
UCS Manager KVM Sub-Org access without seeing global configuration

Hi All,

Does anyone know if there is any news about the configuration, in UCS Manager, of limited KVM access?

We have a lot of service profiles in the root tree and 10 in the Sub-Organizations and want to configure the access to manage power on, power off and console, with these considerations:

1) The users assigned to the Sub-Org are on a dedicated network, for example 192.168.110.0/26;

2) The UCS mgmt is on, for example, 192.168.100.9;

3) In-band or out-of-band? I think the first, because users are on another network configured in the vNICs and shouldn't have access to the UCS management network;

4) The users (Sub-Org) shouldn't see the global configuration and other Service Profiles;

5) KVM launches a JNLP on the mgmt network, how can we avoid this for external users?

 

Kind Regards

Roger


Qiese Dides
Cisco Employee

Hi Presidio,

 

If you are looking to grant users just KVM access, you would want to allow them "service-profile-ext-access"; that should be enough to grant just KVM access.

 

If you do this, then the users won't be able to "Shutdown", "Boot-Up", and "Reset" the servers. If you want those to be included as well, you would need to add the "Power-mgmt" and "Server-Equipment" access, which has Read and Write access to power management options.

 

Below is a guide regarding user roles and permissions.

 

http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/sw/cli/config/guide/2-2/b_UCSM_CLI_Configuration_Guide_2_2/b_UCSM_CLI_Configuration_Guide_2_2_chapter_01010.html

 

- Please rate and mark all helpful answers so other members can find them more easily.

 

- Qiese Dides

 

Thanks, but doing so will give the user read access to the entire UCS configuration instead of only to the SUB-ORG or the profiles associated with the user.
Regards

Hi Presidio,

 

If you would like the person to just be able to launch KVM without any UCS Manager access, you could give them the following steps to launch KVM only.

 

- Launch KVM using the kvm.jnlp file via http:///ucsm/kvm.jnlp
- Launch KVM using the launchkvm.bat or launchkvm.sh from http:///kvm.zip

 

However, the UCS RBAC system does not allow that level of granular control in which the user would not be able to launch UCS Manager or see other items.

 

Now, if you would like to restrict the user to ONLY access that blade, you will have to create a Locale that limits the access to a Sub-Organization. (Shown in the links below. This will still give them read-only access and no changes.)


Cisco UCS Manager GUI Configuration Guide, Release 2.2 - Configuring Role-Based Access Control

User Locales
  https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/sw/gui/config/guide/2-2/b_UCSM_GUI_Configuration_Guide_2_2/b_UCSM_GUI_Configuration_Guide_2_2_chapter_01010.html#concept_5D024749129F4B518E0C394637D34E8C

Creating a Locale
  https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/sw/gui/config/guide/2-2/b_UCSM_GUI_Configuration_Guide_2_2/b_UCSM_GUI_Configuration_Guide_2_2_chapter_01010.html#d60403e2080a1635

 

- Please rate all helpful solutions and mark answers that are correct so other members can find them more easily.

 

- Qiese Dides
