Creating a fcoe administrator role and account, Understanding and managing command access rules – Brocade Network OS Administrator’s Guide v4.1.1 User Manual
Page 271

Creating a VCS Fabric security administrator role and account
The following steps create and configure a typical Brocade VCS Fabric security administrator role.
1. Create a role for a Brocade VCS Fabric security administrator.
switch(config)# role name NetworkSecurityAdmin desc "Manages security CLIs"
2. Create a user account associated with the newly created role.
switch(config)# username SecAdminUser role NetworkSecurityAdmin password testpassword
3. Create the rules to specify the RBAC permissions for the NetworkSecurityAdmin role.
switch(config)# rule 30 action accept operation read-write role NetworkSecurityAdmin command role
switch(config-rule-30)# exit
switch(config)# rule 31 action accept operation read-write role NetworkSecurityAdmin command rule
switch(config-rule-31)# exit
switch(config)# rule 32 action accept operation read-write role NetworkSecurityAdmin command username
switch(config-rule-32)# exit
switch(config)# rule 33 action accept operation read-write role NetworkSecurityAdmin command aaa
switch(config-rule-33)# exit
switch(config)# rule 34 action accept operation read-write role NetworkSecurityAdmin command radius-server
switch(config-rule-34)# exit
switch(config)# rule 35 action accept operation read-write role NetworkSecurityAdmin command config
switch(config-rule-35)# exit
The SecAdminUser account has been granted operational access to the configuration-level commands role, rule, username, aaa, and radius-server. Any account associated with the NetworkSecurityAdmin role can now create and modify user accounts, manage roles, and define rules. In addition, the role permits configuring a RADIUS server and setting the login sequence.
Creating an FCoE administrator role and account
1. Create an FCoE administrator role.
switch(config)# role name FCOEAdmin desc "Manages FCOE"
2. Create an FCoE admin user account.
switch(config)# username FCOEAdmUser role FCOEAdmin password testpassword
3. Create the rules defining the access permissions for the FCoE administrator role.
switch(config)# rule 40 action accept operation read-write role FCOEAdmin command interface fcoe
The FCOEAdmUser account that is associated with the FCOEAdmin role can now perform FCoE operations.
Understanding and managing command access rules
Command authorization is defined in terms of an ordered set of rules that are associated with a role.
Rules define and restrict a role to access modes (read-only or read-write access), and beyond that can
define permit or reject on specified command groups or individual commands. You can associate
multiple rules with a given user-defined role, but you can associate only one role with any given user
account.
To specify a rule, you must specify at least three mandatory attributes: a rule index number, the role to
which the rule should apply, and the command that is defined by the rule. The following table describes
the rule attribute details.
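As an added audit example (not part of the guide), the following Python script parses rule and username lines written in the CLI syntax shown above and reports which accounts hold a role with read-write access to the role, rule, or username commands, that is, accounts able to change the RBAC scheme itself. The running-config line format and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample config, assumed to mirror the CLI syntax on this page.
SAMPLE_CONFIG = """
username SecAdminUser role NetworkSecurityAdmin password testpassword
username FCOEAdmUser role FCOEAdmin password testpassword
rule 30 action accept operation read-write role NetworkSecurityAdmin command role
rule 31 action accept operation read-write role NetworkSecurityAdmin command rule
rule 32 action accept operation read-write role NetworkSecurityAdmin command username
rule 33 action accept operation read-write role NetworkSecurityAdmin command aaa
rule 34 action accept operation read-write role NetworkSecurityAdmin command radius-server
rule 35 action accept operation read-write role NetworkSecurityAdmin command config
rule 40 action accept operation read-write role FCOEAdmin command interface fcoe
"""

RULE_RE = re.compile(
    r"^rule (?P<idx>\d+) action (?P<action>accept|reject) "
    r"operation (?P<op>read-only|read-write) role (?P<role>\S+) command (?P<cmd>.+)$")
USER_RE = re.compile(r"^username (?P<user>\S+) role (?P<role>\S+)")
# Read-write access to any of these lets a role rewrite the RBAC scheme itself.
RBAC_ADMIN_COMMANDS = {"role", "rule", "username"}

def parse_config(text):
    """Return (rules_by_role, role_by_user) parsed from rule/username lines."""
    rules_by_role = defaultdict(list)
    role_by_user = {}
    for line in text.splitlines():
        line = line.strip()
        m = RULE_RE.match(line)
        if m:
            rules_by_role[m["role"]].append(
                (int(m["idx"]), m["action"], m["op"], m["cmd"].strip()))
            continue
        m = USER_RE.match(line)
        if m:
            role_by_user[m["user"]] = m["role"]  # one role per account
    for rules in rules_by_role.values():
        rules.sort()  # rules form an ordered set; keep them by index
    return rules_by_role, role_by_user

def read_write_commands(rules_by_role, role):
    """Commands the role may modify: accept + read-write rules only."""
    return {cmd for _, action, op, cmd in rules_by_role.get(role, [])
            if action == "accept" and op == "read-write"}

def rbac_admin_users(text):
    """Accounts whose role can change roles, rules or user accounts."""
    rules_by_role, role_by_user = parse_config(text)
    return sorted(u for u, r in role_by_user.items()
                  if read_write_commands(rules_by_role, r) & RBAC_ADMIN_COMMANDS)
```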
53-1003225-04