The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter includes the following sections:
Role-Based Access Control (RBAC) is a method of restricting or authorizing system access for users based on user roles and locales. A role defines the privileges of a user in the system and the locale defines the organizations (domains) that a user is allowed access. Because users are not directly assigned privileges, management of individual user privileges is simply a matter of assigning the appropriate roles and locales.
A user is granted write access to desired system resources only if the assigned role grants the access privileges and the assigned locale allows access. For example, a user with the Server Administrator role in the Engineering organization could update server configurations in the Engineering organization but could not update server configurations in the Finance organization unless the locales assigned to the user include the Finance organization.
User accounts are used to access the system. Up to 128 user accounts can be configured in each Cisco UCS Central domain. Each user account must have a unique username and password.
A user account can be set with a SSH public key. The public key can be set in either of the two formats: OpenSSH and SECSH.
Cisco UCS Central has an admin account. The admin account is a default user account and cannot be modified or deleted. This account is the system administrator or superuser account and has full privileges. There is no default password assigned to the admin account; you must choose the password during the initial system setup.
The admin account is always active and does not expire. You cannot configure the admin account as inactive.
The local admin user is able to login for fail over, even when authentication is set to remote.
A locally authenticated user account is authenticated through the Cisco UCS Central user database, and can be enabled or disabled by anyone with admin or aaa privileges. Once a local user account is disabled, the user cannot log in. Configuration details for disabled local user accounts are not deleted by the database. If you re-enable a disabled local user account, the account becomes active again with the existing configuration, including username and password.
A remotely authenticated user account is any Cisco UCS Central user account that is authenticated through LDAP. Cisco UCS domainssupport LDAP, RADIUS and TACACS+.
If a user maintains a local user account and a remote user account simultaneously, the roles defined in the local user account override those maintained in the remote user account.
User accounts can be configured to expire at a predefined time. When the expiration time is reached, the user account is disabled.
By default, user accounts do not expire.
Note |
After you configure a user account with an expiration date, you cannot reconfigure the account to not expire. You can, however, configure the account with the latest expiration date available. |
The username is also used as the login ID for Cisco UCS Central. When you assign login IDs to Cisco UCS user accounts, consider the following guidelines and restrictions:
The following words cannot be used when creating a local user account in Cisco UCS.
A password is required for each locally authenticated user account. A user with admin, aaa, or domain-group-management privileges can configure Cisco UCS Central to perform a password strength check on user passwords. If the password strength check is enabled, each user must have a strong password.
Cisco recommends that each user have a strong password. If you enable the password strength check for locally authenticated users, Cisco UCS Central rejects any password that does not meet the following requirements:
Cisco UCS Central does not support managing a number of concurrent web sessions at this time. We do support 32 concurrent web sessions for Cisco UCS Central users and a total of 256 concurrent sessions for all users.
Configuring User Roles
User roles contain one or more privileges that define the operations that are allowed for a user. One or more roles can be assigned to each user. Users with multiple roles have the combined privileges of all assigned roles. For example, if Role1 has storage-related privileges, and Role2 has server-related privileges, users with Role1 and Role2 have both storage-related and server-related privileges.
A Cisco UCS domain can contain up to 48 user roles, including the default user roles. Each domain group in Cisco UCS Central can contain 48 user roles, including the user roles that are inherited from the parent domain group. When user roles are pushed to Cisco UCS Manager from Cisco UCS Central, only the first 48 roles will be active. Any user roles after the first 48 will be inactive with faults raised.
All roles include read access to all configuration settings in the Cisco UCS domain. Users with read-only roles cannot modify the system state.
Roles can be created, modified to add new or remove existing privileges, or deleted. When a role is modified, the new privileges are applied to all users that have that role. Privilege assignment is not restricted to the privileges defined for the default roles. That is, you can use a custom set of privileges to create a unique role. For example, the default Server Administrator and Storage Administrator roles have a different set of privileges, but a new Server and Storage Administrator role can be created that combines the privileges of both roles.
If a role is deleted after it has been assigned to users, it is also deleted from those user accounts.
User profiles on AAA servers (RADIUS or TACACS+) should be modified to add the roles corresponding to the privileges granted to that user. The attribute is used to store the role information. The AAA servers return this attribute with the request and parse it to get the roles. LDAP servers return the roles in the user profile attributes.
The system contains the following default user roles:
Read-and-write access to users, roles, and AAA configuration. Read access to the rest of the system.
Complete read-and-write access to the entire system. The default admin account is assigned this role by default and it cannot be changed.
Read-and-write access to power management operations through the power-mgmt privilege. Read access to the rest of the system.
Read-and-write access to fabric interconnect infrastructure and network security operations. Read access to the rest of the system.
Read-and-write access to systems logs, including the syslog servers, and faults. Read access to the rest of the system.
Read-only access to system configuration with no privileges to modify the system state.
Read and write access to most aspects of service profiles. However the user cannot create, modify or delete vNICs or vHBAs.
Read-and-write access to physical server related operations. Read access to the rest of the system.
Read-and-write access to logical server related operations. Read access to the rest of the system.
Read-and-write access to server security related operations. Read access to the rest of the system.
Read-and-write access to storage operations. Read access to the rest of the system.
The following words cannot be used when creating custom roles in Cisco UCS.
Privileges give users assigned to user roles access to specific system resources and permission to perform specific tasks. The following table lists each privilege and the user role given that privilege by default.
Privilege |
Description |
Default Role Assignment |
---|---|---|
aaa |
System security and AAA |
AAA Administrator |
admin |
System administration |
Administrator |
domain-group-management |
Domain Group Management |
Domain Group Administrator |
ext-lan-config |
External LAN configuration |
Network Administrator |
ext-lan-policy |
External LAN policy |
Network Administrator |
ext-lan-qos |
External LAN QoS |
Network Administrator |
ext-lan-security |
External LAN security |
Network Administrator |
ext-san-config |
External SAN configuration |
Storage Administrator |
ext-san-policy |
External SAN policy |
Storage Administrator |
ext-san-qos |
External SAN QoS |
Storage Administrator |
ext-san-security |
External SAN security |
Storage Administrator |
fault |
Alarms and alarm policies |
Operations |
operations |
Logs and Smart Call Home |
Operations |
org-management |
Organization management |
Operations |
pod-config |
Pod configuration |
Network Administrator |
pod-policy |
Pod policy |
Network Administrator |
pod-qos |
Pod QoS |
Network Administrator |
pod-security |
Pod security |
Network Administrator |
power-mgmt |
Read-and-write access to power management operations |
Facility Manager |
read-only |
Read-only access Read-only cannot be selected as a privilege; it is assigned to every user role. |
Read-Only |
server-equipment |
Server hardware management |
Server Equipment Administrator |
server-maintenance |
Server maintenance |
Server Equipment Administrator |
server-policy |
Server policy |
Server Equipment Administrator |
server-security |
Server security |
Server Security Administrator |
service-profile-compute |
Service profile compute |
Server Compute Administrator |
service-profile-config |
Service profile configuration |
Server Profile Administrator |
service-profile-config-policy |
Service profile configuration policy |
Server Profile Administrator |
service-profile-ext-access |
Service profile end point access |
Server Profile Administrator |
service-profile-network |
Service profile network |
Network Administrator |
service-profile-network-policy |
Service profile network policy |
Network Administrator |
service-profile-qos |
Service profile QoS |
Network Administrator |
service-profile-qos-policy |
Service profile QoS policy |
Network Administrator |
service-profile-security |
Service profile security |
Server Security Administrator |
service-profile-security-policy |
Service profile security policy |
Server Security Administrator |
service-profile-server |
Service profile server management |
Server Profile Administrator |
service-profile-server-oper |
Service profile consumer |
Server Profile Administrator |
service-profile-server-policy |
Service profile pool policy |
Server Security Administrator |
service-profile-storage |
Service profile storage |
Storage Administrator |
service-profile-storage-policy |
Service profile storage policy |
Storage Administrator |
The following example creates the service-profile-security-admin role, adds the service profile security and service profile security policy privileges to the role, and commits the transaction:
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group UCSC(policy-mgr) /domain-group # scope security UCSC(policy-mgr) /domain-group/security # create role ls-security-admin UCSC(policy-mgr) /domain-group/security/role* # add privilege service-profile-security service-profile-security-policy UCSC(policy-mgr) /domain-group/security/role* # commit-buffer UCSC(policy-mgr) /domain-group/security/role #
Command or Action | Purpose | |
---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group. |
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode. |
Step 4 | UCSC(policy-mgr) /domain-group/security # delete role name | Deletes the user role. |
Step 5 | UCSC(policy-mgr) /domain-group/security/role* # commit-buffer | Commits the transaction to the system configuration. |
The following example deletes the service-profile-security-admin role and commits the transaction:
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group UCSC(policy-mgr) /domain-group # scope security UCSC(policy-mgr) /domain-group/security # delete role service-profile-security-admin UCSC(policy-mgr) /domain-group/security/role* # commit-buffer UCSC(policy-mgr) /domain-group/security/role #
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
||
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group. |
||
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode. |
||
Step 4 | UCSC(policy-mgr) /domain-group/security # scope role name | Enters security role mode for the specified role. |
||
Step 5 | UCSC(policy-mgr) /domain-group/security/role # add privilege privilege-name | Adds one or more privileges to the existing privileges of the user role.
|
||
Step 6 | UCSC(policy-mgr) /domain-group/security/role* # commit-buffer | Commits the transaction to the system configuration. |
The following example shows how to add the server security and server policy privileges to the service-profile-security-admin role and commit the transaction:
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group UCSC(policy-mgr) /domain-group # scope security UCSC(policy-mgr) /domain-group/security # scope role UCSC(policy-mgr) /domain-group/security/role # scope role service-profile-security-admin UCSC(policy-mgr) /domain-group/security/role* # add privilege server-security server-policy UCSC(policy-mgr) /domain-group/security/role* # commit-buffer UCSC(policy-mgr) /domain-group/security/role #
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
||
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group. |
||
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode. |
||
Step 4 | UCSC(policy-mgr) /domain-group/security # scope role name | Enters security role mode for the specified role. |
||
Step 5 | UCSC(policy-mgr) /domain-group/security/role # set privilege privilege-name | Replaces the existing privileges of the user role.
|
||
Step 6 | UCSC(policy-mgr) /domain-group/security/role* # commit-buffer | Commits the transaction to the system configuration. |
The following example shows how to replace the existing privileges for the service-profile-security-admin role with the server security and server policy privileges and commit the transaction:
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group UCSC(policy-mgr) /domain-group # scope security UCSC(policy-mgr) /domain-group/security # scope role UCSC(policy-mgr) /domain-group/security/role # scope role service-profile-security-admin UCSC(policy-mgr) /domain-group/security/role* # set privilege server-security server-policy UCSC(policy-mgr) /domain-group/security/role* # commit-buffer UCSC(policy-mgr) /domain-group/security/role #
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
||
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group. |
||
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode. |
||
Step 4 | UCSC(policy-mgr) /domain-group/security # scope role name | Enters security role mode for the specified role. |
||
Step 5 | UCSC(policy-mgr) /domain-group/security/role # remove privilege privilege-name | Removes one or more privileges from the existing user role privileges.
|
||
Step 6 | UCSC(policy-mgr) /domain-group/security/role* # commit-buffer | Commits the transaction to the system configuration. |
The following example removes the server security and server policy privileges from the service-profile-security-admin role and commits the transaction:
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group UCSC(policy-mgr) /domain-group # scope security UCSC(policy-mgr) /domain-group/security # scope role UCSC(policy-mgr) /domain-group/security/role # remove privilege server-security server-policy UCSC(policy-mgr) /domain-group/security/role* # commit-buffer UCSC(policy-mgr) /domain-group/security/role #
Changes in user roles and privileges do not take effect until the next time the user logs in. If a user is logged in when you assign a new role to or remove an existing role from a user account, the active session continues with the previous roles and privileges.
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
||
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group. |
||
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode. |
||
Step 4 | UCSC(policy-mgr) /domain-group/security # scope local-user local-user-name | Enters security local user mode for the specified local user account. |
||
Step 5 | UCSC(policy-mgr) /domain-group/security/local-user # create role role-name | Assigns the specified role to the user account .
|
||
Step 6 | UCSC(policy-mgr) /domain-group/security/local-user* # commit-buffer | Commits the transaction. |
The following example assigns the operations role to the kikipopo local user account and commits the transaction:
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group UCSC(policy-mgr) /domain-group # scope security UCSC(policy-mgr) /domain-group/security # scope local-user kikipopo UCSC(policy-mgr) /domain-group/security/local-user # create role operations UCSC(policy-mgr) /domain-group/security/local-user* # commit-buffer UCSC(policy-mgr) /domain-group/security/local-user #
Changes in user roles and privileges do not take effect until the next time the user logs in. If a user is logged in when you assign a new role to or remove an existing role from a user account, the active session continues with the previous roles and privileges.
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
||
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group. |
||
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode. |
||
Step 4 | UCSC(policy-mgr) /domain-group/security # scope local-user local-user-name | Enters security local user mode for the specified local user account. |
||
Step 5 | UCSC(policy-mgr) /domain-group/security/local-user # delete role role-name | Removes the specified role from the user account .
|
||
Step 6 | UCSC(policy-mgr) /domain-group/security/local-user* # commit-buffer | Commits the transaction. |
The following example removes the operations role from the kikipopo local user account and commits the transaction:
CSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group UCSC(policy-mgr) /domain-group # scope security UCSC(policy-mgr) /domain-group/security # scope local-user kikipopo UCSC(policy-mgr) /domain-group/security/local-user # delete role operations UCSC(policy-mgr) /domain-group/security/local-user* # commit-buffer UCSC(policy-mgr) /domain-group/security/local-user #
Configuring Locally Authenticated User Accounts
At a minimum, we recommend that you create the following users:
Perform the following tasks, if the system includes any of the following:
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
||
Step 2 | UCSC(policy-mgr)# scope domain-group / | Enters domain group root mode. |
||
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode. |
||
Step 4 | UCSC(policy-mgr) /domain-group/security # create local-user local-user-name | Creates a user account for the specified local user and enters security local user mode. |
||
Step 5 | UCSC(policy-mgr) /domain-group/security/local-user* # set account-status {active | inactive} | Specifies whether the local user account is enabled or disabled. The admin user account is always set to active. It cannot be modified.
|
||
Step 6 | UCSC(policy-mgr) /domain-group/security/local-user* # set password password | Sets the password for the user account |
||
Step 7 | UCSC(policy-mgr) /domain-group/security/local-user* # set firstname first-name | (Optional) Specifies the first name of the user. |
||
Step 8 | UCSC(policy-mgr) /domain-group/security/local-user* # set lastname last-name | (Optional) Specifies the last name of the user. |
||
Step 9 | UCSC(policy-mgr) /domain-group/security/local-user* # set expiration month day-of-month year | (Optional) Specifies the date that the user account expires. The month argument is the first three letters of the month name.
|
||
Step 10 | UCSC(policy-mgr) /domain-group/security/local-user* # set email email-addr | (Optional) Specifies the user e-mail address. |
||
Step 11 | UCSC(policy-mgr) /domain-group/security/local-user* # set phone phone-num | (Optional) Specifies the user phone number. |
||
Step 12 | UCSC(policy-mgr) /domain-group/security/local-user* # set sshkey ssh-key | (Optional) Specifies the SSH key used for passwordless access. |
||
Step 13 | UCSC(policy-mgr) /domain-group/security/local-user* # commit-buffer | Commits the transaction. |
The following example shows how to create the user account named kikipopo, enable the user account, set the password to foo12345, and commit the transaction:
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group / UCSC(policy-mgr) /domain-group # scope security UCSC(policy-mgr) /domain-group/security # create local-user kikipopo UCSC(policy-mgr) /domain-group/security/local-user* # set account-status active UCSC(policy-mgr) /domain-group/security/local-user* # set password Enter a password: Confirm the password: UCSC(policy-mgr) /domain-group/security/local-user* # commit-buffer UCSC(policy-mgr) /domain-group/security/local-user #
The following example shows how to create the user account named lincey, enable the user account, set an OpenSSH key for passwordless access, and commit the transaction.
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group / UCSC(policy-mgr) /domain-group # scope security UCSC(policy-mgr) /domain-group/security # create local-user lincey UCSC(policy-mgr) /domain-group/security/local-user* # set account-status active UCSC(policy-mgr) /domain-group/security/local-user* # set sshkey "ssh-rsa AAAAB3NzaC1yc2EAAAA BIwAAAIEAuo9VQ2CmWBI9/S1f30klCWjnV3lgdXMzO0WUl5iPw85lkdQqap+NFuNmHcb4KiaQB8X/PDdmtlxQQcawclj+k8f4 VcOelBxlsGk5luq5ls1ob1VOIEwcKEL/h5lrdbNlI8y3SS9I/gGiBZ9ARlop9LDpDm8HPh2LOgyH7Ei1MI8=" UCSC(policy-mgr) /domain-group/security/local-user* # commit-buffer UCSC(policy-mgr) /domain-group/security/local-user #
The following example shows how to create the user account named jforlenz, enable the user account, set a Secure SSH key for passwordless access, and commit the transaction.
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group / UCSC(policy-mgr) /domain-group # scope security UCSC(policy-mgr) /domain-group/security # create local-user jforlenz UCSC(policy-mgr) /domain-group/security/local-user* # set account-status active UCSC(policy-mgr) /domain-group/security/local-user* # set sshkey Enter lines one at a time. Enter ENDOFBUF to finish. Press ^C to abort. User's SSH key: > ---- BEGIN SSH2 PUBLIC KEY ---- > AAAAB3NzaC1yc2EAAAABIwAAAIEAuo9VQ2CmWBI9/S1f30klCWjnV3lgdXMzO0WUl5iPw8 > 5lkdQqap+NFuNmHcb4KiaQB8X/PDdmtlxQQcawclj+k8f4VcOelBxlsGk5luq5ls1ob1VO > IEwcKEL/h5lrdbNlI8y3SS9I/gGiBZ9ARlop9LDpDm8HPh2LOgyH7Ei1MI8= > ---- END SSH2 PUBLIC KEY ---- > ENDOFBUF UCSC(policy-mgr) /domain-group/security/local-user* # commit-buffer UCSC(policy-mgr) /domain-group/security/local-user #
Command or Action | Purpose | |
---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group. |
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode. |
Step 4 | UCSC(policy-mgr) /domain-group/security # delete local-user local-user-name | Deletes the local-user account. |
Step 5 | UCSC(policy-mgr) /domain-group/security* # commit-buffer | Commits the transaction to the system configuration. |
The following example deletes the foo user account and commits the transaction:
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group UCSC(policy-mgr) /domain-group # scope security UCSC(policy-mgr) /domain-group/security # delete local-user foo UCSC(policy-mgr) /domain-group/security* # commit-buffer UCSC(policy-mgr) /domain-group/security #
You must be a user with admin, aaa, or domain-group-management privileges to enable the password strength check. If the password strength check is enabled, Cisco UCS Central does not permit a user to choose a password that does not meet the guidelines for a strong password.
Command or Action | Purpose | |
---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
Step 2 | UCSC(policy-mgr)# scope domain-group / | Enters domain group root mode. |
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode. |
Step 4 | UCSC(policy-mgr) /domain-group/security # scope password-profile. | Specifies whether the password strength check is enabled or disabled. |
Step 5 | UCSC(policy-mgr) /domain-group/security/password-profile # set enforce-strong-password {yes | no} | Specifies whether the password strength check is enabled or disabled. |
The following example enables the password strength check:
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group / UCSC(policy-mgr) /domain-group # scope security UCSC(policy-mgr) /domain-group/security # scope password-profile UCSC(policy-mgr) /domain-group/security/password-profile # set enforce-strong-password yes UCSC(policy-mgr) /domain-group/security/password-profile #
You must have admin, aaa, or domain-group-management privileges to change the password profile properties.
Command or Action | Purpose | |
---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group. |
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode. |
Step 4 | UCSC(policy-mgr) /domain-group/security # scope local-user local-user-name | Commits the transaction. |
Step 5 | UCSC(policy-mgr) /domain-group/security/local-user # scope password-profile | Enters password profile security mode. |
Step 6 | UCSC(policy-mgr) /domain-group/security/password-profile # set history-count 0 | Setting the History Count field to 0 (the default setting) disables the history count and allows users to reuse previously used passwords at any time. |
Step 7 | UCSC(policy-mgr) /domain-group/security/password-profile* # commit-buffer | Commits the transaction to the system configuration. |
The following example shows how to clear the password history count for the user account named kikipopo, and commit the transaction:
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group UCSC(policy-mgr) /domain-group # scope security UCSC(policy-mgr) /domain-group/security # scope local-user kikipopo UCSC(policy-mgr) /domain-group/security/local-user # scope password-profile UCSC(policy-mgr) /domain-group/security/password-profile # set history-count 0 UCSC(policy-mgr) /domain-group/security/password-profile* # commit-buffer UCSC(policy-mgr) /domain-group/security/password-profile #
You must be a user with admin, aaa, or domain-group-management privileges to enable or disable a local user account.
Create a local user account.
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
||
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group. |
||
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode. |
||
Step 4 | UCSC(policy-mgr) /domain-group/security # scope local-user | Enters local-user security mode. |
||
Step 5 | UCSC(policy-mgr) /domain-group/security/local-user # set account-status {active | inactive} | Specifies whether the local user account is enabled or disabled. The admin user account is always set to active. It cannot be modified.
|
The following example shows how to enable a local user account called accounting:
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group UCSC(policy-mgr) /domain-group # scope security UCSC(policy-mgr) /domain-group/security # scope local-user accounting UCSC(policy-mgr) /domain-group/security/local-user # set account-status active
Configuring User Locales
A user can be assigned one or more locales. Each locale defines one or more organizations (domains) the user is allowed access, and access would be limited to the organizations specified in the locale. One exception to this rule is a locale without any organizations, which gives unrestricted access to system resources in all organizations.
A Cisco UCS domain can contain up to 48 user locales. Each domain group in Cisco UCS Central can contain 48 user locales, including the user locales that are inherited from the parent domain group. When user locales are pushed to Cisco UCS Manager from Cisco UCS Central, only the first 48 locales will be active. Any user locales after the first 48 will be inactive with faults raised.
Users with admin, aaa, or domain-group-management privileges can assign organizations to the locale of other users.
Note |
You cannot assign a locale to users with the admin privilege. |
You can hierarchically manage organizations. A user that is assigned at a top level organization has automatic access to all organizations under it. For example, an Engineering organization can contain a Software Engineering organization and a Hardware Engineering organization. A locale containing only the Software Engineering organization has access to system resources only within that organization; however, a locale that contains the Engineering organization has access to the resources for both the Software Engineering and Hardware Engineering organizations.
Command or Action | Purpose | |
---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group. |
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode. |
Step 4 | UCSC(policy-mgr) /domain-group/security # create locale name | Creates the user role and enters security role mode. |
Step 5 | UCSC(policy-mgr) /domain-group/security/locale * # create org-ref org-ref-name orgdn orgdn-name | References (binds) an organization to the locale. The org-ref-name argument is the name used to identify the organization reference, and the orgdn-name argument is the distinguished name of the organization being referenced. |
Step 6 | UCSC(policy-mgr) /domain-group/security/locale * # commit-buffer | Commits the transaction to the system configuration. |
The following example shows how to create the finance organization for the western locale and commit the transaction:
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group UCSC(policy-mgr) /domain-group # scope security UCSC(policy-mgr) /domain-group/security # create locale western UCSC(policy-mgr) /domain-group/security/locale* # create org-ref finance-ref orgdn finance UCSC(policy-mgr) /domain-group/security/locale* # commit-buffer UCSC(policy-mgr) /domain-group/security/locale #
Command or Action | Purpose | |
---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group. |
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode. |
Step 4 | UCSC(policy-mgr) /domain-group/security # delete locale locale-name | Deletes the locale. |
Step 5 | UCSC(policy-mgr) /domain-group/security * # commit-buffer | Commits the transaction to the system configuration. |
The following example deletes the western locale and commits the transaction:
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group UCSC(policy-mgr) /domain-group # scope security UCSC(policy-mgr) /domain-group/security # delete locale western UCSC(policy-mgr) /domain-group/security* # commit-buffer UCSC(policy-mgr) /domain-group/security #
Note |
Do not assign locales to users with an admin role. |
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
||
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group. |
||
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode. |
||
Step 4 | UCSC /security # scope local-user local-user-name | Enters security local user mode for the specified local user account. |
||
Step 5 | UCSC(policy-mgr) /domain-group/security/local-user # create locale locale-name | Assigns the specified locale to the user account.
|
||
Step 6 | UCSC(policy-mgr) /domain-group/security/local-user* # commit-buffer | Commits the transaction. |
The following example shows how to assign the western locale to the kikipopo local user account and commit the transaction:
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group UCSC(policy-mgr) /domain-group # scope security UCSC(policy-mgr) /domain-group/security/local-user # create locale western UCSC(policy-mgr) /domain-group/security/local-user* # commit-buffer UCSC(policy-mgr) /domain-group/security/local-user #
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
||
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group. |
||
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode. |
||
Step 4 | UCSC(policy-mgr) /domain-group/security # scope local-user local-user-name | Enters security local user mode for the specified local user account. |
||
Step 5 | UCSC(policy-mgr) /domain-group/security/local-user # delete locale locale-name | Removes the specified locale from the user account.
|
||
Step 6 | UCSC(policy-mgr) /domain-group/security/local-user* # commit-buffer | Commits the transaction. |
The following example removes the western locale from the kikipopo local user account and commits the transaction:
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group UCSC(policy-mgr) /domain-group # scope security UCSC(policy-mgr) /domain-group/security/local-user # delete locale western UCSC(policy-mgr) /domain-group/security/local-user* # commit-buffer UCSC(policy-mgr) /domain-group/security/local-user #
Command or Action | Purpose | |
---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group. |
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode. |
Step 4 | UCSC(policy-mgr) /domain-group/security # scope locale locale-name | Enters security locale mode. |
Step 5 | UCSC(policy-mgr) /domain-group/security/locale # create org-ref org-ref-name orgdn orgdn-name | References (binds) an organization to the locale. The org-ref-name argument is the name used to identify the organization reference, and the orgdn-name argument is the distinguished name of the organization being referenced. |
Step 6 | UCSC(policy-mgr) /domain-group/security/locale * # commit-buffer | Commits the transaction to the system configuration. |
The following example enters the western locale, adds (references) the marketing organization to the locale, names the reference marketing-ref, and commits the transaction:
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group UCSC(policy-mgr) /domain-group # scope security UCSC(policy-mgr) /domain-group/security # scope locale western UCSC(policy-mgr) /domain-group/security/locale # create org-ref marketing-ref orgdn marketing UCSC(policy-mgr) /domain-group/security/locale* # commit-buffer UCSC(policy-mgr) /domain-group/security/locale #
Command or Action | Purpose | |
---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group. |
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode. |
Step 4 | UCSC(policy-mgr) /domain-group/security # scope locale locale-name | Enters security locale mode. |
Step 5 | UCSC(policy-mgr) /domain-group/security/locale # delete org-ref org-ref-name | Deletes the organization from the locale. |
Step 6 | UCSC(policy-mgr) /domain-group/security/locale * # commit-buffer | Commits the transaction to the system configuration. |
The following example deletes the finance organization from the western locale and commits the transaction:
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group UCSC(policy-mgr) /domain-group # scope security UCSC(policy-mgr) /domain-group/security # scope locale western UCSC(policy-mgr) /domain-group/security/locale # delete org-ref finance-ref UCSC(policy-mgr) /domain-group/security/locale* # commit-buffer UCSC(policy-mgr) /domain-group/security/locale #
Command or Action | Purpose | |
---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group. |
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode. |
Step 4 | UCSC(policy-mgr) /domain-group/security # scope locale locale-name | Enters security locale mode. |
Step 5 | UCSC(policy-mgr) /domain-group/security/locale # create domain-group-ref domain-group-ref-name domain-group-dn domaingroup-root-name | References (binds) a domain group to the locale. The domain-group-ref-name argument (1-16 characters) is the name used to identify the domain group reference, and the domain-group-dn-name argument is the distinguished name of the domain group root being referenced. |
Step 6 | UCSC(policy-mgr) /domain-group/security/locale * # commit-buffer | Commits the transaction to the system configuration. |
The following example enters the western locale, adds (references) the marketing domain group to the locale, names the reference marketdomain01-ref, and commits the transaction:
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group UCSC(policy-mgr) /domain-group # scope security UCSC(policy-mgr) /domain-group/security # scope locale western UCSC(policy-mgr) /domain-group/security/locale # create domain-group-ref marketdomain01 domain-group-dn marketing UCSC(policy-mgr) /domain-group/security/locale* # commit-buffer UCSC(policy-mgr) /domain-group/security/locale #
Command or Action | Purpose | |
---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group. |
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode. |
Step 4 | UCSC(policy-mgr) /domain-group/security # scope locale locale-name | Enters security locale mode. |
Step 5 | UCSC(policy-mgr) /domain-group/security/locale # delete domain-group-ref domain-group-ref-name | Deletes references (unbinds) domain groups referenced to the locale. The domain-group-ref-name argument (1-16 characters) is the name used to identify the domain group reference. |
Step 6 | UCSC(policy-mgr) /domain-group/security/locale * # commit-buffer | Commits the transaction to the system configuration. |
The following example enters the western locale, deletes references (unbinds) the marketing domain group references from the locale marketdomain01, and commits the transaction:
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group UCSC(policy-mgr) /domain-group # scope security UCSC(policy-mgr) /domain-group/security # scope locale western UCSC(policy-mgr) /domain-group/security/locale # delete domain-group-ref marketdomain01 UCSC(policy-mgr) /domain-group/security/locale* # commit-buffer UCSC(policy-mgr) /domain-group/security/locale #
Configuring User Domain Groups
Command or Action | Purpose | |
---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group. |
Step 3 | UCSC(policy-mgr) /domain-group # create domain-group name | Creates the domain group. |
Step 4 | UCSC(policy-mgr) /domain-group * # commit-buffer | Commits the transaction to the system configuration. |
The following example creates the central-audit domain group and commits the transaction:
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group UCSC(policy-mgr) /domain-group # create domain-group central-audit UCSC(policy-mgr) /domain-group* # commit-buffer UCSC(policy-mgr) /domain-group #
Command or Action | Purpose | |
---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group. |
Step 3 | UCSC(policy-mgr) /domain-group # delete domain-group name | Deletes the domain group. |
Step 4 | UCSC(policy-mgr) /domain-group * # commit-buffer | Commits the transaction to the system configuration. |
The following example deletes the central-audit domain group and commits the transaction:
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group UCSC(policy-mgr) /domain-group # delete domain-group central-audit UCSC(policy-mgr) /domain-group* # commit-buffer UCSC(policy-mgr) /domain-group #
Configuring User Organizations
A user can create one or more organizations. Each organization defines sub-organizations, faults, events, UUID suffix pools and blocks of UUIDs.
Cisco UCS organizations are hierarchically managed by users. A user that is assigned at the root level organization has automatic access to all organizations and domain groups under it.
Command or Action | Purpose | |
---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
Step 2 | UCSC(policy-mgr)# scope org org-name | Enters organization mode for the specified organization. To enter the root organization mode, type / as the org-name. |
Step 3 | UCSC(policy-mgr) /org # create org name | Creates the organization. |
Step 4 | UCSC(policy-mgr) /org * # commit-buffer | Commits the transaction to the system configuration. |
The following example creates the central-audit organization and commits the transaction:
UCSC # connect policy-mgr UCSC(policy-mgr)# scope org / UCSC(policy-mgr) /org # create org central-audit UCSC(policy-mgr) /org* # commit-buffer UCSC(policy-mgr) /org #
Command or Action | Purpose | |
---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
Step 2 | UCSC(policy-mgr)# scope org org-name | Enters organization mode for the specified organization. To enter the root organization mode, type / as the org-name. |
Step 3 | UCSC(policy-mgr) /org # delete org name | Deletes the organization. |
Step 4 | UCSC(policy-mgr) /org * # commit-buffer | Commits the transaction to the system configuration. |
The following example deletes the central-audit organization and commits the transaction:
UCSC # connect policy-mgr UCSC(policy-mgr)# scope org / UCSC(policy-mgr) /org # delete org central-audit UCSC(policy-mgr) /org* # commit-buffer UCSC(policy-mgr) /org #
Command or Action | Purpose | |
---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
Step 2 | UCSC(policy-mgr)# scope org org-name | Enters organization mode for the specified organization. To enter the root organization mode, type / as the org-name. |
Step 3 | UCSC(policy-mgr) /org # create org name | Creates the sub-organization under the organization scoped. |
Step 4 | UCSC(policy-mgr) /org * # commit-buffer | Commits the transaction to the system configuration. |
The following example enters the central-audit organization, creates the north-audit sub-organization and commits the transaction:
UCSC # connect policy-mgr UCSC(policy-mgr)# scope org central-audit UCSC(policy-mgr) /org # create org north-audit UCSC(policy-mgr) /org* # commit-buffer UCSC(policy-mgr) /org #
Step 1 |
UCSC# connect policy-mgr Enters policy manager mode. |
Step 2 |
UCSC(policy-mgr)# scope org org-name Enters organization mode for the specified organization. To enter the root organization mode, type / as the org-name. |
Step 3 |
UCSC(policy-mgr) /org # delete org name Deletes the sub-organization under the organization scoped. |
Step 4 |
UCSC(policy-mgr) /org * # commit-buffer Commits the transaction to the system configuration. |
The following example enters the central-audit organization, deletes the north-audit sub-organization and commits the transaction:
UCSC # connect policy-mgr UCSC(policy-mgr)# scope org central-audit UCSC(policy-mgr) /domain-group # delete org north-audit UCSC(policy-mgr) /domain-group* # commit-buffer UCSC(policy-mgr) /domain-group #
Configuring Passwords
The password profile contains the password history and password change interval properties for all locally authenticated users of Cisco UCS Central. You cannot specify a different password profile for each locally authenticated user.
Note |
You must have admin, aaa, or domain-group-management privileges to change the password profile properties. Except for password history, these properties do not apply to users with these administrative privileges. |
The password history count allows you to prevent locally authenticated users from reusing the same password over and over again. When this property is configured, Cisco UCS Central stores passwords that were previously used by locally authenticated users up to a maximum of 15 passwords. The passwords are stored in reverse chronological order with the most recent password first to ensure that the only the oldest password can be reused when the history count threshold is reached.
A user must create and use the number of passwords configured in the password history count before being able to reuse one. For example, if you set the password history count to 8, a locally authenticated user cannot reuse the first password until after the ninth password has expired.
By default, the password history is set to 0. This value disables the history count and allows users to reuse previously passwords at any time.
If necessary, you can clear the password history count for a locally authenticated user and enable reuse of previous passwords.
The password change interval enables you to restrict the number of password changes a locally authenticated user can make within a given number of hours. The following table describes the two configuration options for the password change interval.
Interval Configuration | Description | Example |
---|---|---|
No password change allowed |
This option does not allow passwords for locally authenticated users to be changed within a specified number of hours after a password change. You can specify a no change interval between 1 and 745 hours. By default, the no change interval is 24 hours. |
For example, to prevent passwords from being changed within 48 hours after a locally authenticated user changes his or her password, set the following: |
Password changes allowed within change interval |
This option specifies the maximum number of times that passwords for locally authenticated users can be changed within a pre-defined interval. You can specify a change interval between 1 and 745 hours and a maximum number of password changes between 0 and 10. By default, a locally authenticated user is permitted a maximum of 2 password changes within a 48 hour interval. |
For example, to allow to be changed a maximum of once within 24 hours after a locally authenticated user changes his or her password, set the following: |
You must have admin, aaa, or domain-group-management privileges to change the password profile properties. Except for password history, these properties do not apply to users with these administrative privileges.
Command or Action | Purpose | |
---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group. |
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode. |
Step 4 | UCSC(policy-mgr) /domain-group/security # scope password-profile | Enters password profile security mode. |
Step 5 | UCSC(policy-mgr) /domain-group/security/password-profile # set change-during-interval enable | Restricts the number of password changes a locally authenticated user can make within a given number of hours. |
Step 6 | UCSC(policy-mgr) /domain-group/security/password-profile* # set change-count pass-change-num | Specifies the maximum number of times a locally authenticated user can change his or her password during the Change Interval. This value can be anywhere from 0 to 10. |
Step 7 | UCSC(policy-mgr) /domain-group/security/password-profile* # set change-interval num-of-hours | Specifies the maximum number of hours over which the number of password changes specified in the Change Count field are enforced. This value can be anywhere from 1 to 745 hours. For example, if this field is set to 48 and theChange Count field is set to 2, a locally authenticated user can make no more than 2 password changes within a 48 hour period. |
Step 8 | UCSC(policy-mgr) /domain-group/security/password-profile* # commit-buffer | Commits the transaction to the system configuration. |
The following example shows how to enable the change during interval option, set the change count to 5, set the change interval to 72 hours, and commit the transaction:
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group UCSC(policy-mgr) /domain-group # scope security UCSC(policy-mgr) /domain-group/security # scope password-profile UCSC(policy-mgr) /domain-group/security/password-profile # set change-during-interval enable UCSC(policy-mgr) /domain-group/security/password-profile* # set change-count 5 UCSC(policy-mgr) /domain-group/security/password-profile* # set change-interval 72 UCSC(policy-mgr) /domain-group/security/password-profile* # commit-buffer UCSC(policy-mgr) /domain-group/security/password-profile #
You must have admin, aaa, or domain-group-management privileges to change the password profile properties. Except for password history, these properties do not apply to users with these administrative privileges.
Command or Action | Purpose | |
---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group. |
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode. |
Step 4 | UCSC(policy-mgr) /domain-group/security # scope password-profile | Enters password profile security mode. |
Step 5 | UCSC(policy-mgr) /domain-group/security/password-profile # set change-during-interval disable | Disables the change during interval feature. |
Step 6 | UCSC(policy-mgr) /domain-group/security/password-profile* # set no-change-interval min-num-hours | Specifies the minimum number of hours that a locally authenticated user must wait before changing a newly created password.. This value can be anywhere from 1 to 745 hours. This interval is ignored if the Change During Interval property is not set to Disable. |
Step 7 | UCSC(policy-mgr) /domain-group/security/password-profile* # commit-buffer | Commits the transaction to the system configuration. |
The following example shows how to disable the change during interval option, set the no change interval to 72 hours, and commit the transaction:
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group UCSC(policy-mgr) /domain-group # scope security UCSC(policy-mgr) /domain-group/security # scope password-profile UCSC(policy-mgr) /domain-group/security/password-profile # set change-during-interval disable UCSC(policy-mgr) /domain-group/security/password-profile* # set no-change-interval 72 UCSC(policy-mgr) /domain-group/security/password-profile* # commit-buffer UCSC(policy-mgr) /domain-group/security/password-profile #
You must have admin or aaa privileges to change the password profile properties.
Command or Action | Purpose | |
---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group. |
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode. |
Step 4 | UCSC(policy-mgr) /domain-group/security # scope password-profile | Enters password profile security mode. |
Step 5 | UCSC(policy-mgr) /domain-group/security/password-profile # set history-count num-of-passwords | Specifies the number of unique passwords that a locally authenticated user must create before that user can reuse a previously used password This value can be anywhere from 0 to 15. By default, the History Count field is set to 0, which disables the history count and allows users to reuse previously used passwords at any time. |
Step 6 | UCSC(policy-mgr) /domain-group/security/password-profile* # commit-buffer | Commits the transaction to the system configuration. |
The following example configures the password history count and commits the transaction:
UCSC # connect policy-mgr UCSC(policy-mgr)# scope domain-group UCSC(policy-mgr) /domain-group # scope security UCSC(policy-mgr) /domain-group/security # scope password-profile UCSC(policy-mgr) /domain-group/security/password-profile # set history-count 5 UCSC(policy-mgr) /domain-group/security/password-profile* # commit-buffer UCSC(policy-mgr) /domain-group/security/password-profile #
Command or Action | Purpose | |
---|---|---|
Step 1 | UCSC# scope system | Enters system mode. |
Step 2 | UCSC /system # scope security | Enters security mode. |
Step 3 | UCSC /security # show user-sessions {local | remote} [detail] | Displays session information for all users logged in to the system. An asterisk (*) next to the session ID denotes the current login session. |
The following example lists all local users logged in to the system. The asterisk indicates which session is the current login session.
UCSC# scope system UCSC /system # scope security UCSC /security # show user-sessions local Session Id User Host Login Time --------------- --------------- -------------------- ---------- pts_25_1_31264* steve 192.168.100.111 2012-05-09T14:06:59.000 ttyS0_1_3532 jeff console 2012-05-02T15:11:08.000 web_25277_A faye 192.168.100.112 2012-05-15T22:11:25.000
The following example displays detailed information on all local users logged in to the system:
UCSC# scope system UCSC /system # scope security UCSC /security # show user-sessions local detail Session Id pts_25_1_31264: Fabric Id: A Term: pts/25 User: steve Host: 64.101.53.93 Pid: 31264 Login Time: 2012-05-09T14:06:59.000 Session Id ttyS0_1_3532: Fabric Id: A Term: ttyS0 User: jeff Host: console Pid: 3532 Login Time: 2012-05-02T15:11:08.000 Session Id web_25277_A: Fabric Id: A Term: web_25277 User: faye Host: 192.168.100.112 Pid: 3518 Login Time: 2012-05-15T22:11:25.000