Managing User Accounts; User Accounts Overview; Role-Based Access Control (RBAC) - HP A7533A - Brocade 4Gb SAN Switch Base Administrator's Manual

HP StorageWorks Fabric OS 6.2 administrator guide (5697-0016, May 2009)

2 Managing user accounts

This chapter provides information and procedures on managing authentication and user accounts for the
switch management channel.

User accounts overview

In addition to the default accounts—root, factory, admin, and user—Fabric OS supports up to 252
additional user-defined accounts in each Logical Switch (domain). These accounts expand your ability to
track account access and audit administrative activities.

Each user-defined account is associated with the following:
- Admin Domain list, which specifies the Administrative Domains a user account is allowed to log in to.
- Home Admin Domain, which specifies the Admin Domain that the user is logged in to by default. The
  home Admin Domain must be a member of the user's Admin Domain list.
- Virtual Fabric list, which specifies the Virtual Fabric a user account is allowed to log in to.
- Home Virtual Fabric, which specifies the Virtual Fabric that the user is logged in to by default. The home
  Virtual Fabric must be a member of the user's Virtual Fabric list.
- Role, which determines functional access levels within the bounds of the user's current Admin Domain.

NOTE: Admin Domain permissions and Virtual Fabric permissions are mutually exclusive when setting up
user accounts. You will need to set up different user accounts for each feature.
For more information about Admin Domains, see Chapter 7, "Managing administrative domains" on
page 191.
For more information about Virtual Fabrics, see Chapter 6, "Managing virtual fabrics" on page 173.

Fabric OS provides three options for authenticating users—remote RADIUS services, remote LDAP service,
and the local switch user database. All options allow users to be centrally managed using the following
methods:
- Remote RADIUS server: Users are managed in a remote RADIUS server. All switches in the fabric can be
  configured to authenticate against the centralized remote database.
- Remote LDAP server: Users are managed in a remote LDAP server. All switches in the fabric can be
  configured to authenticate against the centralized remote database.
- Local user database: Users are managed using the local user database. The local user database is
  manually synchronized using the distribute command to push a copy of the switch's local user
  database to all other Fabric OS 5.3.0 and later switches in the fabric.
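
The per-account constraints listed under "User accounts overview" (home Admin Domain within the Admin Domain list, home Virtual Fabric within the Virtual Fabric list, separate accounts for the two features, and the limit of 252 user-defined accounts) can be checked offline against an account inventory. The Python code below is an added example, not part of the HP guide or Fabric OS; the inventory layout, account names, IDs and role names are assumptions constructed for illustration.

```python
# Added example: audit a constructed account inventory against the
# constraints stated in "User accounts overview". The dict layout is an
# assumption for illustration, not a Fabric OS export format.
DEFAULT_ACCOUNTS = {"root", "factory", "admin", "user"}
MAX_USER_DEFINED = 252  # per Logical Switch (domain), per the guide


def audit_accounts(accounts):
    """Return a sorted list of (account_name, finding) tuples."""
    findings = []
    user_defined = [a for a in accounts if a["name"] not in DEFAULT_ACCOUNTS]
    if len(user_defined) > MAX_USER_DEFINED:
        findings.append(("*", f"{len(user_defined)} user-defined accounts exceeds {MAX_USER_DEFINED}"))
    for acct in user_defined:
        name = acct["name"]
        ad_list, vf_list = acct.get("ad_list", []), acct.get("vf_list", [])
        home_ad, home_vf = acct.get("home_ad"), acct.get("home_vf")
        uses_ad = bool(ad_list) or home_ad is not None
        uses_vf = bool(vf_list) or home_vf is not None
        # Admin Domain and Virtual Fabric permissions need separate accounts.
        if uses_ad and uses_vf:
            findings.append((name, "mixes Admin Domain and Virtual Fabric permissions"))
        # The home Admin Domain must be a member of the Admin Domain list.
        if uses_ad and home_ad not in ad_list:
            findings.append((name, f"home Admin Domain {home_ad} not in Admin Domain list"))
        # The home Virtual Fabric must be a member of the Virtual Fabric list.
        if uses_vf and home_vf not in vf_list:
            findings.append((name, f"home Virtual Fabric {home_vf} not in Virtual Fabric list"))
        # Every user-defined account is associated with a role.
        if not acct.get("role"):
            findings.append((name, "no role assigned"))
    return sorted(findings)


# Constructed sample inventory (names, IDs and roles are made up).
SAMPLE = [
    {"name": "admin", "role": "admin", "ad_list": [0], "home_ad": 0},
    {"name": "ops1", "role": "operator", "ad_list": [1, 2], "home_ad": 1},
    {"name": "ops2", "role": "operator", "ad_list": [1, 2], "home_ad": 5},
    {"name": "vfadm", "role": "admin", "vf_list": [10, 20], "home_vf": 30},
    {"name": "mixed", "role": "admin", "ad_list": [1], "home_ad": 1,
     "vf_list": [10], "home_vf": 10},
]

if __name__ == "__main__":
    for name, finding in audit_accounts(SAMPLE):
        print(f"{name}: {finding}")
```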

Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC) defines the capabilities that a user account has based on the role the
account has been assigned. For each role, there is a set of predefined permissions for the jobs and tasks
that can be performed on a fabric and its associated fabric elements. Fabric OS 6.1.0 and later uses RBAC
to determine which commands a user can enter.
When you log in to a switch, your user account is associated with a predefined role. The role that your
account is associated with determines the level of access you have on that switch and in the fabric. The
chassis-role permission is not a role like the other role types, but a permission that is applied to a user
