Cisco DCNM User Roles

Cisco DCNM defines what operations a user can perform in Cisco DCNM Web Client by controlling what features are available in the menu and tool bar items. Cisco DCNM role-based authorization limits access to the server operations depending on the user roles.

This chapter contains the following sections:

Cisco DCNM Credentials

Cisco DCNM has two sets of credentials, namely:

  • Device credentials—used to discover and manage devices
  • Cisco DCNM credentials—used to access the Cisco DCNM server.

This document describes DCNM credentials and how user roles are mapped to specific sets of DCNM server operations.

Cisco DCNM Users

Cisco DCNM user-based access allows the administrator to control the access to the Cisco DCNM server by using the DCNM client (Web Client or LAN client). The user access is secured by a password.

Note: Beginning with Release 10.0(x), DCNM does not allow you to reset the password using the adduser script. You must log on to the Cisco DCNM Web UI to reset the password. The adduser script is used only to add a new DCNM user to an existing DCNM setup.


DCNM Roles

Cisco DCNM authorizes user access based on roles. Role-based authorization limits access to the Cisco DCNM server operations according to the roles to which users are assigned. Cisco DCNM does not define new roles for access to the DCNM server; instead, it leverages the existing roles that are supported on the monitored devices, such as Cisco MDS 9000 Series Switches and Cisco Nexus Switches.

The table below lists the roles supported by Cisco DCNM:

Role                 Description
global-admin         Introduced in Cisco Nexus 5000 series switches and FCoE, a role to administer LAN and SAN features.
network-admin        General role to administer LAN features.
lan-network-admin    General role to administer LAN features.
san-network-admin    General role to administer SAN features.
san-admin            Introduced in Cisco Nexus 5000 series switches and FCoE, a role to administer SAN features.
server-admin         Introduced in the FlexAttach feature, a role that administers the FC server host feature.
sme-admin            Introduced in the Storage Media Encryption (SME) feature, a role that administers the SME feature.
sme-stg-admin        Introduced in the Storage Media Encryption (SME) feature, a role that administers SME storage.
sme-kmc-admin        Introduced in the Storage Media Encryption (SME) feature, a role that administers SME Key Management.
sme-recovery         Introduced in the Storage Media Encryption (SME) feature, a role that administers SME recovery.
network-operator     General network operator role.

In a typical enterprise environment, users and their roles are defined in a centralized place such as TACACS+, RADIUS, or LDAP. Because Cisco DCNM supports the existing device roles, the administrator does not need to define new roles specifically for DCNM.

Roles from Cisco DCNM Perspective

A Cisco DCNM perspective defines the operations a user can perform on the Cisco DCNM client by controlling the menu and tool bar items. Different perspectives define different sets of operations.

For example, the Admin perspective allows all operations by showing all the menu and tool bar items, whereas the Operator perspective allows a limited set of operations by hiding the Admin and Config menu items.

Each DCNM user role is mapped to a particular DCNM perspective, which allows limited access to server features. DCNM clients support the following four perspectives:

  • Admin Perspective
  • Server Admin Perspective
  • SME Perspective
  • Operator Perspective

Table 2-1 describes how DCNM roles are mapped to client perspectives.

Table 2-1 DCNM Roles and Perspectives Mapping Table

Role                                    Perspective
global-admin                            Admin Perspective
network-admin                           Admin Perspective
san-admin                               Admin Perspective
san-network-admin                       Admin Perspective
lan-network-admin (Web Client)          Admin Perspective
server-admin                            Server Admin Perspective
sme-admin                               SME Perspective
sme-stg-admin                           SME Perspective
sme-kmc-admin                           SME Perspective
sme-recovery                            SME Perspective
network-operator                        Operator Perspective
lan-network-admin (SAN Thick Client)    Operator Perspective

Admin Perspective

Admin Perspective can be accessed through the Cisco DCNM Web Client and SAN Client only, by the users who are assigned the role of global-admin, network-admin, san-admin, san-network-admin and lan-network-admin.

Web Client Admin Perspective

The Web client admin perspective has full control of the DCNM server and can access all the features. Through access to the Admin menu items, these users also have full control of the Cisco DCNM authentication settings.

SAN Thick Client Admin Perspective

SAN thick client admin perspective has full control of the DCNM server and can access all the features. All the top-level menu items are accessible.

Server Admin Perspective

Server admin perspective can be accessed via web client and SAN thick client only by the users who are assigned the role of server-admin.

Web Client Server Admin Perspective

The Web client server admin perspective has access to all the web client features. Through access to the Admin menu items, these users also have full control of the Cisco DCNM authentication settings.

SAN Thick Client Server Admin Perspective

The configuration capabilities of the server admin role are limited to FlexAttach and relevant data. The server admin can pre-configure the SAN for new servers, move a server to another port on the same NPV device or to another NPV device, and replace a failed server on the same port without involving the SAN administrator. Menu items that are not related to server management, such as Zone and Performance, are not accessible. The SAN thick client server admin perspective has no access to the Discover button or to the Fabrics and License Files tabs, and the server admin cannot manage Fabric Manager users or connected clients in the SAN thick client.

SME Perspective

The Storage Media Encryption (SME) perspective is designed for sme-admin, sme-stg-admin, sme-kmc-admin and sme-recovery role-based users. It can be divided into five different SME admin perspectives according to the roles:

Web Client SME Admin Perspective

The Web client SME admin perspective is designed for sme-admin role users, who have no access to the Admin and Config menu items in the Web client and cannot use the features under those menu items. The SME provisioning features, however, are accessible.

SME Storage Perspective

The SME storage perspective is designed for sme-stg-admin role users. These users have the same perspective as the sme-admin role, except that they cannot manage the key management features.

SME Key Management Perspective

The SME key management perspective is designed for sme-kmc-admin role users. These users have the same perspective as the sme-admin role, except that they cannot perform SME configurations.

SME Recovery Perspective

The SME recovery perspective is designed for sme-recovery role users, for master key recovery. These users have the same perspective as the sme-admin role, except that they cannot use the storage and key management features.

SAN Thick Client SME Perspective

The SAN thick client SME perspective has no access to the Discover button or to the Fabrics and License Files tabs. Like the operator perspective, none of the SME-related perspectives can manage Fabric Manager users or connected clients.

Operator Perspective

The Operator perspective is designed for network-operator and lan-network-admin role users. The lan-network-admin role has the operator perspective only in the SAN thick client.

Web Client Operator Perspective

The Web client operator perspective has no access to the Admin and Config menu items, and the features under those menu items cannot be used. All the other features can be used.

SAN Thick Client Operator Perspective

The SAN thick client operator perspective has no access to the Discover button or to the Fabrics and License Files tabs, and cannot manage Fabric Manager users or connected clients.
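
Because roles are usually assigned centrally (TACACS+, RADIUS or LDAP), Table 2-1 and the perspective descriptions above can be applied as an access review of which accounts reach the DCNM authentication settings. The following Python code is an added example, not Cisco code; the account names, the finding labels and the storage-admin role are constructed for illustration.

```python
# Added example: access review derived from Table 2-1 and the perspective
# descriptions on this page. Account names are constructed sample data.
ADMIN, SERVER_ADMIN, SME, OPERATOR = "Admin", "Server Admin", "SME", "Operator"
WEB, SAN_THICK = "web", "san-thick"

# Roles whose perspective is the same in both clients (Table 2-1).
ROLE_PERSPECTIVE = {
    "global-admin": ADMIN, "network-admin": ADMIN,
    "san-admin": ADMIN, "san-network-admin": ADMIN,
    "server-admin": SERVER_ADMIN,
    "sme-admin": SME, "sme-stg-admin": SME,
    "sme-kmc-admin": SME, "sme-recovery": SME,
    "network-operator": OPERATOR,
}

def perspective(role, client):
    """Perspective a role receives in the given client, or None if unmapped."""
    if role == "lan-network-admin":  # the only client-dependent row in Table 2-1
        return ADMIN if client == WEB else OPERATOR
    return ROLE_PERSPECTIVE.get(role)

def controls_auth_settings(role):
    """Per the page, the Web Client Admin and Server Admin perspectives reach
    the Admin menu and so control DCNM authentication settings."""
    return perspective(role, WEB) in (ADMIN, SERVER_ADMIN)

def review(accounts):
    """accounts: iterable of (user, role) pairs. Returns sorted findings."""
    findings = []
    for user, role in accounts:
        web = perspective(role, WEB)
        if web is None:
            findings.append((user, role, "UNKNOWN_ROLE"))
            continue
        if controls_auth_settings(role):
            findings.append((user, role, "AUTH_SETTINGS_CONTROL"))
        if web != perspective(role, SAN_THICK):
            findings.append((user, role, "PERSPECTIVE_DIFFERS_BY_CLIENT"))
    return sorted(findings)

# Constructed export of (user, role) pairs from a central directory.
SAMPLE = [
    ("alice", "network-admin"), ("bob", "server-admin"),
    ("carol", "lan-network-admin"), ("dave", "network-operator"),
    ("erin", "sme-kmc-admin"),
    ("frank", "storage-admin"),  # hypothetical role, not listed on this page
]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(*finding, sep="\t")
```

The server-admin finding reflects the Web Client Server Admin Perspective description, which grants access to the Admin menu items even though the same role is limited to FlexAttach in the SAN thick client.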