User roles contain rules that define the operations allowed for the user who is assigned the role. Each user role can contain multiple rules, and each user can have multiple roles. For example, if role1 allows access only to configuration operations, and role2 allows access only to debug operations, users who belong to both role1 and role2 can access configuration and debug operations. You can also limit access to specific VSANs, VLANs, and interfaces.
If you belong to multiple roles, you can execute a combination of all the commands permitted by these roles. Access to a command takes priority over being denied access to a command. For example, suppose a user has RoleA, which denied access to the configuration commands. However, the user also has RoleB, which has access to the configuration commands. In this case, the user has access to the configuration commands.
The Cisco MDS 9000 Series Switches provide the following default user roles:
network-admin (superuser): Complete read and write access to the entire switch.
network-operator: Complete read access to the switch. However, the network-operator role cannot run the show running-config and show startup-config commands.
server-admin: Predefined system role for server administrators.
Roles can be used to create VSAN administrators. Depending on the configured rules, these VSAN administrators can configure storage features (for example, zone, fcdomain, or VSAN properties) for their VSANs without affecting other VSANs. Also, if the role permits operations in multiple VSANs, the VSAN administrators can change VSAN membership of F or FL ports among these VSANs.
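The role-combination logic described above (a permit in any assigned role overrides a deny in another, and a role can be scoped to specific VSANs) is modelled below as an added example; it is a simplified audit model written for this page, not Cisco's role engine, and the role names, rule fields and VSAN numbers are constructed for illustration. It also adds a check a defender would want: listing every deny rule that is silently voided by a permit in a second role the same user holds.

```python
from dataclasses import dataclass
from typing import Optional, List, Tuple, FrozenSet

@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    operation: str                 # "config", "show", "debug", "exec", "clear"
    feature: Optional[str] = None  # None = every feature of that operation type

@dataclass(frozen=True)
class Role:
    name: str
    rules: Tuple[Rule, ...]
    vsans: Optional[FrozenSet[int]] = None  # None = no VSAN restriction

def _matches(rule: Rule, operation: str, feature: Optional[str]) -> bool:
    # A rule covers a request when the operation type matches and either side
    # is unrestricted on feature (None) or both name the same feature.
    return rule.operation == operation and (
        rule.feature is None or feature is None or rule.feature == feature)

def role_permits(role: Role, operation: str, feature: Optional[str],
                 vsan: Optional[int]) -> bool:
    """A single role grants the request only via an explicit permit rule,
    and only inside the VSANs it is scoped to (if scoped at all)."""
    if role.vsans is not None and vsan is not None and vsan not in role.vsans:
        return False
    return any(r.action == "permit" and _matches(r, operation, feature)
               for r in role.rules)

def user_allowed(roles: List[Role], operation: str,
                 feature: Optional[str] = None, vsan: Optional[int] = None) -> bool:
    """Union semantics from the text: the user may run anything that ANY of
    their roles permits; a deny in one role never blocks another role's permit."""
    return any(role_permits(r, operation, feature, vsan) for r in roles)

def overridden_denies(roles: List[Role]) -> List[Tuple[str, Rule, str]]:
    """Audit helper (constructed for this example): every deny rule in one of
    the user's roles that is voided by a permit in a different role."""
    found = []
    for denying in roles:
        for rule in denying.rules:
            if rule.action != "deny":
                continue
            for granting in roles:
                if granting is not denying and role_permits(
                        granting, rule.operation, rule.feature, None):
                    found.append((denying.name, rule, granting.name))
    return found

# Constructed sample roles mirroring the RoleA / RoleB case in the text.
ROLE_A = Role("RoleA", (Rule("deny", "config"), Rule("permit", "show")))
ROLE_B = Role("RoleB", (Rule("permit", "config"),))
VSAN10_ADMIN = Role("vsan10-admin", (Rule("permit", "config", "zone"),),
                    vsans=frozenset({10, 11}))
```

Running `overridden_denies([ROLE_A, ROLE_B])` reports the `deny config` in RoleA as voided by RoleB, which is the review a defender should perform whenever a user holds more than one role.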
A user assigned a custom role with network-admin privileges is restricted from modifying the accounts of other users; only the admin user can modify all user accounts.
You can modify the user privileges by performing the following tasks:
1. Modify the role using console authentication.
   If console authentication is set up as local, log on as the local-admin user and modify the user.
2. Modify the role using remote authentication.
   Turn off remote authentication, log on with local-admin privileges and modify the user, then turn remote authentication back on.
3. Modify the role using LDAP/AAA.
   Create a group in LDAP/AAA and rename the group network-admin. Add the required users to this group. The users of this group will now have complete network-admin privileges.