Reference Guide
2 Brocade Fabric OS Command Reference
53-1004112-02
Understanding Role-Based Access Control
In addition to these predefined roles, Fabric OS v7.0.0 and later provides support for creating user-defined roles. Refer to the roleConfig command for more information.
Additional command restrictions apply depending on whether Virtual Fabrics are enabled in a fabric. Refer to “Command Availability”.
Encryption commands and permissions
There are two system RBAC roles that are permitted to perform encryption operations.
• Admin and SecurityAdmin
  Users authenticated with the Admin and SecurityAdmin RBAC roles may perform cryptographic functions assigned to the FIPS Crypto Officer, including the following:
    • Perform encryption node initialization.
    • Enable cryptographic operations.
    • Manage critical security parameters (CSPs) input and output functions.
    • Zeroize encryption CSPs.
    • Register and configure a key vault.
    • Configure a recovery share policy.
    • Create and register recovery share.
    • Encryption group and clustering-related operations.
    • Manage keys, including creation, recovery, and archiving functions.
• Admin and FabricAdmin
  Users authenticated with the Admin and FabricAdmin RBAC roles may perform routine encryption switch management functions including the following:
    • Configure virtual devices and crypto LUN.
    • Configure LUN/tape associations.
    • Perform re-keying operations.
    • Perform firmware download.
    • Perform regular Fabric OS management functions.
For a listing of RBAC permissions for cryptoCfg subcommands, refer to the Fabric OS Encryption Administrator’s Guide.
TABLE 1 Role definitions (Continued)

Role name         Definition
FabricAdmin       Administrative use excluding user management.
BasicSwitchAdmin  A subset of administrative tasks, typically of a more limited scope and effect.
Admin             All administrative tasks, including encryption and chassis commands.
SecurityAdmin     Administrative use including admin, encryption, security, user management, and zoning.