Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8150
Views
0
Helpful
10
Replies

restrict access to blade via kvm/kvm manager

Kassim Ismail
Level 1
Level 1

‎07-08-2011 03:09 AM - edited ‎03-01-2019 09:58 AM

Hi All,

is it possible to restrict access for certain users to a specific blade on the UCS either via KVM or another method? 

we have AD integration enabled but i guess the problem will be that i give them access, then they will be able to access all the blades & not 1 specific one.

any suggestions.

Thanks

Kassim

0 Helpful
10 Replies 10

padramas
Cisco Employee
Cisco Employee

‎07-09-2011 10:02 AM

Kassim,

First, make sure that TCP Port 2068 is not being blocked.

Following options are available to grant access only to KVM. 

Method #1  -- Access as IPMI user

Method #2  -- Standalone KVM tool

Method #3  -- KVM Viewer

Method #4  -- KVM Manager

For method #1 and #2, configure IPMI policy with a IPMI user having admin role and then associate it to required service-profiles / blades.This is non-disruptive configuration.

Method #1 -- as IPMI user

Access KVM via one of the following URLs

## Enter user name, password & blade's management IP address

http:///ucsm/kvm.jnlp

## OR we can include IP address of the specific blade in URL as a parameter

http:///ucsm/kvm.jnlp?kvmIpAddr=a.b.c.d

Method #2  -- Standalone KVM tool

Tool is available for both Windows and Linux systems.

To run a standalone KVM, download kvm.zip file from the Fabric Interconnect ( FI )

        http:///kvm.zip

and extract the contents to a folder.

On Windows, double click launchkvm.bat file to launch the KVM.

On Linux, enable the execute permission by " chmod 777 launchkvm.sh "  and then launch it by running " ./launchkvm.sh "

For method #3 and #4,  access can be restricted to specific blades by associating appropriate role,locale and organization.

#1 Map blades to an organization

#2 Create a locale and include the organization

#3 Assign the user with " server-profile " role and assign it to appropriate locale

Method #3  -- KVM Viewer

To launch KVM viewer

    http:///ucsm/kvm.jnlp

    http:///ucsm/kvm.jnlp?kvmIpAddr=a.b.c.d

Method #4 -- KVM Manager

Access the KVM launch manager via FI ip address or use the following direct link

http:///ucsm/kvm.html

In this view, user will be able to see all blades but only will be allowed access to blades associated with organization and locale.

NOTE :- This was based on UCSM 1.4.3 and for locally authenticated users.  Need to  check out options for users authenticated through LDAP.

HTH

Padma

0 Helpful

Kassim Ismail
Level 1
Level 1
In response to padramas

‎07-12-2011 02:33 AM

Hi Padma,

Thanks for the info. I will give it a go.

Kassim

0 Helpful

David Rodriguez
Level 1
Level 1
In response to padramas

‎03-07-2012 09:54 PM

Hi Padramas,have you tried with the latest firmware 2.0.1w to use local authentication with locale to specific organisation and only seeing their server in the kvm manager ? Or have you found another way to accomplish this ?

0 Helpful

padramas
Cisco Employee
Cisco Employee
In response to David Rodriguez

‎03-08-2012 12:15 AM

David,

I just did quick test ( 2.0.1t ) in lab where I associated a user to custom role that has only " service-profile-ext-access " privilege in it and mapped with corresponding locale ( organization )

With this configuration, user will be able to access KVM for blades within the locale.

For other blades, it will launch a login window and will fail when you try to authenticate.

http://www.cisco.com/en/US/docs/unified_computing/ucs/sw/gui/config/guide/2.0/b_UCSM_GUI_Configuration_Guide_2_0_chapter_01001.html

HTH

Padma

0 Helpful

pavel.jenicek
Level 1
Level 1
In response to padramas

‎02-05-2013 03:08 AM

Hello,

even in sw version 2.1, KVM user role (service profile ext access) still have read-only access to management. I really don't want to let my kvm users see all the equipment, server profiles, etc.

Any clue to create KVM role ONLY ? Without RO access to management ?

Thanks

Regards,

Pavel

0 Helpful

Robert Burns
Cisco Employee
Cisco Employee
In response to pavel.jenicek

‎02-05-2013 06:19 AM

It's another request that's in the pipe.  No commit timeframe yet.

Robert

0 Helpful

NarendraChawda
Level 1
Level 1
In response to padramas

‎04-18-2018 08:19 AM

We are at UCSM2.2.8g and we would like to restrict some GROUP to just have KVM. i think above post is OLD & may be still valid but could someone help in details please? thank you

0 Helpful

pranavgu
Level 1
Level 1
In response to NarendraChawda

‎04-18-2018 08:35 AM

To be able to assign different permission to a particular blades you need to put the blades under the different organizations.
However UCS Manager does not allow one user to have different roles/privileges in different organizations. There is no direct option configure this functionality.
Therefore only option we see here to achieve your task is to create separate users and assign them a different roles under organizations.
You can create your own role with defined privileges. Depending the tasks you want to allow for user, you need to enable particular privileges for him.
Below is the list of the privileges which contain KVM access and can't be used for the role, to whom you want to disable KVM access:
- Admin
- Service profile Config
- Service profile Config Policy
- Service profile Server
- Service profile Compute
- Service profile Server Policy
- Service profile Ext Access
- Service profile Server Oper
- Server Equipment
- Server Maintenance
- Server Policy

Below link provides configuration guide for configuring UCSM user roles:
http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/sw/gui/config/guide/2-2/b_UCSM_GUI_Configuration_Guide_2_2/configuring_role_based_access_control.html#concept_E41FB2D2F363406EAC1011CC59B5D4BB
At the following link you can see the explanation of each privilege to understand which operations are allowed for them:
http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/ucsm_privileges/CiscoUCSManager_Privileges_release21.html
0 Helpful

NarendraChawda
Level 1
Level 1
In response to pranavgu

‎04-18-2018 08:57 AM

Thanks Pranav, but with that they CAN login to UCSM and see other business HW< configurations<  and global policies etc, which we would like to restrict.

 

we already have the ORG & Local created for this business UNIT but with that they have some access to that ORG-locale but have READONLY rights to the UCSM as whole.

 

WE want to restrict the UCSM access completely, and give only KVM with KVM-IP (like rack server mgmt.).

we are OK with local user but AD is preferred...

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents

Review Cisco Networking products for a $25 gift card