Rbac best practices – HP Insight Management-Software User Manual
Page 12
Table 2 RBAC privileges (continued)
VCEM User
(read only)
VCEM
Group
Limited
Operator
VCEM
Group
Operator
VCEM
Group
Administrator
VCEM
Administrator
Command line options
x
x
x
x
-poweroff enclosurename
x
x
x
x
-poweron enclosurename
x
x
x
x
x
-show power-status
x
x
x
-set iscsi-boot-param
x
x
x
-remove iscsi-boot-param
x
x
x
x
x
-show job
x
x
x
x
x
-show version
x
x
x
x
x
-show vcem-status
x
x
-startvcdmaint
x
x
-cancelvcdmaint
x
x
-completevcdmaint
x
x
x
x
x
-export
VCEMCLI commands for read operations require minimum VCEM privilege, whereas write operations
require full privilege to the affected resource. You can set up the VCEM privilege from the Systems
Insight Manager Options
→Security→Users and Authorizations. If the minimum RBAC is not met,
VCEMCLI reports an error. The error message contains a description of the reason for the failure.
RBAC Best Practices
In configurations where VCEM is used in conjunction with an upper-level manager such as HP
Matrix Operating Environment or HP Matrix OE logical server management, ensure that operations
invoked through VCEMCLI do not disrupt the functioning of the upper-level manager. The VCEM
User Interface warns the administrator when it detects the risk of conflict, however VCEMCLI will
not. See
“Using VCEM commands” (page 18)
for more information on which commands can
cause disruption of upper-level managers.
You can configure Systems Insight Manager using role-based access control to prevent conflicts
between VCEM and upper-level managers by not allowing changes to resources which would
disrupt the upper-level manager.
To prevent conflicts:
•
Define specific Systems Insight Manager users for VCEM and VCEMCLI.
•
Define additional Systems Insight Manager users for upper-level managers.
•
If needed, roles can be removed from the VCEM users to prevent conflict with upper-level
managers.
•
Set permissions on VC Domain Groups so only specific Systems Insight Manager users can
access them.
•
Confirm that the scripts specify the correct username and password credentials to ensure that
they are granted only the appropriate level of permissions.
•
Ensure that NTFS permissions are set on the scripts on the CMS so that they are accessible
only to the CMS users who are authorized to run them.
12
Using VCEMCLI