CCIE DC: RBAC on UCS

Hi Guys!

Cisco UCS supports Role-Based-Access-Control (RBAC) just like the Nexus 7k/5k. It varies slightly in it's configuration on UCS and the model is slightly different. Let's look at the diagram below to get a better idea.


 OK Let's Examine:


A User is assigned to UCS, the user can have multiple Roles, these roles define privileges, which are the configuration tasks the user is allowed to perform, there are some built in roles also such as storage admin, facility manager, operations, network admin etc. etc.


Next is the concept of a Locale, a Locale specifies what organization's in the org/sub-org tree you have access to as that user, this could be used for diffirent departments in Cisco UCS, so that some departments have access to certain resources, while others have other resources. Your user can belong to multiple locales, and in turn a locale can contain multiple organizations, note that access to an organization also gives you access to the suborganizations too.

One more thing: There is no concept of read-only in UCS, if your setting the rights here, you are setting to allow the user to make changes to that particular area, but they can ALWAYS see other area's, see below from the Cisco UCS Documentation

"All roles include read access to all configuration settings in the Cisco UCS domain. The difference between the read-only role and other roles is that a user who is only assigned the read-only role cannot modify the system state. A user assigned another role can modify the system state in that user's assigned area or areas."

(Source: http://www.cisco.com/en/US/docs/unified_computing/ucs/sw/gui/config/guide/2.0/b_UCSM_GUI_Configuration_Guide_2_0_chapter_01001.html)

OK let's have a super quick look, this is hopefully relatively straightforward.

Login to UCS and go to the admin Tab, then to the roles tab:



Here youc an see some predefined roles, for us we are going to create a new role called LANAdmin, he is kind of like the network operator role, we are only going to allow him to perform changes to the way the external LAN runs.


To test further, we are going to limit him to our suborganization TestOrg

Just above Roles, go to "Locales"



From here you can assign your organization, if its part of a tree it will show in this interface.
The interface is somewhat confusing, you actually have to pop the tree down on the left hand side of the interface, to be honest the UCS interface is actually normally very very good, so it's strange to see such a terrible design element in it.

 


You then have to drag the organization into the right hand pane






Totally bizarre, anyway once that is done you will now see that the locale has a organization associated with it:






Our final step is to create our user, here is where we link it all together:




Then we login as our user! On initial look it's hard to tell we are not just admin...

But further inspection reveals a heck of a lot of greyed out options:




So we should be allowed to modify some uplink profiles etc:

Under the LAN admin we can see we can do things like creating port channels, setting pin groups and ethernet switching mode etc




I hope this helps someone out there!


3 comments:

Popular old posts.