Cisco ACI GUI : Interface stats cannot be seen with a read-only account

Hi,

I have a question related to the RBAC capabilities of ACI.

I have a TACACS user who has the all/read-all role assigned with Cisco ACS (by using an AV pair).

What I noticed is that it has read capabilities on most of the objects, except that he cannot see interface stats.

Is there a way to provide someone's account access to ACI and allow him to see all interface stats, but not to be able to change anything?

I tried with different roles, but I didn't figure out how: read-all, ops, fabric-admin, access-admin.

The only role which has access to the interface stats is admin.

Regards,

Andrei

1 Accepted Solution

dpita
Cisco Employee

Hello

Thanks for using SupportForums. 

This is a very interesting question. You are correct that the only privilege that has access to the stats tab would be admin read.

I looked in the API documentation included on all APICs and found the physical interface object l1PhysIf, then I saw it had some "stats" which related to the ones in the GUI/graph. I picked one at random which happened to be the "Ingress Unknown Bytes in 1 hour of sampling" or eqptIngrUnkBytesHist1h object which has a read access of admin.

Class eqpt:IngrUnkBytesHist1h (CONCRETE)

Class ID:3074
Class Label: historical Ingress Unknown Bytes stats in 1 hour
Encrypted: false - Exportable: false - Persistent: false - Configurable: false
Write Access: [NON CONFIGURABLE]
Read Access: [admin]
Creatable/Deletable: no (see Container Mos for details)
Semantic Scope: None
Semantic Scope Evaluation Rule: Parent
Monitoring Policy Source: Parent
Monitoring Flags : [ IsObservable: false, HasStats: false, HasFaults: false, HasHealth: false, HasEventRules: false ]

A class that represents historical statistics for Ingress Unknown Bytes in a 1 hour sampling interval. This class updates every 15 minutes.

You can find this information on your APIC under <APIC-IP>/doc/html/MO-eqptIngrUnkBytesHist1h.html

I'll ask the question internally regarding why statistics are only for admin. Seems like something Ops or some other team would like to have or need.

4 Replies

Hi,

Thanks a lot.

If there is a way to provide access to another role, please let me know.

Regards,

Andrei

Hi dpita,

I have a similar question too.

My question is about the cisco-av-pair value that is needed for a monitoring user.

We want a user to be able to see all configuration on APIC but not be able to make configuration changes.

We've tried "read-all", but it can make configuration changes. We've tried "ops" too, but we can't see the full configuration on Tenant, Fabric, etc.

So how can the "read-all" role have "read-only" rules? What is the value needed for cisco-av-pair on our TACACS+ server?

Hi Muhammad,

You may need to use the AV pair below; check the link below:

shell:domains = all//read-all (16003)

https://supportforums.cisco.com/t5/data-center-documents/configuring-tacacs-authentication-to-aci-fabric-with-cisco-acs/ta-p/3228328
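The two questions in this thread (an account that should read interface stats without changing anything, and a "read-all" user that turned out to be able to write) both come down to how the shell:domains AV pair is laid out. The following is an added example, not code from the thread or from Cisco: it parses a cisco-av-pair value using the documented layout shell:domains=domain/writeRoles/readRoles (several domains separated by commas, several roles separated by "|", which is an assumption stated here rather than something the thread spells out) and reports which domains carry write roles. The point it makes visible is that any role placed in the middle (write) field grants write access, so "all/read-all/" is not read-only, while the answer's "all//read-all" is.

```python
"""Inspect a Cisco ACI cisco-av-pair "shell:domains" value for write access.

Constructed example for reviewing TACACS+ attribute values before they are
pushed to users; not APIC or ACS code.  Assumed layout (from Cisco's RBAC
documentation, not from this thread):

    shell:domains=<domain>/<writeRole1>|<writeRole2>/<readRole1>|<readRole2>,<domain2>/.../...
"""
import re
from dataclasses import dataclass, field
from typing import List

# Accepts the spacing used in the thread ("shell:domains = all//read-all").
_AVPAIR_RE = re.compile(r"^\s*shell:domains\s*=\s*(.*?)\s*$")


@dataclass
class DomainAccess:
    """Roles granted in one ACI security domain."""
    domain: str
    write_roles: List[str] = field(default_factory=list)
    read_roles: List[str] = field(default_factory=list)


def parse_shell_domains(avpair: str) -> List[DomainAccess]:
    """Split an AV pair into per-domain write and read role lists.

    Raises ValueError for anything that is not domain/write/read, so a
    malformed value fails loudly instead of silently granting nothing.
    """
    match = _AVPAIR_RE.match(avpair)
    if not match:
        raise ValueError("not a shell:domains AV pair: %r" % avpair)
    domains: List[DomainAccess] = []
    for spec in match.group(1).split(","):
        spec = spec.strip()
        if not spec:
            continue
        parts = spec.split("/")
        if len(parts) != 3:
            raise ValueError("expected domain/writeRoles/readRoles, got %r" % spec)
        domain, write, read = (p.strip() for p in parts)
        domains.append(DomainAccess(
            domain=domain,
            write_roles=[r for r in write.split("|") if r],
            read_roles=[r for r in read.split("|") if r],
        ))
    return domains


def is_read_only(avpair: str) -> bool:
    """True only when no domain in the AV pair carries a write role."""
    return all(not d.write_roles for d in parse_shell_domains(avpair))


def describe(avpair: str) -> List[str]:
    """Human-readable summary, one line per domain, flagging write access."""
    lines = []
    for d in parse_shell_domains(avpair):
        verdict = "WRITE" if d.write_roles else "read-only"
        lines.append("%s: %s (write=%s read=%s)" % (
            d.domain, verdict, d.write_roles or "-", d.read_roles or "-"))
    return lines


if __name__ == "__main__":
    # Constructed sample values: the pair from the answer above, the layout
    # that matches the symptom in the thread (role placed in the write field),
    # and a two-domain pair mixing both.
    samples = [
        "shell:domains = all//read-all",
        "shell:domains=all/read-all/",
        "shell:domains=all//read-all,tenantA/tenant-admin|ops/read-all",
    ]
    for sample in samples:
        print(sample)
        for line in describe(sample):
            print("  " + line)
```

Running it prints each sample with a per-domain verdict; the second sample, where read-all sits in the write field, is reported as WRITE even though the role name contains "read". Use `is_read_only()` as the gate in whatever tooling generates your TACACS+ user attributes.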
