Understanding admin domain restrictions – Dell POWEREDGE M1000E User Manual


Fabric OS Command Reference

53-1002746-01


Accounts with user or admin permissions can be granted chassis permissions. A user account with
the chassis role can execute chassis-level commands at the user RBAC access level. An admin
account with the chassis role can execute chassis-level commands at the admin RBAC access
level.

Use the classConfig --showcli command to look up the Virtual Fabrics context for a specified
command. Refer to Appendix A, “Command Availability,” for a complete listing of Virtual Fabric
restrictions that apply to the commands included in this manual.

Understanding Admin Domain restrictions

A subset of Fabric OS commands is subject to Admin Domain (AD) restrictions that may be in place. In
order to execute an AD-restricted command on a switch or device, the switch or device must be part of a
given Admin Domain, and the user must be logged in to that Admin Domain.

Six Admin Domain types are supported, as defined in Table 5.

Refer to Appendix A, “Command Availability,” for a listing of Admin Domain restrictions that
apply to the commands included in this manual.

Determining RBAC permissions for a specific command

To determine RBAC permission for a specific command, use the classconfig --showcli command.

1. Enter the classconfig --showcli command for a specified command.

   The command displays the RBAC class and access permissions for each of the command options.
   Note that the options of a single command can belong to different classes.

2. Enter the classconfig --showroles command and specify the RBAC class of the command option
   you want to look up.

   The command displays the default roles and the permissions they have to access commands in the
   specified RBAC class.

The following example shows how you can obtain permission information for the zone command.
Suppose you want to know if a user with the SwitchAdmin role can create a zone. You issue the
classconfig --showcli command for the zone command, which shows that the zone --add command
belongs to the RBAC class “zoning”. You then issue the classconfig --showroles command for the
zoning RBAC class. The output shows that the SwitchAdmin role has “Observe” permissions only for any

TABLE 5   AD types

AD Type          Definition

Allowed          Allowed to execute in all ADs.

PhysFabricOnly   Allowed to execute only in AD255 context (and the user should own
                 access to AD0-AD255 and have admin RBAC privilege).

Disallowed       Allowed to execute only in AD0 or AD255 context; not allowed in
                 AD1-AD254 context.

PortMember       All control operations allowed only if the port or the local switch is part
                 of the current AD. View access allowed if the device attached to the
                 port is part of current AD.

AD0Disallowed    Allowed to execute only in AD255 and AD0 (if no ADs are configured).

AD0Only          Allowed to execute only in AD0 when ADs are not configured.
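
The rules in Table 5 can be expressed as a single decision function, which is useful when auditing which AD-restricted commands a given login context can reach. The following Python code is an added example, not part of the manual or of Fabric OS; the Session fields and function names are assumptions, and it models only the AD layer (the RBAC class permission shown by classconfig is a separate check).

```python
from dataclasses import dataclass

AD0, AD255 = 0, 255  # default AD and physical-fabric AD named in Table 5

@dataclass
class Session:
    """Hypothetical model of a login context (names are assumptions)."""
    current_ad: int               # AD the user is logged in to, 0-255
    ads_configured: bool          # True once any Admin Domains are configured
    owns_all_ads: bool = False    # user has access to AD0-AD255
    rbac_admin: bool = False      # user holds admin RBAC privilege
    port_in_ad: bool = False      # port or local switch is in the current AD
    device_in_ad: bool = False    # device attached to the port is in the current AD

def ad_permits(ad_type: str, s: Session, view_only: bool = False) -> bool:
    """True if Table 5 lets a command of this AD type run in session s."""
    if not 0 <= s.current_ad <= 255:
        raise ValueError(f"AD number out of range: {s.current_ad}")
    if ad_type == "Allowed":
        return True
    if ad_type == "PhysFabricOnly":
        return s.current_ad == AD255 and s.owns_all_ads and s.rbac_admin
    if ad_type == "Disallowed":
        return s.current_ad in (AD0, AD255)
    if ad_type == "PortMember":
        # Assumption: membership that allows control also allows viewing.
        return s.port_in_ad or (view_only and s.device_in_ad)
    if ad_type == "AD0Disallowed":
        return s.current_ad == AD255 or (s.current_ad == AD0 and not s.ads_configured)
    if ad_type == "AD0Only":
        return s.current_ad == AD0 and not s.ads_configured
    raise ValueError(f"unknown AD type: {ad_type}")

AD_TYPES = ("Allowed", "PhysFabricOnly", "Disallowed",
            "PortMember", "AD0Disallowed", "AD0Only")

def permitted_types(s: Session, view_only: bool = False) -> list[str]:
    """AD types whose commands the session may execute."""
    return [t for t in AD_TYPES if ad_permits(t, s, view_only)]

if __name__ == "__main__":
    # Constructed sessions: a user in AD5, and a fabric admin in AD255.
    print(permitted_types(Session(current_ad=5, ads_configured=True, port_in_ad=True)))
    print(permitted_types(Session(255, True, owns_all_ads=True, rbac_admin=True)))
```
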
