Configuring User Roles
Role-Based Access Control (RBAC) is a method of restricting or authorizing system access for users based on user roles and locales. A role defines the privileges of a user in the system, and a locale defines the organizations (domains) that the user is allowed to access. Because users are not directly assigned privileges, you manage an individual user's privileges by assigning the appropriate roles and locales.
A user is granted write access to a system resource only if an assigned role grants the required privilege and an assigned locale covers the organization that owns the resource. For example, a user with the Server Administrator role in the Engineering organization can update server configurations in the Engineering organization. That user cannot update server configurations in the Finance organization unless the locales assigned to the user also include the Finance organization.
User roles contain one or more privileges that define the operations a user is allowed to perform. You can assign one or more roles to each user. Users with multiple roles have the combined privileges of all assigned roles. For example, if Role 1 has storage-related privileges and Role 2 has server-related privileges, a user with both Role 1 and Role 2 has both storage-related and server-related privileges.
A Cisco UCS domain can contain up to 48 user roles, including the default user roles. Any user roles configured after the first 48 are accepted, but they are inactive with faults raised.
All roles include read access to all configuration settings in the Cisco UCS domain. Users with read-only roles cannot modify the system state.
You can create roles, add or remove privileges from existing roles, and delete roles. When you modify a role, the new set of privileges applies to every user who holds that role. Privilege assignment is not restricted to the privileges defined for the default roles; that is, you can combine any set of privileges into a unique custom role. For example, the default Server Administrator and Storage Administrator roles have different sets of privileges, but you can create a Server and Storage Administrator role that combines the privileges of both.
Note: If you delete a role after it has been assigned to users, it is also removed from those user accounts.
Modify the user profiles on AAA servers (RADIUS or TACACS+) to add the roles that correspond to the privileges granted to each user. The role information is stored in an attribute of the user profile: the AAA server returns this attribute with the authentication response, and the system parses it to obtain the roles. LDAP servers return the roles in the user profile attributes.
The system contains the following default user roles:
- AAA Administrator: Read-and-write access to users, roles, and AAA configuration. Read access to the rest of the system.
- Administrator: Complete read-and-write access to the entire system. This role is assigned to the default administrator account by default, and you cannot change it.
- Facility Manager: Read-and-write access to power management operations through the power-mgmt privilege. Read access to the rest of the system.
- Network Administrator: Read-and-write access to fabric interconnect infrastructure and network security operations. Read access to the rest of the system.
- Operations: Read-and-write access to system logs, including the syslog servers, and faults. Read access to the rest of the system.
- Read-Only: Read-only access to system configuration, with no privileges to modify the system state.
- Server Compute Administrator: Read-and-write access to most aspects of service profiles. However, the user cannot create, modify, or delete vNICs or vHBAs.
- Server Equipment Administrator: Read-and-write access to physical server-related operations. Read access to the rest of the system.
- Server Profile Administrator: Read-and-write access to logical server-related operations. Read access to the rest of the system.
- Server Security Administrator: Read-and-write access to server security-related operations. Read access to the rest of the system.
- Storage Administrator: Read-and-write access to storage operations. Read access to the rest of the system.
You cannot use the following words when creating custom roles in Cisco UCS.
Privileges give users assigned to a role access to specific system resources and permission to perform specific tasks. The following table lists each privilege and the user role that is given that privilege by default.
Tip: Detailed information about these privileges and the tasks that they enable users to perform is available in Privileges in Cisco UCS at the following URL: http://www.cisco.com/en/US/products/ps10281/prod_technical_reference_list.html.
Privilege | Description | Default Role Assignment
---|---|---
aaa | System security and AAA | AAA Administrator
admin | System administration | Administrator
ext-lan-config | External LAN configuration | Network Administrator
ext-lan-policy | External LAN policy | Network Administrator
ext-lan-qos | External LAN QoS | Network Administrator
ext-lan-security | External LAN security | Network Administrator
ext-san-config | External SAN configuration | Storage Administrator
ext-san-policy | External SAN policy | Storage Administrator
ext-san-qos | External SAN QoS | Storage Administrator
ext-san-security | External SAN security | Storage Administrator
fault | Alarms and alarm policies | Operations
operations | Logs and Smart Call Home | Operations
org-management | Organization management | Operations
pod-config | Pod configuration | Network Administrator
pod-policy | Pod policy | Network Administrator
pod-qos | Pod QoS | Network Administrator
pod-security | Pod security | Network Administrator
power-mgmt | Read-and-write access to power management operations | Facility Manager
read-only | Read-only access. Read-only cannot be selected as a privilege; it is assigned to every user role. | Read-Only
server-equipment | Server hardware management | Server Equipment Administrator
server-maintenance | Server maintenance | Server Equipment Administrator
server-policy | Server policy | Server Equipment Administrator
server-security | Server security | Server Security Administrator
service-profile-compute | Service profile compute | Server Compute Administrator
service-profile-config | Service profile configuration | Server Profile Administrator
service-profile-config-policy | Service profile configuration policy | Server Profile Administrator
service-profile-ext-access | Service profile endpoint access | Server Profile Administrator
service-profile-network | Service profile network | Network Administrator
service-profile-network-policy | Service profile network policy | Network Administrator
service-profile-qos | Service profile QoS | Network Administrator
service-profile-qos-policy | Service profile QoS policy | Network Administrator
service-profile-security | Service profile security | Server Security Administrator
service-profile-security-policy | Service profile security policy | Server Security Administrator
service-profile-server | Service profile server management | Server Profile Administrator
service-profile-server-oper | Service profile consumer | Server Profile Administrator
service-profile-server-policy | Service profile pool policy | Server Security Administrator
service-profile-storage | Service profile storage | Storage Administrator
service-profile-storage-policy | Service profile storage policy | Storage Administrator
The following example creates the role ls-security-admin, adds two privileges to it, and commits the transaction:
```
UCSC# connect policy-mgr
UCSC(policy-mgr)# scope org /
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # create role ls-security-admin
UCSC(policy-mgr) /org/device-profile/security/role* # add privilege service-profile-security service-profile-security-policy
UCSC(policy-mgr) /org/device-profile/security/role* # commit-buffer
UCSC(policy-mgr) /org/device-profile/security/role #
```
Step | Command or Action | Purpose
---|---|---
1 | UCSC# connect policy-mgr | Enters policy manager mode.
2 | UCSC(policy-mgr)# scope org / | Enters the organization root.
3 | UCSC(policy-mgr) /org # scope device-profile | Enters device profile mode for the specified organization.
4 | UCSC(policy-mgr) /org/device-profile # scope security | Enters security mode.
5 | UCSC(policy-mgr) /org/device-profile/security # delete role name | Deletes the user role.
6 | UCSC(policy-mgr) /org/device-profile/security/role* # commit-buffer | Commits the transaction to the system configuration.
The following example deletes the role service-profile-security-admin and commits the transaction:
```
UCSC# connect policy-mgr
UCSC(policy-mgr)# scope org /
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # delete role service-profile-security-admin
UCSC(policy-mgr) /org/device-profile/security/role* # commit-buffer
UCSC(policy-mgr) /org/device-profile/security/role #
```
Step | Command or Action | Purpose
---|---|---
1 | UCSC# connect policy-mgr | Enters policy manager mode.
2 | UCSC(policy-mgr)# scope org / | Enters the organization root.
3 | UCSC(policy-mgr) /org # scope device-profile | Enters device profile mode for the specified organization.
4 | UCSC(policy-mgr) /org/device-profile # scope security | Enters security mode.
5 | UCSC(policy-mgr) /org/device-profile/security # scope role name | Enters role security mode for the specified role.
6 | UCSC(policy-mgr) /org/device-profile/security/role # add privilege privilege-name | Adds one or more privileges to the existing privileges of the user role.
7 | UCSC(policy-mgr) /org/device-profile/security/role* # commit-buffer | Commits the transaction to the system configuration.
The following example adds the server-security and server-policy privileges to the existing privileges of the role service-profile-security-admin and commits the transaction:
```
UCSC# connect policy-mgr
UCSC(policy-mgr)# scope org /
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # scope role service-profile-security-admin
UCSC(policy-mgr) /org/device-profile/security/role # add privilege server-security server-policy
UCSC(policy-mgr) /org/device-profile/security/role* # commit-buffer
UCSC(policy-mgr) /org/device-profile/security/role #
```
Step | Command or Action | Purpose
---|---|---
1 | UCSC# connect policy-mgr | Enters policy manager mode.
2 | UCSC(policy-mgr)# scope org / | Enters the organization root.
3 | UCSC(policy-mgr) /org # scope device-profile | Enters device profile mode for the specified organization.
4 | UCSC(policy-mgr) /org/device-profile # scope security | Enters security mode.
5 | UCSC(policy-mgr) /org/device-profile/security # scope role name | Enters role security mode for the specified role.
6 | UCSC(policy-mgr) /org/device-profile/security/role # set privilege privilege-name | Replaces the existing privileges of the user role with the privileges listed.
7 | UCSC(policy-mgr) /org/device-profile/security/role* # commit-buffer | Commits the transaction to the system configuration.
The following example replaces the privileges of the role service-profile-security-admin with server-security and server-policy and commits the transaction:
```
UCSC# connect policy-mgr
UCSC(policy-mgr)# scope org /
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # scope role service-profile-security-admin
UCSC(policy-mgr) /org/device-profile/security/role # set privilege server-security server-policy
UCSC(policy-mgr) /org/device-profile/security/role* # commit-buffer
UCSC(policy-mgr) /org/device-profile/security/role #
```
Step | Command or Action | Purpose
---|---|---
1 | UCSC# connect policy-mgr | Enters policy manager mode.
2 | UCSC(policy-mgr)# scope org / | Enters the organization root.
3 | UCSC(policy-mgr) /org # scope device-profile | Enters device profile mode for the specified organization.
4 | UCSC(policy-mgr) /org/device-profile # scope security | Enters security mode.
5 | UCSC(policy-mgr) /org/device-profile/security # scope role name | Enters role security mode for the specified role.
6 | UCSC(policy-mgr) /org/device-profile/security/role # remove privilege privilege-name | Removes one or more privileges from the existing privileges of the user role.
7 | UCSC(policy-mgr) /org/device-profile/security/role* # commit-buffer | Commits the transaction to the system configuration.
The following example removes the server-security and server-policy privileges from the role service-profile-security-admin and commits the transaction:
```
UCSC# connect policy-mgr
UCSC(policy-mgr)# scope org /
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # scope role service-profile-security-admin
UCSC(policy-mgr) /org/device-profile/security/role # remove privilege server-security server-policy
UCSC(policy-mgr) /org/device-profile/security/role* # commit-buffer
UCSC(policy-mgr) /org/device-profile/security/role #
```
Changes to user roles and privileges do not take effect until the next time the user logs in. If a user is logged in when you assign a new role to, or remove an existing role from, that user account, the active session continues with the previous roles and privileges.
Step | Command or Action | Purpose
---|---|---
1 | UCSC# connect policy-mgr | Enters policy manager mode.
2 | UCSC(policy-mgr)# scope org / | Enters the organization root.
3 | UCSC(policy-mgr) /org # scope device-profile | Enters device profile mode for the specified organization.
4 | UCSC(policy-mgr) /org/device-profile # scope security | Enters security mode.
5 | UCSC(policy-mgr) /org/device-profile/security # scope local-user local-user-name | Enters local user security mode for the specified local user account.
6 | UCSC(policy-mgr) /org/device-profile/security/local-user # create role role-name | Assigns the specified role to the user account.
7 | UCSC(policy-mgr) /org/device-profile/security/local-user* # commit-buffer | Commits the transaction.
The following example assigns the operations role to the local user account kikipopo and commits the transaction:
```
UCSC# connect policy-mgr
UCSC(policy-mgr)# scope org /
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # scope local-user kikipopo
UCSC(policy-mgr) /org/device-profile/security/local-user # create role operations
UCSC(policy-mgr) /org/device-profile/security/local-user* # commit-buffer
UCSC(policy-mgr) /org/device-profile/security/local-user #
```
Changes to user roles and privileges do not take effect until the next time the user logs in. If a user is logged in when you assign a new role to, or remove an existing role from, that user account, the active session continues with the previous roles and privileges.
Step | Command or Action | Purpose
---|---|---
1 | UCSC# connect policy-mgr | Enters policy manager mode.
2 | UCSC(policy-mgr)# scope org / | Enters the organization root.
3 | UCSC(policy-mgr) /org # scope device-profile | Enters device profile mode for the specified organization.
4 | UCSC(policy-mgr) /org/device-profile # scope security | Enters security mode.
5 | UCSC(policy-mgr) /org/device-profile/security # scope local-user local-user-name | Enters local user security mode for the specified local user account.
6 | UCSC(policy-mgr) /org/device-profile/security/local-user # delete role role-name | Removes the specified role from the user account.
7 | UCSC(policy-mgr) /org/device-profile/security/local-user* # commit-buffer | Commits the transaction.
The following example removes the operations role from the local user account kikipopo and commits the transaction:
```
UCSC# connect policy-mgr
UCSC(policy-mgr)# scope org /
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # scope local-user kikipopo
UCSC(policy-mgr) /org/device-profile/security/local-user # delete role operations
UCSC(policy-mgr) /org/device-profile/security/local-user* # commit-buffer
UCSC(policy-mgr) /org/device-profile/security/local-user #
```
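The procedures on this page share three behaviours that are easy to get wrong when scripting role changes: `add privilege` extends a role while `set privilege` replaces it; nothing is applied until `commit-buffer` (the trailing `*` in the prompt marks an uncommitted transaction); a deleted role disappears from every account that held it, and an already logged-in session keeps the privileges it had at login. The following Python model, an added example that is not Cisco's code and not part of this page, replays the CLI examples above against such a model. The class and method names (`SecurityScope`, `commit_buffer`, `walkthrough`) are invented for the illustration; the role, privilege and user names are the ones used in the examples above.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Session:
    """An active login; its privileges are fixed at login time, as the note above states."""
    user: str
    privileges: frozenset[str]


class SecurityScope:
    """Model of the security scope used by the procedures above (hypothetical class).
    Each change is staged, like the '*' state of the CLI, and applied by commit_buffer()."""

    def __init__(self) -> None:
        self.roles: dict[str, set[str]] = {}
        self.local_users: dict[str, set[str]] = {}  # account -> assigned role names
        self._pending: list[Callable[[], None]] = []

    def commit_buffer(self) -> None:
        for change in self._pending:
            change()
        self._pending.clear()

    def create_role(self, name: str) -> None:
        self._pending.append(lambda: self.roles.setdefault(name, set()))

    def add_privilege(self, role: str, *privileges: str) -> None:
        # 'add privilege': extends the role's existing privileges
        self._pending.append(lambda: self.roles[role].update(privileges))

    def set_privilege(self, role: str, *privileges: str) -> None:
        # 'set privilege': replaces the role's existing privileges
        self._pending.append(lambda: self.roles.__setitem__(role, set(privileges)))

    def remove_privilege(self, role: str, *privileges: str) -> None:
        # 'remove privilege': drops the named privileges from the role
        self._pending.append(lambda: self.roles[role].difference_update(privileges))

    def delete_role(self, role: str) -> None:
        # 'delete role': the role is also removed from every account that held it
        def apply() -> None:
            self.roles.pop(role, None)
            for assigned in self.local_users.values():
                assigned.discard(role)
        self._pending.append(apply)

    def assign_role(self, user: str, role: str) -> None:
        # 'create role <name>' under local-user: assigns an existing role to the account
        def apply() -> None:
            if role not in self.roles:
                raise KeyError(f"role {role!r} does not exist")
            self.local_users.setdefault(user, set()).add(role)
        self._pending.append(apply)

    def unassign_role(self, user: str, role: str) -> None:
        # 'delete role <name>' under local-user: removes the role from the account
        self._pending.append(lambda: self.local_users[user].discard(role))

    def effective_privileges(self, user: str) -> frozenset[str]:
        """Union over the roles currently assigned to the account (committed state only)."""
        privs: set[str] = set()
        for role in self.local_users.get(user, set()):
            privs |= self.roles.get(role, set())
        return frozenset(privs)

    def login(self, user: str) -> Session:
        return Session(user, self.effective_privileges(user))


def walkthrough() -> dict[str, set[str]]:
    """Replays the CLI examples above and records the state after each step."""
    sec = SecurityScope()
    role, user = "ls-security-admin", "kikipopo"
    sec.create_role(role)
    sec.add_privilege(role, "service-profile-security", "service-profile-security-policy")
    sec.assign_role(user, role)
    sec.commit_buffer()
    first = sec.login(user)
    out = {"at_login": set(first.privileges)}
    sec.add_privilege(role, "server-security", "server-policy")
    out["staged_only"] = set(sec.roles[role])        # '*' state: nothing applied yet
    sec.commit_buffer()
    out["after_add"] = set(sec.roles[role])
    out["old_session"] = set(first.privileges)       # unchanged until the next login
    out["new_session"] = set(sec.login(user).privileges)
    sec.set_privilege(role, "server-security", "server-policy")
    sec.commit_buffer()
    out["after_set"] = set(sec.roles[role])
    sec.remove_privilege(role, "server-security")
    sec.commit_buffer()
    out["after_remove"] = set(sec.roles[role])
    sec.delete_role(role)
    sec.commit_buffer()
    out["user_roles_after_delete"] = set(sec.local_users[user])
    return out
```

Running `walkthrough()` shows `staged_only` still holding the two original privileges after `add_privilege` has been called but before the commit, `old_session` keeping those two privileges after the commit while `new_session` has four, `after_set` shrinking back to the two privileges given to `set privilege`, and the account holding no roles at all once the role is deleted. An audit script that reads privileges from a live session, or from an uncommitted transaction, will therefore report stale results; read the committed role definition and re-authenticate to see the effect of a change.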