Dell Brocade 6510 Fabric OS Command Reference v7.1.0 - Page 32
Understanding Admin Domain restrictions, Determining RBAC permissions for a specific command
• Accounts with user or admin permissions can be granted chassis permissions. A user account with the chassis role can execute chassis-level commands at the user RBAC access level. An admin account with the chassis role can execute chassis-level commands at the admin RBAC access level.

Use the classConfig --showcli command to look up the Virtual Fabrics context for a specified command. Refer to Appendix A, "Command Availability," for a complete listing of Virtual Fabric restrictions that apply to the commands included in this manual.

Understanding Admin Domain restrictions

A subset of Fabric OS commands is subject to Admin Domain (AD) restrictions that may be in place. In order to execute an AD-restricted command on a switch or device, the switch or device must be part of a given Admin Domain, and the user must be logged in to that Admin Domain. Six Admin Domain types are supported, as defined in Table 5.

TABLE 5 AD types

AD Type         Definition
Allowed         Allowed to execute in all ADs.
PhysFabricOnly  Allowed to execute only in AD255 context (and the user should own access to AD0-AD255 and have admin RBAC privilege).
Disallowed      Allowed to execute only in AD0 or AD255 context; not allowed in AD1-AD254 context.
PortMember      All control operations allowed only if the port or the local switch is part of the current AD. View access allowed if the device attached to the port is part of current AD.
AD0Disallowed   Allowed to execute only in AD255 and AD0 (if no ADs are configured).
AD0Only         Allowed to execute only in AD0 when ADs are not configured.

Refer to Appendix A, "Command Availability," for a listing of Admin Domain restrictions that apply to the commands included in this manual.

Determining RBAC permissions for a specific command

To determine the RBAC permission for a specific command, use the classconfig --showcli command.

1. Enter the classconfig --showcli command for a specified command.
   The command displays the RBAC class and access permissions for each of the command options. Note that options of a single command can belong to different classes.
2. Enter the classconfig --showroles command and specify the RBAC class of the command option you want to look up.
   The command displays the default roles and the permissions they have to access commands in the specified RBAC class.

The following example shows how you can obtain permission information for the zone command. Suppose you want to know if a user with the SwitchAdmin role can create a zone. You issue the classconfig --showcli command for the zone command, which shows that the zone --add command belongs to the RBAC class "zoning". You then issue the classconfig --showroles command for the zoning RBAC class. The output shows that the SwitchAdmin role has "Observe" permissions only for any

4 Fabric OS Command Reference 53-1002746-01
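The Admin Domain rules of Table 5 above, written out as a small access-review helper. This is an added example, not code from the manual or from Fabric OS; the Context fields, function names and sample contexts are assumptions made for illustration, and the rules are read literally from the table.

```python
from dataclasses import dataclass

AD_TYPES = ("Allowed", "PhysFabricOnly", "Disallowed",
            "PortMember", "AD0Disallowed", "AD0Only")

@dataclass(frozen=True)
class Context:
    """Hypothetical model of a login session; field names are assumptions."""
    current_ad: int              # AD the user is logged in to (0-255)
    ads_configured: bool         # True if any Admin Domains are configured
    all_ad_access: bool = False  # user owns access to AD0-AD255
    rbac_admin: bool = False     # user has admin RBAC privilege
    port_in_ad: bool = False     # port or local switch is in the current AD
    device_in_ad: bool = False   # device attached to the port is in the current AD

def ad_permits(ad_type: str, ctx: Context, view_only: bool = False) -> bool:
    """Apply the Table 5 rule for ad_type; unknown types raise (fail closed)."""
    if not 0 <= ctx.current_ad <= 255:
        raise ValueError("AD number must be 0-255")
    ad = ctx.current_ad
    if ad_type == "Allowed":
        return True
    if ad_type == "PhysFabricOnly":
        return ad == 255 and ctx.all_ad_access and ctx.rbac_admin
    if ad_type == "Disallowed":
        return ad in (0, 255)
    if ad_type == "PortMember":
        # Control needs port/switch membership; view needs device membership.
        return ctx.device_in_ad if view_only else ctx.port_in_ad
    if ad_type == "AD0Disallowed":
        return ad == 255 or (ad == 0 and not ctx.ads_configured)
    if ad_type == "AD0Only":
        return ad == 0 and not ctx.ads_configured
    raise ValueError(f"unknown AD type: {ad_type!r}")

def usable_types(ctx: Context, view_only: bool = False) -> list[str]:
    """AD types whose commands this login context may run."""
    return [t for t in AD_TYPES if ad_permits(t, ctx, view_only)]

if __name__ == "__main__":
    # Constructed sample contexts, not taken from a real switch.
    for ctx in (Context(5, True, port_in_ad=True),
                Context(0, True),
                Context(255, True, all_ad_access=True, rbac_admin=True)):
        print(f"AD{ctx.current_ad}: {usable_types(ctx)}")
```

A session in a user-defined AD (AD1-AD254) reaches only Allowed and PortMember commands, so AD membership limits a user's reach in addition to the RBAC role.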