Role-based access control, Admin domain considerations – Brocade Fabric OS Administrators Guide (Supporting Fabric OS v7.3.0) User Manual
Page 134
• Remote TACACS+ service : Users are managed in a remote TACACS+ server. All switches in the
fabric can be configured to authenticate against the centralized remote database.
• Local user database : Users are managed by means of the local user database. The local user
database is manually synchronized by means of the distribute command to push a copy of the
switch’s local user database to all other switches in the fabric running Fabric OS v5.3.0 and later,
but the distribute command is blocked if users with user-defined roles exist on the sending switch
or on any remote, receiving switch.
Role-Based Access Control
Role-Based Access Control (RBAC) specifies the permissions that a user account has on the basis of
the role the account has been assigned. For each role, a set of predefined permissions determines the
jobs and tasks that can be performed on a fabric and its associated fabric elements. Fabric OS uses
RBAC to determine which commands a user is allowed to access.
When you log in to a switch, your user account is associated with a predefined role or a user-defined
role. The role that your account is associated with determines the level of access you have on that
switch and in the fabric. The chassis role can also be associated with user-defined roles; it has
permissions for RBAC classes of commands that are configured when user-defined roles are created.
The chassis role is similar to a switch-level role, except that it affects a different subset of commands.
You can use the userConfig command to add this permission to a user account.
The following table outlines the Fabric OS predefined (default) roles.
TABLE 19 Default Fabric OS roles

Role name         Duties                            Description
Admin             All administration                All administrative commands
BasicSwitchAdmin  Restricted switch administration  Mostly monitoring with limited switch (local) commands
FabricAdmin       Fabric and switch administration  All switch and fabric commands, excluding user management and Admin Domains commands
Operator          General switch administration     Routine switch-maintenance commands
SecurityAdmin     Security administration           All switch security and user management functions
SwitchAdmin       Local switch administration       Most switch (local) commands, excluding security, user management, and zoning commands
User              Monitoring only                   Nonadministrative use, such as monitoring system activity
ZoneAdmin         Zone administration               Zone management commands only
Admin Domain considerations
Legacy users with no Admin Domain specified and whose current role is admin will have access to
AD0 through AD255 (physical fabric admin); otherwise, they will have access to AD0 only.
If some Admin Domains have been defined for the user and all of them are inactive, the user will not
be allowed to log in to any switch in the fabric. If no home domain is specified for a user, the system
provides a default home domain.
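The following script is an added example, not Brocade code, that applies the Admin Domain rules above and the Table 19 role list to a constructed account inventory so an administrator can see which accounts hold physical-fabric-admin scope, which can no longer log in, and which carry user-defined roles that block the distribute command. The account records, the active-AD set and the role name "fabricauditor" are assumptions for illustration; the default home domain is not modelled because the manual does not say how it is chosen.

```python
from dataclasses import dataclass

# Predefined Fabric OS roles from Table 19 (compared case-insensitively).
PREDEFINED_ROLES = {"admin", "basicswitchadmin", "fabricadmin", "operator",
                    "securityadmin", "switchadmin", "user", "zoneadmin"}
PHYSICAL_FABRIC = frozenset(range(256))  # AD0 through AD255

@dataclass(frozen=True)
class Account:
    name: str
    role: str
    ad_list: frozenset = frozenset()   # Admin Domains assigned to the user

def effective_ads(acct, active_ads):
    """Apply the Admin Domain considerations: return (allowed ADs, can log in)."""
    if not acct.ad_list:                       # legacy user, no AD specified
        if acct.role.lower() == "admin":
            return PHYSICAL_FABRIC, True       # physical fabric admin
        return frozenset({0}), True            # AD0 only
    if not (acct.ad_list & active_ads):        # every assigned AD is inactive
        return frozenset(), False              # login refused on every switch
    return acct.ad_list, True

def audit(accounts, active_ads):
    """Return a sorted list of (account name, reason) for accounts worth reviewing."""
    findings = []
    for a in accounts:
        if a.role.lower() not in PREDEFINED_ROLES:
            findings.append((a.name, "user-defined role: distribute is blocked while it exists"))
        allowed, can_login = effective_ads(a, active_ads)
        if not can_login:
            findings.append((a.name, "all assigned Admin Domains inactive: account cannot log in"))
        elif allowed == PHYSICAL_FABRIC:
            findings.append((a.name, "physical fabric admin: access to AD0 through AD255"))
    return sorted(findings)

# Constructed sample inventory (hypothetical, not taken from the manual).
SAMPLE_ACCOUNTS = [
    Account("legacy_admin", "admin"),
    Account("ops", "operator"),
    Account("ad_admin", "admin", frozenset({3, 5})),
    Account("stale", "fabricadmin", frozenset({7})),
    Account("auditor", "fabricauditor"),   # hypothetical user-defined role
]
SAMPLE_ACTIVE_ADS = frozenset({0, 3})     # hypothetical set of active ADs

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_ACCOUNTS, SAMPLE_ACTIVE_ADS):
        print(f"{name}: {reason}")
```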
53-1003130-01