Fabric OS Administrator's Guide, 53-1002745-02, page 134
Chapter 5: User accounts overview
Fabric OS provides four options for authenticating users: remote RADIUS service, remote LDAP service, remote TACACS+ service, and the local-switch user database. All options allow users to be managed centrally by means of the following methods:

• Remote RADIUS service: Users are managed in a remote RADIUS server. All switches in the fabric can be configured to authenticate against the centralized remote database.

• Remote LDAP service: Users are managed in a remote LDAP server. All switches in the fabric can be configured to authenticate against the centralized remote database. The remote LDAP server can run Microsoft Active Directory or OpenLDAP.

• Remote TACACS+ service: Users are managed in a remote TACACS+ server. All switches in the fabric can be configured to authenticate against the centralized remote database.

• Local user database: Users are managed by means of the local user database. The local user database is manually synchronized by means of the distribute command to push a copy of the switch's local user database to all other switches in the fabric running Fabric OS v5.3.0 and later, but the distribute command is blocked if users with user-defined roles exist on the sending switch or on any remote, receiving switch.
Role-Based Access Control
Role-Based Access Control (RBAC) specifies the permissions that a user account has on the basis
of the role the account has been assigned. For each role, a set of predefined permissions
determines the jobs and tasks that can be performed on a fabric and its associated fabric
elements. Fabric OS uses RBAC to determine which commands a user is allowed to access.
When you log in to a switch, your user account is associated with a predefined role or a
user-defined role. The role that your account is associated with determines the level of access you
have on that switch and in the fabric. The chassis role can also be associated with user-defined
roles; it has permissions for RBAC classes of commands that are configured when user-defined
roles are created. The chassis role is similar to a switch-level role, except that it affects a different
subset of commands. You can use the userConfig command to add this permission to a user
account.
Table 12 outlines the Fabric OS predefined (default) roles.

TABLE 12 Default Fabric OS roles

| Role name        | Duties                           | Description                                                                             |
|------------------|----------------------------------|-----------------------------------------------------------------------------------------|
| Admin            | All administration               | All administrative commands                                                             |
| BasicSwitchAdmin | Restricted switch administration | Mostly monitoring with limited switch (local) commands                                  |
| FabricAdmin      | Fabric and switch administration | All switch and fabric commands, excluding user management and Admin Domains commands    |
| Operator         | General switch administration    | Routine switch-maintenance commands                                                     |
| SecurityAdmin    | Security administration          | All switch security and user management functions                                       |
| SwitchAdmin      | Local switch administration      | Most switch (local) commands, excluding security, user management, and zoning commands  |
| User             | Monitoring only                  | Nonadministrative use, such as monitoring system activity                               |
| ZoneAdmin        | Zone administration              | Zone management commands only                                                           |
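The following Python model is an added example; it is not code from this guide or from Brocade, and it does not talk to a switch. It ties together the two rules this section states: a role fixes the set of command classes an account may run (the default roles of Table 12, with a separate chassis-level subset for a user-defined role), and the distribute command is blocked when an account with a user-defined role exists on the sending switch or on any receiving switch running Fabric OS v5.3.0 or later. The role names are the Table 12 defaults; the command-class names (monitor, switch-local, fabric, security, user-management, zoning, admin-domain) and the class-to-role mapping are an illustrative approximation of the table's Description column, not Brocade's real RBAC class list, and the sample fabric is constructed.

```python
"""Toy model of Fabric OS-style RBAC and the `distribute` precondition.

Added example, not the guide's or Brocade's code.  Command-class names and the
role-to-class mapping are hypothetical approximations of Table 12; the switch
data below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Illustrative command classes (hypothetical names, not Fabric OS class names).
MONITOR = "monitor"
SWITCH_LOCAL = "switch-local"
FABRIC = "fabric"
SECURITY = "security"
USER_MGMT = "user-management"
ZONING = "zoning"
ADMIN_DOMAIN = "admin-domain"
ALL_CLASSES = frozenset({MONITOR, SWITCH_LOCAL, FABRIC, SECURITY,
                         USER_MGMT, ZONING, ADMIN_DOMAIN})


@dataclass(frozen=True)
class Role:
    name: str
    classes: FrozenSet[str]                         # switch-level permissions
    chassis_classes: FrozenSet[str] = frozenset()   # separate chassis-level subset
    user_defined: bool = False


def _role(name: str, classes) -> Role:
    return Role(name, frozenset(classes))


# Table 12 defaults, approximated as class sets (chassis subset not modeled here).
PREDEFINED_ROLES: Dict[str, Role] = {r.name: r for r in [
    _role("admin", ALL_CLASSES),
    _role("basicswitchadmin", {MONITOR}),                        # "mostly monitoring"
    _role("fabricadmin", ALL_CLASSES - {USER_MGMT, ADMIN_DOMAIN}),
    _role("operator", {MONITOR, SWITCH_LOCAL}),                  # routine maintenance
    _role("securityadmin", {MONITOR, SECURITY, USER_MGMT}),
    _role("switchadmin", {MONITOR, SWITCH_LOCAL}),               # no security/user/zoning
    _role("user", {MONITOR}),
    _role("zoneadmin", {ZONING}),
]}


@dataclass(frozen=True)
class Account:
    name: str
    role: str


def is_allowed(account: Account, command_class: str,
               roles: Dict[str, Role] = PREDEFINED_ROLES, chassis: bool = False) -> bool:
    """Deny by default: an unknown role or an unknown command class grants nothing."""
    role = roles.get(account.role)
    if role is None or command_class not in ALL_CLASSES:
        return False
    granted = role.chassis_classes if chassis else role.classes
    return command_class in granted


def parse_fos_version(text: str) -> Tuple[int, ...]:
    """'v7.1.0' -> (7, 1, 0); used to pick switches that can receive the database."""
    return tuple(int(part) for part in text.lstrip("v").split("."))


@dataclass
class Switch:
    name: str
    fos_version: str
    accounts: List[Account] = field(default_factory=list)
    roles: Dict[str, Role] = field(default_factory=lambda: dict(PREDEFINED_ROLES))

    def has_user_defined_role_accounts(self) -> bool:
        return any(getattr(self.roles.get(a.role), "user_defined", False)
                   for a in self.accounts)


def plan_distribute(sender: Switch, fabric: List[Switch]) -> Tuple[List[str], List[str]]:
    """Return (receivers, blockers).

    Receivers are the other switches running Fabric OS v5.3.0 or later.  Blockers
    names every switch (sender included) whose accounts use a user-defined role;
    an empty blockers list means the distribute would not be blocked.
    """
    receivers = [s for s in fabric
                 if s is not sender and parse_fos_version(s.fos_version) >= (5, 3, 0)]
    blockers = [s.name for s in [sender] + receivers if s.has_user_defined_role_accounts()]
    return [s.name for s in receivers], blockers


def demo() -> Dict[str, object]:
    """Constructed sample fabric (not real switch data)."""
    core = Switch("core1", "v7.0.0", [Account("alice", "admin"), Account("bob", "zoneadmin")])
    edge = Switch("edge1", "v6.4.0", [Account("ops", "operator")])
    legacy = Switch("legacy", "v5.2.0", [Account("old", "user")])   # too old to receive
    auditor = Role("auditor", frozenset({MONITOR}), frozenset({MONITOR}), user_defined=True)
    audit = Switch("edge2", "v7.1.0", [Account("carol", "auditor")])
    audit.roles["auditor"] = auditor                                # user-defined role
    carol = Account("carol", "auditor")
    return {
        "clean": plan_distribute(core, [core, edge, legacy]),
        "with_custom_role": plan_distribute(core, [core, edge, legacy, audit]),
        "carol_chassis_monitor": is_allowed(carol, MONITOR, audit.roles, chassis=True),
        "carol_chassis_switch": is_allowed(carol, SWITCH_LOCAL, audit.roles, chassis=True),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is deny-by-default: an account whose role name is not defined on the switch it logs in to gets no command classes at all, which is also why a fabric-wide push of the user database must refuse to run while user-defined roles are present on any participating switch.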