Configuring Users and Common Roles
S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m
The rule command specifies operations that can be performed by a specific role. Each rule consists of a
rule number, a rule type (permit or deny), a command type (for example, config, clear, show, exec,
debug), and an optional feature name (for example, FSPF, zone, VSAN, fcping, or interface).
In this case, exec commands refer to all commands in the EXEC mode that do not fall in the show,
debug, and clear command categories.
To modify the profile for an existing role, follow these steps:
switch# config t
switch(config)# role name sangroup
switch(config-role)# rule 1 permit config
switch(config-role)# rule 2 deny config
switch(config-role)# rule 3 permit debug
switch(config-role)# rule 4 permit exec
switch(config-role)# no rule 4
In Step 3, rule 1 is applied first, thus permitting sangroup users access to all config commands. Rule 2
is applied next, denying FSPF configuration to sangroup users. As a result, sangroup users can perform
all other config commands, except fspf configuration commands.
The order of rule placement is important. If you had swapped these two rules and issued the deny config
feature fspf rule first and issued the permit config rule next, you would be allowing all sangroup users
to perform all configuration commands because the second rule globally overrode the first rule.
Configuring the VSAN Policy
Configuring the VSAN policy requires the ENTERPRISE_PKG license (see
You can configure a role so that it only allows tasks to be performed for a selected set of VSANs. By
default, the VSAN policy for any role is permit, which allows tasks to be performed for all VSANs. You
can configure a role that only allows tasks to be performed for a selected set of VSANs. To selectively
allow VSANs for a role, set the VSAN policy to deny, and then set the configuration to permit or the
Users configured in roles where the VSAN policy is set to deny cannot modify the configuration for E
ports. They can only modify the configuration for F or FL ports (depending on whether the configured
rules allow such configuration to be made). This is to prevent such users from modifying configurations
that may impact the core topology of the fabric.
OL-16184-01, Cisco MDS SAN-OS Release 3.x
Enters configuration mode.
Places you in role configuration submode for the
existing role sangroup.
Allows users belonging to the sangroup role to
perform all configuration commands except fspf
config commands. They can also perform zone debug
commands and the fcping EXEC mode command.
Deletes rule 4, which no longer permits the sangroup
to perform the fcping command.
Cisco MDS 9000 Family CLI Configuration Guide
Chapter 3, "Obtaining and