Reference Guide

Fabric OS Command Reference
53-1002921-02
Determining RBAC permissions for a specific command
2. Enter the classconfig --showroles command and specify the RBAC class of the command
option you want to look up.
The command displays the default roles and the permissions they have to access commands
in the specified RBAC class.
The following example shows how you can obtain permission information for the zone command.
Suppose you want to know if a user with the SwitchAdmin role can create a zone. You issue the
classconfig --showcli command for the zone command, which shows that the zone --add command
belongs to the RBAC class “zoning”. You then issue the classconfig --showroles command for the
zoning RBAC class. The output shows that the SwitchAdmin role has “observe” (O) permission only
for any command in the zoning class. This means that a user with the SwitchAdmin role is not
allowed to create zones. To allow this user to create a zone, you must assign the user one of
the roles that have “observe and modify” (OM) access. Use the userConfig command to
change the user’s role or use the roleConfig command to create a custom role.
switch:admin> classconfig --showcli zone
CLI     Option        Permission   RBAC Class   Context
----------------------------------------------------------
zone    Killall       OM           Debug        vf
zone    evlogclear    OM           Debug        vf
zone    evlogshow     O            Debug        vf
zone    evlogtoggle   OM           Debug        vf
zone    mergeshow     O            Debug        vf
zone    stateshow     O            Debug        vf
zone    activate      OM           Zoning       vf
zone    add           OM           Zoning       vf
zone    copy          OM           Zoning       vf
zone    create        OM           Zoning       vf
zone    deactivate    OM           Zoning       vf
(output truncated)
switch:admin> classconfig --showroles zoning
Roles that have access to the RBAC Class 'zoning' are:
Role Name           Permission
---------           ----------
User                O
Admin               OM
Factory             OM
Root                OM
Operator            O
SwitchAdmin         O
ZoneAdmin           OM
FabricAdmin         OM
BasicSwitchAdmin    O
SecurityAdmin       O
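
The two-step lookup above can be scripted when many role and command pairs have to be audited. The following is an added example, not part of the Fabric OS documentation: it parses saved output of the two classconfig commands (sample text copied from this page) and joins them on the RBAC class. The function names are hypothetical, and treating a role that is absent from the --showroles listing as having no access is an assumption.

```python
import re

# Saved command output, copied from the example on this page (subset of the truncated listing).
SHOWCLI = """\
CLI   Option     Permission  RBAC Class  Context
zone  evlogshow  O           Debug       vf
zone  add        OM          Zoning      vf
zone  create     OM          Zoning      vf
"""
SHOWROLES = """\
Roles that have access to the RBAC Class 'zoning' are:
Role Name         Permission
User              O
Admin             OM
Factory           OM
Root              OM
Operator          O
SwitchAdmin       O
ZoneAdmin         OM
FabricAdmin       OM
BasicSwitchAdmin  O
SecurityAdmin     O
"""

def parse_showcli(text):
    """Return {(cli, option): (required_permission, rbac_class)}, keys lower-cased."""
    row = re.compile(r"\s*(\S+)\s+(\S+)\s+(OM|O)\s+(\S+)\s+\S+\s*")
    hits = (row.fullmatch(line) for line in text.splitlines())
    return {(m[1].lower(), m[2].lower()): (m[3], m[4].lower()) for m in hits if m}

def parse_showroles(text):
    """Return (rbac_class, {role: permission}) from classconfig --showroles output."""
    rbac_class = re.search(r"RBAC Class '([^']+)'", text)[1].lower()
    row = re.compile(r"\s*(\S+)\s+(OM|O)\s*")
    hits = (row.fullmatch(line) for line in text.splitlines())
    return rbac_class, {m[1].lower(): m[2] for m in hits if m}

def roles_allowed(cli, option, showcli=SHOWCLI, showroles=SHOWROLES):
    """Roles (lower-cased) whose permission on the option's RBAC class meets its requirement."""
    required, needed_class = parse_showcli(showcli)[(cli.lower(), option.lower())]
    shown_class, roles = parse_showroles(showroles)
    if shown_class != needed_class:  # the --showroles capture is for a different class
        raise ValueError(f"need roles for class {needed_class!r}, got {shown_class!r}")
    # OM satisfies an O requirement; O never satisfies OM. Unlisted roles: no access (assumption).
    return {r for r, p in roles.items() if p == "OM" or required == "O"}

def can_run(role, cli, option):
    """True if the role may run the given CLI option according to the two captures."""
    return role.lower() in roles_allowed(cli, option)
```

Here can_run("SwitchAdmin", "zone", "add") returns False, matching the conclusion in the text, and roles_allowed("zone", "add") lists the roles the user could be moved to.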