Using the Predefined SAN Administrator Role

Table Of Contents

Using the Predefined SAN Administrator Role

Information About the Predefined SAN Administrator Role

SAN Administrator Role

Role-Feature Mapping

Examples

Configuring a User with the SAN Administrator Role

Verifying the SAN Administrator Role Configuration

Enabling the FCoE Feature for the SAN Administrator User

Modifying the SAN Administrator Default Role

Verifying the New SAN Administrator Role Configuration

Displaying the User Role Configurations


Using the Predefined SAN Administrator Role


This chapter describes how to use the predefined SAN administrator (san-admin) role on the Cisco Nexus 5000 Series devices.

This chapter includes the following sections:

Information About the Predefined SAN Administrator Role

Examples

Information About the Predefined SAN Administrator Role

The current Role-Based Access Control (RBAC) model in the Cisco Nexus 5000 Series device allows you to configure custom access roles that are based on rules. A rule can permit or deny access to a certain feature, interface, or command. For more information about RBAC, see the Cisco Nexus 5000 Series NX-OS System Management Configuration Guide, Release 5.x.

Limitations with the RBAC implementation previous to Release 5.2(1)N1(1) prompted the creation of a predefined SAN administrator role. These limitations were as follows:

Some RBAC features that could be used for rule creation were not defined. This restriction forced the user to configure multiple rules to permit or deny access to a certain feature.

Mapping between the Simple Network Management Protocol (SNMP) object ID and the RBAC feature was missing for certain storage-area network (SAN) features. This restriction blocked SNMP management even if the role was configured to allow it.

There was no role separation between LAN and SAN administrators.

To allow separation between SAN and local-area network (LAN) administrator responsibilities, a new predefined SAN administrator role, called san-admin, has been created. You cannot modify this role, but you can use it as a model to create your own custom role with custom-defined rules that are appropriate for your organization. The RBAC model has also been enhanced, and new RBAC features have been defined to make rule creation easier.

SAN Administrator Role

The SAN administrator (san-admin) role allows a separation of SAN and LAN administrative tasks. With this role you can perform only Fibre Channel (FC) and Fibre Channel over Ethernet (FCoE) configuration tasks, using SNMP or the command-line interface (CLI), without impacting any Ethernet capabilities.

With the san-admin role, you can do the following tasks:

Configure all interfaces. There is no restriction to only Fibre Channel (FC) interfaces.

Configure all attributes of FC unified ports other than creating or deleting ports.

Configure all virtual SAN (VSAN) information, including database and membership.

Map preconfigured virtual LANs (VLANs) for FCoE to VSANs.

Configure zoning.

Configure and manage the following SAN features:

FC-SP

FC-PORT-SECURITY

FCoE

FCoE-NPV

FPORT-CHANNEL-TRUNK

PORT-TRACK

FABRIC-BINDING

Configure SNMP-related parameters, except SNMP community and SNMP users.

Save the entire running configuration, including FC/FCoE, Ethernet interface, and other non-default configurations.

View all other configurations (read-only privileges).

Role-Feature Mapping

The san-admin role has role-feature mapping capabilities that you can use to permit or deny access to each feature. The features that can be mapped are as follows:

copy (copy-related commands)

trapRegEntry (SNMP trap registry command)

snmpTargetAddrEntry (SNMP trap target command)

snmpTargetParamsEntry (SNMP trap target parameters command)

fcfe (FC fe related commands)

fcoe (FCoE related commands)

trunk (FC port channel trunk related commands)

fcmgmt (FC management related commands)

port-track (Port-track related commands)

port-security (FC port security related commands)

fabric-binding (Fabric binding commands)

Examples

The examples in the following sections show you how to perform various tasks for the SAN administrator role:

Configuring a User with the SAN Administrator Role

Verifying the SAN Administrator Role Configuration

Enabling the FCoE Feature for the SAN Administrator User

Modifying the SAN Administrator Default Role

Verifying the New SAN Administrator Role Configuration

Displaying the User Role Configurations

Configuring a User with the SAN Administrator Role

This example shows how to create a new user-id called "mynewuser" and assign that user to the san-admin role.

switch# configuration terminal
Enter configuration commands, one per line.  End with CNTL/Z.
switch(config)# username mynewuser role san-admin password cisco123           
switch(config)# show user-account 
user:admin
        this user account has no expiry date
        roles:network-admin 
user:mynewuser
        this user account has no expiry date
        roles:san-admin

Verifying the SAN Administrator Role Configuration

This example shows how to verify the "mynewuser" SAN administrator role. It also shows this user's restricted command list, compared with the default command list.

Nexus 5000 Switch
login: mynewuser
Password: 
Bad terminal type: "xterm-256color". Will assume vt100.
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2012, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php
switch# ?
  clear      Reset functions
  configure  Enter configuration mode
  copy       Copy from one file to another
  debug      Debugging functions
  show       Show running system information
  end        Go to exec mode
  exit       Exit from command interpreter

Enabling the FCoE Feature for the SAN Administrator User

This example shows how to enable the FCoE feature for the "mynewuser" SAN administrator user. (You can enable only FC-related features for a SAN administrator user role.)

switch# configuration terminal
Enter configuration commands, one per line.  End with CNTL/Z.
switch(config)# feature ?
  fcoe      Enable/Disable FCoE/FC feature
  fcoe-npv  Enable/Disable FCoE NPV feature
switch(config)# feature fcoe 
FC license checked out successfully
fc_plugin extracted successfully
FC plugin loaded successfully
FCoE manager enabled successfully
FC enabled on all modules successfully
Enabled FCoE QoS policies successfully

Modifying the SAN Administrator Default Role

The san-admin role is a predefined system-based role that cannot be modified. However, you can use it as a model to create a new SAN administrator role.

This example shows how to create a new SAN administrator role, called "newsan-admin", and modify the role to allow the following capabilities:

Upgrade and downgrade of the Cisco NX-OS system and kickstart image.

Configuration of the 5548UP base ports to Ethernet or native FC type. (A reload of the module is still required to change the port-type assignment.)

switch# configuration terminal
Enter configuration commands, one per line.  End with CNTL/Z.
switch(config)# role name newsan-admin
switch(config-role)# rule 1 permit read-write feature snmp
switch(config-role)# rule 2 permit read-write feature snmpTargetParamsEntry
switch(config-role)# rule 3 permit read-write feature snmpTargetAddrEntry
switch(config-role)# rule 4 permit read-write feature trapRegEntry
switch(config-role)# rule 5 permit read-write feature interface
switch(config-role)# rule 6 permit read-write feature fabric-binding
switch(config-role)# rule 7 permit read-write feature vsanIfvsan
switch(config-role)# rule 8 permit read-write feature vsan
switch(config-role)# rule 9 permit read-write feature wwnm
switch(config-role)# rule 10 permit read-write feature zone
switch(config-role)# rule 11 permit read-write feature span
switch(config-role)# rule 12 permit read-write feature fcns
switch(config-role)# rule 13 permit read-write feature fcsp
switch(config-role)# rule 14 permit read-write feature fdmi
switch(config-role)# rule 15 permit read-write feature fspf
switch(config-role)# rule 16 permit read-write feature rscn
switch(config-role)# rule 17 permit read-write feature rmon
switch(config-role)# rule 18 permit read-write feature copy
switch(config-role)# rule 19 permit read-write feature port-security
switch(config-role)# rule 20 permit read-write feature fcoe
switch(config-role)# rule 21 permit read-write feature port-track
switch(config-role)# rule 22 permit read-write feature fcfe
switch(config-role)# rule 23 permit read-write feature fcmgmt
switch(config-role)# rule 24 permit read-write feature trunk
switch(config-role)# rule 25 permit read-write feature rdl
switch(config-role)# rule 26 permit read-write feature fcdomain
switch(config-role)# rule 27 permit read-write feature install
switch(config-role)# rule 28 permit command configuration terminal; slot 1
switch(config-role)# rule 29 permit read

Verifying the New SAN Administrator Role Configuration

This example assumes that a new user called "newsanadmin" was created and assigned the newsan-admin role. This example shows how to verify the newsan-admin RBAC role by logging in as the newsanadmin user:

Nexus 5000 Switch
login: newsanadmin
Password: 
Bad terminal type: "xterm-256color". Will assume vt100.
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2012, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php
switch# configuration terminal
Enter configuration commands, one per line.  End with CNTL/Z.
switch(config)# slot 1
switch(config-slot)# port 16-32 type fc
switch(config-slot)# copy running-config startup-config
[########################################] 100%
Copy complete, now saving to disk (please wait)...
switch(config-slot)# install all kickstart bootflash:n5000-uk9-kickstart.5.2.1.N1.0.211.bin system bootflash:n5000-uk9.5.2.1.N1.0.211.bin
Verifying image bootflash:/n5000-uk9-kickstart.5.2.1.N1.0.211.bin for boot variable "kickstart".
[####################] 100% -- SUCCESS
Verifying image bootflash:/n5000-uk9.5.2.1.N1.0.211.bin for boot variable "system".

Displaying the User Role Configurations

This example shows how to display the user roles and their configurations:

switch# show role
Role: network-admin
  Description: Predefined network admin role has access to all commands
  on the switch
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity                  
  -------------------------------------------------------------------
  1       permit  read-write  
Role: network-operator
  Description: Predefined network operator role has access to all read
  commands on the switch
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity                  
  -------------------------------------------------------------------
  1       permit  read        
Role: vdc-admin
  Description: Predefined vdc admin role has access to all commands within
  a VDC instance
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity                  
  -------------------------------------------------------------------
  1       permit  read-write  
Role: vdc-operator
  Description: Predefined vdc operator role has access to all read commands
  within a VDC instance
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity                  
  -------------------------------------------------------------------
  1       permit  read        
Role: san-admin
  Description: Predefined system role for san administrators. This role
  cannot be modified.
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity                  
  -------------------------------------------------------------------
  27      permit  read        
  26      permit  read-write  feature             fcdomain                
  25      permit  read-write  feature             rdl                     
  24      permit  read-write  feature             trunk                   
  23      permit  read-write  feature             fcmgmt                  
  22      permit  read-write  feature             fcfe                    
  21      permit  read-write  feature             port-track              
  20      permit  read-write  feature             fcoe                    
  19      permit  read-write  feature             port-security           
  18      permit  read-write  feature             copy                    
  17      permit  read-write  feature             rmon                    
  16      permit  read-write  feature             rscn                    
  15      permit  read-write  feature             fspf                    
  14      permit  read-write  feature             fdmi                    
  13      permit  read-write  feature             fcsp                    
  12      permit  read-write  feature             fcns                    
  11      permit  read-write  feature             span                    
  10      permit  read-write  feature             zone                    
  9       permit  read-write  feature             wwnm                    
  8       permit  read-write  feature             vsan                    
  7       permit  read-write  feature             vsanIfvsan              
  6       permit  read-write  feature             fabric-binding          
  5       permit  read-write  feature             interface               
  4       permit  read-write  feature             trapRegEntry            
  3       permit  read-write  feature             snmpTargetAddrEntry     
  2       permit  read-write  feature             snmpTargetParamsEntry   
  1       permit  read-write  feature             snmp                    
Role: priv-14
  Description: This is a system defined privilege role.
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity                  
  -------------------------------------------------------------------
  1       permit  read-write  
Role: priv-13
  Description: This is a system defined privilege role.
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
Role: priv-12
  Description: This is a system defined privilege role.
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
Role: priv-11
  Description: This is a system defined privilege role.
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
Role: priv-10
  Description: This is a system defined privilege role.
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
Role: priv-9
  Description: This is a system defined privilege role.
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
Role: priv-8
  Description: This is a system defined privilege role.
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
Role: priv-7
  Description: This is a system defined privilege role.
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
Role: priv-6
  Description: This is a system defined privilege role.
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
Role: priv-5
  Description: This is a system defined privilege role.
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
Role: priv-4
  Description: This is a system defined privilege role.
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
Role: priv-3
  Description: This is a system defined privilege role.
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
Role: priv-2
  Description: This is a system defined privilege role.
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
Role: priv-1
  Description: This is a system defined privilege role.
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
Role: priv-0
  Description: This is a system defined privilege role.
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity                  
  -------------------------------------------------------------------
  10      permit  command                         traceroute6 *           
  9       permit  command                         traceroute *            
  8       permit  command                         telnet6 *               
  7       permit  command                         telnet *                
  6       permit  command                         ping6 *                 
  5       permit  command                         ping *                  
  4       permit  command                         ssh6 *                  
  3       permit  command                         ssh *                   
  2       permit  command                         enable *                
  1       permit  read        
Role: priv-15
  Description: This is a system defined privilege role.
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity                  
  -------------------------------------------------------------------
  1       permit  read-write  
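As an added example (not part of the Cisco guide and not NX-OS code), the following Python script parses the text format of show role shown above and reports every permit rule in a cloned role such as newsan-admin that grants something the predefined san-admin baseline does not. This is the check an auditor wants after the "Modifying the SAN Administrator Default Role" procedure: it shows exactly which privileges (the install feature and the command rule for slot configuration, in the guide's example) were added beyond the baseline. The show role listing embedded below is constructed for the example in the same layout the switch prints; the function and class names are the example's own.

```python
"""Audit NX-OS custom roles against the predefined san-admin baseline.

Added example, not from the Cisco guide. Parses `show role` output in the
Nexus 5000 text format and lists the permit rules of a custom role whose
grant is absent from the san-admin baseline.
"""
import re
from dataclasses import dataclass

# Constructed sample: a trimmed `show role` listing in the Nexus 5000 format.
# san-admin is the predefined role; newsan-admin is a clone that adds the
# install feature and a command rule, as in the guide's example.
SAMPLE_SHOW_ROLE = """\
Role: san-admin
  Description: Predefined system role for san administrators. This role
  cannot be modified.
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  3       permit  read
  2       permit  read-write  feature             fcoe
  1       permit  read-write  feature             snmp
Role: newsan-admin
  Description: cloned SAN admin role with image install rights
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  5       permit  read
  4       permit  command                         configuration terminal; slot 1
  3       permit  read-write  feature             install
  2       permit  read-write  feature             fcoe
  1       permit  read-write  feature             snmp
"""


@dataclass(frozen=True)
class Rule:
    number: int
    perm: str    # permit or deny
    rtype: str   # read, read-write, or command
    scope: str   # "feature" for feature rules, "" otherwise
    entity: str  # feature name, command text, or "" for bare read/read-write

    def grant(self):
        """What the rule grants, independent of its sequence number."""
        return (self.perm, self.rtype, self.scope, self.entity)


ROLE_RE = re.compile(r"^Role:\s+(\S+)")
# Rule lines: number, perm, type, optional "feature" scope, then the entity
# (which may contain spaces for command rules, e.g. "configuration terminal; slot 1").
RULE_RE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(read-write|read|command)"
    r"(?:\s+(feature))?\s*(.*?)\s*$"
)


def parse_show_role(text):
    """Return {role_name: [Rule, ...]} from `show role` text, in listing order."""
    roles = {}
    current = None
    for line in text.splitlines():
        m = ROLE_RE.match(line)
        if m:
            current = m.group(1)
            roles[current] = []
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            roles[current].append(
                Rule(int(m.group(1)), m.group(2), m.group(3), m.group(4) or "", m.group(5))
            )
    return roles


def extra_grants(roles, custom, baseline="san-admin"):
    """Permit rules of `custom` that grant something `baseline` does not."""
    base = {r.grant() for r in roles[baseline] if r.perm == "permit"}
    return [r for r in roles[custom] if r.perm == "permit" and r.grant() not in base]


def report(roles, custom, baseline="san-admin"):
    """Human-readable findings, one line per rule that exceeds the baseline."""
    lines = []
    for r in extra_grants(roles, custom, baseline):
        what = f"{r.scope} {r.entity}".strip() if r.entity else r.rtype
        lines.append(f"{custom}: rule {r.number} grants {r.rtype} {what} beyond {baseline}")
    return lines


if __name__ == "__main__":
    parsed = parse_show_role(SAMPLE_SHOW_ROLE)
    for finding in report(parsed, "newsan-admin"):
        print(finding)
```

The comparison keys on what a rule grants rather than on its rule number, so renumbered clones still audit cleanly. It deliberately ignores deny rules and NX-OS rule ordering: it flags candidate privilege expansions for review, not the effective access of the role.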