StoreFabric Switches

permission user and VF

 
francisco82
Occasional Advisor


Hi community, I log in to the SAN SW with the Active Directory user, but when I try to change the VF the SW shows me the following message:


FID128:User_Prueba> setcontext 3
VF Permission for fid 3 is denied

Is it necessary to add any permission in the SAN SW for this user?

 

Yeskay
HPE Pro

Re: permission user and VF

Hi francisco82,

I see that you are trying to log in as an Active Directory user on a switch with Virtual Fabric enabled, and while logging in to one of the VFs you are getting the error "VF Permission for fid is denied".

This happens when the admin privilege was not granted to the admin accounts at the VF level on the Active Directory server. That was why those accounts did not have the admin privilege when logged in to the Virtual Fabric.

To resolve this issue you will need to grant the admin privilege to the user accounts at the VF level. Add the user’s Administrative Domains or Virtual Fabrics to the CN_list by either editing the adminDescription value or adding the "brcdAdVfData" attribute to the existing Active Directory schema. This action maps the Admin Domains or Virtual Fabrics to the user name. Multiple Admin Domains can be added as a string value separated by the underscore character ( _ ). Virtual Fabrics are added as a string value separated by a comma ( , ) and entered as a range.

Adding an Admin Domain or Virtual Fabric list:

1. From the Windows Start menu, select Programs > Administrative Tools > ADSI.msc.

ADSI is a Microsoft Windows Resource Utility. This utility must be installed to proceed with the rest of the setup. For Windows 2003, this utility comes with Service Pack 1 or you can download this utility from the Microsoft website.

2. Go to CN=Users.
3. Select Properties. Click the Attribute Editor tab.
4. Double-click the adminDescription attribute.

The String Attribute Editor dialog box displays.

NOTE: The attribute can be added to user objects only.

5. Perform the appropriate action based on whether you are using Admin Domains or Virtual Fabrics:

• If you are using Admin Domains, enter the values of the Admin Domains separated by an underscore ( _ ) into the Value field.

Example for adding Admin Domains:

adlist_0_10_200_endAd

The Home Admin Domain (homeAD) for the user will be the first value in the adlist (Admin Domain list). If a user has no values assigned in the adlist attribute, then the homeAD "0" will be the default administrative domain for the user.

• If you are using Virtual Fabrics, enter the values of the logical fabrics separated by a semi-colon ( ; ) into the Value field.

Example for adding Virtual Fabrics:

HomeLF=10;LFRoleList=admin:128,10;ChassisRole=admin

In this example, the logical switch that would be logged in to by default is 10. If 10 is not available, then the lowest FID available will be chosen. You would have permission to enter logical switch 128 and 10 in an admin role and you would also have the chassis role permission of admin.

Adding attributes to the Active Directory schema

To create a group in Active Directory, refer to www.microsoft.com or Microsoft documentation. You must:

• Add a new attribute brcdAdVfData as Unicode String.
• Add brcdAdVfData to the person’s properties.

The attributes for configuring account privilege at the VF level on the AD server can be found in the Fabric OS Administrators Guide. Please refer to the appropriate FOS Admin guide according to the FOS version on the switch.

Thank You!
I am a HPE employee
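
To check what an existing attribute value grants before editing it in ADSI, the sketch below parses the Virtual Fabric string format shown in the reply above and reports the role for a given FID. It is an added example, not part of the original posts and not HPE or Brocade code. The function names are hypothetical, and the `a-b` range syntax, the 1 to 128 FID bounds and extra `role:fids` groups following `LFRoleList` are assumptions.

```python
import re

# Constructed sample: the Virtual Fabric example value from the reply above.
SAMPLE = "HomeLF=10;LFRoleList=admin:128,10;ChassisRole=admin"

def expand_fids(spec):
    """Expand '128,10' (or an assumed range such as '4-8') into a set of FIDs."""
    fids = set()
    for part in spec.split(","):
        m = re.fullmatch(r"\s*(\d+)(?:-(\d+))?\s*", part)
        if not m:
            raise ValueError(f"bad FID entry: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        if not 1 <= lo <= hi <= 128:  # assumed valid FID bounds
            raise ValueError(f"FID out of bounds: {part!r}")
        fids.update(range(lo, hi + 1))
    return fids

def parse_vf_data(value):
    """Parse the attribute string into home LF, per-role FID sets, chassis role."""
    out = {"home_lf": None, "lf_roles": {}, "chassis_role": None}
    in_role_list = False
    for seg in filter(None, (s.strip() for s in value.split(";"))):
        key, eq, rest = seg.partition("=")
        if eq:
            in_role_list = key == "LFRoleList"
        if eq and key == "HomeLF":
            out["home_lf"] = int(rest)
        elif eq and key == "ChassisRole":
            out["chassis_role"] = rest.strip()
        elif in_role_list:
            # 'role:fids'; a segment without '=' continues LFRoleList (assumption)
            role, colon, fids = (rest if eq else seg).partition(":")
            if not colon:
                raise ValueError(f"expected role:fids, got {seg!r}")
            out["lf_roles"].setdefault(role.strip(), set()).update(expand_fids(fids))
        else:
            raise ValueError(f"unknown field: {seg!r}")
    return out

def role_for_fid(value, fid):
    """Return the role granted on logical fabric `fid`, or None if it is not listed."""
    for role, fids in parse_vf_data(value)["lf_roles"].items():
        if fid in fids:
            return role
    return None
```

For the example value, `role_for_fid(SAMPLE, 128)` and `role_for_fid(SAMPLE, 10)` return `admin`, while `role_for_fid(SAMPLE, 3)` returns `None` because FID 3 is not in the list.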


francisco82
Occasional Advisor

Re: permission user and VF

Hi, thank you very much for your comment. Let me apply these steps and I will comment later with the result.

Thanks