HP Adaptive Infrastructure Solution Security for BladeSystem Matrix
demonstrate individual accountability. Therefore, the HP SIM audit log might be needed to provide
sufficient information for individual accountability, or you might have to view both the HP SIM audit
trail and the managed host audit trail to have a complete picture of the actions that have taken place.
In addition to the command line tools that leverage SSH, HP SIM also utilizes a web-based interface,
which enables you to manage systems through a graphical user interface, drilling down from the
HP SIM user interface to one provided directly from the managed device: iLO, OA, SMH, and more.
A single sign-on (SSO) mechanism is provided that enables a user to drill down into managed devices
without having to authenticate again by supplying a user name and password. SSO requires
certificate-based trust to be set up so that the managed device trusts the CMS.
Managed device users who have been authenticated through SSO will have one of three roles on that
managed device. These roles are:
• Admin—Has privileges to perform all actions on the managed system, including changing security
settings.
• Operator—Has privileges to perform most actions on the managed system, but not change security
settings.
• User—Has primarily read-only tools on the managed system.
These roles can be given to HP SIM users through HP SIM authorizations. Each role has a
corresponding tool in HP SIM, and an authorization can be created to authorize specific users with a
given role on specific systems. Additional roles cannot be created.
When an HP SIM user attempts to drill down to a supported system (iLO, OA, or SMH host), HP SIM
processes the request, verifying the user’s authorization to determine whether the action is
permitted. If the action is allowed, HP SIM uses SSO to authenticate to the managed system. The
SSO mechanism passes the name of the user and their role (Admin, Operator, or User) to the
managed device. The managed device trusts HP SIM and maps the specified role to a set of rights and
privileges appropriate for that device. For example, when SSO is used from HP SIM to the iLO, the
rights for the user are defined by the HP SIM user role (iLO configuration rights). The iLO rights
associated with HP SIM roles can be configured at the iLO.
The Capacity Advisor utility provides another example of how HP SIM role-based authorization
services are used. HP SIM users can be given access to Capacity Advisor functionality at several
different levels, which include:
• No access
• Access to historic data of any subset of servers
• The ability to create planning scenarios on any subset of servers
• The ability to modify the forecast and utilization limits of a given server
• The ability to mark historic data invalid
The HP SIM authorization mechanism helps to improve security in several ways. For instance, under
other circumstances the user might have to log in directly to the managed system as a privileged user
(such as root on UNIX or Administrator on Windows) to perform privileged actions. In that case, the
user is not limited to the tasks they need to perform; instead, they can perform any privileged
operation on the system. Further, individual accountability is lost, because multiple privileged users
might share a single login. Such practices do not meet the security policies of many organizations.
Using HP SIM authentication ensures individual accountability through the generation of appropriate
and traceable audit records.
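To make the flow described in the two paragraphs above concrete (the authorization check on the CMS, the SSO assertion carrying user name plus role, the device-side mapping of role to rights, and per-user audit records), the following Python model is added here as an illustration. It is not HP code; the class names, action names, and the device rights table are constructed assumptions, and the trust flag stands in for the certificate-based trust the text describes.

```python
"""Model of the HP SIM -> managed device SSO authorization flow (added illustration, not HP code)."""
from dataclasses import dataclass, field

# The three fixed SSO roles; the text states that additional roles cannot be created.
ROLES = ("Admin", "Operator", "User")

# Constructed device-side mapping of SSO role -> permitted actions for an iLO-like device.
DEVICE_RIGHTS = {
    "Admin":    {"view", "power_control", "change_security_settings"},
    "Operator": {"view", "power_control"},          # most actions, but no security settings
    "User":     {"view"},                           # primarily read-only
}


@dataclass
class CMS:
    """HP SIM central management server: holds authorizations and its own audit log."""
    authorizations: dict = field(default_factory=dict)   # (user, system) -> role
    audit_log: list = field(default_factory=list)

    def authorize(self, user, role, system):
        """Create an authorization giving `user` a `role` on `system`."""
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}; additional roles cannot be created")
        self.authorizations[(user, system)] = role

    def drill_down(self, user, system):
        """Verify the user's authorization; on success issue an SSO assertion (user name + role)."""
        role = self.authorizations.get((user, system))
        self.audit_log.append((user, system, "sso", "allowed" if role else "denied"))
        if role is None:
            return None
        return {"user": user, "role": role}


@dataclass
class ManagedDevice:
    """Managed device (iLO/OA/SMH host) that trusts the CMS and enforces role -> rights."""
    name: str
    trusted_cms: bool = True          # stand-in for the certificate-based trust of the CMS
    audit_log: list = field(default_factory=list)

    def perform(self, assertion, action):
        """Map the asserted role to device rights and enforce the requested action."""
        if not self.trusted_cms or assertion is None:
            return False
        allowed = action in DEVICE_RIGHTS[assertion["role"]]
        # The record names the individual user, not a shared root/Administrator login.
        self.audit_log.append((assertion["user"], action, "ok" if allowed else "denied"))
        return allowed
```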
In an Active Directory environment, you can map domain groups to authorizations for use by
management applications; for example, using the directory is useful when managing groups of iLO
management processors. The mapping of group to permissions occurs inside the application. This
type of authorization mechanism supports a fine-grained approach to carrying out privileged tasks.
Additionally, this method ensures individual accountability.