definitions for UCS privileges

Unanswered Question
Mar 18th, 2010

The documentation for UCSM lists all of the privileges you can use for creating Roles, but not what resources and permissions each one allows. For example:

| Privilege | Description | Default Role Assignment |
|---|---|---|
| aaa | System security and AAA | AAA Administrator |
| admin | System administration | Administrator |
| ext-lan-config | External LAN configuration | Network Administrator |
| ext-lan-policy | External LAN policy | Network Administrator |
| server-maintenance | Server maintenance | Server Equipment Administrator |

What I need to know is what each privilege provides in terms of access and perms - I really don't want to have to experiment for days to get a solid/safe role configuration.

stechamb Fri, 03/19/2010 - 11:21

Mark, the docs could be better in this regard. It's not too complex, though: if you read the rest of the chapter, this section describes the object groups / parts of UCSM that the role applies to. I've added a bit to each just to make this more clear.

In practice, there should be very few people with access to UCS and in fact a new kind of role called a Data Center Engineer is useful who can manage this "big host" that is UCS and has Admin access.  You _could_ give the network guys access via the Network Admin role, same for Storage, but I find it easier for customers to simplify this and not have a legion of different roles doing their little bit - but I appreciate enterprise orgs can be complex :-)

Hope this helps!

http://www.cisco.com/en/US/docs/unified_computing/ucs/sw/gui/config/guide/1.1.1/UCSM_GUI_Configuration_Guide_1_1_1_chapter9.html

AAA Administrator

Read-and-write access to users, roles, and AAA configuration. Read access to the rest of the system.

SC> This is the User part of the Admin tab

Administrator

Complete read-and-write access to the entire system. The default admin account is assigned this role by default and it cannot be changed.

Network Administrator

Read-and-write access to fabric interconnect infrastructure and network security operations. Read access to the rest of the system.

SC> This is the FI Equipment and the LAN tab

Operations

Read-and-write access to systems logs, including the syslog servers, and faults. Read access to the rest of the system.

Read-Only

Read-only access to system configuration with no privileges to modify the system state.

Server Equipment Administrator

Read-and-write access to physical server related operations. Read access to the rest of the system.

SC> Equipment tab for Chassis

Server Profile Administrator

Read-and-write access to logical server related operations. Read access to the rest of the system.

SC> Server tab

Server Security Administrator

Read-and-write access to server security related operations. Read access to the rest of the system.

SC> Admin tab, server policies

Storage Administrator

Read-and-write access to storage operations. Read access to the rest of the system.

SC> SAN tab
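An added example, not part of the original thread and not Cisco code: a least-privilege check built on the role descriptions in the reply above. The area labels, user names and per-user needs are constructed for illustration, and the model is only as fine-grained as the reply's "SC>" notes.

```python
from itertools import combinations

# Read-write scope per default role, transcribed from the reply above (its "SC>"
# notes). Area labels are shorthand made up for this example; the model is
# coarse and is not Cisco's privilege-to-object mapping.
ROLE_WRITE = {
    "AAA Administrator": {"admin-tab/users"},
    "Network Administrator": {"equipment/fabric-interconnect", "lan-tab"},
    "Operations": {"syslog-and-faults"},
    "Read-Only": set(),
    "Server Equipment Administrator": {"equipment/chassis"},
    "Server Profile Administrator": {"server-tab"},
    "Server Security Administrator": {"admin-tab/server-policies"},
    "Storage Administrator": {"san-tab"},
}
ALL_AREAS = frozenset().union(*ROLE_WRITE.values())
ROLE_WRITE["Administrator"] = set(ALL_AREAS)  # complete read-and-write access

def write_scope(roles):
    """Union of the areas the given roles can modify."""
    return set().union(*(ROLE_WRITE[r] for r in roles))

def minimal_roles(needed):
    """Role set covering `needed` with least excess write access, then fewest roles."""
    unknown = set(needed) - ALL_AREAS
    if unknown:
        raise ValueError(f"areas not in the model: {sorted(unknown)}")
    names = sorted(ROLE_WRITE)
    best = min(
        (c for n in range(len(names) + 1) for c in combinations(names, n)
         if set(needed) <= write_scope(c)),
        key=lambda c: (len(write_scope(c) - set(needed)), len(c)),
    )
    return list(best) or ["Read-Only"]

def audit(assignments, needs):
    """Per user: areas writable but not needed, needed but missing, tighter role set."""
    report = {}
    for user, roles in assignments.items():
        scope, need = write_scope(roles), set(needs.get(user, ()))
        report[user] = {"excess": sorted(scope - need), "missing": sorted(need - scope),
                        "suggest": minimal_roles(need)}
    return report

# Constructed sample data, not taken from any real UCS domain.
ASSIGNMENTS = {"netops1": ["Network Administrator", "Storage Administrator"],
               "dce1": ["Administrator"], "helpdesk": ["Read-Only"]}
NEEDS = {"netops1": {"lan-tab"}, "dce1": set(ALL_AREAS), "helpdesk": set()}
REPORT = audit(ASSIGNMENTS, NEEDS)
```

In the sample, `netops1` holds write access to the SAN tab without needing it, and the suggested set drops the Storage Administrator role; any residual excess that remains reflects how coarse the default roles are.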

craig.petty Fri, 11/21/2014 - 14:18

This is a good document, but it's very old and many of the privileges that I can see in the UCS GUI nowadays are missing from the doc. Example: service-profile-ext-access.

According to Cisco UCS Manager CLI Configuration Guide, Release 2.2 there is supposed to be a detailed list at 

http://preview.cisco.com/en/US/products/ps10281/prod_technical_reference_list.html

But that link isn't working.
