01-15-2010 01:46 PM
Has anyone created a role for just SAN guys to come in and config the zone information? And are there any good places out there that can help me to define what I can and cannot add to a role? Thanks
01-16-2010 02:48 AM
Hi,
Check out the link below; hope that clears up your query!!
If helpful, do rate the valuable post!!
Regards
Ganesh.H
02-10-2010 07:36 AM
I am in a similar position. I need to define four roles - Network admin/operators and SAN admin/operators. The document on RBAC is one of those that is probably accurate, but not a great deal of use - what it really needs is a few examples that we could use as start points.
So, has anyone set up RBAC yet, and would they mind sharing what they did?
Thanks,
Paul.
02-15-2010 01:06 AM
I have soldiered on and made a first stab at RBAC. It might help you get a start. I am fully expecting that once we try using the roles there are glaring errors. We are taking the position that initially we will have three users, and everyone knows all the passwords while we sort out the roles properly. The standard admin, a san-admin and net-admin, so that not having access does not delay things. Once we are happy, the main admin will be a "sealed envelope" job.
I would appreciate anyone pointing out any glaring omissions!
role feature-group name My-SAN-Features
  feature license
  feature fc-qos
  feature fcanalyzer
  feature fcns
  feature fcsp
  feature fdmi
  feature ficon
  feature fspf
  feature iscsi
  feature isns
  feature ivr
  feature rlir
  feature rscn
  feature san-ext-tuner
  feature sfm
  feature sme
  feature sme-kmc-admin
  feature sme-recovery-officer
  feature sme-stg-admin
  feature vsan
  feature wwnm
  feature zone
role feature-group name My-NET-Features
  feature aaa
  feature access-list
  feature arp
  feature callhome
  feature cdp
  feature install
  feature l3vm
  feature license
  feature ping
  feature platform
  feature radius
  feature snmp
  feature syslog
  feature tacacs
  feature eth-span
  feature ethanalyzer
  feature spanning-tree
  feature svi
  feature vlan
  feature acl
  feature cloud
  feature mpls-tunnel
  feature span
role name default-role
  description This is a system defined role and applies to all users.
role name My-net-admin
  description This role is read-write for network staff
  rule 100 permit read-write feature-group My-NET-Features
  rule 90 permit command configure terminal ; interface *
  rule 10 permit read
  vsan policy deny
  interface policy deny
    permit interface mgmt0
    permit interface port-channel1-4096
    permit interface Ethernet1/1-40
role name My-san-admin
  description This role is read-write for SMS staff
  rule 100 permit read-write feature-group My-SAN-Features
  rule 90 permit command configure terminal ; interface *
  rule 10 permit read
  interface policy deny
    permit interface fc2/1-4
    permit interface san-port-channel 1-256
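A cross-check for role configuration written in the style of the post above, added here as an example and not part of the original post: it parses the text and reports rules that name a feature-group the configuration never defines, plus feature-groups no rule uses. The sample configuration and every name in it are constructed for illustration.

```python
import re

# Constructed sample in the style of the role configuration posted above.
# Group and role names are made up; rule 100 of lab-net-admin deliberately
# names a feature-group that is never defined.
SAMPLE_CONFIG = """\
role feature-group name Lab-SAN-Features
  feature vsan
  feature zone
role feature-group name Lab-NET-Features
  feature vlan
role name lab-san-admin
  rule 100 permit read-write feature-group Lab-SAN-Features
  rule 10 permit read
role name lab-net-admin
  rule 100 permit read-write feature-group Old-NET-Features
  rule 90 permit command configure terminal ; interface *
  rule 10 permit read
"""

GROUP_DEF = re.compile(r"^role feature-group name (\S+)$")
ROLE_DEF = re.compile(r"^role name (\S+)$")
RULE = re.compile(r"^rule (\d+) (?:permit|deny) (.+)$")
# Only read / read-write rules take a feature-group; "command" rules are
# skipped so a command string containing the word cannot false-match.
GROUP_REF = re.compile(r"^(?:read-write|read) feature-group (\S+)$")


def lint_roles(config_text):
    """Return {'undefined': [(role, rule_no, group)], 'unused': [group]}."""
    defined, referenced, refs, role = set(), set(), [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := GROUP_DEF.match(line):
            defined.add(m.group(1))
            role = None          # following "feature" lines belong to the group
        elif m := ROLE_DEF.match(line):
            role = m.group(1)
        elif role and (m := RULE.match(line)):
            if g := GROUP_REF.match(m.group(2)):
                refs.append((role, int(m.group(1)), g.group(1)))
                referenced.add(g.group(1))
    # Checked after the full pass so groups defined later in the text count.
    undefined = sorted(r for r in refs if r[2] not in defined)
    return {"undefined": undefined, "unused": sorted(defined - referenced)}


if __name__ == "__main__":
    print(lint_roles(SAMPLE_CONFIG))
```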
02-17-2010 06:37 AM
Sorry for the delay. This is what I did to create a SAN admin for the storage guys, and it is working pretty well.
role name SAN_ADMIN
  rule 3 permit read-write feature zone
  rule 2 permit command show zone *; device-alias *; zoneset *
  rule 1 permit command sho running-config
It is pretty simple but lets them add their zone and device info without having to enlist our team's help.
03-11-2010 12:40 PM
This is excellent. I have just one question: how does RBAC work with TACACS? Or is this just for users doing local authentication? Thanks