The following Understanding Cisco Cloud Administration CLDADM (210-455) Exam Objectives are covered in this chapter:
✓ 1.1 Configure users/groups and role-based access control in the portal, including basic troubleshooting
1.1.a Describe default roles
1.1.b Configure new user with single role
1.1.c Describe multirole user profiles
1.1.d Configure a user profile
CLDADM Exam 210-455 Overview
This chapter begins the second section of the CCNA Cloud Study Guide and is focused on preparing you for the second of the two exams required to become a certified CCNA Cloud professional. In the first section, you learned about cloud types and deployment models, virtualization, storage, converged networks, and more. This allowed you to gain a foundational understanding of cloud computing. The second exam has a greater focus on cloud operations and how to manage and run the day-to-day tasks that a certified CCNA Cloud professional will be responsible for when working in the field.
For the rest of the book, we will focus primarily on the Cisco ONE Enterprise Cloud suite of applications since the CLDADM 210-455 exam tests on the applications that make up the Cisco ONE product family. The following are the applications that are included in Cisco ONE:
UCS Director
Prime Service Catalog
Intercloud Fabric for Business
Virtual Application Cloud Segmentation
We will also cover the Cisco Intelligent Automation for the Cloud at a high level.
An Introduction to Cisco Cloud Administration
Cisco offers a complete suite of cloud management applications that cover all aspects of operations in a hybrid, public, community, or private cloud environment. The CCNA CLDADM 210-455 exam has a heavy focus on cloud administration using the Cisco ONE family of management applications. With the Cisco ONE centralized and integrated suite of software, maintaining cloud operations can be optimized.
You will learn about the various Cisco cloud management software products throughout the rest of this study guide and will be introduced to the Prime Service Catalog, which is a self-service portal to order cloud services and acts as a “storefront” for IT and cloud services. You will also be introduced to UCS Director (UCSD), which provides integrated infrastructure management for cloud services such as services automation, compute, storage, networking, billing, and much more. The Cisco Intercloud Fabric for Business offers hybrid cloud management and interconnection services, and the Virtual Application Container Services (VACS) is used to secure applications by applying segmentation and offers streamlined provisioning of containers and interoperability between clouds.
UCS Director
In the Cisco ONE Enterprise Cloud suite of applications, the core automation application is UCS Director, more frequently called UCSD, which was developed to provide automation in the cloud. In traditional data centers today, operations are maintained by separate administrative groups that include servers, operating systems, storage, networking, security, and often virtualization. These separate groups must work together but at the same time perform their duties apart from one another to operate a modern enterprise data center. As we have discussed throughout this book, this is very time-consuming, error-prone, and inefficient. This separation of duties into discrete operational groups is sometimes called a silo, which means each group performs a specialized duty, and there may not be very efficient communications, hand-offs, support, and troubleshooting when the groups are operating in their own world, or silo. The silo structure creates a long deployment timeline that has been overcome using automation in the cloud with applications such as UCS Director. When you remove the manual processes and implement UCSD, productivity increases, much of the complexity is removed because of the repeatable processes offered by UCSD, operations are more consistent, and, best of all, the IT staff is freed up to work on more interesting projects!
UCS Director is the application that provides on-demand delivery, cloud automation, end-to-end management, and support of the cloud infrastructure and complete management of your company’s cloud life cycle. The end result is that deployments are much faster than with the traditional silo structure of enterprise operations. The UCSD automation processes take the hardware and software configuration tasks and convert them to programmable modules. These modules are then used to create a workflow that is automated. By using the workflow approach, complete projects can be automated across all of the functional areas of cloud operations. UCSD uses an object approach, as compared to a script-based architecture, with a graphical design interface (scripting support is available if desired, though). With more than 2,000 tasks included in the UCSD release, the broad base of preconfigured objects allows for fast deployment times. The tool also includes support for versioning and allows conditionals and process loops. The Cisco APIC ACI controller integrates with UCSD and provides support for tenants, bridge domains, endpoint groups, contracts, L4-7 services, router peering, and VMM domains.
UCSD can discover and map your infrastructure, and workflows are defined to facilitate timely deployments that are mapped to company operational standards, policies, and procedures. UCSD is not specific to Cisco products; it can operate in a multivendor deployment. Since all environments are multivendor, this is a critical requirement. UCSD comes prepackaged with more than 2,000 workflows that are configured to allow for quick automation, orchestration, and deployment of common IT and cloud operational tasks. UCSD can, without APIC integration, automate and manage firewalls, servers, load balancers, virtual machines, storage, networking, and many other services by replacing manual processes with automation.
UCS Director is composed of different software modules that include an infrastructure portal for self-service ordering of IT services and resources from a “catalog” of packaged offerings. Think of this as a menu in a restaurant. The cloud administrators package offerings into a menu and publish them online in the services catalog. This “menu” is where the cloud customers order their desired services. Catalogs keep services and offerings uniform, which prevents the sprawl of products to support that would result if the offerings were not structured in a services catalog. The services offered in the catalog can be pretested and configured and can be verified to meet all corporate governance and regulatory requirements.
There is a section in UCSD dedicated to infrastructure orchestration, which defines the workflow that provisions the services ordered from the service catalog. If there are any resource limitations or constraints, another UCSD module dynamically monitors and remediates any capacity limitations. UCSD includes a monitoring application that allows for chargeback billing and resource accounting. UCSD offers the standard administration and management capabilities for cloud operations, which includes reporting modules for all aspects of your cloud consumption with reports in either graphical or spreadsheet formats. Cisco has published an open automation software development kit and sample code for developers to integrate applications with UCSD. Finally, UCSD is far from being a stand-alone application and allows for integration to many other applications.
Configure Users/Groups and Role-Based Access Control in the Portal, Including Basic Troubleshooting
This next section will focus on the exam objectives of managing users and roles. Now that you have a basic understanding of UCS Director, you will learn how to create roles, groups, and users using the application. It is important to note that UCSD supports external directory systems such as Active Directory from Microsoft. The exam focuses only on UCSD’s own local user data and not on that of any external directories.
The UCSD portal is where users are created to access all the features of the Cisco ONE cloud ecosystem. These include administrative roles, rights to the catalog to order services, and many other capabilities that will be introduced throughout the rest of this book.
When a user is created, the user can either be assigned a role or be placed in a group of users, and then the group will be assigned a role. The application allows you to create groups to meet your needs, and while there are 11 default roles, you can create additional roles as needed. Additional roles can be created or modified with the rights granted in the Group and Systems Administrator accounts.
Default Roles in UCS Director
The management of user accounts is performed using the UCS Director converged infrastructure management application. The UCSD user profiles utilize role-based access control (RBAC) that is defined as a method of allowing or restricting user access to network services based on the user’s role or location in the organization. The RBAC role grants users privileges when a user is assigned to the role. Additionally, a user can be assigned to a group, such as computing administrators, and then that user group can be assigned to a role. It is important to understand that privileges are assigned to the roles, and the users are granted rights by being a member of a role. Users do not get assigned rights directly; user rights are inherited by being a member of a role.
The UCSD user and role management architecture allows the cloud administrator great flexibility in designing access rights for any conceivable use case. Users can be granted the proper permissions for any needs they may require, such as to order services, monitor, manage, create reports, and administer billing or accounting functions in addition to any custom-created profiles.
UCS Director ships with predefined or default user roles that reduce deployment times. UCS Director can support up to 48 defined roles. There are 11 preconfigured roles that are included in the application.
Table 13.1 lists the default roles. Only one entry of the table survives here: All Policy Administrator, which manages policies and service request operations.
RBAC privileges are defined as what you are able to see and do inside of the UCS Director application based on your assigned roles and the privileges granted to that role. This defines the menu systems presented to the user. For example, the systems administrator will have access to the systems administration menu system, and the storage administrator would not be presented with this menu option. Within each role, the permissions can be customized to include basic file permissions such as read-only, write, and read-write.
Roles are stand-alone in nature, which is to say they cannot be embedded or placed inside of another role.
It is a recommended practice, when creating a new role, to copy an existing default role and use that copy as a template for your changes; it is not advised that you make any changes to the default roles themselves. With a total of 48 roles available, there should be ample capacity to create new roles instead of modifying the defaults.
Creating and Managing Users
In this section, you will learn to create and manage users in UCSD. As you learned, UCSD users either can be locally created in the application or can access an external user database such as Active Directory. We will focus exclusively on creating local users.
Creating a New User with a Single Role
In this section, you will learn how to create a new user in UCS Director and assign that user to a role. This is a basic administrator function, and all users must have an account and belong to a role to use the applications included in UCS Director.
Perform the following steps to create a new user in UCS Director:
Log into UCS Director with an account that has administrative privileges.
In the top-center drop-down menu, select Administration and then Users And Groups. The Users And Groups screen will appear.
Click the Users tab (from the top menu, second from the left).
Click the Add User icon near the top of the screen, and the Add User pop-up dialog box will appear.
Select the role for the user using the drop-down menu at the top.
Select a login name.
Enter and confirm the user password.
In the User Contact Email field, input the user’s e-mail address.
The remaining fields are optional, but it is always a good idea to complete these. Enter the user’s first and last name and the phone number. The Address field can be used for any notes or comments.
To complete the process, click the + Add icon at the bottom of the dialog box, and you will be returned to the main Users And Groups screen. This completes the steps for creating a user locally in UCS Director.
Creating Local Groups
This section demonstrates how to create a user group using UCS Director. Just as it sounds, groups are created for each specific function you may require, and then users are placed in a group. This allows for ease of administration since groups can be assigned roles. When a new user is added to a group, the user can inherit the role assigned to the group.
Perform the following steps to create a new group in UCS Director:
Log into UCS Director with an account that has administrative privileges.
In the top-center drop-down menu, select Administration and then Users And Groups. The Users And Groups screen will appear, and you will be on the User Groups screen by default; otherwise, select the top-left tab labeled User Groups.
Click the +Add icon near the top of the screen, and the Edit Group pop-up dialog box will appear.
Add a descriptive name of your choice for the new group.
Enter the group’s primary e-mail address (used for group updates and messages). All other fields are optional and include the description, code, cost center, first and last names, phone number, address, and group share policy.
To complete the process, click the Save icon at the bottom of the dialog box, and you will be returned to the main Users And Groups menu. This completes the steps for creating a group locally in UCS Director.
Notice that the group is saved as a local group. If UCSD were connected to a directory service such as Active Directory from Microsoft, it would appear as an external group.
Creating Multirole Access User Profiles
What if a user needs to be in more than one role? That is actually a common requirement, and it is often appropriate to assign a user to multiple access profiles. For example, an individual may require the management rights in the network administrator’s role to perform networking operations and also have duties as an operator. This is accomplished with multirole access profiles. Access profiles allow the user to access the resources you grant to them. UCSD allows a user to belong to multiple profiles to accomplish this requirement.
Configuring User Profiles
To create a user access profile, perform the following steps using UCSD:
Log into UCS Director with an account that has administrative privileges.
In the top-center drop-down menu, select Administration and then Users And Groups.
The Users And Groups screen will appear, and you will be on the User Groups screen by default; select the Login User tab.
Choose a user from the list.
Click Manage Profiles.
In the Manage Profile window, click + Add.
The Add Entry To Access Profiles dialog box will appear; complete the following fields:
Name: The profile name
Description: A descriptive name for the profile
Type: This is a drop-down list. Select the role type.
Customer Organizations: Select the organization this profile will belong to.
Show Resources From All Other Groups The User Has Access: This is a checkbox that allows the user to be able to access all the resources in the selected groups.
Shared Groups: Click Select to choose the groups the user profile belongs to. The user will then have access to all the rights associated with the groups you selected.
Click Submit.
If a user has multiple profiles, the profile required can be selected when logging into UCSD. When presented with the login dialog box, enter your username in the following format:
username:profilename (the username, a colon, and then the access profile name)
For example, you’d enter todd:SANAdmin and then enter your password to authenticate and gain access to that specific profile.
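To make the rules stated in “Default Roles in UCS Director” and in this section concrete, here is an added illustrative model written for this chapter; it is not UCS Director’s own code or API. It enforces that rights live only on roles (users inherit them through a role, a group’s role, or a multirole access profile), that new roles are copied from a default template and capped at 48, that roles cannot nest, and that a username:profile login selects a profile. The right strings and the names todd, SANAdmin, and storage-ops are constructed for the example.

```python
MAX_ROLES = 48  # UCS Director supports up to 48 defined roles

# The 11 default roles named in this chapter. The right strings are constructed
# placeholders of the form "area:mode", not UCSD's real privilege names.
DEFAULT_ROLES = {
    "All Policy Admin": {"policy:rw", "service_request:rw"},
    "Billing Admin": {"billing:rw"},
    "Computing Admin": {"compute:rw"},
    "Group Admin": {"group:rw", "role:rw"},
    "IS Admin": {"is:rw"},
    "MSP Admin": {"msp:rw"},
    "Network Admin": {"network:rw"},
    "Operator": {"compute:r", "network:r", "storage:r"},
    "Service End User": {"catalog:r"},
    "Storage Admin": {"storage:rw"},
    "System Administrator": {"*:rw"},
}


class RbacModel:
    """Toy model of the UCSD RBAC rules: rights are attached only to roles, and a
    user receives them via a role, via a group's role, or via a login profile."""

    def __init__(self):
        self.roles = {name: set(rights) for name, rights in DEFAULT_ROLES.items()}
        self.groups = {}   # group name -> role name
        self.users = {}    # username -> {"role", "group", "profiles"}

    def add_role(self, name, rights):
        if name in self.roles:
            raise ValueError("existing roles, defaults included, are not modified")
        if len(self.roles) >= MAX_ROLES:
            raise ValueError("role limit of %d reached" % MAX_ROLES)
        if any(r in self.roles for r in rights):
            raise ValueError("roles are stand-alone and cannot contain another role")
        self.roles[name] = set(rights)

    def copy_role(self, template, name, add=(), drop=()):
        # Recommended practice: derive a new role from a default role used as a template.
        self.add_role(name, (self.roles[template] - set(drop)) | set(add))

    def add_group(self, name, role):
        self.groups[name] = self._known_role(role)

    def add_user(self, username, role=None, group=None):
        # A user is either assigned a role directly or placed in a group carrying a role.
        if (role is None) == (group is None):
            raise ValueError("assign exactly one of role or group")
        if group is not None and group not in self.groups:
            raise KeyError("unknown group: " + group)
        self.users[username] = {"role": role and self._known_role(role),
                                "group": group, "profiles": {}}

    def add_profile(self, username, profile, role):
        # Multirole access profile: an additional role the user selects at login.
        self.users[username]["profiles"][profile] = self._known_role(role)

    def effective_rights(self, login):
        # Login is "username" or "username:profile", e.g. "todd:SANAdmin".
        username, _, profile = login.partition(":")
        user = self.users[username]
        if profile:
            role = user["profiles"][profile]
        elif user["role"]:
            role = user["role"]
        else:
            role = self.groups[user["group"]]
        return frozenset(self.roles[role])

    def can(self, login, area, mode):
        # Mode "r" is satisfied by "r" or "rw"; area "*" matches every area.
        return any(a in (area, "*") and mode in m
                   for a, m in (r.split(":") for r in self.effective_rights(login)))

    def _known_role(self, role):
        if role not in self.roles:
            raise KeyError("unknown role: " + role)
        return role
```

Logging in as todd:SANAdmin yields the rights of the role behind the SANAdmin profile rather than todd’s primary role, which is the behaviour the login format above describes.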
Summary
The second section of this certification guide begins with this chapter on Cisco cloud administration and creating users and roles. The rest of the chapters in the guide will prepare you for the CLDADM 210-455 exam. To get started on that journey, we began with covering the objective related to configuring user role-based access control in the Cisco ONE management framework.
Prior to covering these objectives, you were introduced to the management applications where the users and roles are defined. You learned about the Cisco ONE family of cloud operation applications that will be a focus of the CLDADM exam. UCS Director was introduced as the central management application in the Cisco ONE suite. UCSD is where users and roles are defined, and you learned about the many modules included and its role in the cloud ecosystem.
With the fundamentals of UCS Director covered, you learned that there are 48 user roles that can be defined, of which 11 are default or preconfigured roles.
While it is not required for the exam to know the hundreds of objects rights that are in the roles, it is important to understand that roles determine rights to perform actions in the cloud and that these rights are defined in the role profiles. The default roles are All Policy Admin, Billing Admin, Computing Admin, Group Admin, IS Admin, MSP Admin, Network Admin, Operator, Service End User, Storage Admin, and the superuser role of System Administrator. The System account can be thought of as the root account for UCS Director. New roles can be defined by the system administrator as required. It is suggested that an existing role be copied and modified to create new roles but to never modify the default role permissions without creating a new role. Users are granted these rights by being members of the roles.
You then learned how to create single role users using the UCSD application. The steps to fill out the required and optional fields were outlined.
Next, the steps to create user groups were explained. By creating groups for specific functions and operations, users can be placed in these groups, and the group is then assigned to a role, which eases management for large user communities.
Finally, we ended the chapter by introducing the multirole access user profile that allows users to belong to more than one role.
Exam Essentials
Understand the role of UCS Director in creating profiles for users, groups, and roles. UCSD contains the repository for users, groups, and roles. These objects can be created either locally in the application or accessed from external directories. When users log into UCSD, they will inherit the appropriate roles assigned to their accounts.
Know how to create local users using UCS Director. Review the process to create a local user in UCSD using the graphical interface. External users accessed via directory services are beyond the scope of the exam.
Understand what local groups are in UCS Director. Local groups are collections of users defined in UCSD; a role is assigned to the group, and its members gain the rights to access and perform the functions defined in that role.
Understand the steps required to create a local group using the GUI in UCSD. Groups are created for each specific function you may require, and then users are placed in a group. This allows for ease of administration since groups can be assigned roles. When a new user is added to a group, the user can inherit the role assigned to the group.
Know how to create a new user in a single role. Using the UCSD user administration configuration dialog, know the steps required to create a local user account.
Understand what multirole access user profiles are. The multirole access user profile allows a user to belong to more than one role and is defined in UCSD administrator users and groups.
Written Lab
Fill in the blanks for the questions provided in the written lab. You can find the answers to the written labs in Appendix B.
UCS Director can support up to ________ roles with ________ predefined.
________ ________ ________ ________ is the method to allow users access to defined roles in an organization.
In UCSD, ________ are assigned to ________.
Users can be placed into ________ that are then assigned roles.
The ________ ________ account allows for full control of UCSD.
If the user is created in the UCSD users and roles application, it is considered to be ________.
A user can belong to more than one role by creating ________ ________ ________ profiles.
To create a new user, go to the ________ tab and select ________ ________ ________.
Object read-write access is defined in the ________ configuration area.
The ________ ________ ________ allows you to view and use the self-service portal.
Review Questions
The following questions are designed to test your understanding of this chapter’s material. You can find the answers to the questions in Appendix A. For more information on how to obtain additional questions, please see this book’s Introduction.
What allows a user to belong to more than one role?
Multirole systems admin
MSP groups
Multirole access user profiles
Group role catalog
If a user is created in UCSD, what are they considered to be?
Admin
Local
AD
LDAP
A user can be placed into what container for responsibility grouping?
Roles
Groups
MSP
IT administrators
What role allows orchestration to be defined between initiators and targets?
IT Admins
Storage Administrators
Network Administrators
Global Admins
What role allows read-write access to all role-based objects?
IT admins
System Administrator
All Policy Administrators
Global Admins
Each user account can belong to how many roles?
Single
Multi
4
11
The UCS Director default roles offer what advantages? (Choose two.)
Quick deployment times
Read-write access
Service catalog definitions
Are predefined default roles for ease of use
Which of the following is the primary application to define users for Cisco cloud administration?
Prime Services
Cisco ONE
UCS Director
Intercloud Fabric for Business
UCSD supports specifically Cisco cloud, storage, compute, and networking products.
True
False
Name two roles that allow for role creation.
All policy
System admin
Group admin
MSP admin
A user can belong to more than one profile.
True
False
What of the following are created for each specific function in UCSD?
User groups
User accounts
Service catalogs
Local groups
A user can be assigned to multiple user profiles for what reasons? (Choose two.)
Requires system admin rights
Requires multirole access
Needs additional service catalog rights
The user performs several different functions in the organization.
What is optional information when creating a single role user in UCSD? (Choose three.)
Address
Phone number
First and last names
Username
E-mail address
What process is required to log into a secondary role in UCSD?
Log in as username profile_name.
No separate login is required; rights are automatically assigned.
Single-sign on supports all roles.
Log in as username/profile_name.
What are optional fields when creating a user group? (Choose three.)
Group Name
E-mail Address
Cost Center
Phone Number
Group Share Policy
Users are assigned to what to gain access to services?
Service catalogs
Roles
RBAC
Access profiles
Which UCSD role acts as the superuser account?
All Access Administrators
All Policy Administrators
Systems Administrator
Operator
Which UCSD default role is used to allow an end user to add users?