This post is more than 5 years old
43 Posts
0
23660
Unexpected behaviours with OmeSiteAdministrators Role
I am currently working on testing the functionality of the OmeSiteAdministrator Role so we can use it in our organization. We are running OME 2.0.0.1926.
I went into Preferences - Device Group Permissions and added a new test user (Using the edit members of OmeSiteAdministrators common task.) I provided the correct domain and user name. Then I went to the Manage Device Group Permissions section and selected one group that this user should be able to deploy updates and remote tasks to.
When logging into the Console as this test user I was able to see ALL devices in Manage - Devices. When I went to Manage - System Update I was also able to see all devices in the uncompliant section and was able to select any device to bring up the System Update Task window for.
I looked at the test user's Roles (clicking on the user name in the top right corner) and saw he was an OmeSiteAdministrator and OmeUser. It looks like a clean install of OME adds the group BUILTIN\Users to the OmeUsers group. I removed BUILTIN\Users from the OmeUsers group and then the test user could only see members of the one specified group in Manage - System Update.
But When the test user next launched the OME console, they still could see ALL devices in Manage - System Update, even though the top of the window says "System Update: Filter by: . The specified group actually only contains one device, but the test user can see all devices.
I logged in as an OmeAdministrator, looked back at Device Group Permissions, and see an additional user.
In Edit Members of OmeSiteAdministrators I see the test user listed twice, both times with the correct domain and user name. But under Manage Device Group Permissions, there is the user DOMAIN/user that I added, but now also an UNKNOWN/user (domain is actually "UNKNOWN" and user is the test user name.)
It looks like the Filter does not always work (It only worked once for the test user. Every other time the test user opens the console it has shown all devices.) Also, Im not sure why there is the addition of the UNKNOWN/username user.
DELL-Rob C
2.8K Posts
0
November 25th, 2014 12:00
Also, please review the following whitepaper on delltechcenter.com/ome and see if it offers any help.
OpenManage Essentials Role Based Security and Implementation
Thanks,
Rob
DELL-Pupul M
1K Posts
0
November 25th, 2014 03:00
Your test user has privilege to run system update task on the group which you provided. But he can view all the other groups as well. When you try to create a system update task on a server belonging to any other group, then a pop should tell you that you will not be able to create task or something like you don't have permissions.
One thing to note is which group have you selected? Did you select the already existing group or created a custom group? If you have selected an already existing group then note that same device can be present in multiple groups.
So, yes the test user will be able to see all the devices but he does not have write privilege on all of them except the one for which you gave that user the required permission,
I don't think you need to really remove the user from OMEUSERS group because that group does not have any write privilege and it should not make any difference. Although, if refresh the browser after adding the users to OMEsiteadministrator group, that should suffice.
For the additional user part, can you please help us with a screenshot of how it shows in OME? Have you added only one domain user?
gnelson-UTexas
43 Posts
0
November 26th, 2014 08:00
I have created several custom groups, with membership based on device name starts with rules. I have viewed the group members and verified they are populated as expected.
When my test user opens OME, and goes to System Update it always says "System Update: Filtered By: Grou1, Group2." The odd thing is sometimes the filter works and only members of these two groups are shown -- but sometimes all devices are shown. So there is an inconsistency there that I am experiencing. When all devices are shown, I am able to click on the Apply Selected Updates button and the update task window appears. The only alert I receive is if I have selected a driver with the out of band update method, which is unsupported.
And just now I was trying to run a Discovery on a discovery range (as an admin) and it was not doing anything. I was not even getting the pop up alert that the discovery range was submitted for discovery. So I restarted the OME server and after that I was able initiate the discovery process.
After the restart of the OME server I opened the OME console as the test user and went to System Update. It still showed the header "filtered by group1, group 2" - but showed all devices for about 3-5 seconds then the table/grid refreshed itself to only show the filtered list as expected.
I closed and re-opened OME as the test user a second time, and once again saw all devices and then the table refreshed itself to only show the actual filtered list.
I have closed and re-opened OME as the test user an additional three times and now it is stuck again permanently showing All devices and will allow me to select and create a task to update devices not in the groups the test user has access to.
gnelson-UTexas
43 Posts
0
November 26th, 2014 09:00
I am attaching a screen shot. I have obscured our domain name and the user names for actual user accounts. I have left the test user account name visible as well as the one "unknown" domain entry.
You can see for DOMAIN/test457 there are four entries in "Edit Members of OmeSiteAdministrators (they all with the correct/same Domain name.)
In Manage Device Group Permissions this user shows up three times, twice with the correct Domain name and once with a Domain of Unknown. One of these listings for the user under Manage Device Group Permissions has the groups selected that I selected for the user. The other ones have no groups selected.
I have reviewed the whitepaper previously prior to attempting to test this functionality in OME.
DELL-Rob C
2.8K Posts
0
November 26th, 2014 11:00
Thanks for this extra detail. Can you let me know how many devices are being managed in this OME system?
We need to look and see if the problem you see happens for a new group that is static, or just for custom queries.
For the netmon crash, we'll need to collect logs. There is a service restart button, but we need to look at that.
I think we'll need a support ticket opened so we can review your system more closely and get you the best support. Can you do this?
Thanks much,
Rob
en.community.dell.com/.../20406560
mgelmer
3 Posts
0
December 10th, 2014 10:00
I'm having the same problem. Running v2.0.1.2222. Adding an account results in (3) entries, one with the 'Unknown' domain.
Was a root cause\fix identified?
gnelson-UTexas
43 Posts
0
December 10th, 2014 14:00
Rob,
We have 326 devices discovered in OME.
When I call Dell Tech Support, what do I need to tell them to get my support ticket routed to the OME team? I remember in the past having a difficult time trying to get routed to the correct group even when identifying it as relating to OpenManage Essentials.
thankx,
Geoff
DELL-Rob C
2.8K Posts
0
December 10th, 2014 14:00
If you have Pro Support you should just be able to give them a Service Tag of a system and mention you have an OME issue. That should get you to the right group to start with, and if they need help, they have other folks they can pull in.
You can reference this thread (and me), the role based security stuff is a bit less familiar to some folks, so it may need to be escalated. (800-945-3355)
Rob
DELL-Rob C
2.8K Posts
0
December 10th, 2014 15:00
Three entries doesn't sound right. Can you open a ticket so we can get a closer look and see what's up?
(800-945-3355)
Rob