
User Role Policies – Cisco Storage Security
You can define user role policies to limit the switch resources that the user can access, or to limit access to interfaces, VLANs, and VSANs.
User role policies are constrained by the rules defined for the role. For example, if you define an interface policy to permit access to specific interfaces, the user does not have access to the interfaces unless you configure a command rule for the role to permit the interface command.
If a command rule permits access to specific resources (interfaces, VLANs, or VSANs), the user is permitted to access these resources, even if the user is not listed in the user role policies associated with that user.
Configuring the VSAN policy on Cisco MDS 9000 Series Switches requires the ENTERPRISE_PKG license.
You can configure a role so that it allows tasks to be performed only for a selected set of VSANs. By default, the VSAN policy for any role is permit, which allows tasks to be performed for all VSANs. To selectively allow VSANs for a role, set the VSAN policy to deny and then permit the appropriate VSANs.
Users configured in roles where the VSAN policy is set to deny cannot modify the configuration for E ports. They can only modify the configuration for F or FL ports (depending on whether the configured rules allow such configuration to be made). This is to prevent such users from modifying configurations that may impact the core topology of the fabric.
RBAC Sample Configuration
Example 20-4 shows the steps required to configure RBAC on an MDS switch.
Example 20-4 RBAC Configuration on MDS Switch
! Entering configuration mode.
switch# config terminal
! Creating a role and entering role submode to configure a description for the role.
switch(config)# role name sangroup
switch(config-role)# description Selective SAN group
! Configuring rules for the sangroup role. Allowing users belonging to the sangroup role to perform all configuration commands except fspf config commands.
switch(config-role)# rule 1 permit config
switch(config-role)# rule 2 deny config feature fspf
switch(config-role)# rule 3 permit debug feature zone
switch(config-role)# rule 4 permit exec feature fcping
! Deleting rule 3
switch(config-role)# no rule 3
! Configuring the VSAN policy for the sangroup role to deny and permitting selective VSANs from VSAN 15 through 20.
switch(config-role)# vsan policy deny
switch(config-role-vsan)# permit vsan 15-20
switch(config-role-vsan)# end
! Verifying sangroup role
switch# show role name sangroup
Role: sangroup
Description: Selective SAN group
Vsan policy: deny
Permitted vsans: 15-20
-------------------------------------------
Rule    Type    Command-type    Feature
-------------------------------------------
1       permit  config          *
2       deny    config          fspf
4       permit  exec            fcping
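To see how the rule list and the VSAN policy described above combine, here is an added Python model (not Cisco code, not part of the original example) that parses the `show role name sangroup` output from Example 20-4 and answers "would this role permit this command type, feature, and VSAN?". It assumes rules are evaluated from the highest rule number down and that a command matching no rule is denied; an auditor can feed it the output of other roles to check that a specific deny is not shadowed by a broad permit.

```python
"""Audit model of an NX-OS role from `show role name` output (added example)."""
import re

# Constructed copy of the `show role name sangroup` output shown on the page.
SHOW_ROLE = """\
Role: sangroup
Description: Selective SAN group
Vsan policy: deny
Permitted vsans: 15-20
-------------------------------------------
Rule    Type    Command-type    Feature
-------------------------------------------
1       permit  config          *
2       deny    config          fspf
4       permit  exec            fcping
"""

def parse_show_role(text):
    """Return {'rules': [(num, action, cmd_type, feature)], 'vsan_policy', 'vsans'}."""
    role = {"rules": [], "vsan_policy": "permit", "vsans": set()}
    for line in text.splitlines():
        m = re.match(r"(\d+)\s+(permit|deny)\s+(\S+)\s+(\S+)$", line)
        if m:
            role["rules"].append((int(m[1]), m[2], m[3], m[4]))
        elif line.startswith("Vsan policy:"):
            role["vsan_policy"] = line.split(":", 1)[1].strip()
        elif line.startswith("Permitted vsans:"):
            for rng in line.split(":", 1)[1].split(","):
                lo, _, hi = rng.strip().partition("-")
                role["vsans"].update(range(int(lo), int(hi or lo) + 1))
    return role

def command_permitted(role, cmd_type, feature):
    """Assumption: rules apply highest-number first; no match means deny.

    With this ordering the specific 'deny config fspf' (rule 2) is checked
    before the broad 'permit config *' (rule 1), which is what makes the
    page's 'all config except fspf' intent hold.
    """
    for _, action, rule_type, rule_feature in sorted(role["rules"], reverse=True):
        if rule_type == cmd_type and rule_feature in ("*", feature):
            return action == "permit"
    return False

def vsan_permitted(role, vsan):
    """VSAN policy permit allows all VSANs; deny allows only the listed ones."""
    return role["vsan_policy"] == "permit" or vsan in role["vsans"]
```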