Understanding role-based access control, Encryption commands and permissions – Dell POWEREDGE M1000E User Manual

2

Fabric OS Command Reference

53-1002746-01

Understanding Role-Based Access Control

1

Understanding Role-Based Access Control

Fabric OS implements Role-Based Access Control (RBAC) to control access to all Fabric OS operations.

Seven predefined roles are supported, as described in

Table 2

. These predefined role definitions are

guided by perceived common operational situations and the operations and effects a role is permitted to
have on a fabric and individual fabric elements.

In addition to these predefined roles, Fabric OS v7.0.0 and later provides support for creating
user-defined roles. Refer to the roleConfig command for more information.

Additional command restrictions apply depending on whether Virtual Fabrics or Admin Domains are
enabled in a fabric. Refer to

Appendix A, “Command Availability”

,

NOTE

Virtual Fabrics and Admin Domains are mutually exclusive and are not supported at the same time on a
switch. To use Admin Domains, you must first disable Virtual Fabrics; to use Virtual Fabrics, you must first
delete all Admin Domains. Use ad --clear -f to remove all Admin Domains. Refer to the Fabric OS
Administrator’s Guide for more information.

Encryption commands and permissions

There are two system RBAC roles that are permitted to perform encryption operations.

•

Admin and SecurityAdmin
Users authenticated with the Admin and SecurityAdmin RBAC roles may perform cryptographic
functions assigned to the FIPS Crypto Officer, including the following:

-

Perform encryption node initialization.

-

Enable cryptographic operations.

-

Manage critical security parameters (CSPs) input and output functions.

-

Zeroize encryption CSPs.

-

Register and configure a key vault.

-

Configure a recovery share policy.

TABLE 2

Role definitions

Role name

Definition

User

Non-administrative use, such as monitoring system activity. In Fabric
OS v6.2.0 and later, the user account gains access to Fabric ID 128.
This is the default logical fabric after a firmware upgrade.

Operator

A subset of administrative tasks typically required for routine
maintenance operations.

SwitchAdmin

Administrative use excluding security, user management, and zoning.

ZoneAdmin

Zone management only.

FabricAdmin

Administrative use excluding user management and Admin Domain
management.

BasicSwitchAdmin

A subset of administrative tasks, typically of a more limited scope and
effect.

Admin

All administrative tasks, including encryption and chassis commands.

SecurityAdmin

Administrative use including admin, encryption, security, user
management, and zoning.