If you’re in a company that uses Nexus 5Ks to run both LAN and SAN, and for some strange reason your SAN Administrator wants access to the 5Ks for zoning, just deny it.  Okay, okay, I guess that won’t fly, so let’s configure role-based access control (RBAC) to lock down what the SAN Administrator has access to.

The good thing about the Nexus 5K is that it has a built-in role called san-admin that we can use for this purpose.  Let’s take a look at the role privileges:

    N5K-2# sh role name san-admin

    Role: san-admin
      Description: Predefined system role for san administrators. This role cannot be modified.
      vsan policy: permit(default)
      Vlan policy: permit(default)
      Interface policy: permit(default)
      Vrf policy: permit(default)
      -------------------------------------------------------------------
      Rule    Perm    Type        Scope               Entity
      -------------------------------------------------------------------
      27      permit  read
      26      permit  read-write  feature             fcdomain
      25      permit  read-write  feature             rdl
      24      permit  read-write  feature             trunk
      23      permit  read-write  feature             fcmgmt
      22      permit  read-write  feature             fcfe
      21…
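One way to check a role's rule table like the one above before handing it out, as an added example (not code from the original post): the script parses saved `show role name` output, one rule per line as the switch prints it, and reports any read-write rule outside an allow-list. The names `SAMPLE`, `SAN_FEATURES`, `parse_rules` and `audit` are hypothetical, and the allow-list is assumed to be only the features visible in the post.

```python
import re

# Constructed sample: the six rules visible in the post's output, laid out
# one per line as the switch prints them (the post's listing stops at rule 21).
SAMPLE = """\
Role: san-admin
  Rule    Perm    Type        Scope               Entity
  -------------------------------------------------------------------
  27      permit  read
  26      permit  read-write  feature             fcdomain
  25      permit  read-write  feature             rdl
  24      permit  read-write  feature             trunk
  23      permit  read-write  feature             fcmgmt
  22      permit  read-write  feature             fcfe
"""

# Assumption: the allow-list is just the features visible in the post.
SAN_FEATURES = {"fcdomain", "rdl", "trunk", "fcmgmt", "fcfe"}

RULE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(read-write|read)(?:\s+(\S+)\s+(\S.*?))?\s*$")

def parse_rules(text):
    """Split rule rows into parsed dicts and rows this parser does not understand."""
    rules, unparsed = [], []
    for line in text.splitlines():
        if not re.match(r"\s*\d+\s", line):
            continue  # header, separator or policy line
        m = RULE.match(line)
        if m:
            keys = ("rule", "perm", "type", "scope", "entity")
            rules.append(dict(zip(keys, m.groups())))
        else:
            unparsed.append(line.strip())  # other rule types: report, don't skip
    return rules, unparsed

def audit(text, allowed=SAN_FEATURES):
    """Return findings for write access outside the allow-list (fail closed)."""
    rules, unparsed = parse_rules(text)
    findings = [f"unparsed rule line: {row}" for row in unparsed]
    for r in rules:
        if r["perm"] != "permit" or r["type"] != "read-write":
            continue
        if r["scope"] is None:
            findings.append(f"rule {r['rule']}: read-write with no scope")
        elif r["scope"] != "feature" or r["entity"] not in allowed:
            findings.append(f"rule {r['rule']}: read-write on {r['scope']} {r['entity']}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE) or "no write access outside the allow-list")
```

Rows the parser does not recognise are returned as findings rather than skipped, so an unexpected rule type shows up in the report instead of passing silently.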

