Saturday, April 25, 2026

Brocade: User Management on optical switches

In the Fabric OS (FOS) operating system of Brocade Fibre Channel (SAN) switches, user account management is performed with the "userConfig" command. An account holds one role for each logical fabric (LF, identified by its fabric ID, FID) it may enter, plus a separate chassis-level role. The predefined roles are:
admin - full access to all commands;
user - read-only, minimal privileges (monitoring only);
switchadmin - switch administration, but no zoning, user or security management;
zoneadmin - zoning management only;
fabricadmin - fabric and switch configuration, but no user account management;
basicswitchadmin - limited switch administration, mostly monitoring;
operator - a small set of operational commands (for example enabling and disabling ports) without configuration rights;
securityadmin - security policy and user account management.

For example, to create an account with read-only privileges, the role "user" is used.
To see exactly which command classes a role may run, and with which permissions, run:
roleconfig --show <role>


To view user accounts, use the following commands:

Show all users:
userconfig --show -a
Show a specific user:
userconfig --show <username>
Show users with a specific role:
userconfig --show -r <role>


To create a new user:

userconfig --add <username> -r <LF_role> -l <LF_ID_list> [-h <home_LF>] [-c <chassis_role>] [-p <password>] [-d <description>]

Example of creating a read-only user "monitor":
userconfig --add monitor -l 1-128 -h 128 -r user -c user -p 'mypassword' -d "Monitoring account"

where
-r user - role inside the listed logical fabrics (read-only);
-l 1-128 - the FIDs the account may enter, here every possible LF from 1 to 128;
-h 128 - home LF, the logical fabric the session starts in; it must be one of the FIDs given with -l (128 is the default logical switch);
-c user - chassis-level role (also read-only);
-p - password; passing it on the command line exposes it to anything that records the session (terminal logging, jump-host recorders), so prefer to omit -p and enter it at the interactive prompt, or set it afterwards with "passwd <username>";
-d - account description.

Important: the two roles are independent, so set both explicitly for a read-only account. "-r user" only limits what the account may do inside the logical fabrics listed with -l; "-c user" limits its access to chassis-scope commands (chassis, user and logical-switch management). Leaving -c at a higher role than -r gives a "read-only" account more rights than intended.


To modify parameters of an existing user, use the "userconfig --change" command, which allows changing the role, LF list, home LF, lock status, description, and password:

userconfig --change <username> [-l <LF_list> -r <LF_role>] [-h <home_LF>] [-c <chassis_role>] [-e yes|no] [-x] [-u] [-d <description>] [-at <HH:MM-HH:MM>]

Example of changing the role of user "monitor" to admin:
userconfig --change monitor -l 1-128 -h 128 -r admin -c admin

Example of changing a user's description:
userconfig --change monitor -d "New description"

Example of setting the home LF to 10:
userconfig --change monitor -h 10

Example of unlocking an account (after several failed attempts):
userconfig --change monitor -u

Force a user to change their password at next login:
userconfig --change monitor -x

Example of disabling an account (without deletion):
userconfig --change monitor -e no

Example of enabling an account:
userconfig --change monitor -e yes

Change password (interactively):
passwd monitor

Example of setting a time‑based access restriction (from 9:00 to 18:00):
userconfig --change monitor -at 09:00-18:00

Example of removing a time‑based access restriction:
userconfig --change monitor -at 00:00-00:00
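
The checks an administrator would otherwise do by eye on the "userconfig --show -a" listing, together with the "--change" commands above, can be scripted. The following Python is an added example written for this post, not code from the post or from Brocade: it parses a constructed capture of the listing (the field labels "Account name", "Enabled", "Locked", "Role-LF List" and "Chassis Role" are assumed to match the FOS output), reports accounts holding admin or securityadmin outside an assumed approved list, reports locked and disabled accounts, and prints the corresponding "userconfig --change" commands for review before they are run on the switch.

```python
"""Audit a captured `userconfig --show -a` listing and emit the matching
`userconfig --change` fixes. Added example, not from the post or from Brocade:
the capture is CONSTRUCTED and its field labels are assumed to follow the FOS
listing format. Nothing here talks to a switch; paste real CLI output in."""
import re
from dataclasses import dataclass, field

# Constructed sample (assumed FOS layout): one block per account, blank-line separated.
SAMPLE_CAPTURE = """\
Account name: admin
Description: Administrator
Enabled: Yes
Locked: No
Role-LF List: admin: 1-128
Chassis Role: admin
Home LF: 128
Day Time Access: N/A

Account name: monitor
Description: Monitoring account
Enabled: Yes
Locked: Yes
Role-LF List: admin: 1-128
Chassis Role: admin
Home LF: 128
Day Time Access: N/A

Account name: backup
Description: Config backup job
Enabled: No
Locked: No
Role-LF List: user: 128
Chassis Role: user
Home LF: 128
Day Time Access: 09:00-18:00
"""

PRIVILEGED = {"admin", "securityadmin"}
APPROVED_ADMINS = {"admin"}   # assumed baseline: accounts allowed to hold a privileged role


@dataclass
class Account:
    name: str
    fields: dict = field(default_factory=dict)

    def get(self, key):
        return self.fields.get(key, "")


def parse_show(text):
    """Split the listing into Account records, starting a new one at each 'Account name:'."""
    accounts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Account name":
            accounts.append(Account(value))
        elif accounts:
            accounts[-1].fields[key] = value
    return accounts


def lf_roles(acct):
    """'admin: 1-10; user: 11-128' -> {'admin': '1-10', 'user': '11-128'}."""
    return dict(re.findall(r"(\w+):\s*([\d,\-]+)", acct.get("Role-LF List")))


def audit(accounts):
    """Return (account, finding, lf_list) triples; lf_list is only set for LF-role findings."""
    findings = []
    for a in accounts:
        for role, lfs in lf_roles(a).items():
            if role in PRIVILEGED and a.name not in APPROVED_ADMINS:
                findings.append((a.name, "privileged-lf-role", lfs))
        if a.get("Chassis Role") in PRIVILEGED and a.name not in APPROVED_ADMINS:
            findings.append((a.name, "privileged-chassis-role", ""))
        if a.get("Locked") == "Yes":
            findings.append((a.name, "locked", ""))
        if a.get("Enabled") == "No":
            findings.append((a.name, "disabled", ""))
    return findings


def remediation(findings):
    """Turn findings into the --change commands from the post (review before running)."""
    cmds = []
    for name, kind, lfs in findings:
        if kind == "privileged-lf-role":
            cmds.append(f"userconfig --change {name} -l {lfs} -r user")  # -l is required with -r
        elif kind == "privileged-chassis-role":
            cmds.append(f"userconfig --change {name} -c user")
        elif kind == "locked":
            cmds.append(f"userconfig --change {name} -u")
        # "disabled" is reported but left alone: a disabled account may be deliberate.
    return cmds


if __name__ == "__main__":
    found = audit(parse_show(SAMPLE_CAPTURE))
    for item in found:
        print("finding:", *item)
    print("\n".join(remediation(found)))
```

The demotion command keeps the LF list the account already has, so an account with "admin: 1-10" is demoted only in FIDs 1 to 10 and keeps no admin rights anywhere else; the unlock is emitted as-is, so pair it with "-x" yourself if the lockout looked like a guessing attempt.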


To manage access to logical fabrics:

To add access to additional LFs, use the command:
userconfig --addlf <username> -l <LF_list> -r <LF_role> [-h <home_LF>] [-c <chassis_role>]

Example of adding access to LF 10 with the user role for user "monitor":
userconfig --addlf monitor -l 10 -r user

To remove access to specific LFs:
userconfig --deletelf <username> -l <LF_list>

Example of removing access to LF 10:
userconfig --deletelf monitor -l 10


To delete a user, use the "userconfig --delete" command:

userconfig --delete <username>

Example of deleting a user:
userconfig --delete monitor


To diagnose login problems (wrong role, locked account, failed attempts), check the audit log; audit logging must be enabled with "auditcfg --enable" for login events to be recorded (verify with "auditcfg --show"):

auditdump --show | grep -i <username>
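
Grepping for one username shows the raw lines; counting failures per account and per source address tells you whether an account was locked by a user mistyping a password or by someone guessing from a single host. The following Python is an added example written for this post, not code from the post or from Brocade. The audit lines are constructed, and their layout (comma-separated fields with role/user/ip/protocol/interface in the sixth field and "Event: login, Status: ..." in the message text) as well as the SEC-30xx message IDs are assumptions about the FOS audit format; adjust FIELD_WHO and LOGIN_RE to what your switch actually prints.

```python
"""Count failed logins per account in a captured `auditdump --show` listing and
name the accounts that now need `userconfig --change <user> -u`.
Added example, not from the post or from Brocade. The log lines are CONSTRUCTED
and their layout and message IDs are assumptions about the FOS audit format."""
import re
from collections import Counter

SAMPLE_AUDIT = """\
0 AUDIT, 2026/04/25-09:02:11 (GMT), [SEC-3021], INFO, SECURITY, NONE/monitor/10.0.0.7/ssh/CLI, ad_0/sw1/FID 128, , , Event: login, Status: failed, Info: Failed login attempt via REMOTE, IP Addr: 10.0.0.7.
1 AUDIT, 2026/04/25-09:02:19 (GMT), [SEC-3021], INFO, SECURITY, NONE/monitor/10.0.0.7/ssh/CLI, ad_0/sw1/FID 128, , , Event: login, Status: failed, Info: Failed login attempt via REMOTE, IP Addr: 10.0.0.7.
2 AUDIT, 2026/04/25-09:02:30 (GMT), [SEC-3021], INFO, SECURITY, NONE/monitor/10.0.0.7/ssh/CLI, ad_0/sw1/FID 128, , , Event: login, Status: failed, Info: Failed login attempt via REMOTE, IP Addr: 10.0.0.7.
3 AUDIT, 2026/04/25-09:05:02 (GMT), [SEC-3020], INFO, SECURITY, admin/admin/10.0.0.5/ssh/CLI, ad_0/sw1/FID 128, , , Event: login, Status: success, Info: Successful login attempt via REMOTE, IP Addr: 10.0.0.5.
4 AUDIT, 2026/04/25-09:07:44 (GMT), [SEC-3021], INFO, SECURITY, NONE/monitor/10.0.0.9/ssh/CLI, ad_0/sw1/FID 128, , , Event: login, Status: failed, Info: Failed login attempt via REMOTE, IP Addr: 10.0.0.9.
5 AUDIT, 2026/04/25-09:09:10 (GMT), [SEC-3021], INFO, SECURITY, NONE/backup/10.0.0.7/ssh/CLI, ad_0/sw1/FID 128, , , Event: login, Status: failed, Info: Failed login attempt via REMOTE, IP Addr: 10.0.0.7.
"""

FIELD_WHO = 5   # index of the role/user/ip/protocol/interface field (assumed layout)
LOGIN_RE = re.compile(r"Event:\s*login,\s*Status:\s*(\w+)")


def parse_logins(text):
    """Return (user, source_ip, status) for every login event line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue                       # not a login event
        fields = [f.strip() for f in line.split(",")]
        if len(fields) <= FIELD_WHO:
            continue
        who = fields[FIELD_WHO].split("/")
        if len(who) < 3:
            continue                       # unexpected layout: skip rather than guess
        events.append((who[1], who[2], m.group(1).lower()))
    return events


def failed_by_user(events):
    return Counter(user for user, _ip, status in events if status == "failed")


def failed_by_source(events):
    """Same failures keyed by (user, ip): one IP hitting several accounts is a spray."""
    return Counter((user, ip) for user, ip, status in events if status == "failed")


def lockout_candidates(events, threshold=3):
    """Accounts whose failure count reached the lockout threshold.
    The threshold is a parameter: take yours from the password policy shown by
    `passwdcfg --showall` rather than trusting the default used here."""
    return sorted(u for u, n in failed_by_user(events).items() if n >= threshold)


def unlock_commands(events, threshold=3):
    return [f"userconfig --change {u} -u" for u in lockout_candidates(events, threshold)]


if __name__ == "__main__":
    ev = parse_logins(SAMPLE_AUDIT)
    print("failures per account:", dict(failed_by_user(ev)))
    print("failures per account and source:", dict(failed_by_source(ev)))
    print("\n".join(unlock_commands(ev)))
```

In the sample, "monitor" fails three times from one host and once from another before anyone else, which reads like an operator with a stale password rather than an attack; a single source failing against "monitor" and "backup" in quick succession would be the pattern to escalate instead of simply unlocking.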

Note: executing the commands --add, --change, --delete, --addlf, --deletelf requires administrator privileges (having the admin or securityadmin role).
