Applying SOD Using RBAC "Role-based access control"

Dears,

I would like clarify our main targets, so please let me present it in the following points :-

1. We are applying SOD (Segregation Of Duties) on AIX environment, to separate between system admin tasks and security admin tasks (Main target), and let me inform you that we are working on already existing up and running environment.
2. During applying SOD (using RBAC) we are sticky to provide only required privileges “least-privilege principle “to the user (IBM recommendation).
3. We are separated each of the following predefined roles (isso, sa) into two roles, one of them for the system admin tasks (issosys, sasys), and the other one for security admin tasks (issosec, sasec). “Note: The separation done based on IBM supplied description”.
4. After applying SOD and tested it we found that all “system level commands” worked normally without any issues, on the other hand at the “Cluster level commands” we cannot perform or execute most of related commands.
5. To overcome Cluster Commands issue, IBM Support recommended to use federated security which will enable us to execute all Cluster commands using RBAC default roles for PowerHA (ha_admin, ha_op, ha_mon, ha_view).

- After configuring LDAP successfully and using RBAC default roles for PowerHA, we still facing the same issue that we cannot execute most of clustering commands.


Note:
we are looking to avoid adding any PowerHA commands manually on cl_rbac_cmds.sh.