Fabric OS Command Reference
53-1001764-01
secPolicyAdd
Adds members to an existing security policy.
SYNOPSIS
secpolicyadd "name","member[;member...]"
DESCRIPTION
Use this command to add one or more members to an existing access policy.
Each policy corresponds to a management method. The list of members of a policy acts as an access
control list for that management method. Before a policy is created, there is no enforcement for that
management method; all access is granted. After a policy has been created and a member has been
added to the policy, that policy becomes closed to all access except from included members. If all
members are then deleted from the policy, all access is denied for that management method (the
DCC_POLICY is an exception).
Attempting to add a member that is already a member of the policy causes this command to fail.
In a Virtual Fabric Environment, when you create a DCC lockdown policy on a logical switch, the DCC
policy is created for each port in the chassis, even though the ports are not currently present in the local
logical switch. This is done to provision the DCC policy for the ports that may be moved later. If a policy
seems stale at any point, use secPolicyDelete to remove all stale DCC policies.
Fabric-wide consistency policies can be configured on a per logical switch basis, which applies the FCS
policy to the corresponding fabric connecting to the logical switch. Automatic policy distribution for DCC,
SCC and FCS remains unchanged in Fabric OS v6.2.0 and can be configured on a per logical switch
basis.
NOTES
When an FCS policy is enabled, this command can be issued only from the Primary FCS switch. The
secpolicyadd command can be issued on all switches for SCC and DCC policies as long as fabric-wide
consistency policy is not set for the particular policy.
Do not add the WWNs of front or translate (xlate) domains to the FCS policy if the edge fabric is
connected to an FC Router.
Backup FCS switches typically cannot modify the policy. However, if the Primary FCS switch in the policy
list is not reachable, then a backup FCS switch is allowed to modify the policy. If all the reachable backup
FCS switches are running pre-v5.3.0 versions of Fabric OS, a non-FCS v5.3.0 switch is allowed to
modify the policy so that a new switch can be added to the policy.
The execution of this command is subject to Virtual Fabric or Admin Domain restrictions that may be in
place. Refer to Chapter 1, "Using Fabric OS Commands" and Appendix A, "Command Availability" for
details.
OPERANDS
This command has the following operands:
"name"
Specify the name of an existing policy to which you want to add members. Valid
values for this operand include the following:
• DCC_POLICY_nnn
• FCS_POLICY
• SCC_POLICY
The specified policy name must be capitalized.
The DCC_POLICY_nnn name has the common prefix DCC_POLICY_ followed by
a string of user-defined characters. These characters do not have to be
capitalized like regular policy names, but they are case-sensitive.
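Added example (not from the manual and not Fabric OS code): a small Python model of the access semantics in DESCRIPTION and the policy name rules above, for checking a planned policy change for lockout before it is run on a switch. The create and delete helpers and the sample WWN are constructed for illustration, and states the manual leaves undefined are reported as 'unspecified'.

```python
import re

# Names from OPERANDS; the DCC suffix character set is an assumption (no spaces).
NAME_RE = re.compile(r"(FCS_POLICY|SCC_POLICY|DCC_POLICY_\S+)")


class PolicyModel:
    """Toy model of the access semantics in DESCRIPTION (not Fabric OS code)."""
    def __init__(self):
        self.members = {}       # policy name -> set of member strings
        self.populated = set()  # policies that have held at least one member

    def create(self, name):
        # Hypothetical helper: secpolicyadd needs an already existing policy.
        if not NAME_RE.fullmatch(name):
            raise ValueError(f"invalid policy name: {name!r}")
        self.members.setdefault(name, set())

    def add(self, name, member_list):
        """Model of: secpolicyadd "name","member[;member...]"."""
        if name not in self.members:
            raise KeyError(f"no such policy: {name!r}")
        new = [m for m in member_list.split(";") if m]
        dupes = [m for m in new if m in self.members[name]]
        if dupes:  # an existing member makes the whole command fail
            raise ValueError(f"already a member: {dupes}")
        self.members[name].update(new)
        if new:
            self.populated.add(name)

    def delete(self, name, member):
        self.members[name].discard(member)

    def access(self, name, requester):
        """Return 'allow', 'deny', or 'unspecified' (the page is silent)."""
        if name not in self.members:
            return "allow"  # no policy yet: no enforcement
        if self.members[name]:
            return "allow" if requester in self.members[name] else "deny"
        if name.startswith("DCC_POLICY_") or name not in self.populated:
            return "unspecified"  # DCC exception / never-populated policy
        return "deny"  # emptied policy: all access denied


if __name__ == "__main__":
    pm = PolicyModel()
    pm.create("SCC_POLICY")
    pm.add("SCC_POLICY", "10:00:00:00:00:00:00:01")  # constructed WWN
    print(pm.access("SCC_POLICY", "10:00:00:00:00:00:00:02"))  # deny
```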