Will UCS Central 2.0 User Management control access privileges to local policies?

jmunk
Level 4

I have a UCS Central 2.0 where UCS Central controls User Management on registered UCS Domains (on UCS Domain I have set UCS Central Policy Resolution Control to "Global").

Let us say, I have defined the following in UCS Central:

- some global policies applied to Suborg "org-root/org-Suborg1". These policies will as usual be pushed down to any UCS Domain, where a Global Service Profile using these policies gets instantiated.

- a locale "localeSuborg1", which is "linked" to Suborg "org-root/org-Suborg1" (and only to that Suborg)

- an LDAP group map for UCS Domain authentication and authorisation (under the appropriate Domain Group) which "links" role "admin" to locale "localeSuborg1" for a given Active Directory Group "ucs-admins"

Now a user belonging to above Active Directory Group "ucs-admins" logs in directly to a UCS Domain, which is covered by the above UCS Central LDAP Group Map policy. This user will then get "admin" privileges to all *global* policies under SubOrg "org-root/org-Suborg1", and will not get privileges to access any global policies under any other parts of the Org Hierarchy.

And now: what about this user's privileges to *local* UCS Domain policies?:

- A: will this user have "admin" privileges only for local policies under Suborg "org-root/org-Suborg1"? (the user may have to create such local policies himself since they are not created from UCS Central)

- B: or will this user have "admin" privileges to local policies at "global" level within the UCS Domain, including all parts of the Org Hierarchy?

If the answer to the above is A, is the following then consequently correct?:

- If my above UCS Central LDAP Group Map instead gets linked to *no* locale, then my above user will have "admin" privileges to local policies at "global" level within the UCS Domain.

(I currently have access only to UCS Platform emulators, so it is hard to test the above in this environment).

BR

Jesper

Accepted Solution

Matthew Faiello
Cisco Employee

Your rationale is correct, assuming your group mappings to user accounts are correct and the Locale is properly created and configured. A Locale links the User ID to a particular portion of the Org Structure and a Domain Group (set of UCS Domains).

Remember, Permissions and access are set to the Org/sub-org, whether Global or Local. However, Global Objects can ONLY be created/edited/deleted from UCS Central. Local Objects can only be created/edited/deleted from UCS Manager.

Also, remember that Global Service Profiles can ONLY consume Global Objects. Whereas, Local Service Profiles can consume both Local Objects as well as Global Objects.

In other words, a Local SP can consume a Local MAC Pool, or "look up" and access a Global MAC Pool, assuming the pool is accessible through Org Resolution.

The Global SP can only consume from a Global MAC Pool; it CANNOT "look down" to access a Local MAC Pool.

If you elect Global Policy Resolution for User Authentication, then the policy map in UCS Central will define the access to Orgs, regardless of whether the objects are Local or Global. From Central, it's one grand Org Structure.

For instance, say you have the following Org Structure, with mixed Global SPs and Local SPs BOTH within /root/sub-org-1:

/root
|__/sub-org-1
   |_GSP-1
   |_GSP-2
   |_GSP-3
   |_LSP-1
   |_LSP-2
   |_LSP-3

Access given through Roles/Locales/LDAP Group Mappings (assuming Global Resolution for User Authentication) will permit an admin to have access to sub-org-1 for a given set of UCS Domains (the Domain Group component of the Locale). From UCS Central, they can edit any/all Global Objects (GSPs). The same admin would have to log into UCSM to manage the Local Objects (LSPs).

For an Account with no Locale defined, by default that Account would have access to all Orgs and all Domain Groups. The Locale object works on a "restrictive" basis.

Matthew Faiello | UCS Technical Marketing Engineer | .:|:.:|:. Cisco Systems, Inc.

mfaiello@cisco.com | Phone: 727-540-1432 | Twitter: @mfaiello

UCS Communities: http://communities.cisco.com/ucs

UCS Platform Emulator: http://communities.cisco.com/ucspe

UCS Developed Integrations: http://communities.cisco.com/ucsintegrations

Please join me at CiscoLive 2017 – Vegas: https://www.ciscolive.com/us/learn/sessions/session-catalog/

BRKINI-2205 UCS Central Advanced Principles - Managing UCS at Scale

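As an added illustration (not code from the thread, from Cisco, or from UCS Central itself), the following Python model captures the two rules Matt describes: a Locale restricts an LDAP-group-mapped role to an org subtree and a set of Domain Groups (no Locale means no restriction), and org resolution lets a Local SP "look up" to Global pools while a Global SP never "looks down" to a Local one. The org "org-root/org-Suborg1", locale "localeSuborg1" and LDAP group "ucs-admins" come from the question; the Domain Group names ("dg-prod", "dg-lab") and pool names are constructed for the example, and the model does not talk to UCS Central or UCSM.

```python
# Added illustration of the RBAC and org-resolution rules discussed in this
# thread. Not Cisco code; it does not call any UCS Central or UCSM API.
# Domain-group names and pool names below are made up for the example.
from dataclasses import dataclass

ROOT = "org-root"


def is_within(org: str, scope: str) -> bool:
    """True if org is scope itself or any sub-org beneath it."""
    return org == scope or org.startswith(scope + "/")


def ancestors(org: str):
    """Yield org, then each parent up to org-root (org-resolution order)."""
    while org:
        yield org
        org = org.rsplit("/", 1)[0] if "/" in org else ""


@dataclass(frozen=True)
class Locale:
    name: str
    orgs: tuple           # org DNs this Locale covers
    domain_groups: tuple  # Domain Groups (sets of UCS Domains) it covers


@dataclass(frozen=True)
class LdapGroupMap:
    ldap_group: str
    roles: tuple
    locales: tuple        # empty tuple => no Locale => unrestricted


def effective_roles(gmap: LdapGroupMap, user_groups, org: str, domain_group: str):
    """Roles a user gets on `org` in a UCS Domain that belongs to `domain_group`.

    With no Locale the mapping is unrestricted (all Orgs, all Domain Groups).
    With Locales, the roles apply only where one Locale covers BOTH the org
    (or an ancestor of it) AND the Domain Group. Under global resolution of
    user authentication this applies to Local and Global objects alike.
    """
    if gmap.ldap_group not in user_groups:
        return frozenset()
    if not gmap.locales:
        return frozenset(gmap.roles)
    for loc in gmap.locales:
        org_ok = any(is_within(org, scope) for scope in loc.orgs)
        if org_ok and domain_group in loc.domain_groups:
            return frozenset(gmap.roles)
    return frozenset()


@dataclass(frozen=True)
class Pool:
    org: str
    name: str
    scope: str  # "global" (created in UCS Central) or "local" (created in UCSM)


def resolve_pool(sp_scope: str, sp_org: str, name: str, pools):
    """Org resolution for a service profile's reference to a named pool.

    Walks from the SP's org up to org-root and returns the first matching
    Pool, or None. A Local SP may consume Local pools or "look up" to Global
    ones; a Global SP may consume Global pools only and never "looks down"
    to a Local pool, even one in its own org.
    """
    allowed = {"local", "global"} if sp_scope == "local" else {"global"}
    for org in ancestors(sp_org):
        for p in pools:
            if p.org == org and p.name == name and p.scope in allowed:
                return p
    return None


# Constructed setup mirroring the question: Locale tied to org-root/org-Suborg1
# and an assumed Domain Group "dg-prod"; LDAP group "ucs-admins" -> role admin.
SUBORG1 = ROOT + "/org-Suborg1"
LOCALE_SUBORG1 = Locale("localeSuborg1", (SUBORG1,), ("dg-prod",))
MAP_RESTRICTED = LdapGroupMap("ucs-admins", ("admin",), (LOCALE_SUBORG1,))
MAP_UNRESTRICTED = LdapGroupMap("ucs-admins", ("admin",), ())

POOLS = (
    Pool(ROOT, "mac-global", "global"),   # created in UCS Central at org-root
    Pool(SUBORG1, "mac-local", "local"),  # created in UCSM under Suborg1
)

if __name__ == "__main__":
    groups = {"ucs-admins"}
    for org in (SUBORG1, ROOT + "/org-Suborg2", ROOT):
        print(org, "->", sorted(effective_roles(MAP_RESTRICTED, groups, org, "dg-prod")))
    print("no locale, org-root:", sorted(effective_roles(MAP_UNRESTRICTED, groups, ROOT, "dg-lab")))
    print("local SP -> mac-global:", resolve_pool("local", SUBORG1, "mac-global", POOLS))
    print("global SP -> mac-local:", resolve_pool("global", SUBORG1, "mac-local", POOLS))
```

The model answers the question's case A: with the Locale present, the "ucs-admins" user has admin only on org-root/org-Suborg1 and its children (and only in the Locale's Domain Groups), while a mapping with no Locale grants admin everywhere. Precedence between a Local and a Global pool of the same name in the same org is not stated in the thread; the model simply returns the first match in list order.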

3 Replies

Matthew Faiello
Cisco Employee

I’ll provide a lengthy reply by COB.

Regards,

Matt



Matt,

great, in-depth answer, which gives me the information I need!

BR

Jesper
