Role-Based Access Configuration

Role-Based Access Control Overview

Role-Based Access Control (RBAC) is a method of restricting or authorizing system access for users based on user roles and locales. A role defines the privileges of a user in the system and a locale defines the organizations (domains) that a user is allowed access. Because users are not directly assigned privileges, you can manage individual user privileges by assigning the appropriate roles and locales.

A user is granted write access to the required system resources only if the assigned role grants the access privileges and the assigned locale allows access. For example, a user with the Server Administrator role in the engineering organization can update server configurations in the Engineering organization. They cannot, however, update server configurations in the Finance organization, unless the locales assigned to the user include the Finance organization.

User Accounts for Cisco UCS

User accounts access the system. You can configure up to 48 local user accounts in each Cisco UCS Manager domain. Each user account requires a unique username and password.

You can set user accounts with an SSH public key. The public key can be set in either of the two formats: OpenSSH or SECSH.

Admin Account

An admin account comes with each Cisco UCS domain. The admin account is a default user account and cannot be modified or deleted. This account is the system administrator or superuser account s full privileges. There is no default password assigned to the admin account; you must choose the password during the initial system setup.

The admin account is always active and does not expire. You cannot configure the admin account as inactive.

Locally Authenticated User Accounts

A locally authenticated user account is authenticated directly through the fabric interconnect and can be enabled or disabled by anyone with admin or aaa privileges. After a local user account is disabled, the user cannot log in. The database does not delete the configuration details for disabled local user accounts. If you re-enable a disabled local user account, the account becomes active with the existing configuration, including the username and password.

Remotely Authenticated User Accounts

A remotely authenticated user account is any user account that is authenticated through LDAP, RADIUS, or TACACS+.

If a user maintains a local user account and a remote user account simultaneously, the roles defined in the local user account override those maintained in the remote user account.

Expiration of User Accounts

You can configure user accounts to expire at a predefined time. When the expiration time is reached, the user account is disabled.

By default, user accounts do not expire.


Note

After you configure a user account with an expiration date, you cannot reconfigure the account to not expire. However, you can configure the account to use the latest expiration date available.

Reserved Words: Locally Authenticated User Accounts

You cannot use the following words when creating a local user account in Cisco UCS.

  • root

  • bin

  • daemon

  • adm

  • lp

  • sync

  • shutdown

  • halt

  • news

  • uucp

  • operator

  • games

  • gopher

  • nobody

  • nscd

  • mailnull

  • mail

  • rpcuser

  • rpc

  • mtsuser

  • ftpuser

  • ftp

  • man

  • sys

  • samdme

  • debug

Web Session Limits for User Accounts

Cisco UCS Manager uses web session limits to restrict the number of web sessions (both GUI and XML) that a given user account is permitted to access at any one time.

Each Cisco UCS Manager domain supports a maximum of 32 concurrent web sessions per user and 256 total user sessions. By default, the number of concurrent web sessions allowed by Cisco UCS Manager is set to 32 per user, but you can configure this value up to the system maximum of 256.

User Roles

User roles contain one or more privileges that define the operations that are allowed for a user. You can assign one or more roles to each user. Users with multiple roles have the combined privileges of all assigned roles. For example, if Role1 has storage-related privileges, and Role 2 has server-related privileges, users with Role1 and Role 2 have both storage-related and server-related privileges.

A Cisco UCS domain can contain up to 48 user roles, including the default user roles. Any user roles configured after the first 48 are accepted, but they are inactive with faults raised.

All roles include read access to all configuration settings in the Cisco UCS domain. Users with read-only roles cannot modify the system state.

You can create, modify or remove existing privileges, and delete roles. When you modify a role, the new privileges apply to all users with that role. Privilege assignment is not restricted to the privileges defined for the default roles. Meaning, you can use a custom set of privileges to create a unique role. For example, the default Server Administrator and Storage Administrator roles have a different set of privileges. However, you can create a Server and Storage Administrator role that combines the privileges of both roles.


Note

If you delete a role after it was assigned to users, it is also deleted from those user accounts.

Modify the user profiles on AAA servers (RADIUS or TACACS+) to add the roles corresponding to the privileges granted to that user. The attribute stores the role information. The AAA servers return this attribute with the request and parse it to obtain the roles. LDAP servers return the roles in the user profile attributes.


Note

If a local and a remote user account have the same username, Cisco UCS Manager overrides any roles assigned to the remote user with those assigned to the local user.

Default User Roles

The system contains the following default user roles:

AAA Administrator

Read-and-write access to users, roles, and AAA configuration. Read access to the remaining system.

Administrator

Complete read-and-write access to the entire system. Assigns this role to the default administrator account by default. You cannot change it.

Facility Manager

Read-and-write access to power management operations through the power management privilege. Read access to the remaining system.

Network Administrator

Read-and-write access to fabric interconnect infrastructure and network security operations. Read access to the remaining system.

Operations

Read-and-write access to systems logs, including the syslog servers, and faults. Read access to the remaining system.

Read-Only

Read-only access to system configuration with no privileges to modify the system state.

Server Compute

Read and write access to most aspects of service profiles. However, the user cannot create, modify or delete vNICs or vHBAs.

Server Equipment Administrator

Read-and-write access to physical server-related operations. Read access to the remaining system.

Server Profile Administrator

Read-and-write access to logical server-related operations. Read access to the remaining system.

Server Security Administrator

Read-and-write access to server security-related operations. Read access to the remaining system.

Storage Administrator

Read-and-write access to storage operations. Read access to the remaining system.

Reserved Words: User Roles

You cannot use the following words when creating custom roles in Cisco UCS.

  • network-admin

  • network-operator

  • vdc-admin

  • vdc-operator

  • server-admin

Privileges

Privileges give users, assigned to user roles, access to specific system resources and permission to perform specific tasks. The following table lists each privilege and the user role given that privilege by default.


Tip

Detailed information about these privileges and the tasks that they enable users to perform is available in Privileges in Cisco UCS available at the following URL: http://www.cisco.com/en/US/products/ps10281/prod_technical_reference_list.html.

Table 1. User Privileges

Privilege

Description

Default Role Assignment

aaa

System security and AAA

AAA Administrator

admin

System administration

Administrator

ext-lan-config

External LAN configuration

Network Administrator

ext-lan-policy

External LAN policy

Network Administrator

ext-lan-qos

External LAN QoS

Network Administrator

ext-lan-security

External LAN security

Network Administrator

ext-san-config

External SAN configuration

Storage Administrator

ext-san-policy

External SAN policy

Storage Administrator

ext-san-qos

External SAN QoS

Storage Administrator

ext-san-security

External SAN security

Storage Administrator

fault

Alarms and alarm policies

Operations

operations

Logs and Smart Call Home

Operations

org-management

Organization management

Operations

pod-config

Pod configuration

Network Administrator

pod-policy

Pod policy

Network Administrator

pod-qos

Pod QoS

Network Administrator

pod-security

Pod security

Network Administrator

power-mgmt

Read-and-write access to power management operations

Facility Manager

read-only

Read-only access

Read-only cannot be selected as a privilege; it is assigned to every user role.

Read-Only

server-equipment

Server hardware management

Server Equipment Administrator

server-maintenance

Server maintenance

Server Equipment Administrator

server-policy

Server policy

Server Equipment Administrator

server-security

Server security

Server Security Administrator

service-profile-compute

Service profile compute

Server Compute Administrator

service-profile-config

Service profile configuration

Server Profile Administrator

service-profile-config-policy

Service profile configuration policy

Server Profile Administrator

service-profile-ext-access

Service profile endpoint access

Server Profile Administrator

service-profile-network

Service profile network

Network Administrator

service-profile-network-policy

Service profile network policy

Network Administrator

service-profile-qos

Service profile QoS

Network Administrator

service-profile-qos-policy

Service profile QoS policy

Network Administrator

service-profile-security

Service profile security

Server Security Administrator

service-profile-security-policy

Service profile security policy

Server Security Administrator

service-profile-server

Service profile server management

Server Profile Administrator

service-profile-server-oper

Service profile consumer

Server Profile Administrator

service-profile-server-policy

Service profile pool policy

Server Security Administrator

service-profile-storage

Service profile storage

Storage Administrator

service-profile-storage-policy

Service profile storage policy

Storage Administrator

Creating a User Role

Procedure

  Command or Action Purpose
Step 1

UCS-A# scope security

Enters security mode.
Step 2

UCS-A /security # create role name

Creates the user role and enters security role mode.
Step 3

UCS-A /security/role # add privilege privilege-name

Adds one or more privileges to the role.

Note 

You can specify more than one privilege-name on the same command line to add multiple privileges to the role, or you can add privileges to the same role using multiple add commands.

Step 4

UCS-A /security/role # commit-buffer

Commits the transaction to the system configuration.

Example

The following example creates the service-profile-security-admin role, adds the service profile security and service profile security policy privileges to the role, and commits the transaction: 

UCS-A# scope security
UCS-A /security # create role ls-security-admin
UCS-A /security/role* # add privilege service-profile-security service-profile-security-policy
UCS-A /security/role* # commit-buffer
UCS-A /security/role #

Adding Privileges to a User Role

Procedure

  Command or Action Purpose
Step 1

UCS-A# scope security

Enters security mode.
Step 2

UCS-A /security # scope role name

Enters security role mode for the specified role.
Step 3

UCS-A /security/role # add privilege privilege-name

Adds one or more privileges to the existing privileges of the user role.

Note 

You can specify more than one privilege-name on the same command line to add multiple privileges to the role, or you can add privileges to the same role using multiple add privilege commands.

Step 4

UCS-A /security/role # commit-buffer

Commits the transaction to the system configuration.

Example

The following example shows how to add the server security and server policy privileges to the service-profile-security-admin role and commit the transaction: 

UCS-A# scope security
UCS-A /security # scope role service-profile-security-admin
UCS-A /security/role # add privilege server-security server-policy
UCS-A /security/role* # commit-buffer
UCS-A /security/role #

Replacing Privileges for a User Role

Procedure

  Command or Action Purpose
Step 1

UCS-A# scope security

Enters security mode.
Step 2

UCS-A /security # scope role name

Enters security role mode for the specified role.
Step 3

UCS-A /security/role # set privilege privilege-name

Replaces the existing privileges of the user role.

Note 

You can specify more than one privilege-name on the same command line to replace the existing privilege with multiple privileges. After replacing the privileges, you can add privileges to the same role using the add privilege command.

Step 4

UCS-A /security/role # commit-buffer

Commits the transaction to the system configuration.

Example

The following example shows how to replace the existing privileges for the service-profile-security-admin role with the server security and server policy privileges and commit the transaction: 

UCS-A# scope security
UCS-A /security # scope role service-profile-security-admin
UCS-A /security/role # set privilege server-security server-policy
UCS-A /security/role* # commit-buffer
UCS-A /security/role #

Removing Privileges from a User Role

Procedure

  Command or Action Purpose
Step 1

UCS-A# scope security

Enters security mode.
Step 2

UCS-A /security # scope role name

Enters security role mode for the specified role.
Step 3

UCS-A /security/role # remove privilege privilege-name

Removes one or more privileges from the existing user role privileges.

Note 

You can specify more than one privilege-name on the same command line to remove multiple privileges from the role, or you can remove privileges from the same role using multiple remove privilege commands.

Step 4

UCS-A /security/role # commit-buffer

Commits the transaction to the system configuration.

Example

The following example removes the server security and server policy privileges from the service-profile-security-admin role and commits the transaction: 

UCS-A# scope security
UCS-A /security # scope role service-profile-security-admin
UCS-A /security/role # remove privilege server-security server-policy
UCS-A /security/role* # commit-buffer
UCS-A /security/role #

Deleting a User Role

Procedure

  Command or Action Purpose
Step 1

UCS-A# scope security

Enters security mode.
Step 2

UCS-A /security # delete role name

Deletes the user role.
Step 3

UCS-A /security # commit-buffer

Commits the transaction to the system configuration.

Example

The following example deletes the service-profile-security-admin role and commits the transaction:

UCS-A# scope security
UCS-A /security # delete role service-profile-security-admin
UCS-A /security* # commit-buffer
UCS-A /security #

Locales

User Locales

You can assign a user to one or more locales. Each locale defines one or more organizations (domains) to which a user can access. Access is usually limited to the organizations specified in the locale. An exception is a locale without any organizations. It provides unrestricted access to system resources in all organizations.

A Cisco UCS domain can contain up to 48 user locales. Any user locales configured after the first 48 are accepted, but are inactive with faults raised.

Users with admin or aaa privileges can assign organizations to the locale of other users. The assignment of organizations is restricted to only those in the locale of the user assigning the organizations. For example, if a locale contains only the Engineering organization, a user assigned to that locale can only assign the Engineering organization to other users.


Note

You cannot assign a locale to users with one or more of the following privileges:

  • aaa

  • admin

  • fault

  • operations

You can hierarchically manage organizations. A user who is assigned to a top-level organization has automatic access to all organizations below it. For example, an Engineering organization can contain a Software Engineering organization and a Hardware Engineering organization. A locale containing only the Software Engineering organization has access to system resources only within that organization. However, a locale that contains the Engineering organization has access to the resources for both the Software Engineering and Hardware Engineering organizations.

Creating a Locale

Procedure

  Command or Action Purpose
Step 1

UCS-A# scope security

Enters security mode.

Step 2

UCS-A /security # create locale locale-name

Creates a locale and enters security locale mode.

Step 3

UCS-A /security/locale # create org-ref org-ref-name orgdn orgdn org-root/org-ref-name

References (binds) an organization to the locale. The org-ref-name argument is the name used to identify the organization reference, and the orgdn-name argument is the distinguished name of the organization being referenced.

Step 4

UCS-A /security/locale # commit-buffer

Commits the transaction to the system configuration.

Example

The following example creates the western locale, references the finance organization to the locale, names the reference finance-ref, and commits the transaction: 

UCS-A# scope security
UCS-A /security # create locale western
UCS-A /security/locale* # create org-ref finance-ref orgdn org-root/org-finance
UCS-A /security/locale* # commit-buffer
UCS-A /security/locale #

Assigning an Organization to a Locale

Procedure

  Command or Action Purpose
Step 1

UCS-A# scope security

Enters security mode.

Step 2

UCS-A# scope locale locale-name

Enters security locale mode.

Step 3

UCS-A /security/locale # create org-ref org-ref-name orgdn org-root/org-ref-name

References (binds) an organization to the locale. The org-ref-name argument is the name used to identify the organization reference, and the orgdn-name argument is the distinguished name of the organization being referenced.

Step 4

UCS-A /security/locale # commit-buffer

Commits the transaction to the system configuration.

Example

The following example enters the western locale, adds (references) the marketing organization to the locale, names the reference marketing-ref, and commits the transaction: 

UCS-A# scope security
UCS-A /security # scope locale western
UCS-A /security/locale* # create org-ref marketing-ref orgdn org-root/org-marketing
UCS-A /security/locale* # commit-buffer
UCS-A /security/locale #

Deleting an Organization from a Locale

Procedure

  Command or Action Purpose
Step 1

UCS-A# scope security

Enters security mode.
Step 2

UCS-A /security # scope locale locale-name

Enters security locale mode.
Step 3

UCS-A /security/locale # delete org-ref org-ref-name

Deletes the organization from the locale.
Step 4

UCS-A /security/locale # commit-buffer

Commits the transaction to the system configuration.

Example

The following example deletes the finance organization from the western locale and commits the transaction:

UCS-A# scope security
UCS-A /security # scope locale western
UCS-A /security/locale # delete org-ref finance-ref
UCS-A /security/locale* # commit-buffer
UCS-A /security/locale #

Deleting a Locale

Procedure

  Command or Action Purpose
Step 1

UCS-A# scope security

Enters security mode.

Step 2

UCS-A /security # delete locale locale-name

Deletes the locale.

Step 3

UCS-A /security # commit-buffer

Commits the transaction to the system configuration.

Example

The following example deletes the western locale and commits the transaction: 

UCS-A# scope security
UCS-A /security # delete locale western
UCS-A /security* # commit-buffer
UCS-A /security #

Locally Authenticated User Accounts

Creating a User Account

At a minimum, Cisco recommends that you create the following users:

  • Server administrator account

  • Network administrator account

  • Storage administrator

Before you begin

Perform the following tasks, if the system includes any of the following:

  • Remote authentication services—Ensures that the users exist in the remote authentication server with the appropriate roles and privileges.

  • Multitenancy with organizations—Creates one or more locales. If you do not have any locales, all users are created in root and are assigned roles and privileges in all organizations.

  • SSH authentication—Obtains the SSH key.

Procedure

  Command or Action Purpose
Step 1

UCS-A# scope security

Enters security mode.

Step 2

UCS-A /security # create local-user local-user-name

Creates a user account for the specified local user and enters security local user mode.

Step 3

UCS-A /security/local-user # set account-status {active | inactive }

Specifies whether the local user account is enabled or disabled.

If the account status for a local user account is set to inactive, the user is prevented from logging into the system using their existing credentials.

Step 4

UCS-A /security/local-user # set password password

Sets the password for the user account

Step 5

(Optional) UCS-A /security/local-user # set firstname first-name

(Optional)

Specifies the first name of the user.

Step 6

(Optional) UCS-A /security/local-user # set lastname last-name

(Optional)

Specifies the last name of the user.

Step 7

(Optional) UCS-A /security/local-user # set expiration month day-of-month year

(Optional)

Specifies the date that the user account expires. The month argument is the first three letters of the month name.

Note 

After you configure a user account with an expiration date, you cannot reconfigure the account to not expire. However, you can configure the account to use the latest expiration date available.

Step 8

(Optional) UCS-A /security/local-user # set email email-addr

(Optional)

Specifies the user e-mail address.

Step 9

(Optional) UCS-A /security/local-user # set phone phone-num

(Optional)

Specifies the user phone number.

Step 10

(Optional) UCS-A /security/local-user # set sshkey ssh-key

(Optional)

Specifies the SSH key used for passwordless access.

Step 11

UCS-A security/local-user # commit-buffer

Commits the transaction.

Example

The following example creates the user account named kikipopo, enables the user account, sets the password to foo12345, and commits the transaction: 

UCS-A# scope security
UCS-A /security # create local-user kikipopo
UCS-A /security/local-user* # set account-status active
UCS-A /security/local-user* # set password
Enter a password:
Confirm the password:
UCS-A /security/local-user* # commit-buffer
UCS-A /security/local-user #

The following example creates the user account named lincey, enables the user account, sets an OpenSSH key for passwordless access, and commits the transaction. 

UCS-A# scope security
UCS-A /security # create local-user lincey
UCS-A /security/local-user* # set account-status active
UCS-A /security/local-user* #  set sshkey "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAuo9VQ2CmWBI9/S1f30klCWjnV3lgdXMzO0WUl5iPw85lkdQqap+NFuNmHcb4K
iaQB8X/PDdmtlxQQcawclj+k8f4VcOelBxlsGk5luq5ls1ob1VOIEwcKEL/h5lrdbNlI8y3SS9I/gGiBZ9ARlop9LDpD
m8HPh2LOgyH7Ei1MI8="
UCS-A /security/local-user* # commit-buffer
UCS-A /security/local-user #

The following example creates the user account named jforlenz, enables the user account, sets a Secure SSH key for passwordless access, and commits the transaction. 

UCS-A# scope security
UCS-A /security # create local-user jforlenz
UCS-A /security/local-user* # set account-status active
UCS-A /security/local-user* #  set sshkey
Enter lines one at a time. Enter ENDOFBUF to finish. Press ^C to abort.
User's SSH key:
> ---- BEGIN SSH2 PUBLIC KEY ----
>AAAAB3NzaC1yc2EAAAABIwAAAIEAuo9VQ2CmWBI9/S1f30klCWjnV3lgdXMzO0WUl5iPw8
>5lkdQqap+NFuNmHcb4KiaQB8X/PDdmtlxQQcawclj+k8f4VcOelBxlsGk5luq5ls1ob1VO
>IEwcKEL/h5lrdbNlI8y3SS9I/gGiBZ9ARlop9LDpDm8HPh2LOgyH7Ei1MI8=
> ---- END SSH2 PUBLIC KEY ----
> ENDOFBUF
UCS-A /security/local-user* # commit-buffer
UCS-A /security/local-user #

Enabling the Password Strength Check for Locally Authenticated Users

You must have admin or aaa privileges to enable the password strength check. If enabled, Cisco UCS Manager does not permit a user to choose a password that does not meet the guidelines for a strong password.

Procedure

  Command or Action Purpose
Step 1

UCS-A# scope security

Enters security mode.

Step 2

UCS-A /security # enforce-strong-password {yes | no }

Specifies whether the password strength check is enabled or disabled.

Example

The following example enables the password strength check: 

UCS-A# scope security 
UCS-A /security # set enforce-strong-password yes 
UCS-A /security #

Setting Web Session Limits for User Accounts

Procedure

  Command or Action Purpose
Step 1

UCS-A# scope system

Enters system mode.
Step 2

UCS-A /system # scope services

Enters system services mode.
Step 3

UCS-A /system/services # scope web-session-limits

Enters system services web session limits mode.
Step 4

UCS-A /system/services/web-session-limits # set peruser num-of-logins-per-user

Sets the maximum number of concurrent HTTP and HTTPS sessions allowed for each user.

Enter an integer between 1 and 256. By default, this value is set to 32.
Step 5

UCS-A /system/services/web-session-limits # commit-buffer

Commits the transaction to the system configuration.

Example

The following example sets the maximum number of HTTP and HTTPS sessions allowed by each user account to 60 and commits the transaction: 

UCS-A# scope system
UCS-A /system # scope services
UCS-A /system/services # scope web-session-limits			
UCS-A /system/services/web-session-limits* # set peruser 60
UCS-A /system/services/web-session-limits* # commit-buffer
UCS-A /system/services/web-session-limits #

Assigning a Role to a User Account

Changes in user roles and privileges do not take effect until the next time the user logs in. If a user is logged in when you assign a new role to or remove an existing role from a user account, the active session continues with the previous roles and privileges.

Procedure

  Command or Action Purpose
Step 1

UCS-A# scope security

Enters security mode.

Step 2

UCS-A /security # scope local-user local-user-name

Enters security local user mode for the specified local user account.

Step 3

UCS-A /security/local-user # create role role-name

Assigns the specified role to the user account .

Note 

The create role command can be entered multiple times to assign more than one role to a user account.

Step 4

UCS-A security/local-user # commit-buffer

Commits the transaction.

Example

The following example assigns the operations role to the kikipopo local user account and commits the transaction: 

UCS-A# scope security
UCS-A /security # scope local-user kikipopo
UCS-A /security/local-user # create role operations
UCS-A /security/local-user* # commit-buffer
UCS-A /security/local-user #

Assigning a Locale to a User Account


Note

Do not assign locales to users with an admin or aaa role.

Procedure

  Command or Action Purpose
Step 1

UCS-A# scope security

Enters security mode.

Step 2

UCS-A /security # scope local-user local-user-name

Enters security local user mode for the specified local user account.

Step 3

UCS-A /security/local-user # create locale locale-name

Assigns the specified locale to the user account.

Note 

The create locale command can be entered multiple times to assign more than one locale to a user account.

Step 4

UCS-A security/local-user # commit-buffer

Commits the transaction.

Example

The following example assigns the western locale to the kikipopo local user account and commits the transaction: 

UCS-A# scope security
UCS-A /security # scope local-user kikipopo
UCS-A /security/local-user # create locale western
UCS-A /security/local-user* # commit-buffer
UCS-A /security/local-user #

Removing a Role from a User Account

Changes in user roles and privileges do not take effect until the next time the user logs in. If a user is logged in when you assign a new role to or remove an existing role from a user account, the active session continues with the previous roles and privileges.

Procedure

  Command or Action Purpose
Step 1

UCS-A# scope security

Enters security mode.

Step 2

UCS-A /security # scope local-user local-user-name

Enters security local user mode for the specified local user account.

Step 3

UCS-A /security/local-user # delete role role-name

Removes the specified role from the user account .

Note 

The delete role command can be entered multiple times to remove more than one role from a user account.

Step 4

UCS-A security/local-user # commit-buffer

Commits the transaction.

Example

The following example removes the operations role from the kikipopo local user account and commits the transaction: 

UCS-A# scope security
UCS-A /security # scope local-user kikipopo
UCS-A /security/local-user # delete role operations
UCS-A /security/local-user* # commit-buffer
UCS-A /security/local-user #

Removing a Locale from a User Account

Procedure

  Command or Action Purpose
Step 1

UCS-A# scope security

Enters security mode.

Step 2

UCS-A /security # scope local-user local-user-name

Enters security local user mode for the specified local user account.

Step 3

UCS-A /security/local-user # delete locale locale-name

Removes the specified locale from the user account.

Note 

The delete locale command can be entered multiple times to remove more than one locale from a user account.

Step 4

UCS-A security/local-user # commit-buffer

Commits the transaction.

Example

The following example removes the western locale from the kikipopo local user account and commits the transaction: 

UCS-A# scope security
UCS-A /security # scope local-user kikipopo
UCS-A /security/local-user # delete locale western
UCS-A /security/local-user* # commit-buffer
UCS-A /security/local-user #

Enabling or Disabling a User Account

You must have admin or aaa privileges to enable or disable a local user account.

Before you begin

Create a local user account.

Procedure

  Command or Action Purpose
Step 1

UCS-A# scope security

Enters security mode.

Step 2

UCS-A /security # scope local-user

Enters local-user security mode.

Step 3

UCS-A /security/local-user # set account-status {active | inactive }

Specifies whether the local user account is enabled or disabled.

The admin user account is always set to active. It cannot be modified.

Note 

If you set the account status to inactive, the configuration is not deleted from the database.

Example

The following example enables a local user account called accounting: 

UCS-A# scope security
UCS-A /security # scope local-user accounting
UCS-A /security/local-user # set account-status active

Deleting a User Account

Procedure

  Command or Action Purpose
Step 1

UCS-A# scope security

Enters security mode.
Step 2

UCS-A /security # delete local-user local-user-name

Deletes the local-user account.
Step 3

UCS-A /security # commit-buffer

Commits the transaction to the system configuration.

Example

The following example deletes the foo user account and commits the transaction:

UCS-A# scope security
UCS-A /security # delete local-user foo
UCS-A /security* # commit-buffer
UCS-A /security #

Monitoring User Sessions from the CLI

Procedure

  Command or Action Purpose
Step 1

UCS-A# scope security

Enters security mode.

Step 2

UCS-A /security # show user-session {local | remote } [detail ]

Displays session information for all users logged in to the system. An asterisk (*) next to the session ID denotes the current login session.

Example

The following example lists all local users logged in to the system. The asterisk indicates which session is the current login session. 

UCS-A# scope security
UCS-A /security # show user-session local
Session Id      User            Host                 Login Time
--------------- --------------- -------------------- ----------
pts_25_1_31264*  steve           192.168.100.111      2009-05-09T14:06:59
ttyS0_1_3532    jeff            console              2009-05-02T15:11:08
web_25277_A     faye            192.168.100.112      2009-05-15T22:11:25

The following example displays detailed information on all local users logged in to the system: 

UCS-A# scope security
UCS-A /security # show user-session local detail
Session Id pts_25_1_31264:
    Fabric Id: A
    Term: pts/25
    User: steve
    Host: 64.101.53.93
    Pid: 31264
    Login Time: 2009-05-09T14:06:59

Session Id ttyS0_1_3532:
    Fabric Id: A
    Term: ttyS0
    User: jeff
    Host: console
    Pid: 3532
    Login Time: 2009-05-02T15:11:08

Session Id web_25277_A:
    Fabric Id: A
    Term: web_25277
    User: faye
    Host: 192.168.100.112
    Pid: 3518
    Login Time: 2009-05-15T22:11:25