UCS RBAC Role-Based Access Control [Explained]
Role-Based Access Control (RBAC) is a method of restricting or authorizing system access for users based on user roles and locales. A role defines the privileges of a user in the system and the locale defines the organizations (domains) that a user is allowed access to.
User accounts are used to access the system. Up to 48 user accounts can be configured in each Cisco UCS instance. Each user account must have a unique username and password.
Types of User Accounts
Default User Account:
Each Cisco UCS instance has a default user account, admin, which cannot be modified or deleted. This account is the system administrator or superuser account and has full privileges.
Local User Accounts:
Local user accounts are authenticated directly through the fabric interconnect and can be enabled or disabled by anyone with admin or aaa privileges. Once a local user account is disabled, the user cannot log in. Configuration details for disabled local user accounts are not deleted by the database. If you re-enable a disabled local user account, the account becomes active again with the existing configuration, including username and password.
Remote User Accounts:
A remote authenticated user account is any user account that is authenticated through LDAP, RADIUS, or TACACS+.
If a user maintains a local user account and a remote user account simultaneously, the roles defined in the local user account override those maintained in the remote user account.
User roles contain one or multiple privileges that define what operations are allowed for the user who is assigned the role. A user can be assigned one or more roles. A user assigned multiple roles has the combined privileges of all assigned roles.
For example, if Role1 has storage-related privileges, and Role2 has server-related privileges, users who are assigned to both Role1 and Role2 have storage and server-related privileges.
Default User Roles:
The system contains the following default user roles:
- AAA Administrator: Read-and-write access to users, roles, and AAA configuration. Read-only access to the rest of the system.
- Administrator: Complete read-and-write access to the entire system. The default admin account is assigned this role by default and it cannot be changed.
- Facility Manager: Read-and-write access to power management operations through the power-mgmt privilege. Read-only access to the rest of the system.
- Network Administrator: Read-and-write access to the fabric interconnect infrastructure and network security operations. Read-only access to the rest of the system.
- Operations: Read-and-write access to systems logs, including the Syslog servers, and faults. Read-only access to the rest of the system.
- Read-Only: Read-only access to system configuration with no privileges to modify the system state.
- Server Equipment Administrator: Read-and-write access to physical server related operations. Read-only access to the rest of the system.
- Server Profile Administrator: Read-and-write access to logical server-related operations. Read-only access to the rest of the system.
- Server Security Administrator: Read-and-write access to server security-related operations. Read-only access to the rest of the system.
- Storage Administrator: Read-and-write access to storage operations. Read-only access to the rest of the system
Privileges give users assigned to user roles access to specific system resources and permission to perform specific tasks. The following table lists each privilege and the user role that gave that privilege by default.
|Default Role Assignment
|System security and AAA
|External LAN configuration
|External LAN policy
|External LAN QoS
|External LAN security
|External SAN configuration
|External SAN policy
|External SAN QoS
|External SAN security