Kassim Ismail

restrict access to blade via kvm/kvm manager

Hi All,

Is it possible to restrict access for certain users to a specific blade on the UCS, either via KVM or another method?

We have AD integration enabled, but I guess the problem will be that if I give them access, they will be able to access all the blades and not one specific one.

Any suggestions?



Cisco Employee


First, make sure that TCP Port 2068 is not being blocked.

The following options are available to grant access only to KVM.

Method #1  -- Access as IPMI user

Method #2  -- Standalone KVM tool

Method #3  -- KVM Viewer

Method #4  -- KVM Manager

For method #1 and #2, configure an IPMI policy with an IPMI user having the admin role and then associate it to the required service-profiles / blades. This is a non-disruptive configuration.

Method #1 -- as IPMI user

Access KVM via one of the following URLs

## Enter user name, password & blade's management IP address


## OR we can include IP address of the specific blade in URL as a parameter


Method #2  -- Standalone KVM tool

Tool is available for both Windows and Linux systems.

To run a standalone KVM, download the file from the Fabric Interconnect (FI)


and extract the contents to a folder.

On Windows, double-click the launchkvm.bat file to launch the KVM.

On Linux, enable the execute permission by " chmod 777 "  and then launch it by running " ./ "

For method #3 and #4, access can be restricted to specific blades by associating the appropriate role, locale and organization.

#1 Map blades to an organization

#2 Create a locale and include the organization

#3 Assign the user with " server-profile " role and assign it to appropriate locale

Method #3  -- KVM Viewer

To launch KVM viewer



Method #4 -- KVM Manager

Access the KVM launch manager via the FI IP address or use the following direct link


In this view, the user will be able to see all blades but will only be allowed access to blades associated with the organization and locale.

NOTE: This was based on UCSM 1.4.3 and for locally authenticated users. Need to check out options for users authenticated through LDAP.



Hi Padma,

Thanks for the info. I will give it a go.


Hi Padramas, have you tried with the latest firmware 2.0.1w to use local authentication with a locale for a specific organisation, so that users only see their server in the KVM manager? Or have you found another way to accomplish this?


I just did a quick test (2.0.1t) in the lab where I associated a user to a custom role that has only the " service-profile-ext-access " privilege in it and mapped it with the corresponding locale (organization).

With this configuration, user will be able to access KVM for blades within the locale.

For other blades, it will launch a login window and will fail when you try to authenticate.




Even in SW version 2.1, the KVM user role (service profile ext access) still has read-only access to management. I really don't want to let my KVM users see all the equipment, server profiles, etc.

Any clue how to create a KVM-ONLY role? Without RO access to management?




It's another request that's in the pipe.  No commit timeframe yet.


We are at UCSM 2.2.8g and we would like to restrict some GROUP to just have KVM. I think the above post is OLD and may still be valid, but could someone help with details please? Thank you.

To be able to assign different permissions to particular blades, you need to put the blades under different organizations.
However, UCS Manager does not allow one user to have different roles/privileges in different organizations. There is no direct option to configure this functionality.
Therefore the only option we see here to achieve your task is to create separate users and assign them different roles under organizations.
You can create your own role with defined privileges. Depending on the tasks you want to allow for the user, you need to enable particular privileges for him.
Below is the list of the privileges which contain KVM access and can't be used for a role for which you want to disable KVM access:
- Admin
- Service profile Config
- Service profile Config Policy
- Service profile Server
- Service profile Compute
- Service profile Server Policy
- Service profile Ext Access
- Service profile Server Oper
- Server Equipment
- Server Maintenance
- Server Policy

The link below provides the configuration guide for configuring UCSM user roles:
At the following link you can see the explanation of each privilege to understand which operations are allowed for them:
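The role, locale and organization scoping discussed in this thread can be audited offline. The following is an added example, not part of the original posts and not Cisco code: it computes which blades each user can reach by KVM and flags anything beyond the intended scope. Privilege names are the display names from the list above; the roles, users, locales, organizations and blades are constructed sample data, and the handling of sub-organizations and of users without a locale are stated assumptions.

```python
# Added example: audit KVM reach from role/locale/org assignments.
# KVM-bearing privileges are the display names listed in the post above.
KVM_PRIVILEGES = {
    "admin", "service profile config", "service profile config policy",
    "service profile server", "service profile compute",
    "service profile server policy", "service profile ext access",
    "service profile server oper", "server equipment",
    "server maintenance", "server policy",
}
# Constructed sample data (hypothetical names throughout).
ROLES = {
    "kvm-only": {"Service profile Ext Access"},
    "sp-admin": {"Service profile Config", "Service profile Server"},
    "viewer": {"example-non-kvm-privilege"},  # hypothetical placeholder
}
LOCALES = {"bu-a": ["org-root/org-A"], "bu-b": ["org-root/org-B"]}
BLADES = {
    "chassis-1/blade-1": "org-root/org-A",
    "chassis-1/blade-2": "org-root/org-A/org-A1",
    "chassis-1/blade-3": "org-root/org-B",
}
USERS = {
    "alice": {"roles": ["kvm-only"], "locales": ["bu-a"]},
    "bob": {"roles": ["sp-admin"], "locales": ["bu-a", "bu-b"]},
    "carol": {"roles": ["viewer"], "locales": []},
    "dave": {"roles": ["kvm-only"], "locales": []},
}

def grants_kvm(role):
    """True if any privilege in the role is on the KVM-bearing list."""
    return any(p.lower() in KVM_PRIVILEGES for p in ROLES[role])

def org_in_scope(blade_org, locale_org):
    # Assumption: a locale that includes an org also covers its sub-orgs.
    return blade_org == locale_org or blade_org.startswith(locale_org + "/")

def kvm_reach(user):
    """Set of blades the user could open a KVM session to."""
    u = USERS[user]
    if not any(grants_kvm(r) for r in u["roles"]):
        return set()
    if not u["locales"]:
        # Conservative audit assumption: no locale means unscoped.
        return set(BLADES)
    orgs = [o for loc in u["locales"] for o in LOCALES[loc]]
    return {b for b, org in BLADES.items()
            if any(org_in_scope(org, o) for o in orgs)}

def audit(intended):
    """Map each user to the blades reachable beyond the intended list."""
    over = {u: sorted(kvm_reach(u) - set(ok)) for u, ok in intended.items()}
    return {u: extra for u, extra in over.items() if extra}
```
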

Thanks Pranav, but with that they CAN log in to UCSM and see other business HW, configurations, and global policies etc., which we would like to restrict.


We already have the ORG & Locale created for this business UNIT, but with that they have some access to that ORG-locale but have READONLY rights to the UCSM as a whole.


We want to restrict the UCSM access completely, and give only KVM with KVM-IP (like rack server mgmt.).

We are OK with a local user but AD is preferred...
