03-18-2010 01:19 PM - edited 03-01-2019 09:37 AM
The documentation for UCSM lists all of the privileges you can use for creating Roles, but not what resources and permissions each one allows. For example:
| Privilege | Description | Default Role Assignment |
| --- | --- | --- |
| aaa | System security and AAA | AAA Administrator |
| admin | System administration | Administrator |
| ext-lan-config | External LAN configuration | Network Administrator |
| ext-lan-policy | External LAN policy | Network Administrator |
| server-maintenance | Server maintenance | Server Equipment Administrator |
What I need to know is what each privilege provides in terms of access and perms - I really don't want to have to experiment for days to get a solid/safe role configuration.
03-19-2010 11:21 AM
Mark, the docs could be better in this regard. It's not too complex, though: if you read the rest of the chapter, this section describes the object groups / parts of UCSM that the role applies to. I've added a bit to each just to make this more clear.
In practice, there should be very few people with access to UCS and in fact a new kind of role called a Data Center Engineer is useful who can manage this "big host" that is UCS and has Admin access. You _could_ give the network guys access via the Network Admin role, same for Storage, but I find it easier for customers to simplify this and not have a legion of different roles doing their little bit - but I appreciate enterprise orgs can be complex :-)
Hope this helps!
Read-and-write access to users, roles, and AAA configuration. Read access to the rest of the system.
SC> This is the User part of the Admin tab

Complete read-and-write access to the entire system. The default admin account is assigned this role by default and it cannot be changed.

Read-and-write access to fabric interconnect infrastructure and network security operations. Read access to the rest of the system.
SC> This is the FI Equipment and the LAN tab

Read-and-write access to systems logs, including the syslog servers, and faults. Read access to the rest of the system.

Read-only access to system configuration with no privileges to modify the system state.

Read-and-write access to physical server related operations. Read access to the rest of the system.
SC> Equipment tab for Chassis

Read-and-write access to logical server related operations. Read access to the rest of the system.
SC> Server tab

Read-and-write access to server security related operations. Read access to the rest of the system.
SC> Admin tab, server policies

Read-and-write access to storage operations. Read access to the rest of the system.
SC> SAN tab
03-22-2010 10:27 AM
11-21-2014 02:18 PM
This is a good document, but it's very old and many of the privileges that I can see in the UCS GUI nowadays are missing from the doc. Example: service-profile-ext-access.
According to Cisco UCS Manager CLI Configuration Guide, Release 2.2 there is supposed to be a detailed list at
http://preview.cisco.com/en/US/products/ps10281/prod_technical_reference_list.html
But that link isn't working.
10-26-2017 03:32 AM
After some digging, here is the new location for the detailed RBAC Privileges list: