Understanding admin domain restrictions – Brocade Fabric OS Command Reference (Supporting Fabric OS v7.3.0) User Manual

Fabric OS Command Reference
53-1003131-01

Understanding Admin Domain restrictions

A subset of Fabric OS commands is subject to Admin Domain (AD) restrictions that may be in place.
In order to execute an AD-restricted command on a switch or device, the switch or device must be
part of a given Admin Domain, and the user must be logged in to that Admin Domain.

Six Admin Domain types are supported, as defined in Table 5.

Refer to Appendix A, “Command Availability,” for a listing of Admin Domain restrictions that apply to
the commands included in this manual.

Determining RBAC permissions for a specific command

To determine RBAC permission for a specific command, use the classconfig --showcli command.

1. Enter the classconfig --showcli command for a specified command.

The command displays the RBAC class and access permissions for each of the command
options. Note that the options of a single command can belong to different RBAC classes.

2. Enter the classconfig --showroles command and specify the RBAC class of the command
option you want to look up.

The command displays the default roles and the permissions they have to access commands
in the specified RBAC class.

The following example shows how you can obtain permission information for the zone command.
Suppose you want to know if a user with the SwitchAdmin role can create a zone. You issue the
classconfig --showcli command for the zone command, which shows that the zone --add command
belongs to the RBAC class “zoning”. You then issue the classconfig --showroles command for the
zoning RBAC class. The output shows that the SwitchAdmin role has “Observe” (O) permissions only
for any command in the zoning class. This means that the user with the SwitchAdmin role is not
allowed to create zones. To allow this user to create a zone, you must change the user’s access to
any of the roles that have “observe and modify” (OM) access. Use the userConfig command to
change the user’s role or use the roleConfig command to create a custom role.

TABLE 5    AD types

AD Type          Definition
Allowed          Allowed to execute in all ADs.
PhysFabricOnly   Allowed to execute only in AD255 context (and the user should own
                 access to AD0-AD255 and have admin RBAC privilege).
Disallowed       Allowed to execute only in AD0 or AD255 context; not allowed in
                 AD1-AD254 context.
PortMember       All control operations allowed only if the port or the local switch is part
                 of the current AD. View access allowed if the device attached to the
                 port is part of current AD.
AD0Disallowed    Allowed to execute only in AD255 and AD0 (if no ADs are configured).
AD0Only          Allowed to execute only in AD0 when ADs are not configured.
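As an added illustration (not part of the Brocade manual and not Fabric OS code), the following Python models the two access checks this page describes: the RBAC class and permission lookup from the classconfig procedure above, and the six Admin Domain restriction types in Table 5. The command-to-class table and the role permissions are constructed from the zone/SwitchAdmin example in the text; on a real switch they are what classconfig --showcli and classconfig --showroles report, and this page does not show that output format, so nothing here parses it. The function and parameter names are the example's own.

```python
"""Offline model of the two access checks described on this page.

Added illustration, not Brocade code. The command-to-class and role tables
are constructed from the zone/SwitchAdmin example in the text; on a real
switch they are what `classconfig --showcli` and `classconfig --showroles`
report (output format not shown on this page).
"""
from enum import Enum

# Permission letters used by the manual: O = observe, OM = observe and modify.
PERMISSION_RIGHTS = {"O": {"observe"}, "OM": {"observe", "modify"}}

# Constructed: (command, option) -> (RBAC class, permission the option needs).
# Mirrors the text: "zone --add" is in class "zoning" and modifies the fabric.
COMMAND_CLASS = {
    ("zone", "--add"): ("zoning", "OM"),
    ("zone", "--show"): ("zoning", "O"),
}

# Constructed: role -> {RBAC class: permission letters}.
# Mirrors the text: SwitchAdmin has only "O" on the zoning class.
ROLE_PERMISSIONS = {
    "SwitchAdmin": {"zoning": "O"},
    "Admin": {"zoning": "OM"},
}


def rbac_allows(role, command, option):
    """True if `role` holds every right the command option requires.

    Unknown roles, classes or options are denied (fail closed).
    """
    entry = COMMAND_CLASS.get((command, option))
    if entry is None:
        return False
    rbac_class, needed = entry
    held = ROLE_PERMISSIONS.get(role, {}).get(rbac_class, "")
    return PERMISSION_RIGHTS[needed] <= PERMISSION_RIGHTS.get(held, set())


class ADType(Enum):
    """The six Admin Domain restriction types from Table 5."""
    ALLOWED = "Allowed"
    PHYS_FABRIC_ONLY = "PhysFabricOnly"
    DISALLOWED = "Disallowed"
    PORT_MEMBER = "PortMember"
    AD0_DISALLOWED = "AD0Disallowed"
    AD0_ONLY = "AD0Only"


def ad_allows(ad_type, current_ad, ads_configured, *, owns_all_ads=False,
              has_admin_rbac=False, port_in_ad=False, device_in_ad=False,
              control_operation=True):
    """Apply the Table 5 rule for `ad_type` to the current AD context.

    current_ad is the AD the user is logged in to (0-255); ads_configured says
    whether any of AD1-AD254 exist. The keyword flags are the per-type
    conditions the table names: ownership of AD0-AD255, admin RBAC privilege,
    membership of the port/local switch or the attached device in the current
    AD, and whether the operation is a control (modify) or view operation.
    """
    if not 0 <= current_ad <= 255:
        raise ValueError("AD context must be 0-255")
    if ad_type is ADType.ALLOWED:
        return True
    if ad_type is ADType.PHYS_FABRIC_ONLY:
        return current_ad == 255 and owns_all_ads and has_admin_rbac
    if ad_type is ADType.DISALLOWED:
        return current_ad in (0, 255)
    if ad_type is ADType.PORT_MEMBER:
        # Control needs the port or local switch in the AD; view needs the device.
        return port_in_ad if control_operation else device_in_ad
    if ad_type is ADType.AD0_DISALLOWED:
        return current_ad == 255 or (current_ad == 0 and not ads_configured)
    if ad_type is ADType.AD0_ONLY:
        return current_ad == 0 and not ads_configured
    raise ValueError(f"unknown AD type {ad_type!r}")


def can_execute(role, command, option, ad_type, current_ad, ads_configured,
                **ad_flags):
    """A command option runs only if both the RBAC and the AD check pass."""
    return (rbac_allows(role, command, option)
            and ad_allows(ad_type, current_ad, ads_configured, **ad_flags))


if __name__ == "__main__":
    # The text's worked case: SwitchAdmin may view but not create zones.
    print("SwitchAdmin zone --show:", rbac_allows("SwitchAdmin", "zone", "--show"))
    print("SwitchAdmin zone --add: ", rbac_allows("SwitchAdmin", "zone", "--add"))
    # The same option after moving the user to a role with OM on "zoning".
    print("Admin zone --add:       ", rbac_allows("Admin", "zone", "--add"))
```

The RBAC check is written as a subset test on rights rather than a string comparison, so a role holding OM automatically satisfies an option that needs only O, which is the relationship the text describes between observe-only and observe-and-modify roles. Both checks fail closed on anything they do not recognise, which is the behaviour to want from an offline audit of role assignments before changing them with userConfig or roleConfig.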