Technical data
Fabric OS Encryption Administrator’s Guide (DPM) 127
53-1002720-02
5. PortMember: allows all control operations only if the port or the local switch is part of the current AD. View access is allowed if the device attached to the port is part of the current AD.
Command RBAC permissions and AD types
Two RBAC roles are permitted to perform Encryption operations.
• Admin and SecurityAdmin
  Users authenticated with the Admin and SecurityAdmin RBAC roles may perform cryptographic functions assigned to the FIPS Crypto Officer, including the following:
  - Perform encryption node initialization.
  - Enable cryptographic operations.
  - Manage I/O functions for critical security parameters (CSPs).
  - Zeroize encryption CSPs.
  - Register and configure a key vault.
  - Configure a recovery share policy.
  - Create and register recovery share.
  - Perform encryption group- and clustering-related operations.
  - Manage keys, including creation, recovery, and archive functions.
• Admin and FabricAdmin
  Users authenticated with the Admin and FabricAdmin RBAC roles may perform routine Encryption Switch management functions, including the following:
  - Configure virtual devices and crypto LUNs.
  - Configure LUN and tape associations.
  - Perform rekeying operations.
  - Perform firmware download.
  - Perform regular Fabric OS management functions.
See Table 4 for the RBAC permissions when using the encryption configuration commands.
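TABLE 4 Encryption command RBAC availability and admin domain type¹

| Command name       | User | Admin | Operator | Switch Admin | Zone Admin | Fabric Admin | Basic Switch Admin | Security Admin | Admin Domain |
|--------------------|------|-------|----------|--------------|------------|--------------|--------------------|----------------|--------------|
| addmembernode      | N    | OM    | N        | N            | N          | N            | N                  | OM             | Disallowed   |
| addhaclustermember | N    | OM    | N        | N            | N          | OM           | N                  | N              | Disallowed   |
| addinitiator       | N    | OM    | N        | N            | N          | OM           | N                  | N              | Disallowed   |
| addLUN             | N    | OM    | N        | N            | N          | OM           | N                  | N              | Disallowed   |
| commit             | N    | OM    | N        | N            | N          | OM           | N                  | N              | Disallowed   |
| createcontainer    | N    | OM    | N        | N            | N          | OM           | N                  | N              | Disallowed   |
| createencgroup     | N    | OM    | N        | N            | N          | N            | N                  | OM             | Disallowed   |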
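
A least-privilege review built on the Table 4 rows above, as an added example that is not part of the guide: it finds accounts logged in as Admin whose observed commands a single narrower role would cover. It assumes OM means the role may run the command and N means it may not; the account names and activity records are constructed.

```python
from collections import defaultdict

# Role columns of Table 4, in page order.
ROLES = ["User", "Admin", "Operator", "SwitchAdmin", "ZoneAdmin",
         "FabricAdmin", "BasicSwitchAdmin", "SecurityAdmin"]

# Table 4 rows as printed on this page. Assumption: "OM" means the role may
# run the command and "N" means it may not (the legend is not on this page).
TABLE_4 = {
    "addmembernode":      "N OM N N N N N OM",
    "addhaclustermember": "N OM N N N OM N N",
    "addinitiator":       "N OM N N N OM N N",
    "addLUN":             "N OM N N N OM N N",
    "commit":             "N OM N N N OM N N",
    "createcontainer":    "N OM N N N OM N N",
    "createencgroup":     "N OM N N N N N OM",
}

def allowed_roles(command):
    """Roles whose Table 4 cell is OM; empty for a command not listed here."""
    cells = TABLE_4.get(command, "").split()
    return {role for role, cell in zip(ROLES, cells) if cell == "OM"}

def narrower_role_candidates(records):
    """Map each Admin account to the non-Admin roles covering all it ran."""
    # records holds (account, role, command) tuples. An empty list means the
    # activity spans both duty classes or includes an unlisted command.
    used = defaultdict(set)
    for account, role, command in records:
        if role == "Admin":
            used[account].add(command)
    result = {}
    for account, commands in used.items():
        common = set(ROLES) - {"Admin"}
        for command in commands:
            common &= allowed_roles(command)
        result[account] = sorted(common)
    return result

# Constructed activity records (hypothetical accounts, not from the guide).
SAMPLE = [
    ("storage_ops", "Admin", "createcontainer"), ("storage_ops", "Admin", "addLUN"),
    ("storage_ops", "Admin", "commit"), ("crypto_officer", "Admin", "createencgroup"),
    ("crypto_officer", "Admin", "addmembernode"), ("legacy_admin", "Admin", "createencgroup"),
    ("legacy_admin", "Admin", "addinitiator"), ("fab1", "FabricAdmin", "commit"),
]

if __name__ == "__main__":
    for account, roles in narrower_role_candidates(SAMPLE).items():
        print(account, "->", roles or "keep Admin or split the duties")
```

An account that maps to an empty list has used commands from both the SecurityAdmin and the FabricAdmin columns, so it either stays Admin or its work is divided between two accounts.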










