
ND/NDO user permissions (RBAC)

kjdhghsghsfg
Level 1

Hi

I'm having a hard time figuring out TACACS/RBAC configuration for ND/NDO (Nexus Dashboard and Nexus Dashboard Orchestrator). We use ND/NDO for ACI multi-site management. For APIC everything seems quite clear, but ND is a different beast.

The goal is to authenticate all users via TACACS with no local user accounts on ND/NDO (or APIC) and to configure different levels of access for different user groups.

1) How can I, e.g., configure some users to only see some tenants? I can select local users here:
NDO -> application management -> tenants -> xxx -> edit -> associated users
This appears to work, i.e. users will only be able to add the selected tenants when creating templates.
But how can I do this when there are no local users?


2) I read here that there are no security domains in NDO, and I cannot create new roles from the GUI either. Unfortunately, the "view swagger docs" does not seem to exist anymore.
https://unofficialaciguide.com/2020/03/01/understanding-roles-in-aci-mso-and-integrating-with-freeradius/

However I can create security domains here:
ND -> administrative -> security -> security domains
The problem is I cannot figure out what this security domain does and where I can use it.


3) I can also select security domain here:
NDO -> application management -> tenants -> tenant_xxx -> ... -> edit -> site -> security domain
But this only seems to affect the APIC configuration, and because NDO uses a different user when logging in to APIC, this does not seem to affect NDO user rights.


Any help and pointers to good documentation appreciated.
Or is this something that's missing in ND/NDO today?
Quote from page 86 of https://www.cisco.com/c/en/us/td/docs/dcn/nd/2x/user-guide-22/cisco-nexus-dashboard-user-guide-221.pdf:
"In this release, only the all domain is supported"

1 Reply

Robert Burns
Cisco Employee

1. You can associate NDO tenants with remote accounts. They will need to have logged in to ND at least once for the remote AAA record to be created and available to assign to tenants.

2. You can create security domains for ND use from ND. These can be used to allow or prevent user access to various aspects of ND (Sites, Services, Cluster access, etc.). Details are available in the built-in Help Center docs: https://[ND_IP]/docs/user-guide/index.html#_security_domains

3. Within NDO, it leverages existing security domains defined on the local Sites, which can be assigned to NDO tenant config. You can assign security domains to local users from NDO, but for remote users you'd need to leverage the av-pair to assign the remote user account permission to each security domain you want them to access (similar to what you would do with APIC). I have not tested this, but this is how I understand this to function.

Robert
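A worked example of the av-pair that point 3 refers to. This is an added illustration, not code from Cisco, ND/NDO, or the reply's author. It assumes the APIC-documented `shell:domains=` attribute layout (comma-separated `domain/writeRoles/readRoles` entries, roles within a slot separated by `|`) and uses constructed domain and role names; whether ND/NDO actually honours per-site security domains carried in this attribute for remote users is, as the reply says, untested. The script builds the attribute value you would configure on the TACACS+ server, parses it back, and answers "what does this user get in domain X" before anything is pushed to AAA.

```python
"""Build, parse and sanity-check Cisco 'shell:domains' AV-pair values.

Added example; not Cisco, ND or NDO code. Assumes the APIC-documented layout:
    shell:domains=<domain>/<writeRole>[|<writeRole>...]/<readRole>[|<readRole>...][,<domain>/.../...]
An empty write or read slot is permitted, e.g. "all/admin/" grants the admin role with write only.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: ACI/ND domain and role names contain none of the separators '/', '|', ','.
_NAME = re.compile(r"^[A-Za-z0-9_.:-]+$")
_PREFIX = re.compile(r"^shell:domains\s*=\s*")


@dataclass(frozen=True)
class DomainGrant:
    domain: str
    write: tuple[str, ...] = ()  # roles granted with write privilege in this domain
    read: tuple[str, ...] = ()   # roles granted read-only in this domain


def _check_name(name: str, kind: str) -> None:
    if not _NAME.match(name):
        raise ValueError(f"{kind} {name!r} contains a character that would break the av-pair")


def build_avpair(grants: list[DomainGrant]) -> str:
    """Serialise grants into the attribute value to configure on the TACACS+/RADIUS server."""
    if not grants:
        raise ValueError("at least one domain grant is required")
    seen: set[str] = set()
    parts = []
    for g in grants:
        _check_name(g.domain, "domain")
        if g.domain in seen:
            raise ValueError(f"domain {g.domain!r} listed twice")
        seen.add(g.domain)
        if not g.write and not g.read:
            raise ValueError(f"domain {g.domain!r} grants no roles")
        for role in (*g.write, *g.read):
            _check_name(role, "role")
        parts.append(f"{g.domain}/{'|'.join(g.write)}/{'|'.join(g.read)}")
    return "shell:domains=" + ",".join(parts)


def parse_avpair(value: str) -> list[DomainGrant]:
    """Inverse of build_avpair; rejects malformed entries instead of silently dropping them."""
    m = _PREFIX.match(value)
    if not m:
        raise ValueError("value does not start with shell:domains=")
    grants = []
    for chunk in value[m.end():].split(","):
        fields = chunk.split("/")
        if len(fields) != 3:
            raise ValueError(f"entry {chunk!r} is not domain/writeRoles/readRoles")
        domain, write, read = fields
        _check_name(domain, "domain")
        w = tuple(write.split("|")) if write else ()
        r = tuple(read.split("|")) if read else ()
        for role in (*w, *r):
            _check_name(role, "role")
        grants.append(DomainGrant(domain, w, r))
    return grants


def is_valid_avpair(value: str) -> bool:
    """True if the value parses cleanly; use to gate what gets written to the AAA server."""
    try:
        parse_avpair(value)
        return True
    except ValueError:
        return False


def effective_access(grants: list[DomainGrant], domain: str, role: str) -> str | None:
    """Return 'write', 'read' or None for (domain, role). Write slot is consulted first."""
    for g in grants:
        if g.domain != domain:
            continue
        if role in g.write:
            return "write"
        if role in g.read:
            return "read"
        return None
    return None


# Constructed sample: ND admin in the 'all' domain plus a write role and a read role
# in a hypothetical site security domain 'tenant-A'. Names are illustrative only.
EXAMPLE_GRANTS = [
    DomainGrant("all", write=("admin",)),
    DomainGrant("tenant-A", write=("tenant-admin",), read=("read-all",)),
]

if __name__ == "__main__":
    value = build_avpair(EXAMPLE_GRANTS)
    print(value)  # shell:domains=all/admin/,tenant-A/tenant-admin/read-all
    assert parse_avpair(value) == EXAMPLE_GRANTS
    print(effective_access(EXAMPLE_GRANTS, "tenant-B", "tenant-admin"))  # None
```

Run it before touching the AAA server: the `is_valid_avpair` gate catches the common mistake of omitting the trailing slash when the read slot is empty (`all/admin` instead of `all/admin/`), which otherwise yields a two-field entry that the device side may reject or ignore.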
