
the privileges granted to that user. The attribute stores the role information.
The AAA servers return this attribute with the request and parse it to obtain
the roles. LDAP servers return the roles in the user profile attributes.
If a local and a
remote user account have the same username,
Cisco UCS Manager
overrides any roles assigned to the remote user with those assigned to the