Dell EMC OpenManage Enterprise Power Manager Version 2.0 User’s Guide
Scope-Based Access Control (SBAC) in OpenManage Enterprise
With the Role-Based Access Control (RBAC) feature, administrators can assign roles while creating users. Roles
determine a user's level of access to the appliance settings and device management features. Scope-Based Access Control (SBAC)
is an extension of the RBAC feature that allows an administrator to restrict a Device Manager role to a subset of device groups,
called a scope.
While creating or updating a Device Manager (DM) user, administrators can assign a scope to restrict the DM's operational access to
one or more system groups, custom groups, and/or plugin groups.
Administrator and Viewer roles have unrestricted scope. That means they have operational access, as specified by RBAC
privileges, to all device and group entities.
Scope can be implemented as follows:
1. Create or Edit User
2. Assign DM role
3. Assign scope to restrict operational access
When a Device Manager (DM) user with an assigned scope logs in, the DM can see and manage scoped devices only. Also,
the DM can see and manage entities such as jobs, firmware or configuration templates and baselines, alert policies, profiles and
so on associated with scoped devices, only if the DM owns the entity (DM has created that entity or is assigned ownership
of that entity). For more information about the entities a DM can create, see Role-Based Access Control (RBAC) privileges in
OpenManage Enterprise.
In OpenManage Enterprise, scope can be assigned while creating a local user or importing an AD/LDAP user. Scope assignment for
OIDC users can be done only on OpenID Connect (OIDC) providers.
SBAC for Local users:
While creating or editing a local user with the DM role, the administrator can select one or more device groups that define the scope for the
DM.
For example, you (as an administrator) create a DM user named dm1 and assign group g1 present under custom groups. Then
dm1 will have operational access to all devices in g1 only. The user dm1 will not be able to access any other groups or entities
related to any other devices.
Furthermore, with SBAC, dm1 will also not be able to see the entities created by other DMs (let's say dm2) on the same group
g1. That means a DM user will only be able to see the entities owned by the user.
For example, you (as an administrator) create another DM user named dm2 and assign the same group g1 present under custom
groups. If dm2 creates configuration template, configuration baselines, or profiles for the devices in g1, then dm1 will not have
access to those entities and vice versa.
A DM with scope to All Devices has operational access as specified by RBAC privileges to all devices and group entities owned
by the DM.
SBAC for AD/LDAP users:
While importing or editing AD/LDAP groups, administrators can assign scopes to user groups with DM role. If a user is a member
of multiple AD groups, each with a DM role, and each AD group has distinct scope assignments, then the scope of the user is
the union of the scopes of those AD groups.
For example,
● User dm1 is a member of two AD groups (RR5-Floor1-LabAdmins and RR5-Floor3-LabAdmins). Both AD groups have been
assigned the DM role, with scope assignments for the AD groups as follows: RR5-Floor1-LabAdmins gets ptlab-servers
and RR5-Floor3-LabAdmins gets smdlab-servers. Now the scope of the DM dm1 is the union of ptlab-servers and
smdlab-servers.
● User dm1 is a member of two AD groups (adg1 and adg2). Both AD groups have been assigned the DM role, with scope
assignments for the AD groups as follows: adg1 is given access to g1 and adg2 is given access to g2. If g1 is the superset of
g2, then the scope of dm1 is the larger scope (g1, all its child groups, and all leaf devices).
When a user is a member of multiple AD groups that have different roles, the higher-functionality role takes precedence (in the
order Administrator, DM, Viewer).
A DM with unrestricted scope has operational access as specified by RBAC privileges to all device and group entities.
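The role-precedence, scope-union and ownership rules above can be checked against a small model when reviewing AD group assignments. This is an added example, not code from OpenManage Enterprise; the group tree, device names, the lab-viewers group and all function names are constructed for illustration, and the two labelled assumptions cover points the guide does not spell out.

```python
# Added illustration: a model of the SBAC rules described above, not Dell code.
ROLE_RANK = {"Administrator": 3, "Device Manager": 2, "Viewer": 1}
UNRESTRICTED = "ALL"  # Administrator and Viewer are never scoped

# Constructed sample data: device-group tree (child -> parent) and leaf devices.
PARENT = {"g1": None, "g2": "g1", "ptlab-servers": None, "smdlab-servers": None}
DEVICES = {"g1": {"srv-a"}, "g2": {"srv-b"},
           "ptlab-servers": {"srv-c"}, "smdlab-servers": {"srv-d"}}
# AD group -> (role, scope) as an administrator would assign on import.
AD_GROUPS = {
    "RR5-Floor1-LabAdmins": ("Device Manager", {"ptlab-servers"}),
    "RR5-Floor3-LabAdmins": ("Device Manager", {"smdlab-servers"}),
    "adg1": ("Device Manager", {"g1"}),
    "adg2": ("Device Manager", {"g2"}),
    "lab-viewers": ("Viewer", set()),  # hypothetical group name
}

def ancestors(group):
    """All parent groups above `group` in the tree."""
    found = set()
    while (group := PARENT[group]) is not None:
        found.add(group)
    return found

def effective_access(memberships):
    """Resolve (role, scope) for a user from their AD group memberships."""
    role = max((AD_GROUPS[g][0] for g in memberships), key=ROLE_RANK.get)
    if role != "Device Manager":
        return role, UNRESTRICTED
    # Union of the scopes of every DM-role group (assumption: scopes attached
    # to lower-ranked roles are ignored once DM wins).
    scope = set()
    for g in memberships:
        if AD_GROUPS[g][0] == role:
            scope |= AD_GROUPS[g][1]
    # A group already covered by an ancestor in scope adds nothing.
    return role, {g for g in scope if not ancestors(g) & scope}

def scoped_devices(scope):
    """Leaf devices of every scoped group and its child groups."""
    return {d for g, devs in DEVICES.items()
            if g in scope or ancestors(g) & scope for d in devs}

def can_see_entity(user, role, scope, owner, entity_devices):
    """A DM sees an entity only if they own it and it targets scoped devices."""
    if role != "Device Manager":
        return True  # unrestricted scope; RBAC privileges still apply
    # Assumption: every device the entity targets must be in scope.
    return owner == user and entity_devices <= scoped_devices(scope)
```

Running the same resolution over an export of real AD group assignments shows where overlapping memberships give a DM a wider scope than any single group suggests.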
NOTE:
After an upgrade of OpenManage Enterprise from versions 3.5 or earlier, the AD/LDAP and OIDC (PingFederate or
KeyCloak) device managers need to recreate all the previous-version entities, because these entities are available only
to administrators after the upgrade. For more information, see the Release Notes at
https://www.dell.com/support/home/en-yu/product-support/product/dell-openmanage-enterprise/docs.