
definitions for UCS privileges

masennott
Level 1

The documentation for UCSM lists all of the privileges you can use for creating Roles, but not what resources and permissions each one allows. For example:

Privilege           Description                  Default Role Assignment
aaa                 System security and AAA      AAA Administrator
admin               System administration        Administrator
ext-lan-config      External LAN configuration   Network Administrator
ext-lan-policy      External LAN policy          Network Administrator
server-maintenance  Server maintenance           Server Equipment Administrator

What I need to know is what each privilege provides in terms of access and perms - I really don't want to have to experiment for days to get a solid/safe role configuration.

4 Replies

stechamb
Level 1

Mark, the docs could be better in this regard. It's not too complex though. If you read the rest of the chapter, this section describes the object groups / parts of UCSM that the role applies to - I've added a bit to each just to make this more clear.

In practice, there should be very few people with access to UCS and in fact a new kind of role called a Data Center Engineer is useful who can manage this "big host" that is UCS and has Admin access.  You _could_ give the network guys access via the Network Admin role, same for Storage, but I find it easier for customers to simplify this and not have a legion of different roles doing their little bit - but I appreciate enterprise orgs can be complex :-)

Hope this helps!

http://www.cisco.com/en/US/docs/unified_computing/ucs/sw/gui/config/guide/1.1.1/UCSM_GUI_Configuration_Guide_1_1_1_chapter9.html

AAA Administrator

Read-and-write access to users, roles, and AAA configuration. Read access to the rest of the system

SC> This is the User part of the Admin tab

Administrator

Complete read-and-write access to the entire system. The default admin account is assigned this role by default and it cannot be changed.

Network Administrator

Read-and-write access to fabric interconnect infrastructure and network security operations. Read access to the rest of the system.

SC> This is the FI Equipment and the LAN tab

Operations

Read-and-write access to systems logs, including the syslog servers, and faults. Read access to the rest of the system.

Read-Only

Read-only access to system configuration with no privileges to modify the system state.

Server Equipment Administrator

Read-and-write access to physical server related operations. Read access to the rest of the system.

SC> Equipment tab for Chassis

Server Profile Administrator

Read-and-write access to logical server related operations. Read access to the rest of the system.

SC> Server tab

Server Security Administrator

Read-and-write access to server security related operations. Read access to the rest of the system.

SC> Admin tab, server policies

Storage Administrator

Read-and-write access to storage operations. Read access to the rest of the system.

SC> SAN tab
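As an added illustration (not from this thread or from Cisco's own documentation), the following UCS Manager CLI session builds a custom role from two of the privileges listed in the question's table and then verifies what the role grants before any user is attached to it. The session assumes the standard UCSM CLI role syntax (scope security / create role / add privilege / commit-buffer); the prompt, the role name lan-ops-role, and the user name jdoe are constructed placeholders.

```text
! Constructed UCSM CLI session (example only, not from the thread).
! Goal: a least-privilege role for someone who only manages uplink/LAN
! configuration, instead of handing out the full Network Administrator role.

UCS-A# scope security
UCS-A /security # create role lan-ops-role
UCS-A /security/role* # add privilege ext-lan-config
UCS-A /security/role* # add privilege ext-lan-policy
UCS-A /security/role* # commit-buffer

! Verify the role before assigning it: 'show role' lists every role and the
! privileges it carries, which is the check to run when auditing who can
! change what. Roles carrying 'admin' or 'aaa' deserve particular scrutiny,
! since those privileges let a holder alter the RBAC configuration itself.
UCS-A /security # show role

! Bind the role to a local account. The account gets read access to the
! rest of the system plus write access only to the LAN objects above.
UCS-A /security # create local-user jdoe
UCS-A /security/local-user* # set password
UCS-A /security/local-user* # create role lan-ops-role
UCS-A /security/local-user* # commit-buffer
```

Nothing takes effect until commit-buffer, so a mistyped privilege can be corrected (or the whole buffer discarded) before the role exists. The same add privilege / show role pair is the quickest way to test what an unfamiliar privilege such as service-profile-ext-access actually exposes: create a throwaway role with only that privilege, log in as a test user bound to it, and see which tabs become writable.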

masennott
Level 1

A Cisco engineer sent me this doc - it answers the question in extreme detail. See attached.

This is a good document, but it's very old and many of the privileges that I can see in the UCS gui nowadays are missing from the doc.  Example: service-profile-ext-access.

According to Cisco UCS Manager CLI Configuration Guide, Release 2.2 there is supposed to be a detailed list at 

http://preview.cisco.com/en/US/products/ps10281/prod_technical_reference_list.html

But that link isn't working.

After some digging, here is the new location for the detailed RBAC Privileges list:

https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/ucsm_privileges/CiscoUCSManager_Privileges_release21.html
