Send documentation comments to mdsfeedback-doc@cisco.com.
Configuring Users and Common Roles
The CLI and SNMP use common roles in all switches in the Cisco MDS 9000 Family. You can use the CLI
to modify a role that was created using SNMP and vice versa.
Users, passwords, and roles for all CLI and SNMP users are the same.
This chapter includes the following sections:
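• Role-Based Authorization
• Configuring Common Roles
• Configuring User Accounts
• Configuring SSH Services
• Recovering the Administrator Password
• Default Settings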
Role-Based Authorization
Switches in the Cisco MDS 9000 Family perform authorization based on roles. Role-based
authorization limits access to switch operations by assigning users to roles. This kind of authorization
restricts you to management operations based on the roles to which you have been added.
When you execute a command, perform command completion, or obtain context-sensitive help, the
switch software allows the operation to progress if you have permission to access that command.
Each role can contain multiple users and each user can be part of multiple roles. For example, if role1
users are only allowed access to configuration commands, and role2 users are only allowed access to
debug commands, then if Joe belongs to both role1 and role2, he can access configuration as well as
debug commands.
If you belong to multiple roles, you can execute a union of all the commands permitted by these roles.
Note: Access to a command takes priority over being denied access to a command. For example, suppose you
belong to a TechDocs group and you were denied access to configuration commands. However, you also
belong to the engineering group and have access to configuration commands. In this case, you will have
access to configuration commands.
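The union and permit-over-deny behavior described above means that a deny in one role has no effect when another of the user's roles grants the same access. The following is an added example, not part of the Cisco guide: a Python audit sketch that computes effective access and lists overridden denies. The role and user names are taken from the text; the data layout, the "show" category, and the user "writer" are assumptions and do not reflect SAN-OS rule syntax.

```python
# Added illustration: simplified model of the multi-role semantics in the text.
# The Role layout and sample data are constructed, not SAN-OS configuration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    permit: frozenset = frozenset()  # command categories the role allows
    deny: frozenset = frozenset()    # categories the role explicitly denies


def effective_access(user_roles):
    """Union of every category permitted by any of the user's roles."""
    allowed = set()
    for role in user_roles:
        allowed |= role.permit
    return allowed


def overridden_denies(user_roles):
    """List (denying_role, category, granting_roles) for denies that have no effect."""
    findings = []
    for role in user_roles:
        for category in sorted(role.deny):
            granters = sorted(r.name for r in user_roles if category in r.permit)
            if granters:  # access from another role takes priority over the deny
                findings.append((role.name, category, granters))
    return findings


def audit(users, roles):
    """Map each user to effective access and any denies overridden by another role."""
    report = {}
    for user, names in users.items():
        assigned = [roles[n] for n in names]
        report[user] = {
            "allowed": sorted(effective_access(assigned)),
            "overridden": overridden_denies(assigned),
        }
    return report


# Constructed sample data mirroring the two examples in the text.
ROLES = {
    "role1": Role("role1", permit=frozenset({"config"})),
    "role2": Role("role2", permit=frozenset({"debug"})),
    "TechDocs": Role("TechDocs", permit=frozenset({"show"}), deny=frozenset({"config"})),
    "engineering": Role("engineering", permit=frozenset({"config"})),
}
USERS = {"Joe": ["role1", "role2"], "writer": ["TechDocs", "engineering"]}

if __name__ == "__main__":
    for user, result in audit(USERS, ROLES).items():
        print(user, result)
```

Any entry under "overridden" marks a deny that should not be relied on as a restriction for that user.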
OL-6973-03, Cisco MDS SAN-OS Release 2.x
Cisco MDS 9000 Family Configuration Guide, Chapter 26