Role-based access control, Table 12 – Dell POWEREDGE M1000E User Manual


134

Fabric OS Administrator’s Guide

53-1002745-02

User accounts overview

5

Fabric OS provides four options for authenticating users: remote RADIUS service, remote LDAP
service, remote TACACS+ service, and the local-switch user database. All options allow users to be
managed centrally by means of the following methods:

• Remote RADIUS service: Users are managed in a remote RADIUS server. All switches in the
fabric can be configured to authenticate against the centralized remote database.

• Remote LDAP service: Users are managed in a remote LDAP server. All switches in the fabric
can be configured to authenticate against the centralized remote database. The remote LDAP
server can run Microsoft Active Directory or OpenLDAP.

• Remote TACACS+ service: Users are managed in a remote TACACS+ server. All switches in the
fabric can be configured to authenticate against the centralized remote database.

• Local user database: Users are managed by means of the local user database. The local user
database is manually synchronized by means of the distribute command to push a copy of the
switch’s local user database to all other switches in the fabric running Fabric OS v5.3.0 and
later, but the distribute command is blocked if users with user-defined roles exist on the
sending switch or on any remote, receiving switch.

Role-Based Access Control

Role-Based Access Control (RBAC) specifies the permissions that a user account has on the basis
of the role the account has been assigned. For each role, a set of predefined permissions
determines the jobs and tasks that can be performed on a fabric and its associated fabric
elements. Fabric OS uses RBAC to determine which commands a user is allowed to access.

When you log in to a switch, your user account is associated with a predefined role or a
user-defined role. The role that your account is associated with determines the level of access you
have on that switch and in the fabric. The chassis role can also be associated with user-defined
roles; it has permissions for RBAC classes of commands that are configured when user-defined
roles are created. The chassis role is similar to a switch-level role, except that it affects a different
subset of commands. You can use the userConfig command to add this permission to a user
account.

Table 12 outlines the Fabric OS predefined (default) roles.

TABLE 12    Default Fabric OS roles

Role name         Duties                            Description
Admin             All administration                All administrative commands
BasicSwitchAdmin  Restricted switch administration  Mostly monitoring with limited switch (local) commands
FabricAdmin       Fabric and switch administration  All switch and fabric commands, excluding user management and Admin Domains commands
Operator          General switch administration     Routine switch-maintenance commands
SecurityAdmin     Security administration           All switch security and user management functions
SwitchAdmin       Local switch administration       Most switch (local) commands, excluding security, user management, and zoning commands
User              Monitoring only                   Nonadministrative use, such as monitoring system activity
ZoneAdmin         Zone administration               Zone management commands only
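The following is an added example, not code from the Fabric OS guide: it models the Table 12 roles as sets of command classes so that an administrator can pick the least-privileged predefined role that covers what an account actually needs, and it encodes the distribute rule from the local user database description above. The command-class names and the exact class membership of each role are assumptions that approximate the table's wording ("most", "mostly"), not Fabric OS's real RBAC classes.

```python
"""Coarse model of the Fabric OS predefined roles (Table 12) for least-privilege
role selection. Added example; class names and memberships are assumptions."""
from typing import Dict, FrozenSet, Iterable, List

# Assumed command classes, chosen to mirror the wording of Table 12.
CLASSES = frozenset({"monitor", "local", "fabric", "zoning",
                     "security", "user_mgmt", "admin_domain"})

# Approximation of Table 12 (constructed): each role -> classes it may run.
ROLES: Dict[str, FrozenSet[str]] = {
    "Admin":            CLASSES,
    "BasicSwitchAdmin": frozenset({"monitor"}),
    "FabricAdmin":      CLASSES - {"user_mgmt", "admin_domain"},
    "Operator":         frozenset({"monitor", "local"}),
    "SecurityAdmin":    frozenset({"monitor", "security", "user_mgmt"}),
    "SwitchAdmin":      frozenset({"monitor", "local"}),
    "User":             frozenset({"monitor"}),
    "ZoneAdmin":        frozenset({"zoning"}),
}


def is_allowed(role: str, cmd_class: str) -> bool:
    """True if an account holding `role` may run a command in `cmd_class`."""
    if cmd_class not in CLASSES:
        raise ValueError(f"unknown command class: {cmd_class}")
    return cmd_class in ROLES[role]


def least_privilege_roles(needed: Iterable[str]) -> List[str]:
    """Predefined roles covering every needed class with the fewest extra
    classes. Ties are returned alphabetically; [] if no single role fits."""
    need = frozenset(needed)
    if not need <= CLASSES:
        raise ValueError(f"unknown command classes: {sorted(need - CLASSES)}")
    covering = [(len(perms - need), name)
                for name, perms in ROLES.items() if need <= perms]
    if not covering:
        return []
    fewest_extra = min(extra for extra, _ in covering)
    return sorted(name for extra, name in covering if extra == fewest_extra)


def distribute_allowed(sender_has_user_defined_roles: bool,
                       receivers_have_user_defined_roles: Iterable[bool]) -> bool:
    """The guide's rule for `distribute`: the push of the local user database is
    blocked if user-defined roles exist on the sending or any receiving switch."""
    return not (sender_has_user_defined_roles
                or any(receivers_have_user_defined_roles))
```

Note that an account needing both user management and zoning cannot be served by any single role short of Admin in this model, which is the signal to split those duties across two accounts rather than grant full administration.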
