Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Creating Roles in Nexus 5000

Has any one created a role for just SAN guys to come in and config the zone information?  ANd are there any good places out there that can help me to define what I can and cannot add to a role.  Thanks

5 REPLIES

Re: Creating Roles in Nexus 5000

Hi,

Check out the below link hope that clears out query!!

http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/sec_rbac.html

If helpful do rate the valueable post !!

Regards

Ganesh.H

Re: Creating Roles in Nexus 5000

I am in a similar position. I need to define four roles -  Network admin/operators and San admin/operators. The document on RBAC is one of those that is probably accurate, but not a great deal of use - what it really needs is a few examples that we could use as start points.

So, has anyone set up RBAC yet, and would they mind sharing what they did?

Thanks,

Paul.

Re: Creating Roles in Nexus 5000

I have soldiered on and mde a first stab at RBAC. It might help you get a start. I am fully expecting that once we try using theroles there are glaring errors. We are taking the position that initially we will have three users, and everyone knows all the passwords while we sort out the roles properly. The standard admin, a san-admin and net-admin, so that not having access does not delay things. Once we are happy, the main admin will be a  "sealed envelope" job.

I would appreciate anyone pointing out any glaring omissions!


role feature-group name My-SAN-Features
  feature license
  feature fc-qos
  feature fcanalyzer
  feature fcns
  feature fcsp
  feature fdmi
  feature ficon
  feature fspf
  feature iscsi
  feature isns
  feature ivr
  feature rlir
  feature rscn
  feature san-ext-tuner
  feature sfm
  feature sme
  feature sme-kmc-admin
  feature sme-recovery-officer
  feature sme-stg-admin
  feature vsan
  feature wwnm
  feature zone
role feature-group name My-NET-Features
  feature aaa
  feature access-list
  feature arp
  feature callhome
  feature cdp
  feature install
  feature l3vm
  feature license
  feature ping
  feature platform
  feature radius
  feature snmp
  feature syslog
  feature tacacs
  feature eth-span
  feature ethanalyzer
  feature spanning-tree
  feature svi
  feature vlan
  feature acl
  feature cloud
  feature mpls-tunnel
  feature span
role name default-role
  description This is a system defined role and applies to all users.

role name My-net-admin
  description This role is read-write for network staff
  rule 100 permit read-write feature-group FJ-NET-Features
  rule 90 permit command configure terminal ; interface *
  rule 10 permit read
  vsan policy deny
  interface policy deny
    permit interface mgmt0
    permit interface port-channel1-4096
    permit interface Ethernet1/1-40
role name My-san-admin
  description This role is read-write for SMS  staff
  rule 100 permit read-write feature-group FJ-SAN-Features
  rule 90 permit command configure terminal ; interface *
  rule 10 permit read
  interface policy deny
    permit interface fc2/1-4
    permit interface san-port-channel 1-256

Community Member

Re: Creating Roles in Nexus 5000

Sorry for the delay this is what I did to create a SAN admin for the storage guys. And it is working pretty well.

role name SAN_ADMIN

     rule 3 permit read-write feature zone

     rule 2 permit command show zone *; device-alias *; zoneset *

     rule 1 permit command sho running-config

It is pretty simple but lets them add their zone and device info without having to enlist our temas help

Community Member

Re: Creating Roles in Nexus 5000

This is excelent. I have just one question, how RBAC works with TACACS? Or this is just for users doing local authentication? Thanks

1543
Views
0
Helpful
5
Replies
CreatePlease to create content