About AAA RBAC and Roles
The Application Policy Infrastructure Controller (APIC) provides access according to a user's role through role-based access control (RBAC). A Cisco Application Centric Infrastructure (ACI) fabric user is associated with the following role components:
A set of roles
For each role, a privilege type: no access, read-only, or read-write
One or more security domain tags that identify the portions of the management information tree (MIT) that a user can access
The ACI fabric manages access privileges at the managed object (MO) level. A privilege is an MO that enables or restricts access to a particular function within the system. For example, fabric-equipment is a privilege bit. This bit is set by the APIC on all objects that correspond to equipment in the physical fabric.
A role is a collection of privilege bits. For example, because an "admin" role is configured with privilege bits for "fabric-equipment" and "tenant-security," the "admin" role has access to all objects that correspond to equipment of the fabric and tenant security.
A security domain is a tag that is associated with a certain subtree in the ACI MIT object hierarchy. For example, the default tenant "common" has a domain tag "common." Similarly, a special domain tag "all" includes the entire MIT object tree. An admin user can assign custom domain tags to the MIT object hierarchy. For example, a "solar" domain tag is assigned to the tenant solar. Within the MIT, only certain objects can be tagged as security domains. For example, a tenant can be tagged as a security domain, but objects within a tenant cannot.
If a virtual machine management (VMM) domain is tagged as a security domain, the users contained in the security domain can access the correspondingly tagged VMM domain. For example, if a tenant named "solar" is tagged with the security domain called "sun" and a VMM domain is also tagged with the security domain called "sun," then users in the solar tenant can access the VMM domain according to their access rights.
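To make the three components concrete, the following is an added example (not Cisco code and not from this page) that models the access decision in Python: roles as sets of privilege bits, users as per-security-domain role assignments carrying a privilege type, and managed objects carrying the privilege bit the APIC set on them plus the domain tag of the subtree they sit in. The "tenant-ops" role, the DNs and the users are constructed sample data, and the per-domain assignment shape is an assumption of this simplified model.

```python
from dataclasses import dataclass, field
from enum import Enum


class PrivType(Enum):
    NO_ACCESS = 0
    READ_ONLY = 1
    READ_WRITE = 2


# A role is a collection of privilege bits. "admin" follows the text;
# "tenant-ops" is a constructed role holding only the tenant-security bit.
ROLES = {
    "admin": {"fabric-equipment", "tenant-security"},
    "tenant-ops": {"tenant-security"},
}


@dataclass
class ManagedObject:
    dn: str
    privilege: str  # privilege bit the APIC set on this MO
    domain: str     # security domain tag of the tagged subtree containing it


@dataclass
class User:
    name: str
    # security domain -> role -> privilege type (simplified assignment model)
    assignments: dict = field(default_factory=dict)


def is_allowed(user: User, mo: ManagedObject, write: bool = False) -> bool:
    """Return True if the user may read (or write, when requested) the MO."""
    needed = PrivType.READ_WRITE if write else PrivType.READ_ONLY
    # The special "all" tag covers the entire MIT, so assignments made in
    # "all" apply to every MO, not only to explicitly tagged subtrees.
    for domain in (mo.domain, "all"):
        for role, ptype in user.assignments.get(domain, {}).items():
            if mo.privilege in ROLES.get(role, set()) and ptype.value >= needed.value:
                return True
    return False


# Constructed sample MIT: tenant "solar" is tagged "sun"; a fabric leaf sits
# outside any custom tag, so only an assignment in "all" can reach it.
SOLAR_EPG = ManagedObject("uni/tn-solar/ap-web/epg-front", "tenant-security", "sun")
LEAF_101 = ManagedObject("topology/pod-1/node-101", "fabric-equipment", "all")

ALICE = User("alice", {"sun": {"tenant-ops": PrivType.READ_WRITE}})
BOB = User("bob", {"all": {"admin": PrivType.READ_ONLY}})
CAROL = User("carol", {"moon": {"admin": PrivType.READ_WRITE}})
```

Carol holds the full "admin" role but only in domain "moon", so she cannot see the solar tenant at all; Bob reaches everything through "all" but his read-only privilege type blocks writes.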