Rbac best practices – HP Virtual Connect Enterprise Manager Software User Manual

Page 14

Table 2 RBAC privileges (continued)

Columns: VCEM User (Read Only) | VCEM Domain Group Limited Operator | VCEM Domain Group Operator | VCEM Domain Group Administrator | VCEM Administrator | Command-line option

x x x x x | -show version, see “show version” (page 75)
x x x x x | -show vcem-status, see “show vcem-status” (page 76)
x x | -startvcdfwupdate, see “startvcdfwupdate” (page 77)
x x | -completevcdfwupdate, see “completevcdfwupdate” (page 78)
x x | -startvcdmaint, see “startvcdmaint” (page 79)
x x | -cancelvcdmaint, see “cancelvcdmaint” (page 80)
x x | -completevcdmaint, see “completevcdmaint” (page 81)

VCEMCLI commands for read operations require minimum VCEM privilege, whereas write operations
require full privilege to the affected resource. You can set up the VCEM privilege from the Systems
Insight Manager: Options→Security→Users and Authorizations. If the minimum RBAC is not met,
the VCEMCLI reports an error. The error message contains a description of the reason for the
failure.

RBAC best practices

In configurations where VCEM is used in conjunction with an upper-level manager such as HP
Matrix Operating Environment or HP Matrix OE logical server management, make sure that
operations invoked through the VCEMCLI do not disrupt the functioning of the upper-level manager.
The VCEM user interface warns the administrator when it detects the risk of conflict, but the VCEMCLI
does not. For more information about which commands can cause disruption of upper-level
managers, see “Using VCEM commands” (page 21).

You can configure Systems Insight Manager by using RBAC to prevent conflicts between VCEM
and upper-level managers by not allowing changes to resources that would disrupt the upper-level
managers.

To prevent conflicts:

Define specific Systems Insight Manager users for VCEM and the VCEMCLI.

Define additional Systems Insight Manager users for upper-level managers.

If needed, remove roles from the VCEM users to prevent conflict with upper-level managers.

Set permissions on VC domain groups so that only specific Systems Insight Manager users
can access them.

Confirm that the scripts specify the correct user-name and password credentials to ensure that
they are granted only the appropriate level of permissions.

Ensure that NTFS permissions are set on the scripts on the CMS so that they are accessible
only to the CMS users who are authorized to run them.
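
One way to check the NTFS recommendation above, as an added PowerShell example that is not part of the HP manual: it reports every Allow entry on the script folder and its contents that belongs to a principal outside an allow-list, and with -Fix removes those entries. The folder path and the account CMS01\vcemcli-operator are assumed placeholder values, and the built-in account names assume an English-language Windows installation.

```powershell
# Added example: audit (and optionally tighten) NTFS ACLs on VCEMCLI scripts.
param(
    [string]$ScriptDir = 'C:\VcemScripts',               # assumed script folder on the CMS
    [string[]]$Allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                           'CMS01\vcemcli-operator'),     # assumed authorized CMS user
    [switch]$Fix                                          # without -Fix the script only reports
)

# Return the Allow ACEs whose principal is not on the allow-list.
function Get-UnauthorizedAce {
    param($Acl, [string[]]$Allowed)
    @($Acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $Allowed -notcontains $_.IdentityReference.Value
    })
}

# Check the folder itself too: write access there lets a user replace a script.
$targets = @(Get-Item -LiteralPath $ScriptDir) +
           @(Get-ChildItem -LiteralPath $ScriptDir -Recurse)

foreach ($item in $targets) {
    $acl = Get-Acl -LiteralPath $item.FullName
    $bad = Get-UnauthorizedAce -Acl $acl -Allowed $Allowed
    if ($bad.Count -eq 0) { continue }

    foreach ($ace in $bad) {
        '{0}: {1} has {2} (inherited: {3})' -f $item.FullName,
            $ace.IdentityReference.Value, $ace.FileSystemRights, $ace.IsInherited
    }

    if ($Fix) {
        # Inherited ACEs cannot be removed in place: block inheritance and keep
        # the inherited entries as explicit copies, then persist that change.
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -LiteralPath $item.FullName -AclObject $acl

        # Re-read the now fully explicit ACL and drop the unauthorized entries.
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in (Get-UnauthorizedAce -Acl $acl -Allowed $Allowed)) {
            [void]$acl.RemoveAccessRuleSpecific($ace)
        }
        Set-Acl -LiteralPath $item.FullName -AclObject $acl
    }
}
```

Run it from an elevated session on the CMS, first without -Fix to review the report, since changing ACLs requires permission to modify them on every item.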

Using the VCEMCLI
