Encryption commands and permissions – Brocade Fabric OS Command Reference (Supporting Fabric OS v7.3.0) User Manual
Fabric OS Command Reference
53-1003131-01
Understanding Role-Based Access Control
In addition to these predefined roles, Fabric OS v7.0.0 and later provides support for creating
user-defined roles. Refer to the roleConfig command for more information.
Additional command restrictions apply depending on whether Virtual Fabrics or Admin Domains are
enabled in a fabric. Refer to Appendix A, “Command Availability”.
NOTE
Virtual Fabrics and Admin Domains are mutually exclusive and are not supported at the same time
on a switch. To use Admin Domains, you must first disable Virtual Fabrics; to use Virtual Fabrics, you
must first delete all Admin Domains. Use ad --clear -f to remove all Admin Domains. Refer to the
Fabric OS Administrator’s Guide for more information.
Encryption commands and permissions
There are two system RBAC roles that are permitted to perform encryption operations.
• Admin and SecurityAdmin
  Users authenticated with the Admin and SecurityAdmin RBAC roles may perform cryptographic
  functions assigned to the FIPS Crypto Officer, including the following:
  • Perform encryption node initialization.
  • Enable cryptographic operations.
  • Manage critical security parameters (CSPs) input and output functions.
  • Zeroize encryption CSPs.
  • Register and configure a key vault.
  • Configure a recovery share policy.
  • Create and register recovery share.
  • Encryption group and clustering-related operations.
  • Manage keys, including creation, recovery, and archiving functions.
• Admin and FabricAdmin
  Users authenticated with the Admin and FabricAdmin RBAC roles may perform routine
  encryption switch management functions including the following:
  • Configure virtual devices and crypto LUN.
  • Configure LUN/tape associations.
  • Perform re-keying operations.
TABLE 2   Role definitions (Continued)

Role name          Definition
ZoneAdmin          Zone management only.
FabricAdmin        Administrative use excluding user management and Admin Domain management.
BasicSwitchAdmin   A subset of administrative tasks, typically of a more limited scope and effect.
Admin              All administrative tasks, including encryption and chassis commands.
SecurityAdmin      Administrative use including admin, encryption, security, user management, and zoning.