User and Group Management

Introduction

The Ops Center CLI enables management of user accounts and groups. You can create, update, or delete users, set password policies, and organize users into groups to control access. User and group management ensures that the appropriate access is assigned for Policy Builder, Control Center, and Ops Center.

Add a user from Ops Center CLI

Follow these steps to add a user from Ops Center CLI:

Procedure


Step 1

Log in to Ops Center CLI and enter the config mode.

Step 2

Enter this command to create a user:

smiuser add-user username <username> password <password>

Example:

pcf# smiuser add-user username user1 password Cisco@123
Wed Jul  2  09:26:45.907 UTC+00:00
message User user1 added
pcf#

Note

Ensure that the password meets these requirements:

  • At least eight characters.

  • Contains at least one lowercase letter, one uppercase letter, one digit, and one special character.

  • Allowed special characters: ~, @, #, %, ^, &, *, (, ), _, +, `, -, =, [, ], :, ", ;, ', |, <, >, ?, ,, ., /, $.

  • Do not include { or }.

  • Do not start the password with $.

  • Do not use simple or dictionary-based passwords.

  • Avoid reusing previous passwords.
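A pre-check for the syntactic rules in the note above, useful before scripting `smiuser add-user` calls. This is an added example, not Cisco code. It assumes that any character outside letters, digits and the listed special characters is rejected, and it does not model the dictionary or password-reuse rules, which only the system can enforce.

```python
import string

# Special characters the note above lists as allowed (transcribed from this page).
ALLOWED_SPECIALS = set("~@#%^&*()_+`-=[]:\";'|<>?,./$")
MIN_LENGTH = 8  # minimum stated in the note; pass another value if the policy was changed


def check_password(password, min_length=MIN_LENGTH):
    """Return a list of rule violations; an empty list means the
    password passes the syntactic rules from the note."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if not any(c in string.ascii_lowercase for c in password):
        problems.append("no lowercase letter")
    if not any(c in string.ascii_uppercase for c in password):
        problems.append("no uppercase letter")
    if not any(c in string.digits for c in password):
        problems.append("no digit")
    if not any(c in ALLOWED_SPECIALS for c in password):
        problems.append("no allowed special character")
    if "{" in password or "}" in password:
        problems.append("contains { or }")
    if password.startswith("$"):
        problems.append("starts with $")
    # Assumption: anything outside letters, digits and the listed specials is rejected.
    permitted = set(string.ascii_letters + string.digits) | ALLOWED_SPECIALS
    stray = sorted(set(password) - permitted - set("{}"))
    if stray:
        problems.append("characters not in allowed list: " + "".join(stray))
    return problems


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    for candidate in ["Cisco@123", "Str0ng!Pass", "$Tart1ng@x", "Ab1@{xyz}", "Ab1@"]:
        print(repr(candidate), check_password(candidate) or "ok")
```

Note that `!` and `\` are not in the allowed list, so output from generic password generators may need filtering before use.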


Delete a user from Ops Center CLI

Follow these steps to delete a user.

Procedure


Step 1

Log in to Ops Center CLI and enter the config mode.

Step 2

Enter this command to delete a user account in Ops Center CLI:

smiuser delete-user username <username>

Example:

pcf# smiuser delete-user username user1
Wed Jul  2  09:31:05.100 UTC+00:00
message User user1 deleted (No cleanup necessary)
pcf#

Password change from Ops Center CLI

Follow these steps to change the password from Ops Center CLI:

Procedure


Step 1

Log in to Ops Center CLI and enter the config mode.

Step 2

Enter this command to change the password:

smiuser change-self-password current_password <current_password> new_password <new_password> confirm_password <new_password> [password_expire_days <number_of_days>]

Note

Replace <number_of_days> with the number of days until the password expires (optional, default is 180 days).

Example:

To change the password from Cisco@123 to Cisco@345 with a 180-day expiration:

pcf# smiuser change-self-password current_password Cisco@123 new_password Cisco@345 confirm_password Cisco@345 password_expire_days 180
message Password updated successfully

To use the default expiration:

pcf# smiuser change-self-password current_password Cisco@123 new_password Cisco@345 confirm_password Cisco@345
message Password updated successfully

Update password length policy from Ops Center CLI

Follow these steps to update the minimum password length:

Procedure


Step 1

Log in to Ops Center CLI and enter the config mode.

Step 2

Enter this command to update the minimum length for user passwords:

smiuser update-password-length length <number_of_characters>

Example:

To set the minimum length to ten characters:

pcf# smiuser update-password-length length 10
message Password updated successfully

Add a user-group from Ops Center CLI

Follow these steps to add a user-group:

Procedure


Step 1

Log in to Ops Center CLI and enter the config mode.

Step 2

Enter this command to add a new user-group:

smiuser add-group groupname <group_name>

Example:

pcf# smiuser add-group groupname group1
Wed Jul  2  09:46:38.319 UTC+00:00
message Group group1 created successfully
pcf#

Delete a user-group from Ops Center CLI

Follow these steps to delete a user-group:

Procedure


Step 1

Log in to Ops Center CLI and enter the config mode.

Step 2

Enter this command to delete a user-group:

smiuser delete-group groupname <group_name>

Example:

pcf# smiuser delete-group groupname group1
Wed Jul  2  09:48:48.164 UTC+00:00
message Group group1 deleted successfully
pcf#

Assign a user to a user-group

Follow these steps to assign a user to a user-group:

Procedure

Step 1

Log in to Ops Center CLI and enter the config mode.

Step 2

Enter this command to assign a user to a user-group:

smiuser assign-user-group username <username> group <group_name>

Example:

To assign user1 to group1:
pcf# smiuser assign-user-group username user1 group group1
Wed Jul  2  09:50:42.624 UTC+00:00
message User user1 assigned to group successfully
pcf#

Unassign a user from a user-group

Follow these steps to unassign a user from a user-group:

Procedure

Step 1

Log in to Ops Center CLI and enter the config mode.

Step 2

Enter this command to unassign a user from a group:

smiuser unassign-user-group username <username> group <group_name>

Example:

To unassign user1 from group1:
pcf# smiuser unassign-user-group username user1 group group1
Wed Jul  2  09:52:55.602 UTC+00:00
message User un-assigned from group group1 successfully
pcf#

User privileges and access control in Ops-Center

User access to Policy-builder, CPC Ops-center, and Control-Center is determined by group membership.

This table lists access privileges for common group assignments:

Table 1. Access privileges for CEE-user-groups

Group | User | Grafana | PB Ops-Center | CPC Ops-Center | CEE | Control Center
Grafana-editor | user | yes(able to create dashboards and view) | no | no | yes(read only) | no
Grafana-admin | user | yes(RW) | no | no | yes(read only) | no
sadmin | user | no | no | no | yes(read only) | no
policy-admin | user | no | no | no | yes(read only) | no
admin | user | no | no | no | yes(RW) | no
Grafana-viewer | user | yes(RO) | no | no | yes(RO) | no
No group assigned | user | no | no | no | yes(RO) | no

Table 2. Access privileges for CPC user-groups

CPC user-group | User | Grafana | PB Ops-Center | CPC Ops-Center | CEE | Control Center
sadmin | user | no | yes-RO | yes-RO | no | no
policy-admin | user | no | yes-RO | yes-RO | no | no
admin | user | no | yes-RW | yes-RW | no | yes-RW
No group assigned | user | no | yes-RO | yes-RO | no | no
readonly | user | no | yes-RO | yes-RO | no | yes-RO

Predefined Groups:

  • Default user groups are created during system installation. These groups have read-only access to Policy Builder and Ops-Center, but do not have access to Control Center.

User-Defined Groups:

  • You can create groups such as group1 with custom privileges. By default, these groups provide read-only access.

No Group Assigned:

  • If a user is created but not assigned to any group, that user will have read-only access to Policy-Builder and Ops-Center, and no access to Control Center.

Security Principle:

  • Assign users to the group with the minimum required privileges such as Read-only.