Technical Whitepaper

Scope Based Access Control with OpenManage Enterprise 3.6

Abstract
With OME 3.6, scope restriction for Device Managers is possible. A scope restricted user only sees what belongs to them. Read on for details.

August 2021

Revisions
Date          Description
August 2021   Initial release

Acknowledgements
Authored by: OpenManage Enterprise (OME) Engineering: Pushkala Iyer, Reg Stumpe, Gabe Stern

Scope Based Access Control with OpenManage Enterprise 3.
The information in this publication is provided “as is.” Dell Inc. makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. Use, copying, and distribution of any software described in this publication requires an applicable software license. Copyright © August 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
Executive summary
OpenManage Enterprise has built-in Role Based Access Control with three built-in roles: Administrator, Device Manager, and Viewer. Each role has its own set of privileges. OME 3.6 and later add Scope Based Access Control (SBAC), which enables an Administrator to restrict the scope of a Device Manager user to one or more groups. Read on to understand how SBAC is enforced in OME and what a scope restricted user sees.
1 Scope Based Access Control
This technical whitepaper describes the new Scope Based Access Control feature implemented in OME 3.6 and how it can be used to limit what a user sees.

1.1 What is Scope Based Access Control?
The reader is likely familiar with the Role Based Access Control (RBAC) built into OME. With RBAC, there are built-in (pre-defined) roles, each with a specific set of privileges. OME comes with three built-in roles: Administrator, Device Manager, and Viewer.
The Administrator creates a new Device Manager user. By default, the scope is unrestricted, that is, set to “All Devices”.
The Administrator can “scope restrict” the Device Manager by clicking Select Groups and then selecting one or more groups.
Scope restriction for directory users: once a directory group has been assigned the Device Manager role, its access can be restricted to one or more groups through the Assign Scope button.

1.3 Restricted View
A scope restricted Device Manager only sees the following:
- Groups (and therefore the devices in those groups) in their scope.
1. User dm1 is a member of 2 AD groups (RR5-Floor1-LabAdmins, RR5-Floor3-LabAdmins). Both AD groups have been assigned the Device Manager role, with the following scope assignments: RR5-Floor1-LabAdmins is assigned ptlab-servers, and RR5-Floor3-LabAdmins is assigned smdlab-servers. The scope of the Device Manager dm1 is therefore the union of ptlab-servers and smdlab-servers.
2. User dm1 is a member of 2 AD groups (adg1, adg2).
“All Devices” view for a Device Manager user whose scope is restricted to a static group, s1.

Other than devices and groups, there are multiple other kinds of entities in the console, such as Alert Policies, Jobs, Baselines and so on. The table below lists the different pages in OME and what a scope restricted Device Manager should expect on each. Pages with actions (such as Discovery or Application Settings) that are not available to a Device Manager are not listed.
The user will see the hierarchy from “All Devices” to the groups that have been granted to the Device Manager. The Device Manager will not see the hierarchy from “All Devices” to other built-in / custom / plugin groups to which access has not been granted.

Page | Expected behavior for a scope restricted Device Manager
Configuration: Firmware (FW) / Driver compliance: Catalog Management | No changes. FW Catalogs are treated as community entities.
Configuration: FW / Driver compliance: Baselines | Yes. Device Managers can see only the baselines that they own.
Configuration: Configuration compliance: Template Management | Yes. Device Managers can see only the compliance templates they own.
Configuration: Configuration Compliance: Baselines | Yes. Device Managers can see only the compliance baselines they own.
Configuration: Configuration Compliance: Compliance Report | No changes. Given a set of targets, make compliant should only run for those targets that are in the Device Manager’s scope.
Configuration: Identity Pools | Minor changes.
only runs on the targets in that Device Manager’s scope.
Monitor: Warranty | Yes. Device Managers see only the Warranty information from devices in their scope.
Monitor: Reports | Yes. Device Managers see built-in Reports and any reports they own. “Edit / Copy / Delete” are not available for built-in reports. When any report is run, the results are pertinent to the user’s scope / ownership.
Global Search | Yes. Search results are pertinent to the user’s scope / ownership.
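As an added illustration (not code from the whitepaper or from OME itself), the following Python models the visibility rules described above: the union of AD group scopes for a directory user, the “All Devices” hierarchy down to the granted groups, ownership filtering of baselines, and the scope check on action targets such as make compliant. All group, device, user and baseline names are constructed.

```python
from dataclasses import dataclass, field

ALL_DEVICES = "All Devices"  # unrestricted scope, the default for a new Device Manager

@dataclass
class DeviceManager:
    name: str
    ad_groups: set = field(default_factory=set)     # directory groups the user is a member of
    direct_scope: set = field(default_factory=set)  # groups assigned directly to a local account

# Constructed inventory (not from the whitepaper): group -> parent group, group -> devices,
# AD group (holding the Device Manager role) -> assigned scope, and baseline -> owner.
GROUP_PARENT = {"ptlab-servers": "Custom Groups", "smdlab-servers": "Custom Groups",
                "s1": "Static Groups", "Static Groups": ALL_DEVICES, "Custom Groups": ALL_DEVICES}
GROUP_DEVICES = {"ptlab-servers": {"srv-01", "srv-02"}, "smdlab-servers": {"srv-03"}, "s1": {"srv-04"}}
AD_GROUP_SCOPE = {"RR5-Floor1-LabAdmins": {"ptlab-servers"}, "RR5-Floor3-LabAdmins": {"smdlab-servers"}}
BASELINES = {"bl-pt": "dm1", "bl-smd": "dm1", "bl-admin": "admin"}

def effective_scope(dm):
    """Union of the scopes of every AD group with the Device Manager role, plus any
    direct assignment. No assignment at all means the user is unrestricted."""
    scope = set(dm.direct_scope)
    for g in dm.ad_groups:
        scope |= AD_GROUP_SCOPE.get(g, set())
    return scope or {ALL_DEVICES}

def visible_groups(dm):
    """The groups in scope plus the path from each of them up to All Devices; nothing else."""
    scope = effective_scope(dm)
    if ALL_DEVICES in scope:
        return set(GROUP_PARENT) | {ALL_DEVICES}
    seen = set()
    for g in scope:
        while g is not None:          # walk up the hierarchy until All Devices (no parent)
            seen.add(g)
            g = GROUP_PARENT.get(g)
    return seen

def visible_devices(dm):
    return set().union(*(GROUP_DEVICES.get(g, set()) for g in visible_groups(dm)))

def visible_baselines(dm):
    """Ownership-filtered entities: a Device Manager sees only the baselines they own."""
    return {b for b, owner in BASELINES.items() if owner == dm.name}

def allowed_targets(dm, requested):
    """Scope check for an action such as make compliant: only in-scope targets run."""
    return set(requested) & visible_devices(dm)
```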
Picking source and target users for transfer of ownership.

Confirmation that entities have been successfully transferred.

If Device Managers do not own any entities, then Transfer of Ownership does not apply to them (they cannot be chosen as a source user in Figure 6).

A.1 Related resources
OME 3.6 API Guide: Dell Technologies Developer Portal.
OME 3.6 User’s Guide: OME support sites.