Command RBAC permissions and AD types
Two RBAC roles are permitted to perform Encryption operations.
• Admin and SecurityAdmin
  Users authenticated with the Admin and SecurityAdmin RBAC roles may perform cryptographic functions assigned to the FIPS Crypto Officer, including the following:
  • Perform encryption node initialization.
  • Enable cryptographic operations.
  • Manage I/O functions for critical security parameters (CSPs).
  • Zeroize encryption CSPs.
  • Register and configure a key vault.
  • Configure a recovery share policy.
  • Create and register recovery share.
  • Perform encryption group- and clustering-related operations.
  • Manage keys, including creation, recovery, and archive functions.
• Admin and FabricAdmin
  Users authenticated with the Admin and FabricAdmin RBAC roles may perform routine Encryption Switch management functions, including the following:
  • Configure virtual devices and crypto LUNs.
  • Configure LUN and tape associations.
  • Perform re-keying operations.
  • Perform firmware download.
  • Perform regular Fabric OS management functions.

See Table 4 for the RBAC permissions when using the encryption configuration commands.

TABLE 4 Encryption command RBAC availability and admin domain type

Command name        User  Admin  Operator  Switch Admin  Zone Admin  Fabric Admin  Basic Switch Admin  Security Admin  Admin Domain
addmembernode       N     OM     N         N             N           O             N                   OM              Disallowed
addhaclustermember  N     OM     N         N             N           OM            N                   O               Disallowed
addinitiator        N     OM     N         N             N           OM            N                   O               Disallowed
addLUN              N     OM     N         N             N           OM            N                   O               Disallowed
commit              N     OM     N         N             N           OM            N                   O               Disallowed
create --container  N     OM     N         N             N           OM            N                   O               Disallowed
create --encgroup   N     OM     N         N             N           O             N                   OM              Disallowed
create --hacluster  N     OM     N         N             N           OM            N                   O               Disallowed
create --tapepool   N     OM     N         N             N           OM            N                   O               Disallowed

Fabric OS Encryption Administrator's Guide
53-1002159-03