1012 Views, 0 Helpful, 2 Replies

ACI Tenant Admins with Restrict Domains.

dan.laden
Level 1

Cisco APIC Security Configuration Guide, Release 5.2(x)
Chapter: Restricting Access Using Security Domains and Node Rules
https://www.cisco.com/c/en/us/td/docs/dcn/aci/apic/5x/security-configuration/cisco-apic-security-configuration-guide-release-52x/restricting-access-using-security-domains-and-node-rules-52x.html


I was implementing tenant administration based on the restricted security domain and node rules.

I see the solution uses a custom role with custom privileges to implement the solution. I want to update it but want to confirm these changes would persist across upgrades.


1. The custom privileges look to be incomplete. I am unable to create an IPG until I add the infraRsQosLlfcIfPol and infraRsSynceEthIfPol classes to custom-port-privilege. Will this get removed during some normal operation in ACI? Some upgrade?

 

{
  "polUni": {
    "attributes": {
      "annotation": "",
      "dn": "uni",
      "nameAlias": "",
      "userdom": "all"
    },
    "children": [
      {
        "aaaRbacEp": {
          "attributes": {
            "annotation": "",
            "descr": "",
            "dn": "uni/rbacdb",
            "name": "",
            "nameAlias": "",
            "ownerKey": "",
            "ownerTag": "",
            "userdom": "all"
          },
          "children": [
            {
              "aaaRbacClassPriv": {
                "attributes": {
                  "annotation": "",
                  "className": "infraRsQosLlfcIfPol",
                  "descr": "",
                  "dn": "",
                  "name": "",
                  "nameAlias": "",
                  "ownerKey": "",
                  "ownerTag": "",
                  "rPriv": "custom-port-privilege",
                  "userdom": "all",
                  "wPriv": "custom-port-privilege"
                }
              }
            },
            {
              "aaaRbacClassPriv": {
                "attributes": {
                  "annotation": "",
                  "className": "infraRsSynceEthIfPol",
                  "descr": "",
                  "dn": "",
                  "name": "",
                  "nameAlias": "",
                  "ownerKey": "",
                  "ownerTag": "",
                  "rPriv": "custom-port-privilege",
                  "userdom": "all",
                  "wPriv": "custom-port-privilege"
                }
              }
            }
          ]
        }
      }
    ]
  }
}

 

2. For the interface policies, I would like to reuse them between multiple tenant admins and not have each tenant admin create their own object. I don't want them to be able to delete/modify the object.
These objects are the "CDP_ENABLED", "LACP_ACTIVE", etc. type objects. In the custom-port-privilege there are two objects (as I understand it): the first to create/view the LACP object and the second to link the LACP object.

[
  {
    "aaaRbacClassPriv": {
      "attributes": {
        "annotation": "",
        "className": "lacpIfPol",
        "descr": "",
        "dn": "",
        "name": "",
        "nameAlias": "",
        "ownerKey": "",
        "ownerTag": "",
        "rPriv": "custom-port-privilege",
        "userdom": ":all:",
        "wPriv": "custom-port-privilege"
      }
    }
  },
  {
    "aaaRbacClassPriv": {
      "attributes": {
        "annotation": "",
        "className": "infraRsLacpPol",
        "descr": "",
        "dn": "",
        "name": "",
        "nameAlias": "",
        "ownerKey": "",
        "ownerTag": "",
        "rPriv": "custom-port-privilege",
        "userdom": ":all:",
        "wPriv": "custom-port-privilege"
      }
    }
  }
]

It seems if I change the lacpIfPol object as such, I get the results I want, but will this config persist?
"className": "lacpIfPol",
"rPriv": "custom-port-privilege",
"wPriv": ""

It seems I can update the LACP object to expose it to multiple tenant admins by updating the userdom to include all the desired domains (red and blue security domains). Will this persist?
"userdom": ":red:blue:all:",

 

3. These are added to the "custom-port-privilege". When I add all the classes to a second privilege "custom-privilege-1" and reference "custom-privilege-1" with the port-mgmt role, the fabric tab is not exposed. Is this expected?

 

4. How do I expose the snapshot/restore so that a tenant admin can snapshot/restore their tenant? I know they can right click and download the tenant object, but that doesn't give them a rollback option?

 

Thank you for any insight.
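An added example, not from the post or from Cisco, for the read-only sharing described in question 2: a small audit over an APIC RBAC export that flags shared interface-policy classes still writable through the custom privilege, or not tagged with every required security domain. The sample export is constructed; the field names (className, rPriv, wPriv, userdom) and the colon-delimited userdom format come from the fragments above.

```python
"""Audit aaaRbacClassPriv entries in an APIC JSON export for least-privilege sharing."""
import json

# Constructed sample modelled on the post: lacpIfPol made read-only for the custom
# privilege and tagged for the red and blue domains; cdpIfPol left writable and
# tagged for red only, so the audit has something to flag.
SAMPLE = json.dumps({"polUni": {"attributes": {"dn": "uni"}, "children": [
    {"aaaRbacEp": {"attributes": {"dn": "uni/rbacdb"}, "children": [
        {"aaaRbacClassPriv": {"attributes": {"className": "lacpIfPol",
            "rPriv": "custom-port-privilege", "wPriv": "", "userdom": ":red:blue:all:"}}},
        {"aaaRbacClassPriv": {"attributes": {"className": "infraRsLacpPol",
            "rPriv": "custom-port-privilege", "wPriv": "custom-port-privilege",
            "userdom": ":all:"}}},
        {"aaaRbacClassPriv": {"attributes": {"className": "cdpIfPol",
            "rPriv": "custom-port-privilege", "wPriv": "custom-port-privilege",
            "userdom": ":red:"}}},
    ]}}]}})


def iter_class_privs(tree):
    """Depth-first walk of an APIC JSON tree, yielding aaaRbacClassPriv attributes."""
    for key, body in tree.items():
        if key == "aaaRbacClassPriv":
            yield body["attributes"]
        for child in body.get("children", []):
            yield from iter_class_privs(child)


def parse_userdom(userdom):
    """APIC stores domains colon-delimited (':red:blue:all:'); 'all' alone also parses."""
    return {d for d in userdom.split(":") if d}


def audit(export_json, shared_classes, required_domains, priv="custom-port-privilege"):
    """Return findings for shared policy classes that are writable through `priv`
    (tenant admins could modify/delete them) or not visible to every required domain."""
    findings = []
    for attrs in iter_class_privs(json.loads(export_json)):
        cls = attrs["className"]
        if cls not in shared_classes:
            continue
        # rPriv/wPriv may list several privileges; treat them as comma-separated.
        if priv in attrs.get("wPriv", "").split(","):
            findings.append(f"{cls}: writable via {priv}; tenant admins can modify/delete it")
        missing = required_domains - parse_userdom(attrs.get("userdom", ""))
        if missing:
            findings.append(f"{cls}: not exposed to domains {sorted(missing)}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, {"lacpIfPol", "cdpIfPol"}, {"red", "blue"}):
        print(finding)
```

Run it against a saved export of uni/rbacdb after each upgrade to confirm the wPriv and userdom edits from question 2 are still in place.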

 

2 Replies

dan.laden
Level 1
 


Hi, Dan
Thank you for providing questions on the community site. I found you've already raised a case for testing the tenant administration based on the restricted security domain and node rules, so I suggest continuing to follow up with the TAC engineer. As for the last question, you're correct, we can choose to configure rollback for a specific tenant on that page.

After all, thank you for using the Cisco community site~

 

Best Regards

Lucy
