Role-Based Access Control (RBAC) defines the user privileges into three categories: Administrator, Device Manager, and Viewer. Scope-Based Access Control (SBAC) enables administrators to limit the device groups that a device manager can access. The following topics further explain the RBAC and SBAC features.
Scope-based access control (SBAC)
Scope-Based Access Control (SBAC) is an extension of Role-Based Access Control (RBAC). With RBAC, administrators assign roles while creating users. These roles define the user's access level to appliance settings and device management features. SBAC further refines this by allowing administrators to restrict a Device Manager role to a specific subset of device groups, known as a scope.
Assigning scope
When creating or updating a device manager, administrators can assign a scope to limit the operational access of the Device Manager to specific system groups, custom groups, and plug-in groups. However, Administrator and Viewer roles have unrestricted scope, meaning they have operational access to all devices and group entities as specified by their RBAC privileges.
Administrator can assign the scope while creating a Device Manager user or at a later time by editing the user. Scopes can be implemented as follows:
- Go to
Application Settings.
- Create or edit a user.
- Assign a Device Manager role.
- Assign a scope to restrict operational access.
For more information about managing users, see
Manage users, roles, and scopes.
Restricted view
With SBAC, administrators can implement a Restricted View feature. With Restricted View, Device Managers can only see:
- Groups (therefore, the devices in those groups) in their scope.
- Entities that they own (such as jobs, firmware templates, configuration templates, and baselines, alert policies, profiles, and so on).
- Community entities such as Identity Pools and VLANs which are not restricted to specific users and can be used by everyone accessing the console.
- Built-in entities of any kind.
If a Device Manager's scope is unrestricted, they can view all devices and groups. However, they can only see entities owned by them, such as jobs, alert policies, baselines, and so on along with the community and built-in entities of any kind.
When a Device Manager with an assigned scope logs in, they can see and manage only the devices within their scope. They can also see and manage entities associated with scoped devices, but only if they own the entity (i.e., they created it or were assigned ownership). For more information about the entities a Device Manager can create, see Role-Based Access Control (RBAC) privileges in
OpenManage Enterprise User's Guide.
Examples
By clicking
, Device Manager users can view the default and custom templates they own. They can also perform other tasks on owned templates as permitted by their RBAC privileges.
By clicking
, Device Manager users can see all the identities created by an administrator or the Device Manager user. The Device Manager can also perform actions on those identities as specified by RBAC privilege. However, the Device Manager can only see the usage of those identities that are associated with the devices under the Device Manager's scope.
Similarly, by clicking
, Device Manager users can see all the VLANs created by the admin and export them. The Device Manager cannot perform any other operations. If they have a template, they can edit the template to use the VLAN networks, but it cannot edit the VLAN network.
In OpenManage Enterprise, the scope can be assigned while creating a local user or importing an AD or LDAP user. Scope assignment for OIDC users can only be done on Open ID Connect (OIDC) providers.
SBAC for local users
- While creating or editing a local user with Device Manager role, an admin can select one or more device groups that defines the scope for the Device Manager. For example, if you (as an administrator) create a Device Manager user named
dm1 and assign to group
g1 present under custom groups, then
dm1 can only access devices within
g1. The user
dm1 cannot access any other groups or entities that are related to any other devices.
- Furthermore, with SBAC,
dm1 can only view entities they own. If
dm1 and
dm2 are both assigned to group
g1,
dm1 cannot see entities created by
dm2, and vice versa. For example, you (as an administrator) create another Device Manager user with a name
dm2 and assign the same group
g1 present under custom groups. If
dm2 creates configuration template, configuration baselines, or profiles for the devices in
g1, then
dm1 cannot access to those entities and vice-versa.
- A Device Manager with scope to All Devices has operational access as specified by RBAC privileges to all devices and group entities that are owned by the Device Manager.
SBAC for AD and LDAP users
While importing or editing AD and LDAP groups, administrators can assign scopes to user groups with the Device Manager role. If a user is a member of multiple AD groups, each with a Device Manager role, and each AD group has distinct scope assignments, then the scope of the user is the union of the scopes of those AD groups.
For example:
- User dm1 is a member of two AD groups (RR5-Floor1-LabAdmins and
RR5-Floor3-LabAdmins). Both AD groups have been assigned the Device Manager role, with scope assignments for the AD groups are as follows:
RR5-Floor1-LabAdmins gets
ptlab-servers and
RR5-Floor3-LabAdmins gets
smdlab-servers. Now the scope of the Device Manager
dm1 is the union of
ptlab-servers and
smdlab-servers.
- User dm1 is a member of two AD groups (adg1 and
adg2). Both AD groups have been assigned the Device Manager role, with scope assignments for the AD groups as follows:
adg1 is given access to
g1 and
adg2 is given access to
g2. If
g1 is the superset of
g2, then the scope of
dm1 is the larger scope (g1, all its child groups, and all leaf devices).
When a user is a member of multiple AD groups that have different roles, the higher-functionality role takes precedence (in the order Administrator, Device Manager, and Viewer).
A Device Manager with unrestricted scope has operational access as specified by RBAC privileges to all device and group entities.
SBAC for OIDC users:
Scope assignment for OIDC users does not happen within the OpenManage Enterprise console. You can assign scopes for OIDC users at an OIDC provider during user configuration. When the user logs in with OIDC provider credentials, the role and scope assignment is available to OpenManage Enterprise. For more information about configuring user roles and scopes, see
Configure OIDC login using PingFederate.
: The administrator can transfer owned resources from a device manager (source) to another device manager. For example, an administrator can transfer all the resources assigned from a source dm1 to dm2. A device manager with owned entities such as firmware and configuration baselines, configuration templates, alert policies, and profiles are considered an eligible source user. Transfer of ownership transfers only the entities and not the device groups (scope) owned by a device manager to another. For more information see,
Transfer of ownership of device manager entities.