4 authentication for appliance access, 5 controlling access for authorized users, 1 specifying user accounts and roles – HP OneView User Manual
Page 53: 6 protecting credentials, 7 understanding the audit log
3.4 Authentication for appliance access
Access to the appliance requires authentication using a user name and password. User accounts
are configured on the appliance or in an enterprise directory. All access (browser and REST APIs),
including authentication, occurs over SSL to protect the credentials during transmission over the
network.
3.5 Controlling access for authorized users
Access to the appliance is controlled by roles, which describe what an authenticated user is
permitted to do on the appliance. Each user must be associated with at least one role.
3.5.1 Specifying user accounts and roles
User login accounts on the appliance must be assigned a role, which determines what the user
has permission to do.
For information on each role, and the capabilities these roles provide, see
For information on how to add, delete, and edit user accounts, see the online help.
3.6 Protecting credentials
Local user account passwords are stored using a salted hash; that is, they are combined with a
random string, and then the combined value is stored as a hash. A hash is a one-way algorithm
that maps a string to a unique value so that the original string cannot be retrieved from the hash.
Passwords are masked in the browser. When transmitted between appliance and the browser over
the network, passwords are protected by SSL.
Local user account passwords must be a minimum of eight characters, with at least one uppercase
character. The appliance does not enforce additional password complexity rules. Password strength
and expiration are dictated by the site security policy (see
“Best practices for maintaining a secure
). If you integrate an external authentication directory service (also known
as an enterprise directory) with the appliance, the directory service enforces password strength
and expiration.
3.7 Understanding the audit log
The audit log contains a record of actions performed on the appliance, which you can use for
individual accountability.
You must have Infrastructure administrator privileges to download the audit log.
Monitor the audit logs because they are rolled over periodically to prevent them from getting too
large. Download the audit logs periodically to maintain a long-term audit history.
Each user has a unique logging ID per session, enabling you to follow a user’s trail in the audit
log. Some actions are performed by the appliance and might not have a logging ID.
A breakdown of an audit entry follows:
Description
Token
The date and time of the event
Date/time
The unique identifier of an internal component
Internal component
ID
The organization ID. Reserved for internal use
Reserved
The login domain name of the user
User domain
The user name
User name/ID
3.4 Authentication for appliance access
53