Chapter 13
Configuring Roles and Profiles

The following Understanding Cisco Cloud Administration CLDADM (210-455) Exam Objectives are covered in this chapter:

✓ 1.1 Configure users/groups and role-based access control in the portal, including basic troubleshooting

  • 1.1.a Describe default roles
  • 1.1.b Configure new user with single role
  • 1.1.c Describe multirole user profiles
  • 1.1.d Configure a user profile

CLDFND Exam 210-455 Overview

This chapter begins the second section of the CCNA Cloud Study Guide and is focused on preparing you for the second of the two exams required to become a certified CCNA Cloud professional. In the first section, you learned about cloud types and deployment models, virtualization, storage, converged networks, and more. This allowed you to gain a foundational understanding of cloud computing. The second exam has a greater focus on cloud operations and how to manage and run the day-to-day tasks that a certified CCNA Cloud professional will be responsible for when working in the field.

For the rest of the book, we will focus primarily on the Cisco ONE Enterprise Cloud suite of applications since the CLDADM 210-455 exam tests on the applications that make up the Cisco ONE product family. The following are the applications that are included in Cisco ONE:

  • UCS Director
  • Prime Service Catalog
  • Intercloud Fabric for Business
  • Virtual Application Cloud Segmentation

We will also cover the Cisco Intelligent Automation for the Cloud at a high level.

An Introduction to Cisco Cloud Administration

Cisco offers a complete suite of cloud management applications that cover all aspects of operations in a hybrid, public, community, or private cloud environment. The CCNA CLDFND 210-455 exam has a heavy focus on cloud administration using the Cisco ONE family of management applications. With the Cisco ONE centralized and integrated suite of software, maintaining cloud operations can be optimized.

You will learn about the various Cisco cloud management software products throughout the rest of this study guide and will be introduced to the Prime Service Catalog, which is a self-service portal to order cloud services and acts as a “storefront” for IT and cloud services. You will also be introduced to UCS Director (UCSD), which provides integrated infrastructure management for cloud services such as services automation, compute, storage, networking, billing, and much more. The Cisco Intercloud Fabric for Business offers hybrid cloud management and interconnection services, and the Virtual Application Container Services (VACS) is used to secure applications by applying segmentation and offers streamlined provisioning of containers and interoperability between clouds.

UCS Director

In the Cisco ONE Enterprise Cloud suite of applications, the core automation application is UCS Director, more frequently called UCSD, which was developed to provide automation in the cloud. In traditional data centers today, operations are maintained by separate administrative groups that include servers, operating systems, storage, networking, security, and often virtualization. These separate groups must work together but at the same time perform their duties apart from one another to operate a modern enterprise data center. As we have discussed throughout this book, this is very time-consuming, error-prone, and inefficient. This separation of duties into discrete operational groups is sometimes called a silo, which means each group performs a specialized duty, and communications, hand-offs, support, and troubleshooting may not be very efficient when the groups are operating in their own world, or silo. The silo structure creates a long deployment timeline, which has been overcome using automation in the cloud with applications such as UCS Director. When you remove the manual processes and implement UCSD, productivity increases, much of the complexity is removed by the replicated processes offered by UCSD, operations are more consistent, and, best of all, the IT staff is freed up to work on more interesting projects!

The UCS Director is the application that provides on-demand delivery, cloud automation, end-to-end management, and support of the cloud infrastructure and complete management of your company’s cloud life cycle. The end result is that deployments are much faster than the traditional silo structure of enterprise operations. UCSD automation takes the hardware and software configuration tasks and converts them to programmable modules. These modules are then used to create a workflow that is automated. By using the workflow approach, complete projects can be automated across all of the functional areas of the cloud operations. UCSD uses an object approach, as compared to the script-based architecture, with a graphical design interface (scripting support is available if desired, though). With more than 2,000 tasks included in the UCSD release, the broad base of preconfigured objects allows for fast deployment times. The tool also includes support for versioning and allows conditionals and process loops. The Cisco APIC ACI controller integrates with UCSD and provides support for tenants, bridge domains, endpoint groups, contracts, L4-7 services, router peering, and VMM domains.

UCSD can discover and provide mapping of your infrastructure because workflows are defined to facilitate timely deployments that are mapped to company operational standards, policies, and procedures. UCSD is not specific to Cisco products; it can operate in a multivendor deployment. Since all environments are multivendor, this is a critical requirement. UCSD comes prepackaged with more than 2,000 workflows that are configured to allow for quick automation, orchestration, and deployment of common IT and cloud operational tasks. UCSD can, without APIC integration, automate and manage firewalls, servers, load balancers, virtual machines, storage, networking, and many other services by replacing manual processes with automation.

The UCS Director comprises different software modules that include an Infrastructure portal for self-service for ordering IT services and resources from a “catalog” of packaged offerings. Think of this as a menu in a restaurant. The cloud administrators package offerings into a menu and publish them online in the services catalog. This “menu” is where the cloud customers order their desired services. Catalogs keep services and offerings uniform, which prevents the sprawl of products to support that would result if the offerings were not structured in a services catalog. The services offered in the catalog can be pretested and configured and can be determined to meet all corporate governance and regulatory requirements.

There is a section in UCSD dedicated to infrastructure orchestration, which defines the workflow that provisions the services ordered from the service catalog. If there are any resource limitations or constraints, another UCSD module dynamically monitors and remediates any capacity limitations. UCSD includes a monitoring application that allows for chargeback billing and resource accounting. UCSD offers the standard administration and management capabilities for cloud operations, which includes reporting modules for all aspects of your cloud consumption with reports in either graphical or spreadsheet formats. Cisco has published an open automation software development kit and sample code for developers to integrate applications with UCSD. Finally, UCSD is far from being a stand-alone application and allows for integration to many other applications.

Configure Users/Groups and Role-Based Access Control in the Portal, Including Basic Troubleshooting

This next section will focus on the exam objectives of managing users and roles. Now that you have a basic understanding of the UCS Director, you will learn how to create roles, groups, and users using the application. It is important to note that UCSD supports external directory systems such as Active Directory from Microsoft. The exam will only focus on its own local data and not that of any external directories.

The UCSD portal is where users are created to access all the features of the Cisco ONE cloud ecosystem. These include administrative roles, rights to the catalog to order services, and many other capabilities that will be introduced throughout the rest of this book.

When a user is created, the user can either be assigned a role or be placed in a group of users, and then the group will be assigned a role. The application allows you to create groups to meet your needs, and while there are 11 default roles, you can create additional roles as needed. Additional roles can be created or modified with the rights granted in the Group and Systems Administrator accounts.

Default Roles in UCS Director

The management of user accounts is performed using the UCS Director converged infrastructure management application. The UCSD user profiles utilize role-based access control (RBAC) that is defined as a method of allowing or restricting user access to network services based on the user’s role or location in the organization. The RBAC role grants users privileges when a user is assigned to the role. Additionally, a user can be assigned to a group, such as computing administrators, and then that user group can be assigned to a role. It is important to understand that privileges are assigned to the roles, and the users are granted rights by being a member of a role. Users do not get assigned rights directly; user rights are inherited by being a member of a role.

The UCSD user and role management architecture allows the cloud administrator great flexibility in designing access rights for any conceivable use case. Users can be granted the proper permissions for any needs they may require, such as to order services, monitor, manage, create reports, and administer billing or accounting functions in addition to any custom-created profiles.

UCS Director ships with predefined or default user roles that reduce deployment times. UCS Director can support up to 48 defined roles. There are 11 preconfigured roles that are included in the application.

All Policy Administrator: Manages policies and service request operations (Table 13.1)

Table 13.1 All Policy Administrator role

Operations | Read Permission | Write Permission
Approver Service Request | Yes | Yes
Assign VM to vDC | No | Yes
Budgeting | Yes | No
Catalogs | Yes | No
Chargeback | Yes | No
Cloudsense Assessment Reports | Yes | No
Cloudsense Reports | Yes | No
Computing Policy | Yes | Yes
Create Service Request | No | Yes
CS Shared Assessments | No | No
CS Shared Reports | No | No
Deployment Policy | No | Yes
Discovery | Yes | No
End-User Chargeback | No | No
Group Service Request | Yes | Yes
Group Users | Yes | No
Mobile Access Settings | No | No
Network Policy | Yes | Yes
Open Automation Modules | No | No
Orchestration | Yes | Yes
Physical Computing | Yes | Yes
Physical Network | Yes | Yes
Physical Storage | Yes | Yes
Remote VM Access | No | No
Resource Accounting | Yes | No
Resource Groups | No | No
Resource Limit Report | Yes | No
Service Delivery | Yes | Yes
Storage Policy | Yes | Yes
System Admin | Yes | No
Tag Library | No | No
UCSD Cluster | No | No
Users and Groups | Yes | No
vDC | Yes | No
Virtual Accounts | Yes | No
Virtual Computing | Yes | No
Virtual Network | Yes | No
Virtual Storage | Yes | No
VM Label | No | Yes
Write Resource Accounting | No | No

Billing Administrator: Manages accounting and billing operations (Table 13.2)

Table 13.2 Billing Administrator role

Operations | Read Permission | Write Permission
Approver Service Request | No | No
Assign VM to vDC | No | No
Budgeting | Yes | Yes
Catalogs | No | No
Chargeback | Yes | No
Cloudsense Assessment Reports | Yes | Yes
Cloudsense Reports | Yes | Yes
Computing Policy | No | No
Create Service Request | No | No
CS Shared Assessments | No | No
CS Shared Reports | No | No
Deployment Policy | No | No
Discovery | Yes | No
End-User Chargeback | No | No
Group Service Request | Yes | No
Group Users | No | No
Mobile Access Settings | No | No
Network Policy | No | No
Open Automation Modules | No | No
Orchestration | No | No
Physical Computing | No | No
Physical Network | No | No
Physical Storage | No | No
Remote VM Access | No | No
Resource Accounting | Yes | No
Resource Groups | No | No
Resource Limit Report | Yes | No
Service Delivery | No | No
Storage Policy | No | No
System Admin | No | No
Tag Library | No | No
UCSD Cluster | No | No
Users and Groups | No | No
vDC | No | No
Virtual Accounts | No | No
Virtual Computing | No | No
Virtual Network | No | No
Virtual Storage | No | No
VM Label | No | No
Write Resource Accounting | No | Yes

Computing Administrator: Manages compute-related operations (Table 13.3)

Table 13.3 Computing Administrator role

Operations | Read Permission | Write Permission
Approver Service Request | Yes | Yes
Assign VM to vDC | No | No
Budgeting | Yes | No
Catalogs | Yes | No
Chargeback | Yes | No
Cloudsense Assessment Reports | Yes | No
Cloudsense Reports | Yes | No
Computing Policy | Yes | Yes
Create Service Request | Yes | No
CS Shared Assessments | No | No
CS Shared Reports | No | No
Deployment Policy | Yes | No
Discovery | Yes | No
End-User Chargeback | No | No
Group Service Request | Yes | No
Group Users | Yes | No
Mobile Access Settings | No | No
Network Policy | Yes | No
Open Automation Modules | No | No
Orchestration | Yes | Yes
Physical Computing | Yes | Yes
Physical Network | Yes | No
Physical Storage | Yes | No
Remote VM Access | No | No
Resource Accounting | Yes | No
Resource Groups | Yes | Yes
Resource Limit Report | Yes | No
Service Delivery | Yes | No
Storage Policy | Yes | No
System Admin | Yes | No
Tag Library | Yes | Yes
UCSD Cluster | No | No
Users and Groups | Yes | No
vDC | Yes | No
Virtual Accounts | Yes | No
Virtual Computing | Yes | No
Virtual Network | Yes | No
Virtual Storage | Yes | No
VM Label | No | Yes
Write Resource Accounting | No | No

Group Administrator: Is an end user with the privilege of adding users (Table 13.4)

Table 13.4 Group Administrator role

Operations | Read Permission | Write Permission
Approver Service Request | Yes | Yes
Assign VM to vDC | No | No
Budgeting | No | No
Catalogs | Yes | No
Chargeback | Yes | No
Cloudsense Assessment | No | No
Cloudsense Reports | Yes | Yes
Computing Policy | No | No
Create Service Request | No | Yes
CS Shared Assessments | No | No
CS Shared Reports | Yes | Yes
Deployment Policy | No | No
Discovery | No | No
End-User Chargeback | Yes | No
Group Service Request | Yes | Yes
Group Users | Yes | Yes
Mobile Access Settings | No | No
Network Policy | No | No
Open Automation Modules | No | No
Orchestration | No | No
Physical Computing | No | No
Physical Network | No | No
Physical Storage | No | No
Remote VM Access | No | No
Reports | No | No
Resource Accounting | Yes | No
Resource Groups | No | No
Resource Limit Report | Yes | No
Service Delivery | No | No
Storage Policy | No | No
System Admin | No | No
Tag Library | No | No
UCSD Cluster | No | No
Users and Groups | No | No
vDC | Yes | No
Virtual Accounts | No | No
Virtual Computing | Yes | Yes
Virtual Network | No | No
Virtual Storage | No | No
VM Label | No | Yes
Write Resource Accounting | No | No

IS Administrator: Administers policy, orchestration, storage, and other IT operations (Table 13.5)

Table 13.5 IS Administrator role

Operations | Read Permission | Write Permission
Approver Service Request | Yes | Yes
Assign VM to vDC | No | Yes
Budgeting | Yes | No
Catalogs | Yes | Yes
Chargeback | Yes | No
Cloudsense Assessment Reports | No | No
Cloudsense Reports | No | No
Computing Policy | Yes | No
Create Service Request | Yes | No
CS Shared Assessments | No | No
CS Shared Reports | No | No
Deployment Policy | Yes | No
Discovery | No | No
End-User Chargeback | No | No
Group Service Request | Yes | No
Group Users | Yes | No
Mobile Access Settings | No | No
Network Policy | Yes | Yes
Open Automation Modules | No | No
Orchestration | Yes | Yes
Physical Computing | Yes | No
Physical Network | Yes | No
Physical Storage | Yes | No
Remote VM Access | No | No
Resource Accounting | Yes | No
Resource Groups | Yes | Yes
Resource Limit Report | Yes | No
Service Delivery | Yes | No
Storage Policy | Yes | Yes
System Admin | Yes | No
Tag Library | Yes | Yes
UCSD Cluster | No | No
Users and Groups | Yes | No
vDC | Yes | No
Virtual Accounts | Yes | No
Virtual Computing | Yes | No
Virtual Network | Yes | No
Virtual Storage | Yes | No
VM Label | No | Yes
Write Resource Accounting | No | No

MSP Administrator: Manages service provider administration (Table 13.6)

Table 13.6 MSP Administrator role

Operations | Read Permission | Write Permission
Virtual Computing | No | Yes
VM Label | No | Yes
Assign VM to vDC | No | No
Virtual Storage | No | No
Virtual Network | No | No
Physical Computing | No | No
Physical Storage | No | No
Physical Network | No | No
Group Service Request | Yes | Yes
Create Service Request | No | Yes
Approver Service Request | Yes | Yes
Budgeting | Yes | Yes
Resource Accounting | Yes | No
Chargeback | Yes | No
System Admin | No | No
Users and Groups | No | No
Virtual Accounts | No | No
Catalogs | Yes | No
vDC | Yes | No
Computing Policy | No | No
Storage Policy | No | No
Managing Users and Groups | No | No
All Policy Admin | No | No
Deployment Policy | No | No
Network Policy | No | No
Service Delivery | No | No
Resource Limit Report | Yes | No
Group Users | Yes | Yes
Cloudsense Reports | No | No
Cloudsense Assessment Reports | No | No
Orchestration | No | No
Discovery | No | No
Open Automation Modules | No | No
CS Shared Reports | Yes | No
CS Shared Assessments | No | No
Remote VM Access | No | No
Mobile Access Settings | No | No
End-User Chargeback | Yes | No
Write Resource Accounting | No | No
UCSD Cluster | No | No
Resource Groups | No | No
Tag Library | No | No

Network Administrator: Manages networking operations (Table 13.7)

Table 13.7 Network Administrator role

Operations | Read Permission | Write Permission
Virtual Computing | Yes | No
VM Label | No | Yes
Assign VM to vDC | No | No
Virtual Storage | Yes | No
Virtual Network | Yes | No
Physical Computing | Yes | No
Physical Storage | Yes | No
Physical Network | Yes | Yes
Group Service Request | Yes | No
Create Service Request | Yes | No
Approver Service Request | Yes | Yes
Budgeting | Yes | No
Resource Accounting | Yes | No
Chargeback | Yes | No
System Admin | Yes | No
Users and Groups | Yes | No
Virtual Accounts | Yes | No
Catalogs | Yes | No
vDC | Yes | No
Computing Policy | Yes | No
Storage Policy | Yes | No
Deployment Policy | Yes | No
Network Policy | Yes | Yes
Service Delivery | Yes | No
Resource Limit Report | Yes | No
Group Users | Yes | No
Cloudsense Reports | Yes | No
Cloudsense Assessment | Yes | Yes
Orchestration | Yes | Yes
Discovery | Yes | No
Open Automation Modules | No | No
CS Shared Reports | No | No
CS Shared Assessments | No | No
Remote VM Access | No | No
Mobile Access Settings | No | No
End-User Chargeback | No | No
Write Resource Accounting | No | No
UCSD Cluster | No | No
Resource Groups | Yes | Yes
Tag Library | Yes | Yes

Operator: Manages cloud operations (Table 13.8)

Table 13.8 Operator role

Operations | Read Permission | Write Permission
Approver Service Request | Yes | Yes
Assign VM to vDC | No | Yes
Budgeting | Yes | No
Catalogs | Yes | No
Chargeback | Yes | No
Cloudsense Assessment | Yes | No
Cloudsense Reports | Yes | No
Computing Policy | Yes | No
Create Service Request | No | Yes
CS Shared Assessments | No | No
CS Shared Reports | No | No
Deployment Policy | Yes | No
Discovery | No | No
End-User Chargeback | No | No
Group Service Request | Yes | Yes
Group Users | Yes | No
Mobile Access Settings | No | No
Network Policy | Yes | No
Open Automation Modules | No | No
Orchestration | No | No
Physical Computing | Yes | No
Physical Network | Yes | No
Physical Storage | Yes | No
Remote VM Access | No | No
Resource Accounting | Yes | No
Resource Groups | No | No
Resource Limit Report | Yes | No
Service Delivery | Yes | No
Storage Policy | Yes | No
System Admin | Yes | No
Tag Library | No | No
UCSD Cluster | No | No
Users and Groups | Yes | No
vDC | Yes | No
Virtual Accounts | Yes | No
Virtual Computing | Yes | No
Virtual Network | Yes | No
Virtual Storage | Yes | No
VM Label | No | Yes
Write Resource Accounting | No | No

Services End User: Allows only for viewing and use of the self-service portal (Table 13.9)

Table 13.9 Service End-User role

Operations | Read Permission | Write Permission
Approver Service Request | Yes | Yes
Assign VM to vDC | No | No
Budgeting | No | No
Catalogs | Yes | No
Chargeback | Yes | No
Cloudsense Assessment | No | No
Cloudsense Reports | Yes | No
Computing Policy | No | No
Create Service Request | No | Yes
CS Shared Assessments | No | No
CS Shared Reports | Yes | No
Deployment Policy | No | No
Discovery | No | No
End-User Chargeback | Yes | No
Group Service Request | Yes | Yes
Group Users | No | No
Mobile Access Settings | No | No
Network Policy | No | No
Open Automation Modules | No | No
Orchestration | No | No
Physical Computing | Yes | No
Physical Network | No | No
Physical Storage | Yes | No
Remote VM Access | No | No
Resource Accounting | Yes | No
Resource Groups | No | No
Resource Limit Report | Yes | No
Service Delivery | No | No
Storage Policy | No | No
System Admin | No | No
Tag Library | No | No
UCSD Cluster | No | No
Users and Groups | No | No
vDC | Yes | No
Virtual Accounts | No | No
Virtual Computing | Yes | Yes
Virtual Network | Yes | No
Virtual Storage | No | No
VM Label | No | Yes
Write Resource Accounting | No | No

Storage Administrator: Manages storage operations (Table 13.10)

Table 13.10 Storage Administrator role

Operations | Read Permission | Write Permission
Approver Service Request | Yes | Yes
Assign VM to vDC | No | No
Budgeting | Yes | No
Catalogs | Yes | No
Chargeback | Yes | No
Cloudsense Assessment | Yes | Yes
Cloudsense Reports | Yes | No
Computing Policy | Yes | No
Create Service Request | Yes | No
CS Shared Assessments | No | No
CS Shared Reports | No | No
Deployment Policy | Yes | No
Discovery | Yes | No
End-User Chargeback | No | No
Group Service Request | Yes | No
Group Users | Yes | No
Mobile Access Settings | No | No
Network Policy | Yes | No
Open Automation Modules | No | No
Orchestration | Yes | Yes
Physical Computing | Yes | No
Physical Network | Yes | No
Physical Storage | Yes | Yes
Remote VM Access | No | No
Resource Accounting | Yes | No
Resource Groups | Yes | Yes
Resource Limit Report | Yes | No
Service Delivery | Yes | No
Storage Policy | Yes | Yes
System Admin | Yes | No
Tag Library | Yes | Yes
UCSD Cluster | No | No
Users and Groups | Yes | No
vDC | Yes | No
Virtual Accounts | Yes | No
Virtual Computing | Yes | No
Virtual Network | Yes | No
Virtual Storage | Yes | No
VM Label | No | Yes
Write Resource Accounting | No | No

Systems Administrator: UCS Director systems operations, superuser account (Table 13.11)

Table 13.11 System Administrator role

Operations | Read Permission | Write Permission
Virtual Computing | Yes | Yes
VM Label | Yes | Yes
Assign VM to vDC | Yes | Yes
Virtual Storage | Yes | Yes
Virtual Network | Yes | Yes
Physical Computing | Yes | Yes
Physical Storage | Yes | Yes
Physical Network | Yes | Yes
Group Service Request | Yes | Yes
Create Service Request | Yes | Yes
Approver Service Request | Yes | Yes
Budgeting | Yes | Yes
Resource Accounting | Yes | Yes
Chargeback | Yes | Yes
System Admin | Yes | Yes
Users and Groups | Yes | Yes
Virtual Accounts | Yes | Yes
Catalogs | Yes | Yes
vDC | Yes | Yes
Computing Policy | Yes | Yes
Storage Policy | Yes | Yes
Managing Users and Groups | Yes | Yes
All Policy Admin | Yes | Yes
Deployment Policy | Yes | Yes
Network Policy | Yes | Yes
Service Delivery | Yes | Yes
Resource Limit Report | Yes | Yes
Group Users | Yes | Yes
Cloudsense Reports | Yes | Yes
Cloudsense Assessment Reports | Yes | Yes
Orchestration | Yes | Yes
Discovery | Yes | Yes
Open Automation Modules | Yes | Yes
CS Shared Reports | Yes | Yes
CS Shared Assessments | Yes | Yes
Remote VM Access | Yes | Yes
Mobile Access Settings | Yes | Yes
End-User Chargeback | Yes | Yes
Write Resource Accounting | Yes | Yes
UCSD Cluster | Yes | Yes
Resource Groups | Yes | Yes
Tag Library | Yes | Yes

RBAC privileges are defined as what you are able to see and do inside of the UCS Director application based on your assigned roles and the privileges granted to that role. This defines the menu systems presented to the user. For example, the systems administrator will have access to the systems administration menu system, and the storage administrator would not be presented with this menu option. Within each role, the permissions can be customized to include basic file permissions such as read-only, write, and read-write.

Roles are stand-alone in nature, which is to say they cannot be embedded or placed inside of another role.

When creating a new role, the recommended practice is to copy an existing default role and use that copy as a template for your changes; making changes to the default roles themselves is not advised. With a total of 48 roles available, there should be ample capacity to create new roles instead of modifying the defaults.
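When a custom role is cloned from a default, the useful review question is what the clone grants beyond its template. The following is an added example, not code from the book or from Cisco: it parses rows in the operation / read / write order of Tables 13.1 to 13.11 and reports the delta. The "NOC Operator" role and the list of sensitive operations are assumptions made for illustration.

```python
"""Compare a custom role with the default role it was copied from (added example)."""
from typing import Dict, List, NamedTuple, Tuple


class Perm(NamedTuple):
    read: bool
    write: bool


# Ten rows copied from Table 13.8 (default Operator role).
OPERATOR_DEFAULT = """\
Approver Service Request Yes Yes
Assign VM to vDC No Yes
Catalogs Yes No
Create Service Request No Yes
Orchestration No No
Physical Network Yes No
System Admin Yes No
Users and Groups Yes No
Virtual Computing Yes No
VM Label No Yes
"""

# Constructed sample: a hypothetical "NOC Operator" role cloned from Operator and edited.
NOC_OPERATOR_CUSTOM = """\
Approver Service Request Yes Yes
Assign VM to vDC No Yes
Catalogs Yes No
Create Service Request No Yes
Orchestration Yes Yes
Physical Network Yes Yes
System Admin Yes No
Users and Groups Yes Yes
Virtual Computing Yes No
VM Label No No
"""

# Assumption: operations this reviewer treats as high impact when they become writable.
SENSITIVE_WRITE = {"Users and Groups", "System Admin", "Orchestration",
                   "Open Automation Modules", "UCSD Cluster"}


def parse_role(text: str) -> Dict[str, Perm]:
    """Parse '<operation> <read> <write>' rows; operation names may contain spaces.

    Rows separated by '|' are accepted as well as space-separated rows.
    """
    role: Dict[str, Perm] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.replace("|", " ")
        if not line.strip():
            continue
        parts = line.rsplit(None, 2)  # the last two tokens are the Yes/No columns
        if len(parts) != 3 or any(p not in ("Yes", "No") for p in parts[1:]):
            raise ValueError(f"line {lineno}: expected '<operation> Yes|No Yes|No': {raw!r}")
        name = parts[0].strip()
        if name in role:
            raise ValueError(f"line {lineno}: duplicate operation {name!r}")
        role[name] = Perm(parts[1] == "Yes", parts[2] == "Yes")
    return role


def diff_roles(template: Dict[str, Perm], custom: Dict[str, Perm]) -> Dict[str, List[Tuple[str, str]]]:
    """Return the rights the custom role adds to or removes from its template."""
    added: List[Tuple[str, str]] = []
    removed: List[Tuple[str, str]] = []
    for op in sorted(set(template) | set(custom)):
        before = template.get(op, Perm(False, False))  # a missing row grants nothing
        after = custom.get(op, Perm(False, False))
        for right in ("read", "write"):
            had, has = getattr(before, right), getattr(after, right)
            if has and not had:
                added.append((op, right))
            elif had and not has:
                removed.append((op, right))
    return {"added": added, "removed": removed}


def review(template: Dict[str, Perm], custom: Dict[str, Perm]) -> Dict[str, list]:
    """Diff the roles and single out newly granted write access to sensitive operations."""
    delta = diff_roles(template, custom)
    delta["sensitive_write_added"] = sorted(
        op for op, right in delta["added"] if right == "write" and op in SENSITIVE_WRITE
    )
    return delta


if __name__ == "__main__":
    report = review(parse_role(OPERATOR_DEFAULT), parse_role(NOC_OPERATOR_CUSTOM))
    for key, items in report.items():
        print(f"{key}: {items}")
```

Because the default role is left unmodified, it stays available as a known baseline for this comparison.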

Creating and Managing Users

In this section, you will learn to create and manage users in UCSD. As you learned, UCSD users either can be locally created in the application or can access an external user database such as Active Directory. We will focus exclusively on creating local users.

Creating a New User with a Single Role

In this section, you will learn how to create a new user in UCS Director and assign that user to a role. This is a basic administrator function, and all users must have an account and belong to a role to use the applications included in UCS Director.

Perform the following steps to create a new user in UCS Director:

  1. Log into UCS Director with an account that has administrative privileges.
  2. In the top-center drop-down menu, select Administration and then Users And Groups. The Users And Groups screen will appear.
  3. Click the Users tab (from the top menu, second from the left).
  4. Click the Add User icon near the top of the screen, and the Add User pop-up dialog box will appear.
  5. Select the role for the user using the drop-down menu at the top.
  6. Select a login name.
  7. Enter and confirm the user password.
  8. In the User Contact Email field, input the user’s e-mail address.
  9. The remaining fields are optional, but it is always a good idea to complete these. Enter the user’s first and last name and the phone number. The Address field can be used for any notes or comments.
  10. To complete the process, click the + Add icon at the bottom of the dialog box, and you will be returned to the main Users And Groups screen. This completes the steps for creating a user locally in UCS Director.

Creating Local Groups

This section demonstrates how to create a user group using UCS Director. Just as it sounds, groups are created for each specific function you may require, and then users are placed in a group. This allows for ease of administration since groups can be assigned roles. When a new user is added to a group, the user can inherit the role assigned to the group.

Perform the following steps to create a new group in UCS Director:

  1. Log into UCS Director with an account that has administrative privileges.
  2. In the top-center drop-down menu, select Administration and then Users And Groups. The Users And Groups screen will appear, and you will be on the User Groups screen by default; otherwise, select the top-left tab labeled User Groups.
  3. Click the +Add icon near the top of the screen, and the Edit Group pop-up dialog box will appear.
  4. Add a descriptive name of your choice for the new group.
  5. Enter the group’s primary e-mail address (used for group updates and messages). All other fields are optional and include the description, code, cost center, first and last names, phone number, address, and group share policy.
  6. To complete the process, click the Save icon at the bottom of the dialog box, and you will be returned to the main Users And Groups menu. This completes the steps for creating a group locally in UCS Director.

Notice that the group is saved as a local group. If UCSD were connected to a directory service such as Active Directory from Microsoft, it would appear as an external group.

Creating Multirole Access User Profiles

What if a user needs to be in more than one role? That is actually a common requirement, and it is often appropriate to assign a user to multiple access profiles. For example, an individual may require the management rights in the network administrator’s role to perform networking operations and also have duties as an operator. This is accomplished with multirole access profiles. Access profiles allow the user to access the resources you grant to them. UCSD allows a user to belong to multiple profiles to accomplish this requirement.

Configuring User Profiles

To create a user access profile, perform the following steps using UCSD:

  1. Log into UCS Director with an account that has administrative privileges.
  2. In the top-center drop-down menu, select Administration and then Users And Groups.
  3. The Users And Groups screen will appear, and you will be on the User Groups screen by default; select the Login User tab.
  4. Choose a user from the list.
  5. Click Manage Profiles.
  6. In the Manage Profile window, click + Add.
  7. The Add Entry To Access Profiles dialog box will appear; complete the following fields:

  • Name: The profile name
  • Description: A descriptive name for the profile
  • Type: This is a drop-down list. Select the role type.
  • Customer Organizations: Select the organization this profile will belong to.
  • Show Resources From All Other Groups The User Has Access: This is a checkbox that allows the user to be able to access all the resources in the selected groups.
  • Shared Groups: Click Select to choose the groups the user profile belongs to. The user will then have access to all the rights associated with the groups you selected.

  8. Click Submit.

If a user has multiple profiles, the profile required can be selected when logging into UCSD. When presented with the login dialog box, enter your username in the following format:

  • Username: access profile name

For example, you’d enter todd: SANAdmin and then enter your password to authenticate and gain access to that specific profile.
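The profile-selecting login described above can be modelled as follows. This is an added example, not UCS Director code: it uses the chapter's own case of a user who holds both a Network Administrator and an Operator profile, and shows that a session carries only the rights of the profile named at login. The profile names, the treatment of a login without a profile, and the case-sensitive matching are assumptions.

```python
"""Model of 'username: access profile name' logins with multirole profiles (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# (read, write) per operation, four rows each copied from Tables 13.7 and 13.8.
ROLE_PERMS: Dict[str, Dict[str, Tuple[bool, bool]]] = {
    "Network Administrator": {
        "Physical Network": (True, True),
        "Network Policy": (True, True),
        "Assign VM to vDC": (False, False),
        "Create Service Request": (True, False),
    },
    "Operator": {
        "Physical Network": (True, False),
        "Network Policy": (True, False),
        "Assign VM to vDC": (False, True),
        "Create Service Request": (False, True),
    },
}

# Constructed sample: user -> {access profile name: role type}. Profile names are hypothetical.
PROFILES: Dict[str, Dict[str, str]] = {
    "todd": {"NetAdmin": "Network Administrator", "Operations": "Operator"},
}


@dataclass(frozen=True)
class Session:
    user: str
    profile: str
    role: str


def parse_login(login: str) -> Tuple[str, Optional[str]]:
    """Split 'username: access profile name' into (username, profile or None)."""
    user, sep, profile = login.partition(":")
    user, profile = user.strip(), profile.strip()
    if not user:
        raise ValueError("empty username")
    if sep and not profile:
        raise ValueError("separator present but no access profile name given")
    return user, (profile or None)


def open_session(login: str, profiles: Dict[str, Dict[str, str]]) -> Session:
    """Resolve the login string to exactly one access profile and its role."""
    user, profile = parse_login(login)
    if user not in profiles:
        raise PermissionError(f"unknown user {user!r}")
    owned = profiles[user]
    if profile is None:
        profile = next(iter(owned))  # assumption: the first profile acts as the default
    elif profile not in owned:       # assumption: names match case-sensitively
        raise PermissionError(f"{user!r} has no access profile {profile!r}")
    return Session(user, profile, owned[profile])


def allowed(session: Session, operation: str, action: str) -> bool:
    """Check one operation against the role of the profile selected at login."""
    if action not in ("read", "write"):
        raise ValueError("action must be 'read' or 'write'")
    read, write = ROLE_PERMS[session.role].get(operation, (False, False))
    return write if action == "write" else read


def reachable_writes(user: str, profiles: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """For access reviews: each writable operation and the profiles that grant it."""
    result: Dict[str, List[str]] = {}
    for profile, role in profiles[user].items():
        for operation, (_, write) in ROLE_PERMS[role].items():
            if write:
                result.setdefault(operation, []).append(profile)
    return result


if __name__ == "__main__":
    for login in ("todd: NetAdmin", "todd: Operations"):
        s = open_session(login, PROFILES)
        print(s.profile, "-> write Physical Network:", allowed(s, "Physical Network", "write"))
    print(reachable_writes("todd", PROFILES))
```

An access review should look at the union returned by `reachable_writes`, since the user can obtain any of those rights by logging in again under another profile.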

Summary

The second section of this certification guide begins with this chapter on Cisco cloud administration and creating users and roles. The rest of the chapters in the guide will prepare you for the CLDADM 210-455 exam. To get started on that journey, we began with covering the objective related to configuring user role-based access control in the Cisco ONE management framework.

Prior to covering these objectives, you were introduced to the management applications where the users and roles are defined. You learned about the Cisco ONE family of cloud operation applications that will be a focus of the CLDFND exam. The UCS Director was introduced as the central management application in the Cisco ONE suite. UCSD is where users and roles are defined, and you learned about the many modules included and its role in the cloud ecosystem.

With the fundamentals of UCS Director covered, you learned that there are 48 user roles that can be defined, of which 11 are default or preconfigured roles.

While it is not required for the exam to know the hundreds of object rights that are in the roles, it is important to understand that roles determine rights to perform actions in the cloud and that these rights are defined in the role profiles. The default roles are All Policy Admin, Billing Admin, Computing Admin, Group Admin, IS Admin, MSP Admin, Network Admin, Operator, Service End User, Storage Admin, and the superuser role of System Administrator. The System account can be thought of as the root account for UCS Director. New roles can be defined by the system administrator as required. It is suggested that an existing role be copied and modified to create new roles and that the default role permissions never be modified without creating a new role. Users are granted these rights by being members of the roles.

You then learned how to create single role users using the UCSD application. The steps to fill out the required and optional fields were outlined.

Next, the steps to create user groups were explained. By creating groups for specific functions and operations, the users can be placed in these groups, and then the group is assigned to the role, which eases management for large user communities.

Finally, we ended the chapter by introducing the multirole access user profile that allows users to belong to more than one role.

Exam Essentials

Understand the role of UCS Director in creating profiles for users, groups, and roles. UCSD contains the depository for users, groups, and roles. These objects can be created either locally in the application or accessed from external directories. When users log into UCSD, they will inherit the appropriate roles assigned to their accounts.

Know how to create local users using UCS Director. Review the process to create a local user in UCSD using the graphical interface. External users accessed via directory services are beyond the scope of the exam.

Understand what local groups are in UCS Director. Local groups are rights assigned to users to access and perform defined roles in UCSD.

Understand the steps required to create a local group using the GUI in UCSD. Groups are created for each specific function you may require, and then users are placed in a group. This allows for ease of administration since groups can be assigned roles. When a new user is added to a group, the user can inherit the role assigned to the group.

Know how to create a new user in a single role. Using the UCSD user administration configuration dialog, know the steps required to create a local user account.

Understand what multirole access user profiles are. The multirole access user profile allows a user to belong to more than one role and is defined in UCSD administrator users and groups.

Written Lab

Fill in the blanks for the questions provided in the written lab. You can find the answers to the written labs in Appendix B.

  1. UCS Director can support up to ________ roles with ________ predefined.

  2. ________ ________ ________ ________ is the method to allow users access to defined roles in an organization.

  3. In UCSD, ________ are assigned to ________.

  4. Users can be placed into ________ that are then assigned roles.

  5. The ________ ________ account allows for full control of UCSD.

  6. If the user is created in the UCSD users and roles application, it is considered to be ________.

  7. A user can belong to more than one role by creating ________ ________ ________ profiles.

  8. To create a new user, go to the ________ tab and select ________ ________ ________.

  9. Object read-write access is defined in the ________ configuration area.

  10. The ________ ________ ________ allows you to view and use the self-service portal.

Review Questions

The following questions are designed to test your understanding of this chapter’s material. You can find the answers to the questions in Appendix A. For more information on how to obtain additional questions, please see this book’s Introduction.

  1. What allows a user to belong to more than one role?

    1. Multirole systems admin
    2. MSP groups
    3. Multirole access user profiles
    4. Group role catalog
  2. If a user is created in UCSD, what are they considered to be?

    1. Admin
    2. Local
    3. AD
    4. LDAP
  3. A user can be placed into what container for responsibility grouping?

    1. Roles
    2. Groups
    3. MSP
    4. IT administrators
  4. What role allows orchestration to be defined between initiators and targets?

    1. IT Admins
    2. Storage Administrators
    3. Network Administrators
    4. Global Admins
  5. What role allows read-write access to all role-based objects?

    1. IT admins
    2. System Administrator
    3. All Policy Administrators
    4. Global Admins
  6. Each user account can belong to how many roles?

    1. Single
    2. Multi
    3. 4
    4. 11
  7. The UCS Director default roles offer what advantages? (Choose two.)

    1. Quick deployment times
    2. Read-write access
    3. Service catalog definitions
    4. Are predefined default roles for ease of use
  8. Which of the following is the primary application to define users for Cisco cloud administration?

    1. Prime Services
    2. Cisco ONE
    3. UCS Director
    4. Intercloud Fabric for Business
  9. UCSD supports specifically Cisco cloud, storage, compute, and networking products.

    1. True
    2. False
  10. Name two roles that allow for role creation.

    1. All policy
    2. System admin
    3. Group admin
    4. MSP admin
  11. A user can belong to more than one profile.

    1. True
    2. False
  12. Which of the following are created for each specific function in UCSD?

    1. User groups
    2. User accounts
    3. Service catalogs
    4. Local groups
  13. A user can be assigned to multiple user profiles for what reasons? (Choose two.)

    1. Requires system admin rights
    2. Requires multirole access
    3. Needs additional service catalog rights
    4. The user performs several different functions in the organization.
  14. What is optional information when creating a single role user in UCSD? (Choose three.)

    1. Address
    2. Phone number
    3. First and last names
    4. Username
    5. E-mail address
  15. What process is required to log into a secondary role in UCSD?

    1. Log in as username profile_name.
    2. No separate login is required; rights are automatically assigned.
    3. Single sign-on supports all roles.
    4. Log in as username/profile_name.
  16. What are optional fields when creating a user group? (Choose three.)

    1. Group Name
    2. E-mail Address
    3. Cost Center
    4. Phone Number
    5. Group Share Policy
  17. Users are assigned to what to gain access to services?

    1. Service catalogs
    2. Roles
    3. RBAC
    4. Access profiles
  18. Which UCSD role acts as the superuser account?

    1. All Access Administrators
    2. All Policy Administrators
    3. Systems Administrator
    4. Operator
  19. Which UCSD default role is used to allow an end user to add users?

    1. All Access Administrators
    2. Group Administrator
    3. Systems Administrator
    4. Operator
  20. Groups can be created in which two locations?

    1. Local database
    2. SQL database
    3. Directory services
    4. Service catalog