I agree with D. The Cisco AV Pair (Attribute-Value Pair) is used in RADIUS to communicate attributes about a user. In the context of Cisco ACI, the AV Pair is used to assign roles and permissions to users.
When a RADIUS user authenticates, the Cisco AV Pair determines the user's role and permissions. These roles map to specific managed object classes within the Cisco ACI framework, allowing the user to access and interact with the corresponding objects in the APIC.
Took some back and forth to understand what the ask was. The AV Pairs are carrying with them the privileges and roles (grouped privileges). The privileges are managed objects that you can't custom create; however, you can regroup them in many ways to create a suitable access level.
The key to the answer is understanding what the whole string has. It is somewhat confusing because of the word Security Domains at the beginning of the string; security domains are part of the structure as tags or tenants, etc.
https://bestpath.io/cisco-aci-rbac/
Based on the link in the comment, I saw this: Roles and Privileges
A privilege controls access to a particular function within the system. The ACI fabric manages access privileges at the managed object (MO) level.
So for me it is D.
AV Pair on the External Authentication Server
The Cisco APIC requires that an administrator configure a Cisco AV Pair on an external authentication server.
The Cisco AV pair specifies the APIC required RBAC roles and privileges for the user. The Cisco AV Pair format is the same for RADIUS, LDAP, or TACACS+.
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/4-x/basic-configuration/Cisco-APIC-Basic-Configuration-Guide-42x/Cisco-APIC-Basic-Configuration-Guide-42x_chapter_011.html
For each of the defined roles in Cisco APIC, the APIC Roles and Privileges Matrix shows which managed object classes can be written and which can be read. https://www.cisco.com/c/dam/en/us/td/docs/Website/datacenter/apicroles/roles.html
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/2-x/Security_config/b_Cisco_APIC_Security_Configuration_Guide/b_Cisco_APIC_Security_Guide_chapter_01000.html
B is the answer, based on the following link:
https://www.cisco.com/c/en/us/td/docs/dcn/aci/apic/5x/basic-configuration/cisco-apic-basic-configuration-guide-51x/m_aaa.html
The ACI fabric manages access privileges at the managed object (MO) level. A privilege is an MO that enables or restricts access to a particular function within the system. For example, fabric-equipment is a privilege bit. This bit is set by the Application Policy Infrastructure Controller (APIC) on all objects that correspond to equipment in the physical fabric.
A role is a collection of privilege bits. For example, because an “admin” role is configured with privilege bits for “fabric-equipment” and “tenant-security,” the “admin” role has access to all objects that correspond to equipment of the fabric and tenant security.
Tricky. AV-Pairs are associated with a security domain/s. Then permissions are assigned, e.g. read and/or write, as you select the roles. The MOs are assigned to various roles. The roles in turn are prescribed in the security domain. Therefore I am leaning more towards security domain for the AV, as the SD is where you choose the MO. However, with that said, it would ideally involve both the SD and the MO, as they are linked.
Should be "D"
A security domain is a tag associated with a certain subtree in the ACI MIT object hierarchy. For example, the default tenant “common” has a domain tag common. Similarly, the special domain tag all includes the entire MIT object tree. An administrator can assign custom domain tags to the MIT object hierarchy. For example, an administrator could assign the “solar” domain tag to the tenant named solar. Within the MIT, only certain objects can be tagged as security domains. For example, a tenant can be tagged as a security domain but objects within a tenant cannot.
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/4-x/security/b-Cisco-APIC-Security-Configuration-Guide-421/b-Cisco-APIC-Security-Configuration-Guide-421_chapter_011.html
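As an added illustration (not part of the thread and not Cisco's code), here is a small parser for the `shell:domains` AV pair string the comments refer to. It splits the string into security domains with their write and read roles and flags broad grants; the string layout and the sample values are assumptions based on Cisco's documented format and do not appear on this page.

```python
import re

# Assumed AV pair layout (Cisco's documented format, not shown on this page):
#   shell:domains = <domain>/<write roles>/<read roles>[,<domain>/...][(unix_uid)]
# Roles inside a segment are separated by "|"; either segment may be empty.
AVPAIR_RE = re.compile(
    r"^\s*shell:domains\s*=\s*(?P<body>[^()]*?)\s*(?:\((?P<uid>\d+)\))?\s*$"
)


def parse_avpair(value):
    """Return a list of {domain, write, read} dicts; raise ValueError if malformed."""
    m = AVPAIR_RE.match(value)
    if not m or not m.group("body"):
        raise ValueError("not a shell:domains AV pair: %r" % value)
    grants = []
    for entry in m.group("body").split(","):
        parts = [p.strip() for p in entry.split("/")]
        if len(parts) != 3 or not parts[0]:
            raise ValueError("expected domain/write/read, got %r" % entry)
        domain, write, read = parts
        grants.append({
            "domain": domain,
            "write": [r for r in write.split("|") if r],
            "read": [r for r in read.split("|") if r],
        })
    return grants


def audit_avpair(value):
    """Flag the grants a reviewer would want to look at first."""
    findings = []
    for g in parse_avpair(value):
        # The special domain tag "all" covers the entire MIT object tree.
        if g["domain"] == "all" and g["write"]:
            findings.append("write roles %s on domain 'all'" % g["write"])
        if "admin" in g["write"]:
            findings.append("'admin' write role in domain %r" % g["domain"])
    return findings


if __name__ == "__main__":
    # Constructed sample values, as they might be set on the external AAA server.
    for sample in ("shell:domains = all/admin/",
                   "shell:domains = solar/tenant-admin/,common//read-all(16001)"):
        print(sample, "->", parse_avpair(sample), audit_avpair(sample))
```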
nikomski (Highly Voted, 3 years, 5 months ago)
udo2020 (Most Recent, 3 weeks, 2 days ago)
[Removed] (2 months, 2 weeks ago)
zelya19 (4 months, 2 weeks ago)
Redou2201 (9 months, 1 week ago)
Mr_Certifiable (11 months ago)
nyanachi (1 year, 8 months ago)
bizzar777 (1 year, 9 months ago)
Alphonza (2 years, 2 months ago)
Smoothey (2 years, 2 months ago)
Smoothey (2 years, 2 months ago)
ciscoaci2022 (2 years, 4 months ago)
Annielover007 (2 years, 5 months ago)
jim13c (3 years ago)