Cisco MDS 9000 Family Fabric Manager Configuration Guide
OL-6965-03, Cisco MDS SAN-OS Release 2.x
Chapter 25 Users and Common Roles
Note: Users configured in roles where the VSAN scope is enabled cannot modify the configuration for E ports.
They can only modify the configuration for F or FL ports, and only if the configured rules allow it.
This restriction prevents such users from modifying configurations that may impact the core topology
of the fabric.

Tip: Roles can be used to create VSAN administrators. Depending on the configured rules, these VSAN
administrators can configure MDS features (for example, zone, fcdomain, or VSAN properties) for their
VSANs without affecting other VSANs. Also, if the role permits operations in multiple VSANs, then the
VSAN administrators can change VSAN membership of F or FL ports among these VSANs.

Users belonging to roles in which the VSAN scope is enabled are referred to as VSAN-restricted users.
These users cannot perform tasks that require the startup configuration to be viewed or modified.
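
The restrictions above, written out as a small decision function. This is an added illustration, not Cisco code and not part of the original guide: the `Role` fields, action names and the sample role are assumptions, and `rules_permit_ports` stands in for the role's configured rules.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:
    name: str
    vsan_scope_enabled: bool             # the role's "VSAN scope" setting
    vsan_scope: frozenset = frozenset()  # VSANs the role is restricted to
    rules_permit_ports: bool = True      # assumption: stand-in for the role's rules

def scope_check(role, action, port_type=None, vsans=()):
    """Return (allowed, reason) for the VSAN-scope layer only.

    action: "configure_port", "move_port" (vsans = (source, destination)),
            "view_startup_config" or "modify_startup_config".
    """
    if not role.vsan_scope_enabled:
        return True, "VSAN scope disabled: no scope restriction applies"
    if action in ("view_startup_config", "modify_startup_config"):
        return False, "VSAN-restricted users cannot view or modify the startup configuration"
    if action not in ("configure_port", "move_port"):
        return False, f"action {action!r} is not modeled"
    if port_type == "E":
        return False, "E ports are off limits: they affect the core fabric topology"
    if port_type not in ("F", "FL"):
        return False, f"port type {port_type!r} is not modeled"
    if not role.rules_permit_ports:
        return False, "the role's rules do not permit port configuration"
    if not vsans:
        return False, "no VSAN given for the operation"
    # A membership change touches two VSANs; both must be inside the scope.
    outside = sorted(v for v in vsans if v not in role.vsan_scope)
    if outside:
        return False, f"VSAN(s) {outside} are outside the role's scope"
    return True, "F/FL port operation inside the role's VSAN scope"

# Constructed sample role: a VSAN administrator for VSANs 10 and 20.
VSAN_ADMIN = Role("vsan-admin-10-20", True, frozenset({10, 20}))

if __name__ == "__main__":
    for args in [("configure_port", "F", (10,)),
                 ("configure_port", "E", (10,)),
                 ("move_port", "FL", (10, 20)),
                 ("move_port", "F", (10, 30)),
                 ("view_startup_config",)]:
        print(args, "->", scope_check(VSAN_ADMIN, *args))
```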

Modifying the VSAN Policy

To modify the VSAN policy or VSAN scope for an existing common role, follow these steps.
Step 1 In Fabric Manager, choose Switches > Security > SNMP from the Physical Attributes pane, and click the
Roles tab in the Information pane.
In Device Manager, choose Common Roles from the Security menu. You see the Common Roles dialog
box.
Step 2 Check the enable check box if you want to enable the VSAN scope and restrict this role to a subset of
VSANs.
Step 3 In the VSAN Scope > List field, enter the list of VSANs that you want to restrict this role to.
Step 4 Click Apply Changes in Fabric Manager or click Apply in Device Manager to save these changes. Click
Undo Changes in Fabric Manager or click Close in Device Manager to discard any unsaved changes.

Configuring User Accounts

The system stores account information for every Cisco MDS 9000 Family switch user. Your
authentication information, user name, user password, password expiration date, and role membership
are stored in your user profile.
The tasks explained in this section enable you to create users and modify the profile of an existing
user. These tasks are restricted to privileged users as determined by your administrator.
Note: Cisco SAN-OS does not support all-numeric usernames, whether created with TACACS+ or RADIUS,
or created locally. Local users with all-numeric names cannot be created. If an all-numeric username
exists on an AAA server and is entered during login, the user is not logged in.