Common Roles
The CLI and SNMP use common roles in all Cisco MDS 9000 Series Switches. You can use the CLI to modify
a role that was created using SNMP and vice versa.
Users, passwords, and roles for all CLI and SNMP users are the same. A user configured through the CLI can
access the switch using SNMP (for example, the Fabric Manager or the Device Manager) and vice versa.
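This chapter includes the following sections:
• Role-Based Authorization
• Role Distributions
• Configuring Common Roles
• Configuring User Accounts
• Default Settings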
Role-Based Authorization
Switches in the Cisco MDS 9000 Family perform authorization based on roles. Role-based authorization
limits access to switch operations by assigning users to roles. This kind of authorization restricts you to
management operations based on the roles to which you have been added.
When you execute a command, perform command completion, or obtain context-sensitive help, the switch
software allows the operation to progress only if you have permission to access that command.
About Roles
Each role can contain multiple users and each user can be part of multiple roles. For example, if role1 users
are only allowed access to configuration commands, and role2 users are only allowed access to debug
commands, then if Joe belongs to both role1 and role2, he can access configuration as well as debug commands.
Note
If you belong to multiple roles, you can execute a union of all the commands permitted by these roles. Access
to a command takes priority over being denied access to a command. For example, suppose you belong to a
TechDocs group and you were denied access to configuration commands. However, you also belong to the
engineering group and have access to configuration commands. In this case, you will have access to
configuration commands.
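The union rule in this note can be checked mechanically when reviewing role assignments. The following Python code is an added example, not Cisco code or switch syntax: it models each role as sets of permitted and denied command categories (an assumed simplification; `ROLES`, `USERS`, `effective_access` and `overridden_denies` are hypothetical names) and reports every deny that another role membership overrides.

```python
# Added example: models the multi-role union rule described above.
# The category-level role model and all data below are constructed
# for illustration; this is not switch configuration syntax.
ROLES = {
    "role1":       {"permit": {"config"}, "deny": set()},
    "role2":       {"permit": {"debug"}, "deny": set()},
    "TechDocs":    {"permit": {"show"}, "deny": {"config"}},
    "engineering": {"permit": {"config", "show"}, "deny": set()},
}
USERS = {"joe": ["role1", "role2"], "intern": ["TechDocs"],
         "writer": ["TechDocs", "engineering"]}

def _lookup(role_names, roles):
    """Resolve role names, failing loudly on a name that is not defined."""
    missing = [r for r in role_names if r not in roles]
    if missing:
        raise ValueError(f"undefined role(s): {', '.join(missing)}")
    return {r: roles[r] for r in role_names}

def effective_access(role_names, roles=ROLES):
    """Union of every category permitted by any of the user's roles."""
    permitted = set()
    for role in _lookup(role_names, roles).values():
        permitted |= role["permit"]
    return permitted

def overridden_denies(role_names, roles=ROLES):
    """Map each denied category to (denying roles, permitting roles)
    when a permit in another role takes priority over the deny."""
    resolved = _lookup(role_names, roles)
    findings = {}
    for name, role in resolved.items():
        for category in role["deny"]:
            permitters = sorted(n for n, r in resolved.items()
                                if category in r["permit"])
            if permitters:
                deniers, _ = findings.setdefault(category, ([], permitters))
                deniers.append(name)
    return findings

if __name__ == "__main__":
    for user, memberships in USERS.items():
        print(user, sorted(effective_access(memberships)),
              overridden_denies(memberships))
```

A non-empty result from `overridden_denies` marks a user whose restriction in one role has no effect, which is the case to look for in a least-privilege review.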
Cisco MDS 9000 Series Security Configuration Guide, Release 8.x, Chapter 4