"Infra" security domain does not exist

conf-t
Level 1

"Infra" security domain does not exist! I don't know why.

APIC version 4.2, cluster with one apic.

[Screenshot: conft_0-1686746337225.png]

11 Replies

Robert Burns
Cisco Employee

That's expected, there is no "infra" security domain by default.  There's only the 'infra' tenant.

Robert

Even for the infra tenant, I cannot find it, as you can see in the capture I shared.

Your screenshot is showing security domains, not tenants. ... Show me "Tenants" > "All Tenants" screenshot while logged in with local admin account.

Robert

By default, the ACI fabric includes two special pre-created domains:

  • All—allows access to the entire MIT
  • Infra—allows access to fabric infrastructure objects/subtrees, such as fabric access policies

I am talking about this Infra domain, not about the infra tenant, as the Cisco documentation mentions!

Robert Burns
Cisco Employee

I think it's just a doc error.  That infra domain may have been present in earlier versions, but it's not part of the more recent releases.  The docs likely need updating as the only 'default' Domains are mgmt, common and all.

Robert

So how can I manage security roles for Fabric Policies and Fabric Access Policies?

Robert Burns
Cisco Employee

Thanks @conft, after I dug into this more I found we do indeed have a bug.  There once was a default security domain called 'infra'.  Even in the latest releases, though it doesn't exist, it's still referenced in other policies (RBAC Rules).  Somewhere along the road it was removed.  I'll get it added back unless engineering tells me there's a valid reason it was removed (but still referenced by other policies).

[Screenshot: RobertBurns_0-1686770346393.png]

So we'll need to fix that missing 'infra' default Security Domain (I'll handle that).  For now, go ahead and create a Security Domain named 'infra'.  That will automatically give you access to the infra tenant (Infra tenant already associated with an 'infra' secDom).  Next if you want a non-admin level user to have access to Access Policies, then you need to create an RBAC rule using the DN=uni/infra.  If you want more granularity, you'll need to further create specific RBAC rules against the objects in question.  

Should look something like this:

[Screenshot: RobertBurns_1-1686770652812.png]

Then associate your User account with that Security Domain and privilege:
infra - admin + R/W
all - admin + R/O

[Screenshot: RobertBurns_2-1686770846078.png]

This should accomplish what you need, and you can tweak/adjust it as needed from here.

Robert
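The workaround above (an 'infra' security domain, an RBAC rule on DN uni/infra, and a user that is admin R/W in 'infra' but only admin R/O in 'all') expressed as one APIC REST payload, plus a check that write access is granted in no other security domain. This is an added example, not code from the thread or from Cisco; the class and attribute names (aaaUserEp, aaaDomain, aaaRbacRule, aaaUserDomain, aaaUserRole, privType readPriv/writePriv) and the POST target /api/mo/uni/userext.json are assumptions to verify against the APIC Management Information Model reference, and the username "netops" is constructed.

```python
# Constructed example (not from the thread): build and sanity-check the
# security domain + RBAC rule + user mapping that Robert describes.
import json
import urllib.request  # used only by post_to_apic(); the builder runs offline
# Assumed class/attribute names (aaaUserEp, aaaDomain, aaaRbacRule, aaaUserDomain,
# aaaUserRole, privType readPriv/writePriv): verify against the APIC MIM reference.
def security_domain(name):
    return {"aaaDomain": {"attributes": {"name": name}}}

def rbac_rule(domain, object_dn, allow_writes):
    return {"aaaRbacRule": {"attributes": {
        "domain": domain, "objectDn": object_dn,
        "allowWrites": "yes" if allow_writes else "no"}}}

def user_with_domains(username, domain_roles):
    """domain_roles: {security_domain: [(role, writable), ...]}."""
    children = [{"aaaUserDomain": {"attributes": {"name": dom}, "children": [
        {"aaaUserRole": {"attributes": {
            "name": role, "privType": "writePriv" if w else "readPriv"}}}
        for role, w in roles]}} for dom, roles in domain_roles.items()]
    return {"aaaUser": {"attributes": {"name": username}, "children": children}}

def build_infra_rbac_payload(username):
    """One POST body for /api/mo/uni/userext.json covering all three steps."""
    return {"aaaUserEp": {"attributes": {"dn": "uni/userext"}, "children": [
        security_domain("infra"),
        rbac_rule("infra", "uni/infra", allow_writes=True),
        user_with_domains(username, {
            "infra": [("admin", True)],   # admin + R/W, limited to uni/infra
            "all": [("admin", False)],    # admin + R/O across the whole MIT
        }),
    ]}}

def writable_domains(payload):
    """Least-privilege check: security domains in which the user may write."""
    out = set()
    for child in payload["aaaUserEp"]["children"]:
        for ud in child.get("aaaUser", {}).get("children", []):
            dom = ud["aaaUserDomain"]
            if any(r["aaaUserRole"]["attributes"]["privType"] == "writePriv"
                   for r in dom["children"]):
                out.add(dom["attributes"]["name"])
    return out

def post_to_apic(apic_url, apic_cookie, payload):
    # apic_cookie is the APIC-cookie token returned by /api/aaaLogin.json
    req = urllib.request.Request(
        f"{apic_url}/api/mo/uni/userext.json", method="POST",
        data=json.dumps(payload).encode(),
        headers={"Cookie": f"APIC-cookie={apic_cookie}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Run `writable_domains(build_infra_rbac_payload("netops"))` before posting: if it returns anything other than `{'infra'}`, the user would be able to write outside the access-policy subtree.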

Hi Robert,

How can I create a Physical Domain with a non-admin user?

Find attached a capture with the error.

[Screenshot: conft_0-1693562338610.png]

Hi @conf-t ,

This looks like a new question, not a contribution to the original question.  How about you start a new thread?

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.

Hi RedNectar,

OK, I will do.

conf-t
Level 1

Thank you for your response !
