Cisco MDS 9000 Family Fabric Manager Configuration Guide
OL-6965-03, Cisco MDS SAN-OS Release 2.x
Chapter 25: Users and Common Roles
Fabric Manager provides the capability to configure and manage several different types of security for
MDS 9000 switches.
This chapter includes the following sections:
• Role-Based Authorization
• Configuring Common Roles
• Configuring User Accounts
• Configuring SSH Services
Role-Based Authorization
Switches in the Cisco MDS 9000 Family perform authorization based on roles. Role-based
authorization limits access to switch operations by assigning users to roles. This kind of
authorization restricts you to the management operations allowed by the roles to which you
have been added.
When you execute a command, perform command completion, or obtain context-sensitive help, the
switch software allows the operation to progress only if you have permission to access that command.
Each role can contain multiple users and each user can be part of multiple roles. For example, if role1
users are only allowed access to configuration commands, and role2 users are only allowed access to
debug commands, then if Joe belongs to both role1 and role2, he can access configuration as well as
debug commands.
Note: If you belong to multiple roles, you can execute the union of all the commands permitted by these roles.
Roles are cumulative. Access to a command takes priority over being denied access to a command. For
example, suppose you belong to a TechDocs group and you were denied access to configuration
commands. However, you also belong to the engineering group and have access to configuration
commands. In this case, you will have access to configuration commands.
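The following Python sketch is an added example, not part of the Cisco guide. It models the union behavior described above and lists each deny that another of the user's roles overrides, which is the check to run before relying on a restrictive role. The permit and deny sets and the user name alice are constructed, and they form a simplified model, not SAN-OS rule syntax.

```python
# Added example: simplified model of the multi-role semantics described above.
# Role contents and the user "alice" are constructed; this is not SAN-OS rule syntax.
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    permit: frozenset = frozenset()  # command categories the role allows
    deny: frozenset = frozenset()    # command categories the role denies


ROLES = {r.name: r for r in (
    Role("role1", permit=frozenset({"config"})),
    Role("role2", permit=frozenset({"debug"})),
    Role("TechDocs", deny=frozenset({"config"})),
    Role("engineering", permit=frozenset({"config"})),
)}

USERS = {"joe": ["role1", "role2"], "alice": ["TechDocs", "engineering"]}


def effective_permits(role_names):
    """Union of permits across all roles; a deny in one role subtracts nothing."""
    allowed = set()
    for name in role_names:
        allowed |= ROLES[name].permit
    return allowed


def overridden_denies(role_names):
    """List (command, denying_role, permitting_role) where a deny is defeated."""
    findings = []
    for denier in role_names:
        for cmd in sorted(ROLES[denier].deny):
            for granter in role_names:
                if granter != denier and cmd in ROLES[granter].permit:
                    findings.append((cmd, denier, granter))
    return findings


def audit(users):
    """Map each user to the denies their other roles override (empty ones omitted)."""
    results = {user: overridden_denies(roles) for user, roles in users.items()}
    return {user: hits for user, hits in results.items() if hits}


if __name__ == "__main__":
    for user, roles in USERS.items():
        print(user, sorted(effective_permits(roles)), overridden_denies(roles))
```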
Tip: A newly created role does not immediately allow access to the required commands. The administrator
must configure appropriate rules for each role to allow access to the required commands.