Scope Based Access Control with OpenManage Enterprise 3.6 | Document ID: 21396
1 Scope Based Access Control
This technical whitepaper describes the new Scope Based Access Control feature implemented in
OpenManage Enterprise (OME) 3.6 and how it can be used to limit what a user sees.
1.1 What is Scope Based Access Control?
The reader is likely familiar with Role Based Access Control (RBAC) built into OME. With RBAC, there are
built-in (pre-defined) roles, with specific sets of privileges for each role. OME comes with three built-in roles:
the Administrator, Device Manager, and Viewer.
While RBAC distinguishes what users of a particular role can do vs. users of another role, it does not
discriminate on the targets of an action. In other words, Administrators, Device Managers, and Viewers are
restricted by privileges as to what actions they can perform, but they are not limited as to which devices or
groups they can perform those actions on.
This is where Scope Based Access Control (SBAC) comes in.
With SBAC, an administrator can restrict a Device Manager role to a set of device groups, which constitutes
their scope. This means that for a scope-restricted Device Manager user, the privileges enabled by their role
can only be exercised against their allocated scope, the specific set of device groups. A scope-restricted
Device Manager sees only content relevant to them in the UI; no other content is displayed. Scope restriction
is only available for the Device Manager role.
To summarize:
- Administrators can see and act on all devices / groups in the console.
- Viewers are read only users, who can see all devices / groups in the console.
- Device Managers, if scope restricted, can only see, and perform actions on, devices / groups / other
entities in their scope.
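
The two-stage decision summarized above (role privileges first, then target scope), as an added conceptual model that is not OME code or its API. The privilege names, group names, and device names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical privilege names; the paper only says each role has a privilege set.
ROLE_PRIVILEGES = {
    "Administrator": {"view", "manage"},
    "Device Manager": {"view", "manage"},
    "Viewer": {"view"},  # read-only
}

# Constructed sample inventory: device group -> member devices.
GROUPS = {
    "rack-a": {"srv-01", "srv-02"},
    "rack-b": {"srv-03"},
    "lab": {"srv-02", "srv-04"},
}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    scope: Optional[frozenset] = None  # None = unrestricted, else a set of group names

    def __post_init__(self):
        # Scope restriction is only available for the Device Manager role.
        if self.scope is not None and self.role != "Device Manager":
            raise ValueError("scope can only be assigned to a Device Manager")


def devices_in_scope(user):
    """Devices the user can see: all of them, or the union of the scoped groups."""
    names = GROUPS.keys() if user.scope is None else user.scope
    # Unknown group names contribute nothing, and an empty scope yields no devices.
    return set().union(*(GROUPS.get(g, set()) for g in names))


def is_allowed(user, action, device):
    """RBAC decides whether the role may act; SBAC decides whether it may act on this target."""
    if action not in ROLE_PRIVILEGES.get(user.role, set()):
        return False  # denied by role privileges (unknown roles get none)
    return device in devices_in_scope(user)  # denied when the target is out of scope
```

A device that belongs to several groups is in scope as soon as any one of those groups is assigned, which is worth checking when reviewing scope assignments.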
1.2 Assigning Scope
Administrators can restrict the scope of Device Managers by assigning specific scope to them. Scope
assignment can be done while creating the Device Manager user or at a later time, by editing the
Device Manager user. For ease of understanding, UI screens are included below.