12-01-2017 07:56 AM - edited 03-01-2019 01:22 PM
Hi All,
does anyone know if there is any news about the configuration, in UCS Manager, of limited KVM access?
We have a lot of service profiles in the root tree and 10 in the Sub-Organizations and want to configure the access to manage poweron, poweroff and console, with these considerations:
1) The users assigned to the Sub-Org are on a dedicated network, for example 192.168.110.0/26;
2) The UCS mgmt is on, for example, 192.168.100.9;
3) Inband or outband? I think first because users are on another network configured in the vNICs and shouldn't have access to the UCS management network;
4) The users (Sub-Org) shouldn't see the global configuration and other Service Profiles;
5) KVM launches a JNLP on the mgmt network, how can we avoid this for external users?
Kind Regards
Roger
12-06-2017 04:30 AM
Hi Presidio,
If you are looking to grant users just KVM access, you would want to allow them "service-profile-ext-access"; that should be enough to grant just KVM access.
If you do this then the users won't be able to "Shutdown", "Boot-Up", and "Reset" the servers. If you want them to also be included in that, you would need to add the "Power-mgmt" and "Server-Equipment" access, which has Read and Write access to power management options.
Below is a guide regarding user roles and permissions.
- Please rate and mark all helpful answers so other members can find them more easily.
- Qiese Dides
12-06-2017 05:58 AM
12-06-2017 06:15 AM
Hi Presidio,
If you would like the person to just be able to launch KVM without any UCS Manager access, you could give them the following steps to launch KVM only.
- Launch KVM using the kvm.jnlp file via http:///ucsm/kvm.jnlp
- Launch KVM using the launchkvm.bat or launchkvm.sh from http:///kvm.zip
However, the UCS RBAC system does not allow that level of granular control in which the user would not be able to launch UCS Manager or see other items.
Now if you would like to restrict the user to ONLY access that blade, you will have to create a Locale that limits the access to a Sub-Organization. (Shown in links below - This will still give them read-only access and no changes).
Cisco UCS Manager GUI Configuration Guide, Release 2.2 - Configuring Role-Based Access Control
User Locales
https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/sw/gui/config/guide/2-2/b_UCSM_GUI_Configuration_Guide_2_2/b_UCSM_GUI_Configuration_Guide_2_2_chapter_01010.html#concept_5D024749129F4B518E0C394637D34E8C
Creating a Locale
https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/sw/gui/config/guide/2-2/b_UCSM_GUI_Configuration_Guide_2_2/b_UCSM_GUI_Configuration_Guide_2_2_chapter_01010.html#d60403e2080a1635
- Please rate all helpful solutions and mark answers that are correct so other members can find them more easily.
- Qiese Dides
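The role-plus-locale setup described in the two answers above, written out as a UCS Manager CLI session. This is an added example, not part of the thread or of Cisco's documentation. The role `kvm-power`, locale `suborg-kvm`, org reference `suborg-a-ref`, sub-organization `SubOrgA` and user `kvmuser` are hypothetical names, and prompts may differ between releases; lines starting with `!` are annotations, not input.

```text
! 1. Role carrying the three privileges named in the first answer
!    (KVM access plus power control). Role name is hypothetical.
UCS-A# scope security
UCS-A /security # create role kvm-power
UCS-A /security/role* # add privilege service-profile-ext-access power-mgmt server-equipment
UCS-A /security/role* # commit-buffer
UCS-A /security/role # exit

! 2. Locale that references only the sub-organization.
!    Locale, org-ref and org names are hypothetical.
UCS-A /security # create locale suborg-kvm
UCS-A /security/locale* # create org-ref suborg-a-ref orgdn SubOrgA
UCS-A /security/locale* # commit-buffer
UCS-A /security/locale # exit

! 3. Local user that gets both the role and the locale.
!    "set password" prompts interactively; no password appears in the config.
UCS-A /security # create local-user kvmuser
UCS-A /security/local-user* # set password
Enter a password:
Confirm the password:
UCS-A /security/local-user* # create role kvm-power
UCS-A /security/local-user* # create locale suborg-kvm
UCS-A /security/local-user* # commit-buffer
```

As the last answer states, the locale limits where the role's privileges apply; it does not stop the user from launching UCS Manager or seeing other items.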