In this video, we'll explore role-based access control and scope-based access control in OpenManage Enterprise. What is Role-Based Access Control, or RBAC? RBAC controls what users can do in OpenManage Enterprise. Instead of giving everyone full access, we assign roles. Each role decides what a user can see and do.
There are three built-in roles. First, the Administrator role. This one gives full access to all features and settings. Next, the Device Manager role. Users with this role can manage devices, but they don't have full system control. Finally, the Viewer role. This is read-only access. This role is perfect for users who just need to monitor without making changes.
You're not limited to these three roles. Administrators can create custom roles with specific privileges for more tailored access. Once the role is ready, they can assign it to a user during creation, giving that user a custom role. Now, let’s talk about Scope-Based Access Control, or SBAC. SBAC builds on RBAC by adding another layer of control: it limits which device groups a user can access.
This means a Device Manager or a custom role user only sees the devices they need to manage. SBAC also ensures isolation. Even if two users share the same scope, they can't see each other's templates, baselines or profiles. So, user one and user two might both manage devices in group one, but their configuration assets remain private.
This keeps your environment secure and prevents accidental changes. When creating or editing a local user with Device Manager or a custom role, an administrator can select one or more device groups that define the user’s scope. For example, if a user is assigned to group one, they can only access devices within group one.
If a Device Manager or custom role user is given scope to all devices, they keep full operational access as defined by their RBAC privileges. SBAC isn’t just for local users. It also applies to Active Directory and LDAP users in OpenManage Enterprise. When importing or editing AD or LDAP groups, administrators can assign scopes to those groups along with roles like Device Manager or Custom Role.
This way, access control works consistently across both local and directory-based users. Let’s look at some important rules for AD and LDAP users. If a user belongs to multiple Active Directory groups, their effective scope is the union of all scopes from those groups. For example, a user is assigned to two AD groups, group one and group two. Each group has a different scope.
So DM one's scope becomes the combined set of both device groups. When a user is part of multiple Active Directory groups with different roles, the role with the highest level of access takes precedence. The order is Administrator first, then Custom Role, then Device Manager, and finally Viewer.
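The rules just described (the isolation of templates, baselines and profiles between users who share a scope, the union of scopes across a user's AD groups, and the role precedence order) can be written down as a small model. The following Python is an added illustration, not OpenManage Enterprise code and not a call into its API; the role names and precedence order are the ones given in the video, while the user names, AD group names, device groups and device identifiers are constructed for the example.

```python
"""Toy model of the RBAC and SBAC rules described in the video.

Added illustration only: this is not OpenManage Enterprise's own code.
Role names and precedence come from the narration; every user, group,
device and asset below is constructed for the example.
"""
from dataclasses import dataclass

# Role precedence as stated in the narration, lowest to highest access.
ROLE_PRECEDENCE = ["Viewer", "Device Manager", "Custom Role", "Administrator"]

# Sentinel for a scope that covers every device group ("all devices").
ALL_DEVICES = "ALL"

# Constructed device inventory: device group -> set of device identifiers.
DEVICE_GROUPS = {
    "group1": {"SRV-001", "SRV-002"},
    "group2": {"SRV-003"},
    "group3": {"SRV-004"},
}


@dataclass(frozen=True)
class DirectoryGroup:
    """An imported AD/LDAP group with the role and scope assigned to it."""
    name: str
    role: str
    scope: frozenset  # device group names, or {ALL_DEVICES}


@dataclass(frozen=True)
class ConfigAsset:
    """A template, baseline or profile; owned by exactly one user."""
    owner: str
    kind: str
    name: str


def highest_role(roles):
    """Pick the role with the most access, per the stated precedence."""
    return max(roles, key=ROLE_PRECEDENCE.index)


def effective_access(groups):
    """Effective role is the highest role across the user's groups; effective
    scope is the union of every group's scope. Administrators have full
    access, so their scope is modelled as all devices."""
    groups = list(groups)  # may be a generator; we iterate twice
    role = highest_role(g.role for g in groups)
    if role == "Administrator":
        return role, frozenset({ALL_DEVICES})
    scope = frozenset().union(*(g.scope for g in groups))
    return role, scope


def can_access_device(scope, device):
    """A device is reachable if any device group in the scope contains it."""
    if ALL_DEVICES in scope:
        return True
    return any(device in DEVICE_GROUPS.get(group, ()) for group in scope)


def visible_assets(user, assets):
    """Isolation rule: a user sees only their own templates, baselines and
    profiles, even when another user shares the same scope."""
    return [a for a in assets if a.owner == user]


# Constructed AD groups. "DM one" mirrors the narration: two groups, two scopes.
AD_GROUPS = {
    "ad-group-one": DirectoryGroup("ad-group-one", "Device Manager", frozenset({"group1"})),
    "ad-group-two": DirectoryGroup("ad-group-two", "Device Manager", frozenset({"group2"})),
    "ad-custom": DirectoryGroup("ad-custom", "Custom Role", frozenset({"group2"})),
    "ad-admins": DirectoryGroup("ad-admins", "Administrator", frozenset({ALL_DEVICES})),
}
USER_MEMBERSHIPS = {
    "DM one": ["ad-group-one", "ad-group-two"],
    "user one": ["ad-group-one"],
    "user two": ["ad-group-one", "ad-custom"],
    "ops admin": ["ad-group-one", "ad-admins"],
}
ASSETS = [
    ConfigAsset("user one", "template", "BIOS-baseline-A"),
    ConfigAsset("user two", "profile", "Rack12-profile"),
]


def resolve_user(user):
    """Effective (role, scope) for a directory user from their memberships."""
    return effective_access(AD_GROUPS[g] for g in USER_MEMBERSHIPS[user])


if __name__ == "__main__":
    for user in USER_MEMBERSHIPS:
        role, scope = resolve_user(user)
        print(f"{user}: role={role}, scope={sorted(scope)}")
    # user one and user two both manage group1, yet each sees only their own asset.
    print("user one sees:", [a.name for a in visible_assets("user one", ASSETS)])
    print("user two sees:", [a.name for a in visible_assets("user two", ASSETS)])
```

Running the block resolves DM one to a Device Manager whose scope is the union of group one and group two, resolves user two to Custom Role because that role outranks Device Manager, and shows that user one and user two, despite sharing group one, each see only their own configuration asset.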
For OIDC users, scope assignment doesn’t happen inside OpenManage Enterprise. Instead, you assign scopes at the OIDC provider during user configuration. When the user logs in with their OIDC credentials, the role and scope information is passed to OpenManage Enterprise automatically. For more details on configuring roles and scopes, check out the OpenManage Enterprise User Guide at Dell.com/Support.