Modifying the VSAN Policy; About Rules and Features for Each Role - Cisco AP775A - Nexus Converged Network Switch 5010 Configuration Manual

Fabric manager configuration guide, release 4.x

Role-Based Authorization
You can configure a role so that it only allows tasks to be performed for a selected set of VSANs. By
default, the VSAN policy for any role is permit, which allows tasks to be performed for all VSANs. To
selectively allow VSANs for a role, set the VSAN policy to deny, and then set the configuration to
permit for the appropriate VSANs.
Note: Users configured in roles where the VSAN policy is set to deny cannot modify the configuration for E
ports. They can only modify the configuration for F or FL ports (depending on whether the configured
rules allow such configuration to be made). This is to prevent such users from modifying configurations
that may impact the core topology of the fabric.
Tip: Roles can be used to create VSAN administrators. Depending on the configured rules, these VSAN
administrators can configure MDS features (for example, zone, fcdomain, or VSAN properties) for their
VSANs without affecting other VSANs. Also, if the role permits operations in multiple VSANs, then the
VSAN administrators can change VSAN membership of F or FL ports among these VSANs.
Users belonging to roles in which the VSAN policy is set to deny are referred to as VSAN-restricted
users.

Modifying the VSAN Policy

To modify the VSAN policy for an existing role using Fabric Manager, follow these steps:
Step 1  Expand Switches > Security and then select Users and Roles from the Physical Attributes pane. Click
the Roles tab in the Information pane.
Step 2  Check the Scope Enable check box if you want to enable the VSAN scope and restrict this role to a
subset of VSANs.
Step 3  Enter the list of VSANs in the Scope VSAN Id List field that you want to restrict this role to.
Step 4  Click Apply Changes to save these changes or click Undo Changes to discard any unsaved changes.

About Rules and Features for Each Role

Up to 16 rules can be configured for each role. These rules reflect what CLI commands are allowed. The
user-specified rule number determines the order in which the rules are applied. For example, rule 1 is
applied before rule 2, which is applied before rule 3, and so on. A user not belonging to the
network-admin role cannot perform commands related to roles.
For example, if user A is permitted to perform all show CLI commands, user A cannot view the output
of the show role CLI command if user A does not belong to the network-admin role.
A rule specifies operations that can be performed by a specific role. Each rule consists of a rule number,
a rule type (permit or deny), a CLI command type (for example, config, clear, show, exec, debug), and
an optional feature name (for example, FSPF, zone, VSAN, fcping, or interface).
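
The VSAN policy and the rule ordering described on this page can be checked against a small model before a role is rolled out. The Python below is an added example, not Cisco code or Fabric Manager's implementation. It assumes that a later matching rule overrides an earlier one, that nothing is allowed until a rule permits it, and that role-related commands carry a hypothetical feature name `role`; `Rule`, `Role`, `is_allowed` and the `sangroup` sample are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

MAX_RULES = 16  # per-role limit stated on this page

@dataclass(frozen=True)
class Rule:
    number: int                    # user-specified; sets the order of application
    action: str                    # "permit" or "deny"
    cmd_type: str                  # config, clear, show, exec, debug
    feature: Optional[str] = None  # optional feature name; None covers every feature

@dataclass
class Role:
    name: str
    rules: list
    vsan_policy: str = "permit"    # default policy: tasks allowed in all VSANs
    permitted_vsans: set = field(default_factory=set)  # consulted when policy is "deny"

    def __post_init__(self):
        if len(self.rules) > MAX_RULES:
            raise ValueError("a role takes at most 16 rules")

def is_allowed(role, cmd_type, feature=None, vsan=None, port_mode=None):
    # Role-related commands are reserved for network-admin, whatever the rules say.
    if feature == "role" and role.name != "network-admin":
        return False
    if role.vsan_policy == "deny":  # VSAN-restricted user
        if cmd_type == "config" and port_mode == "E":
            return False            # E ports are off limits; F/FL depend on the rules
        if vsan is not None and vsan not in role.permitted_vsans:
            return False
    verdict = False                 # assumption: no matching rule means not allowed
    for rule in sorted(role.rules, key=lambda r: r.number):
        if rule.cmd_type == cmd_type and rule.feature in (None, feature):
            verdict = rule.action == "permit"  # assumption: later rule overrides earlier
    return verdict

# Constructed sample role: a VSAN administrator limited to VSANs 10-12.
SANGROUP = Role("sangroup", [Rule(2, "deny", "config", "fspf"),
                             Rule(1, "permit", "config"),
                             Rule(3, "permit", "show")],
                vsan_policy="deny", permitted_vsans={10, 11, 12})

if __name__ == "__main__":
    for args in [("config", "zone", 10), ("config", "fspf", 10), ("config", "zone", 20)]:
        print(args, is_allowed(SANGROUP, *args))
```

Because the rules are sorted by number before evaluation, the order in which they are entered does not matter, only the numbers they are given.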
Cisco MDS 9000 Family Fabric Manager Configuration Guide, Chapter 39: Configuring Users and Common Roles
OL-17256-03, Cisco MDS NX-OS Release 4.x
