Creating Roles in Nexus 5000

Unanswered Question
Jan 15th, 2010

Has anyone created a role for just the SAN guys to come in and config the zone information? And are there any good places out there that can help me to define what I can and cannot add to a role. Thanks

paul.matthews Wed, 02/10/2010 - 07:36

I am in a similar position. I need to define four roles - Network admin/operators and SAN admin/operators. The document on RBAC is one of those that is probably accurate, but not a great deal of use - what it really needs is a few examples that we could use as starting points.

So, has anyone set up RBAC yet, and would they mind sharing what they did?
paul.matthews Mon, 02/15/2010 - 01:06

I have soldiered on and made a first stab at RBAC. It might help you get a start. I am fully expecting that once we try using the roles there will be glaring errors. We are taking the position that initially we will have three users, and everyone knows all the passwords while we sort out the roles properly. The standard admin, a san-admin and a net-admin, so that not having access does not delay things. Once we are happy, the main admin will be a "sealed envelope" job.

I would appreciate anyone pointing out any glaring omissions!

role feature-group name My-SAN-Features
  feature license
  feature fc-qos
  feature fcanalyzer
  feature fcns
  feature fcsp
  feature fdmi
  feature ficon
  feature fspf
  feature iscsi
  feature isns
  feature ivr
  feature rlir
  feature rscn
  feature san-ext-tuner
  feature sfm
  feature sme
  feature sme-kmc-admin
  feature sme-recovery-officer
  feature sme-stg-admin
  feature vsan
  feature wwnm
  feature zone
role feature-group name My-NET-Features
  feature aaa
  feature access-list
  feature arp
  feature callhome
  feature cdp
  feature install
  feature l3vm
  feature license
  feature ping
  feature platform
  feature radius
  feature snmp
  feature syslog
  feature tacacs
  feature eth-span
  feature ethanalyzer
  feature spanning-tree
  feature svi
  feature vlan
  feature acl
  feature cloud
  feature mpls-tunnel
  feature span
role name default-role
  description This is a system defined role and applies to all users.

role name My-net-admin
  description This role is read-write for network staff
  rule 100 permit read-write feature-group My-NET-Features
  rule 90 permit command configure terminal ; interface *
  rule 10 permit read
  vsan policy deny
  interface policy deny
    permit interface mgmt0
    permit interface port-channel1-4096
    permit interface Ethernet1/1-40
role name My-san-admin
  description This role is read-write for SMS staff
  rule 100 permit read-write feature-group My-SAN-Features
  rule 90 permit command configure terminal ; interface *
  rule 10 permit read
  interface policy deny
    permit interface fc2/1-4
    permit interface san-port-channel 1-256

pndennie93 Wed, 02/17/2010 - 06:37

Sorry for the delay; this is what I did to create a SAN admin for the storage guys, and it is working pretty well.

role name SAN_ADMIN
  rule 3 permit read-write feature zone
  rule 2 permit command show zone *; device-alias *; zoneset *
  rule 1 permit command sho running-config

It is pretty simple but lets them add their zone and device info without having to enlist our team's help.
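Both role definitions in this thread (paul.matthews' My-san-admin and pndennie93's SAN_ADMIN) are easy to get subtly wrong: a rule that references a feature-group under one name while the group is defined under another silently grants nothing, and the effect of a set of command rules depends on the order in which NX-OS evaluates them (highest rule number first, first match wins). The following script is an added example, not code from either poster or from Cisco; it lints a constructed copy of the posted config for dangling feature-group references and simulates command-rule matching. The simulation is a simplified model and an assumption: it treats `permit command` patterns as shell-style wildcards, treats a bare `permit read` as allowing `show` commands, and does not model `feature`/`feature-group` rules, because the feature-to-command mapping lives in the platform, not in the config.

```python
"""Lint NX-OS style role definitions as posted in this thread.

SAMPLE_CONFIG below is a constructed excerpt of the posted roles (the dangling
FJ-SAN-Features reference is kept on purpose so the linter has something to find).
Rule evaluation model (assumption, simplified): descending rule number, first
matching rule decides, default deny; 'permit command' patterns are fnmatch globs.
"""
import fnmatch
import re

SAMPLE_CONFIG = """\
role feature-group name My-SAN-Features
  feature zone
  feature vsan
role name My-san-admin
  description This role is read-write for SAN staff
  rule 100 permit read-write feature-group FJ-SAN-Features
  rule 90 permit command configure terminal ; interface *
  rule 10 permit read
role name SAN_ADMIN
  rule 3 permit read-write feature zone
  rule 2 permit command show zone *; device-alias *; zoneset *
  rule 1 permit command sho running-config
"""

RULE_RE = re.compile(r"rule (\d+) (permit|deny) (read-write|read|command) ?(.*)")


def parse_roles(text):
    """Return ({group: [features]}, {role: [(num, action, scope, arg)]})."""
    groups, roles = {}, {}
    current = None  # ("group", name) or ("role", name)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"role feature-group name (\S+)", line)
        if m:
            current = ("group", m.group(1))
            groups[m.group(1)] = []
            continue
        m = re.match(r"role name (\S+)", line)
        if m:
            current = ("role", m.group(1))
            roles[m.group(1)] = []
            continue
        if current is None:
            continue
        kind, name = current
        if kind == "group" and line.startswith("feature "):
            groups[name].append(line.split(None, 1)[1])
        elif kind == "role":
            m = RULE_RE.match(line)
            if m:
                roles[name].append(
                    (int(m.group(1)), m.group(2), m.group(3), m.group(4).strip()))
    return groups, roles


def undefined_feature_groups(groups, roles):
    """List (role, rule number, group) for rules that name a group never defined."""
    missing = []
    for role, rules in roles.items():
        for num, _action, scope, arg in rules:
            if scope == "read-write" and arg.startswith("feature-group "):
                group = arg.split(None, 1)[1]
                if group not in groups:
                    missing.append((role, num, group))
    return missing


def command_allowed(rules, command):
    """Decide a command under the simplified model described at the top."""
    for num, action, scope, arg in sorted(rules, reverse=True):
        if scope == "command":
            patterns = [p.strip() for p in arg.split(";")]
            if any(fnmatch.fnmatch(command, p) for p in patterns):
                return action == "permit"
        elif scope == "read" and arg == "" and command.startswith("show "):
            return action == "permit"
    return False  # no matching rule: NX-OS denies by default


if __name__ == "__main__":
    groups, roles = parse_roles(SAMPLE_CONFIG)
    for role, num, group in undefined_feature_groups(groups, roles):
        print(f"{role}: rule {num} references undefined feature-group {group}")
    for cmd in ("show zone active", "configure terminal", "show running-config"):
        print(f"SAN_ADMIN {cmd!r}: {command_allowed(roles['SAN_ADMIN'], cmd)}")
```

Run against the constructed config it reports the FJ-SAN-Features reference, and shows that SAN_ADMIN can run `show zone active` (rule 2) but gets no match, and therefore a deny, for `configure terminal`. Note that the model does not expand abbreviations, so `sho running-config` in rule 1 only matches that exact spelling; whether the real platform treats the abbreviation as equivalent is something to verify on the switch itself.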

pzpgd1mlf Thu, 03/11/2010 - 12:40

This is excellent. I have just one question: how does RBAC work with TACACS? Or is this just for users doing local authentication? Thanks
