The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter includes the following sections:
When users are assigned to a role, that role allows certain privileges. Those privileges allow the user access to specific system resources and authorize permission to perform tasks on those resources. The following table lists each privilege and the initial default user role that has been given that privilege.
Internal Name |
Label |
Description |
Default Role Assignment |
---|---|---|---|
AAA |
System security and AAA |
AAA Administrator |
|
ADMIN |
Access to everything (combines all roles) |
Administrator |
|
EXT_LAN_CONFIG |
Configuration of network end points, UCDs, etc. |
Network Administrator |
|
EXT_LAN_POLICY |
External network policies |
Network Administrator |
|
EXT_LAN_QOS |
External LAN QoS |
Network Administrator |
|
EXT_LAN_SECURITY |
External LAN security |
Network Administrator |
|
EXT_SAN_CONFIG |
Configuration of network end points, UCDs, etc. |
Storage Administrator |
|
EXT_SAN_POLICY |
External SAN policy |
Storage Administrator |
|
EXT_SAN_QOS |
External SAN QoS |
Storage Administrator |
|
EXT_SAN_SECURITY |
External SAN security (VACLs, etc.) |
Storage Administrator |
|
FAULT |
Alarms, alarm policies, etc. |
Operations |
|
LS_CONFIG |
Service profile configuration |
Server Profile Administrator |
|
LS_CONFIG_POLICY |
Service profile configuration policy |
Server Profile Administrator |
|
LS_EXT_ACCESS |
Service profile end point access |
Server Profile Administrator |
|
LS_NETWORK |
Service profile network |
Network Administrator |
|
LS_NETWORK_POLICY |
Setting up MAC pools, etc. |
Network Administrator |
|
LS_POWER |
LS power management |
Facility Manager |
|
LS_QOS |
Service profile QoS |
Network Administrator |
|
LS_QOS_POLICY |
Setting up ls-level QoS |
Network Administrator |
|
LS_SECURITY |
Service profile security |
Server Security Administrator |
|
LS_SECURITY_POLICY |
Setting up security policies |
Server Security Administrator |
|
LS_STORAGE |
Service profile storage |
Storage Administrator |
|
LS_STORAGE_POLICY |
Service profile storage policy |
Storage Administrator |
|
OPERATIONS |
Logs, call home functionality, etc. |
Operations |
|
PN_EQUIPMENT |
Server hardware management |
Server Equipment Administrator |
|
PN_MAINTENANCE |
Server maintenance (update BIOS, etc.) |
Server Equipment Administrator |
|
PN_POLICY |
Physical server policies |
Server Equipment Administrator |
|
PN_SECURITY |
Physical node security |
Server Security Administrator |
|
POD_CONFIG |
Pod configuration |
Network Administrator |
|
POD_POLICY |
Pod policies |
Network Administrator |
|
POD_QOS |
Internal pod-QoS (if needed) |
Network Administrator |
|
POD_SECURITY |
Pod security |
Network Administrator |
|
POWER_MGMT |
Data center power management |
Facility Manager |
|
READ_ONLY |
Read-only access |
Available to all roles |
Privileges
System security and AAA.
This privilege has read and write access to all users, roles, AAA, and communication services configuration. Read access is available for all other objects.
AAA Administrator
aaa:AuthRealm, aaa:EpAuthProfile, aaa:EpUser, aaa:ExtMgmtCutThruTkn, aaa:LdapEp, aaa:LdapProvider, aaa:Locale, aaa:Log, aaa:Org, aaa:RadiusEp, aaa:RadiusProvider, aaa:RemoteUser, aaa:Role, aaa:Session, aaa:SshAuth, aaa:TacacsPlusEp, aaa:TacacsPlusProvider, aaa:User, aaa:UserEp, aaa:UserLocale, aaa:UserRole, comm:Cimxml, comm:Dns, comm:DnsProvider, comm:EvtChannel, comm:Http, comm:Https, comm:SmashCLP, comm:Snmp, comm:SnmpTrap, comm:SnmpUser, comm:Ssh, comm:SvcEp, comm:Telnet, comm:WebChannel, comm:Wsman, comm:XmlClConnPolicy, comm:XmlClConnPolicy, pki:CertReq, pki:KeyRing, pki:TP
System administration
Administrator
This role is system level. The administrator controls all objects.
External LAN configuration
Network Administrator
adaptor:ExtIf, adaptor:ExtEthIf, adaptor:HostIf, adaptor:HostEthIf, adaptor:HostFcIf, comm:DateTime, comm:Dns, comm:DnsProvider, comm:NtpProvider, fabric:EthLan, fabric:EthLanEp, fabric:EthLanPc, fabric:EthLanPcEp, fabric:LanCloud, fabric:LanPinGroup, fabric:LanPinTarget, fabric:Vlan, macpool:Format, network:Element, top:System, vnic:FcOEIf, vnic:LanConnTempl
External LAN policy
Network Administrator
adaptor:ExtIf, adaptor:ExtEthIf, adaptor:HostIf, adaptor:HostEthIf, adaptor:HostFcIf, fabric:EthLan, fabric:EthLanEp, fabric:EthLanPc, fabric:EthLanPcEp, fabric:LanCloud, fabric:LanPinGroup, fabric:LanPinTarget, fabric:VCon, fabric:VConProfile, fabric:Vlan, macpool:Format, vnic:FcOEIf, vnic:LanConnTempl
External LAN QoS
Network Administrator
qosclass:Definition, qosclass:EthBE, qosclass:EthClassified, qosclass:Fc
External LAN security
Network Administrator
comm:DateTime, comm:NtpProvider
External SAN configuration
Storage Administrator
fabric:FcSan, fabric:FcSanEp, fabric:FcSanPc, fabric:FcSanPcEp, fabric:FcVsanPortEp, fabric:SanPinGroup, fabric:SanPinTarget, fabric:Vsan, fcpool:Format, vnic:FcOEIf
External SAN policy
Storage Administrator
fabric:FcSan, fabric:FcSanEp, fabric:FcSanPc, fabric:FcSanPcEp, fabric:FcVsanPortEp, fabric:SanPinGroup, fabric:SanPinTarget, fabric:Vsan, fcpool:Format, vnic:FcOEIf
External SAN QoS
Storage Administrator
qosclass:Definition, qosclass:EthBE, qosclass:EthClassified, qosclass:Fc
External SAN security
Storage Administrator
There are no objects assigned to this privilege.
Alarms and alarm policies
Operations
callhome:Policy, event:EpCtrl, event:Log, fault:Holder, fault:Inst, fault:Policy
Service profile configuration
Server Profile Administrator
bios:VFeat, bios:VfConsoleRedirection, bios:VfEnhancedIntelSpeedStepTech, bios:VfFrontPanelLockout, bios:VfIntelHyperThreadingTech, bios:VfIntelTurboBoostTech, bios:VfIntelVTForDirectedIO, bios:VfIntelVirtualizationTechnology, bios:VfLvDIMMSupport, bios:VfMirroringMode, bios:VfNUMAOptimized, bios:VfProcessorC3Report, bios:VfProcessorC6Report, bios:VfQuietBoot, bios:VfResumeOnACPowerLoss, bios:VfSelectMemoryRASConfiguration, bios:VProfile, extvmm:Ep, extvmm:KeyRing, extvmm:KeyStore, extvmm:MasterExtKey, extvmm:Provider, extvmm:SwitchDelTask, ls:ComputeBinding, ls:Binding, ls:Requirement, ls:Power, ls:Server, ls:Tie, lsboot:Def, lsboot:Lan, lsboot:LanImagePath, lsboot:LocalStorage, lsboot:SanImage, lsboot:SanImagePath, lsboot:Storage, lsboot:VirtualMedia, org:Org, power:Group, power:Regulation, power:Rule, sol:Config, storage:LocalDiskConfigDef, storage:LocalDiskPartition, vm:Cont, vm:DirCont, vm:DC, vm:DCOrg, vm:Org, vm:Switch, vm:DC, vm:DCOrg, vm:Org, vm:Switch, vm:VnicProfCl, vnic:BootTarget, vnic:DynamicCon, vnic:Ether, vnic:EtherIf, vnic:Fc, vnic:FcIf, vnic:FcOEIf, vnic:IPv4Dhcp, vnic:IPv4Dns, vnic:IPv4If, vnic:IPv4StaticRoute, vnic:IpV4PooledAddr, vnic:IpV4StaticAddr, vnic:Ipc, vnic:IpcIf, vnic:Scsi, vnic:ScsiIf
Service profile configuration policy
Server Profile Administrator
adaptor:EthCompQueueProfile, adaptor:EthFailoverProfile, adaptor:EthInterruptProfile, adaptor:EthOffloadProfile, adaptor:EthRecvQueueProfile, adaptor:EthWorkQueueProfile, adaptor:ExtIpV6RssHashProfile, adaptor:FcCdbWorkQueueProfile, adaptor:FcErrorRecoveryProfile, adaptor:FcInterruptProfile, adaptor:FcPortFLogiProfile, adaptor:FcPortPLogiProfile, adaptor:FcPortProfile, adaptor:FcRecvQueueProfile, adaptor:FcWorkQueueProfile, adaptor:HostEthIfProfile, adaptor:HostFcIfProfile, adaptor:IpV4RssHashProfile, adaptor:IpV6RssHashProfile, adaptor:RssProfile, extvmm:Ep, extvmm:KeyRing, extvmm:KeyStore, extvmm:MasterExtKey, extvmm:Provider, extvmm:SwitchDelTask, firmware:ComputeHostPack, firmware:ComputeMgmtPack, ls:AgentPolicy, ls:ComputeBinding, ls:Binding, ls:Requirement, ls:Tier, lsboot:Def, lsboot:Lan, lsboot:LanImagePath, lsboot:LocalStorage, lsboot:Policy, lsboot:SanImage, lsboot:SanImagePath, lsboot:Storage, lsboot:VirtualMedia, org:Org, sol:Config, sol:Policy, storage:LocalDiskConfigDef, storage:LocalDiskConfigPolicy, storage:LocalDiskPartition, vm:Cont, vm:DirCont, vm:DC, vm:DCOrg, vm:Org, vm:Switch, vm:DC, vm:DCOrg, vm:Org, vm:Switch, vm:VnicProfCl
Service profile end point access
Server Profile Administrator
This privilege is not used.
Service profile network
Network Administrator
dpsec:Mac, extvmm:Provider, extvmm:SwitchDelTask, fabric:DceSwSrvEp, fabric:VCon, fabric:VConProfile, flowctrl:Definition, flowctrl:Item, macpool:Format, nwctrl:Definition, qos:Definition, epqos:Definition, epqos:DefinitionDelTask, qosclass:Definition, qos:Item, epqos:Item, epqos:Egress, qosclass:Item, qosclass:Eth, qosclass:EthBE, qosclass:EthClassified, qosclass:Fc, vm:Cont, vm:DirCont, vm:DC, vm:DCOrg, vm:Org, vm:Switch, vm:DC, vm:DCOrg, vm:Org, vm:Switch, vm:VnicProfCl, vnic:DefBeh, vnic:DynamicCon, vnic:DynamicConPolicy, vnic:DynamicIdUniverse, vnic:Ether, vnic:EtherIf, vnic:IPv4Dhcp, vnic:IPv4Dns, vnic:IPv4If, vnic:IPv4StaticRoute, vnic:IpV4PooledAddr, vnic:IpV4StaticAddr, vnic:Ipc, vnic:IpcIf, vnic:LanConnTempl, vnic:Profile, vnic:ProfileSet
Service profile network policy
Network Administrator
dpsec:Mac, fabric:DceSrv, fabric:DceSwSrv, fabric:DceSwSrvEp, fabric:EthDiag, fabric:FcDiag, fabric:VCon, fabric:VConProfile, flowctrl:Definition, flowctrl:Item, ippool:Block, ippool:Pool, macpool:Block, macpool:Format, macpool:Pool, nwctrl:Definition, qos:Definition, epqos:Definition, epqos:DefinitionDelTask, qosclass:Definition, qos:Item, epqos:Item, epqos:Egress, qosclass:Item, qosclass:Eth, qosclass:EthBE, qosclass:EthClassified, qosclass:Fc, uuidpool:Block, vnic:DynamicCon, vnic:DynamicConPolicy, vnic:DynamicIdUniverse, vnic:LanConnTempl, vnic:Profile, vnic:ProfileSet
Service profile power management
Facility Manager
Service profile
QoS Network Administrator
This privilege is not used.
Service profile QoS policy
Network Administrator
flowctrl:Definition, flowctrl:Item, qos:Definition, epqos:Definition, epqos:DefinitionDelTask, qosclass:Definition, qos:Item, epqos:Item, epqos:Egress, qosclass:Item, qosclass:Eth, qosclass:EthBE, qosclass:EthClassified, qosclass:Fc
Service profile security
Server Security Administrator
aaa:EpAuthProfile, aaa:EpUser
Service profile security policy
Server Security Administrator
aaa:EpAuthProfile, aaa:EpUser
Service profile server management
Server Security Administrator
bios:VFeat, bios:VfConsoleRedirection, bios:VfEnhancedIntelSpeedStepTech, bios:VfFrontPanelLockout, bios:VfIntelHyperThreadingTech, bios:VfIntelTurboBoostTech, bios:VfIntelVTForDirectedIO, bios:VfIntelVirtualizationTechnology, bios:VfLvDIMMSupport, bios:VfMirroringMode, bios:VfNUMAOptimized, bios:VfProcessorC3Report, bios:VfProcessorC6Report, bios:VfQuietBoot, bios:VfResumeOnACPowerLoss, bios:VfSelectMemoryRASConfiguration, bios:VProfile, ls:ComputeBinding, ls:Binding, ls:Requirement, ls:Power, ls:Server, ls:Tier, lsboot:Def, lsboot:Lan, lsboot:LanImagePath, lsboot:LocalStorage, lsboot:SanImage, lsboot:SanImagePath, lsboot:Storage, lsboot:VirtualMedia, power:Group, power:Regulation, power:Rule, sol:Config, storage:LocalDiskConfigDef, storage:LocalDiskPartition, vnic:BootTarget, vnic:DefBeh, vnic:DynamicCon, vnic:Ether, vnic:EtherIf, vnic:Fc, vnic:FcIf, vnic:FcNode, vnic:FcOEI, vnic:IPv4Dhcp, vnic:IPv4Dns, vnic:IPv4If, vnic:IPv4StaticRoute, vnic:IpV4PooledAddr, vnic:IpV4StaticAddr, vnic:Ipc, vnic:IpcIf, vnic:Scsi, vnic:ScsiIf
Service profile consumer role
This privilege controls these operations on the service profile:
Server Profile Administrator
Service profile pool policy
Server Security Administrator
adaptor:EthCompQueueProfile, adaptor:EthFailoverProfile, adaptor:EthInterruptProfile, adaptor:EthOffloadProfile, adaptor:EthRecvQueueProfile, adaptor:EthWorkQueueProfile, adaptor:ExtIpV6RssHashProfile, adaptor:FcCdbWorkQueueProfile, adaptor:FcErrorRecoveryProfile, adaptor:FcInterruptProfile, adaptor:FcPortFLogiProfile, adaptor:FcPortPLogiProfile, adaptor:FcPortProfile, adaptor:FcRecvQueueProfile, adaptor:FcWorkQueueProfile, adaptor:HostEthIfProfile, adaptor:HostFcIfProfile, adaptor:IpV4RssHashProfile, adaptor:IpV6RssHashProfile, adaptor:RssProfile, bios:VFeat, bios:VfConsoleRedirection, bios:VfEnhancedIntelSpeedStepTech, bios:VfFrontPanelLockout, bios:VfIntelHyperThreadingTech, bios:VfIntelTurboBoostTech, ios:VfIntelVTForDirectedIO, bios:VfIntelVirtualizationTechnology, bios:VfLvDIMMSupport, bios:VfMirroringMode, bios:VfNUMAOptimized, bios:VfProcessorC3Report, bios:VfProcessorC6Report, bios:VfQuietBoot, bios:VfResumeOnACPowerLoss, bios:VfSelectMemoryRASConfiguration, bios:VProfile, fabric:VCon, fabric:VConProfile, firmware:ComputeHostPack, firmware:ComputeMgmtPack, ls:AgentPolicy, ls:ComputeBinding, ls:Binding, ls:Requirement, ls:Power, ls:Tier, lsboot:Policy, power:Group, power:Regulation, power:Rule
Service profile storage
Storage Administrator
fcpool:Format, lsboot:Def, lsboot:Lan, lsboot:LanImagePath, lsboot:LocalStorage, lsboot:SanImage, lsboot:SanImagePath, lsboot:Storage, lsboot:VirtualMedia, storage:LocalDiskConfigDef, storage:LocalDiskConfigPolicy, storage:LocalDiskPartition, uuidpool:Format, vnic:BootTarget, vnic:DefBeh, vnic:Fc, vnic:FcIf, vnic:FcNode, vnic:FcOEIf, vnic:SanConnTempl, vnic:Scsi, vnic:ScsiIf
Service profile storage policy
Storage Administrator
fabric:VCon, fabric:VConProfile, fcpool:Block, fcpool:BootTarget, fcpool:Format, fcpool:Initiator, fcpool:Initiators, lsboot:Def, lsboot:Lan, lsboot:LanImagePath, lsboot:LocalStorage, lsboot:SanImage, lsboot:SanImagePath, lsboot:Storage, lsboot:VirtualMedia, storage:LocalDiskConfigDefstorage:LocalDiskConfigPolicy, storage:LocalDiskPartition, uuidpool:Format, vnic:SanConnTempl
Logs and Smart Call Home
Operations
aaa:Log, callhome:Dest, callhome:Ep, callhome:PeriodicSystemInventory, callhome:Profile, callhome:Smtp, callhome:Source, callhome:TestAlert, comm:DateTime, comm:NtpProvider, comm:Syslog, comm:SyslogClient, comm:SyslogConsole, comm:SyslogFile, comm:SyslogMonitor, condition:Log, aaa:Log, event:Log, event:EpCtrl, event:Log, fault:Inst, stats:CollectionPolicy, stats:Curr, adaptor:EthPortBySizeLargeStats, adaptor:EthPortBySizeSmallStats, adaptor:EthPortErrStats, adaptor:EthPortMcastStats, adaptor:EthPortOutsizedStats, adaptor:EthPortStats, adaptor:EtherIfStats, adaptor:FcIfEventStats, adaptor:FcIfFC4Stats, adaptor:FcIfFrameStats, adaptor:FcPortStats, adaptor:MenloBaseErrorStats, adaptor:MenloDcePortStats, adaptor:MenloEthErrorStats, adaptor:MenloEthStats, adaptor:MenloFcErrorStats, adaptor:MenloFcStats, adaptor:MenloHostPortStats, adaptor:MenloMcpuErrorStats, adaptor:MenloMcpuStats, adaptor:MenloNetEgStats, adaptor:MenloNetInStats, adaptor:MenloQErrorStats, adaptor:MenloQStats, adaptor:VnicStats, compute:IOHubEnvStats, compute:MbPowerStats, compute:MbTempStats, compute:PCIeFatalCompletionStats, compute:PCIeFatalProtocolStats, compute:PCIeFatalReceiveStats, compute:PCIeFatalStats, equipment:ChassisStats, equipment:FanModuleStats, equipment:FanStats, equipment:IOCardStats, equipment:PsuInputStats, equipment:PsuStats, ether:ErrStats, ether:LossStats, ether:PauseStats, ether:RxStats, ether:TxStats, fc:ErrStats, fc:Stats, memory:ArrayEnvStats, memory:BufferUnitEnvStats, memory:ErrorStats, memory:Runtime, memory:UnitEnvStats, processor:EnvStats, processor:ErrorStats, processor:Runtime, sw:EnvStats, sw:SystemStats, stats:Holder, stats:Thr32Definition, stats:Thr32Value, stats:Thr64Definition, stats:Thr64Value, stats:ThrFloatDefinition, stats:ThrFloatValue, stats:ThresholdClass, stats:ThresholdDefinition, stats:Thr32Definition, stats:Thr64Definition, stats:ThrFloatDefinition, stats:ThresholdPolicy, stats:ThresholdValue, stats:Thr32Value, stats:Thr64Value, stats:ThrFloatValue, sysdebug:AutoCoreFileExportTarget, sysdebug:BackupBehavior, sysdebug:Core, sysdebug:CoreFileExportTarget, sysdebug:AutoCoreFileExportTarget, ysdebug:ManualCoreFileExportTarget), sysdebug:CoreFileRepository, sysdebug:LogControlDestinationFile, ysdebug:LogControlDestinationSyslog, sysdebug:LogControlDomain, sysdebug:LogControlEp, sysdebug:LogControlModule, sysdebug:MEpLog, sysdebug:MEpLogPolicy, sysdebug:ManualCoreFileExportTarget, sysfile:Mutation
Server hardware management
Server Equipment Administrator
adaptor:ExtIf, adaptor:ExtEthIf, adaptor:HostIf, adaptor:HostEthIf, adaptor:HostFcIf, compute:Blade, compute:PsuPolicy, diag:SrvCtrl, equipment:Chassis, equipment:Led, equipment:IndicatorLed, equipment:LocatorLed, fabric:ComputeSlotEp, fabric:SwChPhEp
Server maintenance
Server Equipment Administrator
adaptor:ExtIf, adaptor:ExtEthIf, adaptor:HostIf, adaptor:HostEthIf, adaptor:HostFcIf, compute:Blade, diag:SrvCtrl, equipment:Chassis, equipment:Led, equipment:IndicatorLed, equipment:LocatorLed, fabric:ComputeSlotEp, fabric:SwChPhEp
Server policy
Server Equipment Administrator
adaptor:CapQual, adaptor:Qual, bios:VFeat, bios:VfConsoleRedirection, bios:VfEnhancedIntelSpeedStepTech, bios:VfFrontPanelLockout, bios:VfIntelHyperThreadingTech, bios:VfIntelTurboBoostTech, bios:VfIntelVTForDirectedIO, bios:VfIntelVirtualizationTechnology, bios:VfLvDIMMSupport, bios:VfMirroringMode, bios:VfNUMAOptimized, bios:VfProcessorC3Report, bios:VfProcessorC6Report, bios:VfQuietBoot, bios:VfResumeOnACPowerLoss, bios:VfSelectMemoryRASConfiguration, bios:VProfile, compute:AutoconfigPolicy, compute:Blade, compute:BladeDiscPolicy, compute:BladeInheritPolicy, compute:ChassisDiscPolicy, compute:ChassisQual, compute:DiscPolicy, compute:BladeDiscPolicy, compute:ChassisDiscPolicy, compute:PhysicalQual, compute:Pool, compute:PooledPhysical, compute:PooledSlot, compute:PooledSlot, compute:PoolingPolicy, compute:PsuPolicy, compute:Qual, compute:QualItem, adaptor:CapDef, adaptor:CapQual, adaptor:CapSpec, adaptor:Qual, compute:BladePosQual, compute:ChassisQual, compute:SlotQual, compute:PhysicalQual, memory:Qual, processor:Qual, storage:Qual, compute:ScrubPolicy, compute:SlotQual, diag:BladeTest, diag:NetworkTest, diag:RunPolicy, equipment:Chassis, equipment:Led, equipment:IndicatorLed, equipment:LocatorLed, extvmm:Ep, extvmm:KeyRing, extvmm:KeyStore, extvmm:MasterExtKey, extvmm:Provider, extvmm:SwitchDelTask, fabric:ComputeSlotEp, fabric:SwChPhEp, memory:Qual, org:Org, processor:Qual, storage:Qual, uuidpool:Pool, vm:Cont, vm:DirCont, vm:DC, vm:DCOrg, vm:Org, vm:Switch, vm:DC, vm:DCOrg, vm:LifeCyclePolicy, vm:Org, vm:Switch, vm:VnicProfCl
Server security
Server Security Administrator
mgmt:IntAuthPolicy
Pod configuration
Network Administrator
This privilege is not used.
Pod policy
Network Administrator
This privilege is not used.
Pod QoS
Network Administrator
This privilege is not used.
Pod security
Network Administrator
This privilege is not used.
Data center power management
This role provides read and write access for power capacity management including power group configurations and other power-related policies.
Facility Manager
Read-only access
This is not a selectable privilege. All roles have read-only access to all objects. Roles that have read-write privileges on some objects also have read-only access to all other objects.