Fabric OS Encryption Administrator's Guide v6.4.0 (53-1001864-01, June 2010)
Fabric OS Encryption Administrator’s Guide 93
53-1001864-01
Command RBAC permissions and AD types
3
Command RBAC permissions and AD types
There are two RBAC roles that are permitted to perform Encryption operations.
1. Admin and SecurityAdmin
Users authenticated with the Admin and SecurityAdmin RBAC roles may perform cryptographic
functions assigned to the FIPS Crypto Officer including the following:
• Perform encryption node initialization.
• Enable cryptographic operations.
• Manage input/output functions of critical security parameters (CSPs).
• Zeroize encryption CSPs.
• Register and configure a key vault.
• Configure a recovery share policy.
• Create and register recovery share.
• Perform encryption group- and clustering-related operations.
• Manage keys, including creation, recovery, and archiving functions.
2. Admin and FabricAdmin
Users authenticated with the Admin and FabricAdmin RBAC roles may perform routine
Encryption Switch management functions including the following:
• Configure virtual devices and crypto LUNs.
• Configure LUN and tape associations.
• Perform re-keying operations.
• Perform firmware download.
• Perform regular Fabric OS management functions.
Refer to Table 4 for the RBAC permissions of the encryption configuration commands.
TABLE 4 Encryption command RBAC availability and admin domain type
1
Command name User Admin Operator Switch
Admin
Zone
Admin
Fabric
Admin
Basic
Switch
Admin
Security
Admin
Admin Domain
addgroupmember
NOMNNNO N OMDisallowed
addmembernode
NOMNNNO N OMDisallowed
addhaclustermember
NOMNNNOMN ODisallowed
addinitiator
NOMNNNOMN ODisallowed
addLUN
NOMNNNOMN ODisallowed
commit
NOMNNNOMN ODisallowed
createcontainer
NOMNNNOMN ODisallowed
createencgroup
NOMNNNO N OMDisallowed
createhacluster
NOMNNNOMN ODisallowed