Understanding Admin Domain Restrictions; Determining Rbac Permissions For A Specific Command - Brocade Communications Systems StoreFabric SN6500B Command Reference Manual

•
For a listing of RBAC permissions for cryptoCfg subcommands, refer to the Fabric OS Encryption
Adminsitrator's Guide.
Understanding Virtual Fabric restrictions
All Fabric OS commands are subject to additional RBAC enforcement with regard to Virtual Fabric
contexts and switch types. Commands can be executed in one or more of the contexts described in
Table
TABLE 3
Context type
Switch context
Chassis context
Switch and chassis
context
Disallowed
Switch commands are further defined by the switch type restrictions as described in
restrictions are not applicable to commands that require chassis permissions.
TABLE 4
Switch type
All Switches
Base Switch Only
Default Switch Only
N/A
In a Virtual Fabric environment where contexts are enforced, the following Virtual Fabric restrictions
apply to the RBAC permissions specified in
information on configuring user account access permissions in a Virtual Fabric environment.
•
•
Fabric OS Command Reference
53-1002746-01
-
Create and register recovery share.
-
Encryption group- and clustering-related operations.
-
Manage keys, including creation, recovery, and archiving functions.
Admin and FabricAdmin
Users authenticated with the Admin and FabricAdmin RBAC roles may perform routine encryption
switch management functions including the following:
-
Configure virtual devices and crypto LUN.
-
Configure LUN/tape associations.
-
Perform re-keying operations.
-
Perform firmware download.
-
Perform regular Fabric OS management functions.
3. Execution of chassis commands requires chassis permissions.
Virtual Fabric contexts
Definition
Command applies to the current logical switch only, or to a specified
logical switch.
Command applies to the chassis on which it is executed.
Command can be executed in a logical switch context or in a chassis
context.
Command is not supported in Virtual Fabric mode.
Switch types
Definition
Command can be executed in any switch context.
Command can be executed only on the base switch.
Command can be executed only on the default switch.
Command is a chassis command or not supported in Virtual Fabric
mode.
Any given role is allowed to execute all switch commands to which the role is authorized in the
account's home context. The default home context is the default logical fabric FID 128.
You can change an account's home context to a specified FID and configure the account
permissions to access additional logical switches specified in the user's Fabric ID list.
Understanding Virtual Fabric restrictions
Table 2. Refer to the userConfig command for more
1
Table 4. Switch type
3