Chapter 32 Configuring User And Common Role; Modifying Profiles; Configuring The Vsan Policy - Cisco AP776A - Nexus Converged Network Switch 5020 Configuration Manual

Cisco MDS 9000 Family CLI Configuration Guide - Release 4.x (OL-18084-01, February 2009)

Chapter 32
Configuring Users and Common Roles
Send documentation comments to mdsfeedback-doc@cisco.com

The rule command specifies operations that can be performed by a specific role. Each rule consists of a rule number, a rule type (permit or deny), a command type (for example, config, clear, show, exec, debug), and an optional feature name (for example, FSPF, zone, VSAN, fcping, or interface).

Note: In this case, exec commands refer to all commands in the EXEC mode that do not fall in the show, debug, and clear command categories.

Modifying Profiles

To modify the profile for an existing role, follow these steps:

Step 1
Command:
switch# config t
Purpose: Enters configuration mode.

Step 2
Command:
switch(config)# role name sangroup
switch(config-role)#
Purpose: Places you in role configuration submode for the existing role sangroup.

Step 3
Command:
switch(config-role)# rule 1 permit config
switch(config-role)# rule 2 deny config feature fspf
switch(config-role)# rule 3 permit debug feature zone
switch(config-role)# rule 4 permit exec feature fcping
Purpose: Allows users belonging to the sangroup role to perform all configuration commands except fspf config commands. They can also perform zone debug commands and the fcping EXEC mode command.

Step 4
Command:
switch(config-role)# no rule 4
Purpose: Deletes rule 4, which no longer permits the sangroup to perform the fcping command.

In Step 3, rule 1 is applied first, thus permitting sangroup users access to all config commands. Rule 2 is applied next, denying FSPF configuration to sangroup users. As a result, sangroup users can perform all other config commands, except fspf configuration commands.

Note: The order of rule placement is important. If you had swapped these two rules and issued the deny config feature fspf rule first and issued the permit config rule next, you would be allowing all sangroup users to perform all configuration commands because the second rule globally overrode the first rule.

Configuring the VSAN Policy

Configuring the VSAN policy requires the ENTERPRISE_PKG license (see Chapter 3, "Obtaining and Installing Licenses").

You can configure a role so that it only allows tasks to be performed for a selected set of VSANs. By default, the VSAN policy for any role is permit, which allows tasks to be performed for all VSANs. To selectively allow VSANs for a role, set the VSAN policy to deny, and then set the configuration to permit for the appropriate VSANs.

Note: Users configured in roles where the VSAN policy is set to deny cannot modify the configuration for E ports. They can only modify the configuration for F or FL ports (depending on whether the configured rules allow such configuration to be made). This is to prevent such users from modifying configurations that may impact the core topology of the fabric.
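The rule-ordering behavior described under Modifying Profiles can be checked offline before a role is deployed. The following is an added example, not Cisco code and not part of the original guide: a simplified Python model in which rules are applied in ascending rule number and the last matching rule wins, used to flag deny rules that a later permit rule cancels. The function names and the "last match wins" model are assumptions drawn from the Step 3 explanation and the note on rule placement.

```python
import re

# Rule syntax as shown in Step 3: rule <n> permit|deny <type> [feature <name>]
RULE_RE = re.compile(
    r"\brule\s+(\d+)\s+(permit|deny)\s+(\w+)(?:\s+feature\s+([\w-]+))?\s*$")
NO_RULE_RE = re.compile(r"\bno\s+rule\s+(\d+)\b")

# Sample input: the Step 3 rules, and the swapped order the note describes.
PAGE_ORDER = """\
switch(config-role)# rule 1 permit config
switch(config-role)# rule 2 deny config feature fspf
switch(config-role)# rule 3 permit debug feature zone
switch(config-role)# rule 4 permit exec feature fcping
"""
SWAPPED = """\
switch(config-role)# rule 1 deny config feature fspf
switch(config-role)# rule 2 permit config
"""

def parse_rules(config_text):
    """Return [(number, action, cmd_type, feature_or_None)] sorted by number."""
    rules = {}
    for line in config_text.splitlines():
        deleted = NO_RULE_RE.search(line)
        if deleted:                       # "no rule N" removes rule N (Step 4)
            rules.pop(int(deleted.group(1)), None)
            continue
        m = RULE_RE.search(line)
        if m:
            num, action, cmd_type, feature = m.groups()
            rules[int(num)] = (int(num), action, cmd_type, feature)
    return [rules[n] for n in sorted(rules)]

def decide(rules, cmd_type, feature=None):
    """Apply rules in ascending order; the last matching rule wins.
    Returns None when no rule matches (the page does not state the default)."""
    verdict = None
    for _num, action, r_type, r_feature in rules:
        if r_type == cmd_type and r_feature in (None, feature):
            verdict = action
    return verdict

def shadowed_denies(rules):
    """List (deny_rule, permit_rule) pairs where a later permit cancels a deny."""
    return [(n, ln) for n, a, t, f in rules if a == "deny"
            for ln, la, lt, lf in rules
            if ln > n and la == "permit" and lt == t and lf in (None, f)]
```

Running shadowed_denies over a role's rule list before applying it surfaces the misordering the note warns about; an empty result means no deny rule is overridden by a later permit of the same command type.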
