Rbac best practices – HP Virtual Connect Enterprise Manager Software User Manual
Page 14
Table 2 RBAC privileges (continued)

| Command-line option | VCEM User (Read Only) | VCEM Domain Group Limited Operator | VCEM Domain Group Operator | VCEM Domain Group Administrator | VCEM Administrator |
|---|---|---|---|---|---|
| -show version | x | x | x | x | x |
| -show vcem-status | x | x | x | x | x |
| -startvcdfwupdate | | | | x | x |
| -completevcdfwupdate, see “completevcdfwupdate” (page 78) | | | | x | x |
| -startvcdmaint | | | | x | x |
| -cancelvcdmaint | | | | x | x |
| -completevcdmaint | | | | x | x |
VCEMCLI commands that perform read operations require only the minimum VCEM privilege, whereas write operations require full privilege on the affected resource. You set up VCEM privileges in Systems Insight Manager under Options→Security→Users and Authorizations. If the minimum RBAC privilege is not met, the VCEMCLI reports an error whose message describes the reason for the failure.
RBAC best practices
In configurations where VCEM is used in conjunction with an upper-level manager such as HP Matrix Operating Environment or HP Matrix OE logical server management, make sure that operations invoked through the VCEMCLI do not disrupt the functioning of the upper-level manager. The VCEM user interface warns the administrator when it detects a risk of conflict, but the VCEMCLI does not. For more information about which commands can disrupt upper-level managers, see “Using VCEM commands” (page 21).
You can use RBAC in Systems Insight Manager to prevent conflicts between VCEM and upper-level managers by disallowing changes to the resources that would disrupt the upper-level managers.
To prevent conflicts:
• Define specific Systems Insight Manager users for VCEM and the VCEMCLI.
• Define additional Systems Insight Manager users for upper-level managers.
• If needed, remove roles from the VCEM users to prevent conflict with upper-level managers.
• Set permissions on VC domain groups so that only specific Systems Insight Manager users can access them.
• Confirm that the scripts specify the correct user-name and password credentials to ensure that they are granted only the appropriate level of permissions.
• Ensure that NTFS permissions are set on the scripts on the CMS so that they are accessible only to the CMS users who are authorized to run them.
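The last bullet, as an added PowerShell example that is not part of the HP manual: it removes inherited ACEs from the directory holding VCEMCLI scripts on the CMS, grants read/execute only to an authorized local group (administrators and SYSTEM keep full control), and audits the resulting ACL for any principal outside that set. The path C:\VCEM\Scripts and the group VCEMScriptOperators are assumed names; the group must already exist on the CMS.

```powershell
function Set-VcemScriptAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$AuthorizedGroup
    )
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent (e.g. BUILTIN\Users read access on the drive root)
    # and do not copy the inherited ACEs, so the rules below are the complete policy.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }

    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $rules = @(
        # Administrators and SYSTEM keep full control for maintenance and scheduled tasks.
        @('BUILTIN\Administrators', 'FullControl'),
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        # Authorized operators may read and run the scripts but not modify them, so a
        # script carrying privileged VCEM credentials cannot be altered by its users.
        @("$env:COMPUTERNAME\$AuthorizedGroup", 'ReadAndExecute')   # assumed group name
    )
    foreach ($r in $rules) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $r[0], $r[1], $inherit, $propagate, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-VcemScriptAcl {
    # Audit check: return every Allow ACE whose principal is not in the permitted set.
    # An empty result means only the intended CMS users can reach the scripts.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$AllowedPrincipals
    )
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $AllowedPrincipals -notcontains $_.IdentityReference.Value
    }
}

# Assumed directory and group; adjust to the CMS layout in use.
$scriptDir = 'C:\VCEM\Scripts'
$allowed   = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', "$env:COMPUTERNAME\VCEMScriptOperators")
Set-VcemScriptAcl -Path $scriptDir -AuthorizedGroup 'VCEMScriptOperators'
Test-VcemScriptAcl -Path $scriptDir -AllowedPrincipals $allowed
```

Run it from an elevated PowerShell session on the CMS; Set-Acl fails if the caller cannot take ownership of the directory or the group name does not resolve.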