Send documentation comments to mdsfeedback-doc@cisco.com.
25-3
Cisco MDS 9000 Family Fabric Manager Configuration Guide
OL-6965-03, Cisco MDS SAN-OS Release 2.x
Chapter 25 Users and Common Roles
Configuring Common Roles

Editing Rules For Common Roles in Device Manager

Up to 16 rules can be configured for each role. The user-specified rule number determines the order in
which the rules are applied. For example, rule 1 is applied before rule 2, which is applied before rule 3,
and so on. A user not belonging to the network-admin role cannot perform commands related to roles.
Note The order of rule placement is important. If you place a more permissive policy after a restrictive policy,
the permissive policy may have priority over the permissive policy.
To edit the rules for a common role in Device Manager, follow these steps.
Step 1 Choose Security > Roles. You see the Common Roles dialog box.
Step 2 Click the common role that you want to edit the rules for.
Step 3 Click Rules to view the rules for the role. You see the Rules dialog box. It may take a few minutes to
display.
Step 4 Edit the rules you want to enable or disable for the common role.
Step 5 Click Apply to apply the new rules and close the Rules dialog, or click Close to close the Rules dialog
without applying the rules.

Deleting Common Roles

To delete a common role, follow these steps:
Step 1 In Fabric Manager, choose Switches > Security > SNMP from the Physical Attributes pane and click
the Roles tab in the Information pane.
In Device Manager, choose Security > Common Roles. You see the Common Roles dialog box i
Step 2 Click the common role you want to delete.
Step 3 Click the Delete Row icon in Fabric Manager or Delete in Device Manager to delete the common role.

Configuring the VSAN Policy

Configuring the VSAN policy or VSAN scope requires the ENTERPRISE_PKG license . See Chapter 9,
“Obtaining and Installing Licenses.”
You can configure a role so that it only allows tasks to be performed for a selected set of VSANs. By
default, the VSAN scope for any role is disabled. That is, the roles allow tasks to be performed in all
VSANs. To configure a role to selectively allow tasks in a subset of VSANs, you must enable the VSAN
scope and then list the appropriate VSANs in the VSAN list.