Hi @conf-t ,

I have some bad news.

You can't create a Physical Domain unless you have rights to do so - which typically means admin rights. Or more precisely, write privileges to the all security domain.

So if your user ID does not have such rights, you won't be able to create a Physical Domain.

To see what rights you have, click the user icon in the top-right hand corner and select View My Permissions

If you don't see that you have any Write Privileges for the Domain all, then you are out of luck - like this user

The problem with trying to create RBAC rules to allow someone to create an object of type physDomP is that you need rights to the parent object to be able to create child objects.

A quick look at the distinguished name of a physical domain shows that it is a child object of uni

apic1# moquery -c physDomP | grep ^dn
dn           : uni/phys-Common:SharedServices_PhysDom
dn           : uni/phys-mgmt:SharedServices_PhysDom
dn           : uni/phys-T10:MappedVLANs_PhysDom

so to give rights to someone to allow them to create physDomPs, you need write rights to uni - or in ACI terms - the security domain all

Later Edit

You don't HAVE to give users right ot the all security domain - BUT the alternative I'm about to describe essentially does the same thing.

1. Create a new security domain - say test
2. Create a new RBAC rule that allows Write access to the DN uni for the security domain test
   

    

3. Give your user write right to the admin role for the security domain test
   

    

Job done! But not a very satisfactory answer - and it's annoyed the hell out me too.