I have soldiered on and mde a first stab at RBAC. It might help you get a start. I am fully expecting that once we try using theroles there are glaring errors. We are taking the position that initially we will have three users, and everyone knows all the passwords while we sort out the roles properly. The standard admin, a san-admin and net-admin, so that not having access does not delay things. Once we are happy, the main admin will be a "sealed envelope" job.
I would appreciate anyone pointing out any glaring omissions!
role feature-group name My-SAN-Features
feature license
feature fc-qos
feature fcanalyzer
feature fcns
feature fcsp
feature fdmi
feature ficon
feature fspf
feature iscsi
feature isns
feature ivr
feature rlir
feature rscn
feature san-ext-tuner
feature sfm
feature sme
feature sme-kmc-admin
feature sme-recovery-officer
feature sme-stg-admin
feature vsan
feature wwnm
feature zone
role feature-group name My-NET-Features
feature aaa
feature access-list
feature arp
feature callhome
feature cdp
feature install
feature l3vm
feature license
feature ping
feature platform
feature radius
feature snmp
feature syslog
feature tacacs
feature eth-span
feature ethanalyzer
feature spanning-tree
feature svi
feature vlan
feature acl
feature cloud
feature mpls-tunnel
feature span
role name default-role
description This is a system defined role and applies to all users.
role name My-net-admin
description This role is read-write for network staff
rule 100 permit read-write feature-group FJ-NET-Features
rule 90 permit command configure terminal ; interface *
rule 10 permit read
vsan policy deny
interface policy deny
permit interface mgmt0
permit interface port-channel1-4096
permit interface Ethernet1/1-40
role name My-san-admin
description This role is read-write for SMS staff
rule 100 permit read-write feature-group FJ-SAN-Features
rule 90 permit command configure terminal ; interface *
rule 10 permit read
interface policy deny
permit interface fc2/1-4
permit interface san-port-channel 1-256
