User Guide

While creating or editing a local user with the DM role, an administrator can select one or more device groups that define the scope for the DM.
For example, you (as an administrator) create a DM user named dm1 and assign the group g1 present under custom groups. Then dm1 has operational access only to the devices in g1. The user dm1 cannot access any other groups or entities related to any other devices.
Furthermore, with SBAC, dm1 also cannot see the entities created by other DMs (say dm2) on the same group g1. That is, a DM user can see only the entities owned by that user.
For example, you (as an administrator) create another DM user named dm2 and assign the same group g1 present under custom groups. If dm2 creates configuration templates, configuration baselines, or profiles for the devices in g1, then dm1 does not have access to those entities, and vice versa.
A DM with scope to All Devices has operational access as specified by RBAC privileges to all devices and group entities owned by the DM.
SBAC for AD/LDAP users
While importing or editing AD/LDAP groups, administrators can assign scopes to user groups with the DM role. If a user is a member of multiple AD groups, each with the DM role and each with distinct scope assignments, then the scope of the user is the union of the scopes of those AD groups.
For example:
User dm1 is a member of two AD groups (RR5-Floor1-LabAdmins and RR5-Floor3-LabAdmins). Both AD groups have been assigned the DM role, with the following scope assignments: RR5-Floor1-LabAdmins gets ptlab-servers and RR5-Floor3-LabAdmins gets smdlab-servers. The scope of the DM dm1 is then the union of ptlab-servers and smdlab-servers.
User dm1 is a member of two AD groups (adg1 and adg2). Both AD groups have been assigned the DM role, with the following scope assignments: adg1 is given access to g1 and adg2 is given access to g2. If g1 is a superset of g2, then the scope of dm1 is the larger scope (g1, all its child groups, and all leaf devices).
When a user is a member of multiple AD groups that have different roles, the higher-functionality role takes precedence (in the order Administrator, DM, Viewer).
A DM with unrestricted scope has operational access as specified by RBAC privileges to all device and group entities.
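As an added illustration (not code from OpenManage Enterprise or Dell), the following Python models the SBAC resolution rules above: the union of DM-role scopes expanded over a nested group tree, higher-functionality role precedence, and the owner-plus-scope visibility rule for a DM. The group tree, device names and membership records are constructed for the example.

```python
ROLE_RANK = {"Administrator": 3, "DM": 2, "Viewer": 1}
# Constructed custom-group tree: group -> children; a name that is not a key is a leaf device.
GROUP_TREE = {
    "g1": ["g2", "dev-a"],
    "g2": ["dev-b", "dev-c"],
    "ptlab-servers": ["srv-p1", "srv-p2"],
    "smdlab-servers": ["srv-s1"],
}

def leaf_devices(group):
    """Expand a group (and its child groups) to the set of leaf devices."""
    children = GROUP_TREE.get(group)
    if children is None:  # not a group key, so it is a device
        return {group}
    return set().union(*(leaf_devices(c) for c in children))

def effective_role(memberships):
    """The higher-functionality role wins: Administrator > DM > Viewer."""
    return max((m["role"] for m in memberships), key=ROLE_RANK.__getitem__)

def effective_scope(memberships):
    """Union of the scopes of every DM-role AD group, expanded to devices.
    A nested scope (g2 inside g1) adds nothing beyond g1's own leaves.
    Returns None when any DM-role group is scoped to All Devices."""
    devices = set()
    for m in memberships:
        if m["role"] != "DM":
            continue
        if m["scope"] == "All Devices":
            return None
        devices |= leaf_devices(m["scope"])
    return devices

def dm_can_access(user, memberships, entity):
    """SBAC check for a DM: the entity must be owned by this user and its
    device must fall inside the user's effective scope."""
    if effective_role(memberships) != "DM":
        raise ValueError("this check models DM users only")
    scope = effective_scope(memberships)
    in_scope = scope is None or entity["device"] in scope
    return in_scope and entity["owner"] == user

# Constructed memberships mirroring the two examples in the text.
DM1_FLOORS = [
    {"group": "RR5-Floor1-LabAdmins", "role": "DM", "scope": "ptlab-servers"},
    {"group": "RR5-Floor3-LabAdmins", "role": "DM", "scope": "smdlab-servers"},
]
DM1_NESTED = [{"group": "adg1", "role": "DM", "scope": "g1"},
              {"group": "adg2", "role": "DM", "scope": "g2"}]
```

Note that an entity created by dm2 on a device in dm1's scope is still invisible to dm1, which is the ownership rule from the local-user section applied on top of the AD-derived scope.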
SBAC for OIDC users
Scope assignment for OIDC users does not happen within the OpenManage Enterprise console. You assign scopes for OIDC users at the OIDC provider during user configuration. When the user logs in with OIDC provider credentials, the role and scope assignment are available to OpenManage Enterprise. For more information about configuring user roles and scopes, see the Configure an OpenID Connect provider policy in PingFederate for role section in the OpenManage Enterprise User's Guide.
Transfer ownership: The administrator can transfer owned resources from one device manager (the source) to another. For example, an administrator can transfer all the resources assigned to a source dm1 to dm2. A device manager with owned entities such as firmware and/or configuration baselines, configuration templates, alert policies, and profiles is considered an eligible source user. Transfer of ownership transfers only the entities, not the device groups (scope), from one device manager to another. For more information, see the Transfer of ownership of Device Manager entities section in the OpenManage Enterprise User's Guide.
Data security
The data that is maintained by Power Manager is stored and secured in internal databases within the appliance and cannot be accessed from outside. The data that is transferred through Power Manager is secured by a secure communication channel.
Cryptography
Sensitive data is encrypted and stored in an internal database. For more information, see the Security features in OpenManage Enterprise section in the OpenManage Enterprise User's Guide.
Product and Subsystem Security 13