HP 8/24 Brocade Fabric OS Administrator's Guide v6.3.0 (53-1001336-01, July 20 - Page 112
Role-Based Access Control (RBAC), Fabric OS roles
View all HP 8/24 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 112 highlights
5 User accounts overview Fabric OS provides three options for authenticating users-remote RADIUS services, remote LDAP service, and the local switch user database. All options allow users to be centrally managed using the following methods: • Remote RADIUS server: Users are managed in a remote RADIUS server. All switches in the fabric can be configured to authenticate against the centralized remote database. • Remote LDAP server: Users are managed in a remote LDAP server. All switches in the fabric can be configured to authenticate against the centralized remote database. • Local user database: Users are managed using the local user database. The local user database is manually synchronized using the distribute command to push a copy of the switch's local user database to all other Fabric OS v5.3.0 and later switches in the fabric. Role-Based Access Control (RBAC) Role-Based Action Control (RBAC) defines the capabilities that a user account has based on the role the account has been assigned. For each role, there is a set of predefined permissions on the jobs and tasks that can be performed on a fabric and its associated fabric elements. Fabric OS v6.1.0 and later use RBAC to determine which commands a user can issue. When you log in to a switch, your user account is associated with a predefined role. The role that your account is associated with determines the level of access you have on that switch and in the fabric. The chassis-role permission is not a role like the other role types, but a permission that is applied to a user account. You can use the userConfig command to add this permission to a user account. For clarity, this permission has been added to Table 8, which outlines the Fabric OS predefined roles. TABLE 8 Fabric OS roles Role name Duties Description Admin BasicSwitchAdmin Chassis-role permission FabricAdmin Operator SecurityAdmin SwitchAdmin User ZoneAdmin All administration All administrative commands excluding chassis-specific commands. Restricted switch administration Mostly monitoring with limited switch (local) commands. Chassis-specific configuration This is a role-permission only and this permission is applied to the user account through the userConfig command. Fabric and switch administration All switch and fabric commands, excludes user management and Admin Domains commands. General switch administration Routine switch maintenance commands. Security administration All switch security and user management functions. Local switch administration Most switch (local) commands, excludes security, user management, and zoning commands. Monitoring only Nonadministrative use, such as monitoring system activity. Zone administration Zone management commands only. Admin Domain considerations: Legacy users with no Admin Domain specified and their current role is admin will have access to AD 0 through 255 (physical fabric admin); otherwise, they will have access to AD0 only. 70 Fabric OS Administrator's Guide 53-1001336-01