Skip to main content
Converged Systems Advisor

Create accounts for FlexPod devices

Contributors netapp-thomi netapp-rlithman

Create a read-only account for Cisco UCS Manager

  1. Log in to Cisco UCS Manager.

  2. Create a locally authenticated user named csa-readonly.

    Tip All new users are read-only by default.

Create a read-only account for Nexus switches

  1. Log in to each Nexus switch using SSH or Telnet.

  2. Enter global configuration mode:

     configure terminal
    .. Create a new user:
     username [name] password [password] role network-operator
    .. Save the configuration:
    copy running configuration startup configuration

If you are using a TACACS+ server and you need to grant CSA user privileges, go to Granting CSA user privileges using a TACACS+ server.

Create an admin account for ONTAP

  1. Log in to OnCommand System Manager and click the settings icon:

    The settings icon in System Manager..

  2. On the Users page, click Add.

  3. Enter a user name and password and add ssh, ontapi and console as user login methods with admin access.

    Shows the Add User screen in System Manager

Create a read-only account for VMware

  1. Log in to vCenter.

  2. In the vCenter menu, choose Administration.

  3. Under roles, choose Read-only.

  4. Click the icon for Clone role action and change the name to CSA.

  5. Select the newly created CSA role.

  6. Click the Edit role icon.

  7. Under Edit role, choose Global and then check Licenses.

  8. On the sidebar, select Single sign on→Users and groups→Create a new user.

  9. Name the new user CSARO under DOMAIN vpshere.local.

  10. On the sidebar, select Global Permissions under Access Control.

  11. Choose the user CSARO and assign ROLE CSA.

  12. Log in to the Web Client.

    Use user ID: CSARO@vsphere.local and previously created password.

Create a read-only account on the APIC

  1. Click Admin.

  2. Click Create new local users.

  3. Under User Identity, enter the user information.

  4. Under Security select all security domain options.

  5. Click + to add user certificates and SSH keys if needed.

  6. Click Next.

  7. Click + to add roles for your domain.

  8. Select the Role Name from the dropdown menu.

  9. Select Read for the Role Privilege Type.

  10. Click Finish.

Grant CSA user privileges using a TACACS+ server

If you are using a TACACS+ server and you need to grant CSA user privileges for your switches, you should create a user privilege group and grant the group access to the specific setup commands needed by CSA.

The following commands should be written into the configuration file for your TACACS+ server.

  1. Enter the following to create a user privilege group with read-only access:

  group=group_name {
    default service=deny
  1. Enter the following to grant access to commands needed by CSA:

  cmd=show {
    permit "environment"
    permit "version"
    permit "feature"
    permit "feature-set"
    permit hardware.*
    permit "interface"
    permit "interface"
    permit "interface transceiver"
    permit "inventory"
    permit "license"
    permit "module"
    permit "port-channel database"
    permit "ntp peers"
    permit "license usage"
    permit "port-channel summary"
    permit "running-config"
    permit "startup-config"
    permit "running-config diff"
    permit "switchname"
    permit "int mgmt0"
    permit "cdp neighbors detail"
    permit "vlan"
    permit "vpc"
    permit "vpc peer-keepalive"
    permit "mac address-table"
    permit "lacp port-channel"
    permit "policy-map"
    permit "policy-map system type qos"
    permit "policy-map system type queuing"
    permit "policy-map system type network-qos"
    permit "zoneset active"
    permit "san-port-channel summary"
    permit "flogi database"
    permit "fcns database detail"
    permit "fcns database detail"
    permit "zoneset active"
    permit "vsan"
    permit "vsan usage"
    permit "vsan membership"
  1. Enter the following to add your CSA user account to the newly created group: