Table of Contents
Advertisement
Chapter 26
Configuring Users and Common Roles
S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m .
Command
Step 3
switch(config-role)# rule 1 permit config
switch(config-role)# rule 2 deny config
feature fspf
switch(config-role)# rule 3 permit debug
feature zone
switch(config-role)# rule 4 permit exec
feature fcping
Step 4
switch(config-role)# no rule 4
In Step 3, rule 1 is applied first, thus permitting sangroup users access to all config commands. Rule 2
is applied next, denying FSPF configuration to sangroup users. As a result, sangroup users can perform
all other config commands, except fspf configuration commands.
The order of rule placement is important. If you had swapped these two rules and issued the deny config
Note
feature fspf rule first and issued the permit config rule next, you would be allowing all sangroup users
to perform all configuration commands because the second rule globally overrode the first rule.
Configuring the VSAN Policy
Configuring the VSAN policy requires the ENTERPRISE_PKG license (see
Installing
You can configure a role so that it only allows tasks to be performed for a selected set of VSANs. By
default, the VSAN policy for any role is permit, which allows tasks to be performed for all VSANs. You
can configure a role that only allows tasks to be performed for a selected set of VSANs. To selectively
allow VSANs for a role, set the VSAN policy to deny, and then set the configuration to permit or the
appropriate VSANs.
Users configured in roles where the VSAN policy is set to deny cannot modify the configuration for E
Note
ports. They can only modify the configuration for F or FL ports (depending on whether the configured
rules allow such configuration to be made). This is to prevent such users from modifying configurations
that may impact the core topology of the fabric.
Roles can be used to create VSAN administrators. Depending on the configured rules, these VSAN
Tip
administrators can configure MDS features (for example, zone, fcdomain, or VSAN properties) for their
VSANs without affecting other VSANs. Also, if the role permits operations in multiple VSANs, then the
VSAN administrators can change VSAN membership of F or FL ports among these VSANs.
Users belonging to roles in which the VSAN policy is set to deny are referred to as VSAN-restricted
users. These users cannot perform commands that require the startup configuration to be viewed or
modified.
These commands include the copy running-config startup-config, show startup-config, show
running-config diff, and copy startup-config running-config commands. For information on these
commands, see
OL-6973-03, Cisco MDS SAN-OS Release 2.x
Licenses").
Chapter 2, "Before You Begin."
Purpose
Allows users belonging to the sangroup role to
perform all configuration commands except fspf
config commands. They can also perform zone debug
commands and the fcping EXEC mode command.
Deletes rule 4, which no longer permits the sangroup
to perform the fcping command.
Cisco MDS 9000 Family Configuration Guide
Role-Based Authorization
Chapter 3, "Obtaining and
26-3
Advertisement
Table of Contents
