Fabric OS Encryption Administrator's Guide
53-1002159-03
Command RBAC permissions and AD types
Two RBAC roles are permitted to perform Encryption operations.
• Admin and SecurityAdmin
  Users authenticated with the Admin and SecurityAdmin RBAC roles may perform cryptographic functions assigned to the FIPS Crypto Officer, including the following:
    • Perform encryption node initialization.
    • Enable cryptographic operations.
    • Manage I/O functions for critical security parameters (CSPs).
    • Zeroize encryption CSPs.
    • Register and configure a key vault.
    • Configure a recovery share policy.
    • Create and register recovery share.
    • Perform encryption group- and clustering-related operations.
    • Manage keys, including creation, recovery, and archive functions.
• Admin and FabricAdmin
  Users authenticated with the Admin and FabricAdmin RBAC roles may perform routine Encryption Switch management functions, including the following:
    • Configure virtual devices and crypto LUNs.
    • Configure LUN and tape associations.
    • Perform re-keying operations.
    • Perform firmware download.
    • Perform regular Fabric OS management functions.
See Table 4 for the RBAC permissions when using the encryption configuration commands.
TABLE 4 Encryption command RBAC availability and admin domain type¹

Command name         User  Admin  Operator  Switch Admin  Zone Admin  Fabric Admin  Basic Switch Admin  Security Admin  Admin Domain
addmembernode        N     OM     N         N             N           O             N                   OM              Disallowed
addhaclustermember   N     OM     N         N             N           OM            N                   O               Disallowed
addinitiator         N     OM     N         N             N           OM            N                   O               Disallowed
addLUN               N     OM     N         N             N           OM            N                   O               Disallowed
commit               N     OM     N         N             N           OM            N                   O               Disallowed
create --container   N     OM     N         N             N           OM            N                   O               Disallowed
create --encgroup    N     OM     N         N             N           O             N                   OM              Disallowed
create --hacluster   N     OM     N         N             N           OM            N                   O               Disallowed
create --tapepool    N     OM     N         N             N           OM            N                   O               Disallowed