
Commands and user authority

Some CMM CLI commands can be executed only by users who are assigned a required level of authority.

Users are assigned authority levels according to user permission groups that are set up for the CMM.

Users with Supervisor command authority can execute all commands. Commands that display information do not require any special command authority; however, users can be assigned restricted read-only access, as follows:

  • Users with Operator command authority can execute all commands that display information.
  • Users with Chassis Operator custom command authority can execute commands that display information about the common Flex System chassis components.
  • Users with Blade Operator custom command authority can execute commands that display information about the node devices, such as compute nodes.
  • Users with Switch Operator custom command authority can execute commands that display information about the I/O modules.
Table 1 shows the command-line interface commands and their required authority levels. To use the table, observe the following guidelines:
  • The commands in this table apply only to the command variants that set values or cause an action and require a special command authority: display variants of the commands do not require any special command authority.
  • If a command requires only one command authority at a time, each of the applicable command authorities is indicated by a dot (·). If a command requires a combination of two or more command authorities, the applicable command authorities are indicated by a . For example, the cin command is available to a user with the Supervisor command authority and to a user with both the Chassis Account Management and Chassis Configuration command authorities.
Important
Users and permission groups for the Flex System chassis are controlled by the CMM in each chassis, using the CMM CLI users command and the permgroups command or the CMM web interface. If your Flex System configuration includes the optional Lenovo XClarity Administrator or Flex System Manager management node, users and permission groups for each optional management device are controlled by the optional management software (see the Lenovo XClarity Administrator information page for information about the Lenovo XClarity Administrator, or the Flex System Manager documentation for information about the Flex System Manager).
Note
  1. LDAP authority levels are not supported by the CMM web interface. If you enable the enhanced role-based security using the CMM web interface, you must configure the external LDAP server using an LDAP snap-in tool that is available for Microsoft Windows operating systems.
  2. To use the LDAP authority levels, you must make sure that the version of LDAP security that is used by the CMM is set to v2 (enhanced role-based security model). See the ldapcfg command for information.
Table 1. Command authority relationships.

The command authority relationship table is a multi-row, multi-column complex table where each row lists the command authorities needed to run a CMM CLI command option. Column one lists the command option and columns two through eleven indicate the command authorities. Required command authorities are indicated by a symbol placed in the appropriate column, with special symbols denoting multiple authority dependencies. Symbols used are explained in the text preceding the table.

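| Command | Supervisor | Chassis Account Management | Chassis Log Management | Chassis Administration | Chassis Configuration | Blade Administration | Blade Configuration | Blade Remote Presence | I/O Module Administration | I/O Module Configuration |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| accesscontrol | · | · | · | · | · | · | · | · | · | · |
| accseccfg | · | | | | · | | | | | |
| advfailover | · | | | | · | | | | | |
| airfilter | · | · | · | · | · | | | | | |
| alarm (system, CMM, power supply, or blower target) | · | | | | · | | | | | |
| alarm (compute node target) | · | | | | | | · | | | |
| alarm (I/O module target) | · | | | | | | | | | · |
| alertcfg | · | | | | · | | | | | |
| alertentries | · | · | · | · | · | | | | | |
| baydata | · | | | | | | · | | | |
| bootmode | · | | | | | | · | | | |
| chconfig | · | | | | · | | | | | |
| chlog | · | | | | · | | | | | |
| chmanual | · | · | · | · | · | · | · | · | · | · |
| cimsub | · | | | | · | | | | | |
| cin | · | | | | | | | | | |
| clear | · | | | | | | | | | |
| clearlog | · | | · | | | | | | | |
| config (compute node target) | · | | | | | | · | | | |
| config (CMM or system target) | · | | | | · | | | | | |
| console | · | | | | | | | · | | |
| crypto | · | | | | · | | | | | |
| date | · | | | | · | | | | | |
| dns | · | | | | · | | | | | |
| events -che | · | · | · | · | · | · | · | · | · | · |
| events -che -add -rm | · | | | | · | | | | | |
| files -d | · | | | · | · | · | · | | · | · |
| fsmcm | · | · | | | | | | | | |
| fuelg | · | | | | · | | | | | |
| groups | · | | | | · | | | | | |
| ifconfig (compute node target) | · | | | | | | · | | | |
| ifconfig (compute node ISMP, CMM, and system targets) | · | | | | · | | | | | |
| ifconfig (I/O module target) | · | | | | | | | | | · |
| ifconfig -pip (I/O module target) | · | | | | | | | | · | · |
| ldapcfg | · | | | | · | | | | | |
| led -info, -loc (system target) | · | | | · | | | | | | |
| led -info, -loc (compute node target) | · | | | | | · | | | | |
| led -loc (I/O module target) | · | | | | | | | | · | |
| monalerts | · | | | | · | | | | | |
| ntp | · | | | | · | | | | | |
| permgroups | · | | · | | | | | | | |
| pmpolicy | · | | | | · | | | | | |
| portcfg | · | | | | · | | | | | |
| ports | · | | | | · | | | | | |
| ports (I/O module target) | | | | | | | | | | · |
| power -on, -off, -softoff, -cycle | · | | | | | · | | | · | |
| power -on -c, -cycle -c | · | | | | | | | | | |
| power -ap, -aux, -d | · | | | | · | | · | | | |
| power -local, -wol | · | | | | | | · | | | |
| pwrprofile | · | · | · | · | · | | | | | |
| read (see note 1) | · | | | | · | | | | | |
| reset (compute node or ISMP target) | · | | | | | · | | | | |
| reset (I/O module target) | · | | | | | | | | · | |
| reset (CMM target) | · | | | · | | | | | | |
| reset -c, -sft, (compute node target) | · | | | | | | | | | |
| reset -exd, -full, -std (I/O module target) | · | | | | | | | | · | |
| reset -f, -standby (CMM target) | · | | | · | | | | | | |
| sddump | · | | | | | · | | | | |
| sdemail | · | · | · | · | · | · | · | · | · | · |
| security | · | | | | · | | | | | |
| service (CMM target) | · | | | · | · | | | | | |
| service (compute node or storage node target) | · | | | | | · | · | | | |
| service (compute node system-management processor target) | · | | | | | | · | | | |
| service (I/O module target) | · | | | | | | | | · | |
| smtp | · | | | | · | | | | | |
| snmp | · | | | | · | | | | | |
| sol | · | | | | · | | · | | | |
| sshcfg | · | | | | · | | | | | |
| sslcfg | · | | | | · | | | | | |
| syslog | · | · | · | · | · | | | | | |
| tcpcmdmode | · | | | | · | | | | | |
| trespass | · | | | | · | | | | | |
| uicfg | · | | | | · | | | | | |
| update (CMM target) | · | | | · | | | | | | |
| update (I/O module target) | · | | | | | | | | · | |
| uplink | · | | | | · | | | | | |
| users | · | · | | | | | | | | |
| vlan (CMM target) | · | | | | · | | | | | |
| vlan (system target) | · | | | | | | · | | | |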
Note
  1. To successfully restore all settings, a user running the read command must have permission to modify any settings controlled by individual commands in the configuration being restored.
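
The following is an added example, not Lenovo code: it models a few rows of Table 1 to show how a permission group can be audited for least privilege, including the cin combination described in the guidelines above the table. The function names and the sample permission group are assumptions made for illustration.

```python
# Added illustration: a few rows of Table 1 modelled as "any one alternative
# suffices; an alternative listing several authorities needs all of them".
SUP = "Supervisor"
ACCT = "Chassis Account Management"
LOG = "Chassis Log Management"
CFG = "Chassis Configuration"
BLADE_CFG = "Blade Configuration"
BLADE_RP = "Blade Remote Presence"

def any_of(*authorities):
    """Each listed authority is sufficient on its own (a dot in the table)."""
    return [frozenset([a]) for a in authorities]

# Rows copied from Table 1 (set/action variants only). The cin combination
# comes from the worked example in the guidelines above the table.
REQUIRED = {
    "accseccfg": any_of(SUP, CFG),
    "cin": any_of(SUP) + [frozenset([ACCT, CFG])],
    "clearlog": any_of(SUP, LOG),
    "console": any_of(SUP, BLADE_RP),
    "date": any_of(SUP, CFG),
    "ldapcfg": any_of(SUP, CFG),
    "sol": any_of(SUP, CFG, BLADE_CFG),
    "sslcfg": any_of(SUP, CFG),
    "users": any_of(SUP, ACCT),
}

def can_run(granted, command):
    """True if the granted authorities satisfy at least one alternative."""
    granted = frozenset(granted)
    return any(alt <= granted for alt in REQUIRED[command])

def excess_commands(granted, intended):
    """Commands the group can run beyond the ones it was created for."""
    return sorted(c for c in REQUIRED if can_run(granted, c) and c not in intended)

def missing_commands(granted, intended):
    """Intended commands the group still cannot run."""
    return sorted(c for c in intended if not can_run(granted, c))

if __name__ == "__main__":
    # Constructed permission group: meant only to set the clock and clear logs.
    group = {CFG, LOG}
    print("excess:", excess_commands(group, {"date", "clearlog"}))
    print("cin with CFG only:", can_run({CFG}, "cin"))
    print("cin with ACCT+CFG:", can_run({ACCT, CFG}, "cin"))
```

Granting Chassis Configuration just to set the date also unlocks accseccfg, ldapcfg, sol and sslcfg in this subset, which is the kind of over-grant the audit surfaces.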