Configuring the VSAN Policy; Modifying the VSAN Policy - Cisco MDS 9000 Series Configuration Manual

Common Roles
Allows users belonging to the sangroup role to perform all configuration commands except fspf config
commands. They can also perform zone debug commands and the fcping EXEC mode command.
Step 4
switch(config-role)# no rule 4
Deletes rule 4, so the sangroup role is no longer permitted to perform the fcping command.
Example
In Step 3, rule 1 is applied first, thus permitting sangroup users access to all config commands. Rule
2 is applied next, denying FSPF configuration to sangroup users. As a result, sangroup users can
perform all other config commands, except fspf configuration commands.

Configuring the VSAN Policy

Configuring the VSAN policy requires the ENTERPRISE_PKG license (for more information, see the Cisco
MDS 9000 Family NX-OS Licensing Guide).
You can configure a role so that it only allows tasks to be performed for a selected set of VSANs. By default,
the VSAN policy for any role is permit, which allows tasks to be performed for all VSANs. To selectively
allow VSANs for a role, set the VSAN policy to deny, and then set the configuration to permit for the
appropriate VSANs.
Note
Users configured in roles where the VSAN policy is set to deny cannot modify the configuration for E ports.
They can only modify the configuration for F or FL ports (depending on whether the configured rules allow
such configuration to be made). This is to prevent such users from modifying configurations that may impact
the core topology of the fabric.
Tip
Roles can be used to create VSAN administrators. Depending on the configured rules, these VSAN
administrators can configure MDS features (for example, zone, fcdomain, or VSAN properties) for their
VSANs without affecting other VSANs. Also, if the role permits operations in multiple VSANs, then the
VSAN administrators can change VSAN membership of F or FL ports among these VSANs.
Users belonging to roles in which the VSAN policy is set to deny are referred to as VSAN-restricted users.
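
The following is an added example, not part of the Cisco guide: a Python audit that reads role definitions and reports which roles are left at the default permit policy (all VSANs) and which are VSAN-restricted. The indented config layout and the `vsan policy` / `permit vsan` line forms are assumed here; the role name fabric-ops and all VSAN numbers are constructed sample data.

```python
import re

# Constructed sample input (assumed layout). "sangroup" is the role named on
# this page; "fabric-ops" and the VSAN numbers are made up for illustration.
SAMPLE_CONFIG = """\
role name sangroup
  rule 1 permit config
  rule 2 deny config feature fspf
  rule 3 permit debug feature zone
  vsan policy deny
    permit vsan 10-30
    permit vsan 45
role name fabric-ops
  rule 1 permit config
"""

def expand_vsans(spec):
    """Turn '10-30' or '45' into a set of VSAN ids."""
    lo, _, hi = spec.partition("-")
    return set(range(int(lo), int(hi or lo) + 1))

def parse_roles(config_text):
    """Return {role: {'policy': 'permit'|'deny', 'vsans': set_of_ids}}."""
    roles, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"role name (\S+)", line):
            # The default VSAN policy for any role is permit (all VSANs).
            current = roles.setdefault(m.group(1), {"policy": "permit", "vsans": set()})
        elif current is None:
            continue  # ignore anything before the first role block
        elif m := re.fullmatch(r"vsan policy (permit|deny)", line):
            current["policy"] = m.group(1)
        elif m := re.fullmatch(r"permit vsan (\d+(?:-\d+)?)", line):
            current["vsans"] |= expand_vsans(m.group(1))
    return roles

def audit(roles):
    """Flag roles that are not VSAN-restricted, or are restricted to nothing."""
    findings = []
    for name, role in sorted(roles.items()):
        if role["policy"] == "permit":
            findings.append((name, "unrestricted: tasks allowed in all VSANs"))
        elif not role["vsans"]:
            findings.append((name, "policy deny with no VSAN permitted"))
    return findings

if __name__ == "__main__":
    for name, issue in audit(parse_roles(SAMPLE_CONFIG)):
        print("FINDING", name, issue)
```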

Modifying the VSAN Policy

To modify the VSAN policy for an existing role, follow these steps:
Note
• Beginning with NX-OS Release 4.x, the VSAN enforcement is done only for non-show commands. The
show commands are excluded.
• In SAN-OS Release 3.x and lower, the VSAN enforcement is done for non-show commands, but not
all the show commands are enforced.
Cisco MDS 9000 Series Security Configuration Guide, Release 8.x