Fabric OS Administrator's Guide v7.0.0 (53-1002148-02, June 2011)

User accounts overview
Fabric OS provides three options for authenticating users: a remote RADIUS service, a remote LDAP service, and the local switch user database. Each option lets user accounts be managed for the whole fabric, as follows:

Remote RADIUS server: Users are managed in a remote RADIUS server. All switches in the fabric can be configured to authenticate against this centralized remote database.

Remote LDAP server: Users are managed in a remote LDAP server. All switches in the fabric can be configured to authenticate against this centralized remote database.

Local user database: Users are managed in the local user database of each switch. Synchronization is manual: the distribute command pushes a copy of the local switch's user database to all other Fabric OS v5.3.0 and later switches in the fabric. The distribute command is blocked if any users with user-defined roles exist on the sending switch or on any remote, receiving switch.
Role-Based Access Control
Role-Based Access Control (RBAC) specifies the permissions that a user account has based on the role assigned to the account. Each role carries a predefined set of permissions for the jobs and tasks that can be performed on a fabric and its associated fabric elements. Fabric OS uses RBAC to determine which commands a user can run.
When you log in to a switch, your user account is associated with either a predefined role or a user-defined role. That role determines your level of access on the switch and in the fabric. A user-defined role can also be associated with the chassis role; the chassis role carries permissions for the RBAC classes of commands that were configured when the user-defined role was created. The chassis role is similar to a switch-level role except that it governs a different subset of commands. You can use the userConfig command to add this permission to a user account.
Table 11 outlines the Fabric OS predefined roles.
Admin Domain considerations: A legacy user with no Admin Domain specified whose current role is admin has access to AD0 through AD255 (physical fabric admin); any other legacy user with no Admin Domain specified has access to AD0 only.
TABLE 11 Default Fabric OS roles
Role name          Duties                            Description
Admin              All administration                All administrative commands.
BasicSwitchAdmin   Restricted switch administration  Mostly monitoring with limited switch (local) commands.
FabricAdmin        Fabric and switch administration  All switch and fabric commands; excludes user management and Admin Domains commands.
Operator           General switch administration     Routine switch maintenance commands.
SecurityAdmin      Security administration           All switch security and user management functions.
SwitchAdmin        Local switch administration       Most switch (local) commands; excludes security, user management, and zoning commands.
User               Monitoring only                   Nonadministrative use, such as monitoring system activity.
ZoneAdmin          Zone administration               Zone management commands only.
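The following CLI session is an example added by the editor to tie the three pieces above together; it is not a transcript from the guide. It registers a RADIUS server with the local database as fallback, creates a local account with the predefined Operator role from Table 11, checks for user-defined roles (which block distribution), and then pushes the local user database to the fabric. The server address, shared secret, account name and password are constructed placeholders, and the option letters (-conf, -p, -s, -a, -r, -d, -p, -d) are recalled from the Fabric OS command reference rather than stated on this page; confirm them with help aaaconfig, help userconfig, help roleconfig and help distribute on the switch before use. Lines beginning with # are annotations, not input to the CLI.

```console
# Register a RADIUS server (constructed address and secret; CHAP is one of
# the supported protocols) and make RADIUS the first authentication source,
# with the local database used only as fallback.
switch:admin> aaaconfig --add 10.0.0.5 -conf radius -p 1812 -s "ExampleSharedSecret" -a chap
switch:admin> aaaconfig --authspec "radius;local"
switch:admin> aaaconfig --show

# Create a local account with the predefined Operator role (role names are
# given in lowercase on the CLI; constructed user name and password).
# Omitting -p makes the switch prompt for the password instead of recording
# it in the session transcript.
switch:admin> userconfig --add opsuser -r operator -d "Routine switch maintenance" -p "Example-Passw0rd"
switch:admin> userconfig --show opsuser

# Before distributing, confirm that no user-defined roles exist on this
# switch; if roleconfig --show lists any, the distribute command is blocked.
switch:admin> roleconfig --show

# Push the local user (password) database to all other switches in the
# fabric running Fabric OS v5.3.0 or later.
switch:admin> distribute -p "PWD" -d "*"
```

Two points a practitioner should check: the order in the authspec string matters, because "radius;local" only consults the local database when no RADIUS server answers, so a remote server that answers with a rejection is final; and the distribute step must be repeated from the sending switch after every local change, since the guide describes the local database as manually synchronized. The guide also states that a chassis role is added to an account with userConfig; the option for that is not shown here, so look it up with help userconfig rather than assuming one.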