Role-based access control (rbac), Table 10, Role-based access control – Dell POWEREDGE M1000E User Manual

84

Fabric OS Administrator’s Guide

53-1001763-02

User accounts overview

5

Fabric OS provides three options for authenticating users—remote RADIUS services, remote LDAP
service, and the local switch user database. All options allow users to be centrally managed using
the following methods:

•

Remote RADIUS server: Users are managed in a remote RADIUS server. All switches in the
fabric can be configured to authenticate against the centralized remote database.

•

Remote LDAP server: Users are managed in a remote LDAP server. All switches in the fabric
can be configured to authenticate against the centralized remote database.

•

Local user database: Users are managed using the local user database. The local user
database is manually synchronized using the distribute command to push a copy of the
switch’s local user database to all other Fabric OS v5.3.0 and later switches in the fabric.

Role-Based Access Control (RBAC)

Role-Based Action Control (RBAC) defines the capabilities that a user account has based on the
role the account has been assigned. For each role, there is a set of predefined permissions on the
jobs and tasks that can be performed on a fabric and its associated fabric elements. Fabric OS
uses RBAC to determine which commands a user can issue.

When you log in to a switch, your user account is associated with a predefined role. The role that
your account is associated with determines the level of access you have on that switch and in the
fabric. The chassis-role permission is not a role like the other role types, but a permission that is
applied to a user account. You can use the userConfig command to add this permission to a user
account. For clarity, this permission has been added to

Table 10

, which outlines the Fabric OS

predefined roles.

Admin Domain considerations: Legacy users with no Admin Domain specified and their current role
is admin will have access to AD 0 through 255 (physical fabric admin); otherwise, they will have
access to AD0 only.

If some Admin Domains have been defined for the user and all of them are inactive, the user will
not be allowed to log in to any switch in the fabric. If no Home Domain is specified for a user, the
system provides a default home domain.

TABLE 10

Fabric OS roles

Role name

Duties

Description

Admin

All administration

All administrative commands excluding
chassis-specific commands.

BasicSwitchAdmin

Restricted switch administration

Mostly monitoring with limited switch (local)
commands.

FabricAdmin

Fabric and switch administration All switch and fabric commands, excludes user

management and Admin Domains commands.

Operator

General switch administration

Routine switch maintenance commands.

SecurityAdmin

Security administration

All switch security and user management functions.

SwitchAdmin

Local switch administration

Most switch (local) commands, excludes security, user
management, and zoning commands.

User

Monitoring only

Nonadministrative use, such as monitoring system
activity.

ZoneAdmin

Zone administration

Zone management commands only.