- Notes, cautions, and warnings
- Preface
- Overview
- Deployment
- Getting started
- System configuration
- Configure network settings
- Manage users, roles, and scopes
- Ending user sessions
- Directory services integration
- Login using OIDC providers
- Security certificates
- Manage console settings
- Set the login security properties
- Customize the alert display
- Configure SMTP, SNMP, and Syslog
- Manage incoming alerts
- Manage warranty settings
- Configure remote commands and scripts
- OpenManage Mobile settings
- Enable or disable alert notifications for OpenManage Mobile
- Enable or disable OpenManage Mobile subscribers
- Delete an OpenManage Mobile subscriber
- View the alert notification service status
- Notification service status
- View information about OpenManage Mobile subscribers
- OpenManage Mobile subscriber information
- Troubleshooting OpenManage Mobile
- Discovering devices
- Server-initiated discovery
- Create a device discovery job
- Protocol support matrix for discovering devices
- View device discovery job details
- Edit a device discovery job
- Run a device discovery job
- Stop a device discovery job
- Discover multiple devices by .csv import
- Global exclusion of ranges
- Specify a discovery mode for server discovery
- Create a custom discovery job for servers
- Specify discovery mode for chassis discovery
- Create a custom discovery job for the chassis
- Specify discovery mode for Dell storage discovery
- Specify discovery mode for network switch discovery
- Create a custom discovery job for HTTPS storage devices
- Create a custom discovery job for SSH devices
- Create a custom discovery job for SNMP devices
- Specify the discovery mode for multiple discovery jobs
- Delete a device discovery job
- Managing devices and device groups
- Organize devices into groups
- Create a custom static or query group
- Create a static device group
- Create a query device group
- Edit a static group
- Edit a query group
- Rename a static or query group
- Delete a static or query device group
- Clone a static or query group
- Add devices to a new group
- Add devices to existing group
- Refresh health on group
- All Devices screen device list
- All Devices screen actions
- Delete devices from OpenManage Enterprise
- Exclude devices from OpenManage Enterprise
- Run inventory on devices
- Update the device firmware and drivers by using baselines
- Refresh the device health of a device group
- Refresh health on devices
- Roll back an individual device's firmware version
- Export the single device inventory
- Performing more actions on chassis and servers
- Hardware information displayed for MX7000 chassis
- Export data
- View and configure individual devices
- Run and download diagnostic reports
- Extract and download a Services report
- Managing individual device hardware logs
- Run remote commands on managed devices
- Launch the iDRAC device management application
- Launch the virtual console
- Attaching iDRAC virtual media
- Refresh device inventory of a single device
- View installed and available licenses on a device
- Organize devices into groups
- Managing device inventory
- Managing device firmware and drivers
- Managing device deployment templates
- Create a deployment template from a reference device
- Create a deployment template by importing a template file
- View a deployment template information
- Edit a server deployment template
- Edit a chassis deployment template
- Edit IOA deployment template
- Edit network properties of a deployment template
- Deploy device deployment templates
- Deploy IOA deployment templates
- Clone deployment templates
- Export a deployment template
- Delete deployment templates
- Auto deploy device configuration before discovery
- Create auto deployment targets
- Delete auto deployment targets
- Export auto deployed target details
- Overview of stateless deployment
- Define networks
- Edit or delete a configured network
- Export VLAN definitions
- Import network definitions
- Managing device warranty
- Managing alerts
- Managing MIB files
- Configuring profiles
- Configuration compliance
- Managing licenses
- Using jobs for device control
- Monitoring audit logs
- Monitoring reports
- Back up, restore, or migrate
- Updating the console and plugins
- Managing plugins
- Troubleshooting
- Troubleshooting connectivity
- Firmware and DSU requirements for HTTPS
- Firmware schedule reference
- Firmware baseline field definitions
- Supported and unsupported actions on proxied sleds
- Schedule job field definitions
- Alert categories after EEMI relocation
- Token substitution in remote scripts and alert policy
- Catalog Management field definitions
- Devices with unknown compliance status
- Device rediscovery running for a long time after deleting iDRAC service account
- Dell Connectivity Service : Failed with exception: Unable to get access token from DCS
OpenManage Enterprise 4.1.x User's Guide
Role and scope-based access
Role-Based Access Control (RBAC) defines the user privileges into three categories: Administrator, Device Manager, and Viewer. Scope-Based Access Control (SBAC) enables administrators to limit the device groups that a device manager can access. The following topics further explain the RBAC and SBAC features.
Role-based access control (RBAC) privileges
Users are assigned roles that determine their level of access to the appliance settings and device management features. This feature is termed as Role-Based Access Control (RBAC). The console enforces the privilege that is required for a certain action before allowing the action. For more information about managing users in OpenManage Enterprise, see Manage OpenManage Enterprise users.
The table below lists the privileges of each role.
| Privilege | Description | User roles | |||
|---|---|---|---|---|---|
| Backup Administrator | Administrator | Device Manager | Viewer | ||
| Backup, restore, and migration | Back up, restore, and migrate appliance. | Yes | No | No | No |
| Appliance setup | Global appliance settings involving the setting up of the appliance | Yes | Yes | No | No |
| Security setup | Appliance security settings | Yes | Yes | No | No |
| Alert management | Alerts actions or management | Yes | Yes | No | No |
| Fabric management | Fabric actions or management | Yes | Yes | No | No |
| Network management | Network actions or management | Yes | Yes | No | No |
| Group management | Create, read, update, and delete for static and dynamic groups. | Yes | Yes | No | No |
| Discovery management | Create, read, update, and delete for discovery tasks and run discovery tasks. | Yes | Yes | No | No |
| Inventory management | Create, read, update, and delete for inventory tasks and run inventory tasks. | Yes | Yes | No | No |
| Trap management | Import MIB, Edit trap | Yes | Yes | No | No |
| Auto-deploy management | Manage auto-deploy configuration operations. | Yes | Yes | No | No |
| Monitoring setup | Alerting policies, forwarding, Services (formerly SupportAssist), and so on. | Yes | Yes | Yes | No |
| Power control | Reboot or cycle device power | Yes | Yes | Yes | No |
| Device configuration | Device configuration, application of templates, manage or migrate I/O identity, storage mapping (for storage devices), and so on. | Yes | Yes | Yes | No |
| Operating system deployment | Deploy the operating system, map to LUN, and so on. | Yes | Yes | Yes | No |
| Device update | Device firmware update, application of updated baselines, and so on | Yes | Yes | Yes | No |
| Template management | Create or manage templates. | Yes | Yes | Yes | No |
| Baseline management | Create, manage firmware, and configuration baseline policies. | Yes | Yes | Yes | No |
| Power management | Set power budgets | Yes | Yes | Yes | No |
| Job management | Job execution or management. | Yes | Yes | Yes | No |
| Report management | Create, read, update, and delete operations on reports. | Yes | Yes | Yes | No |
| Report run | Run reports | Yes | Yes | Yes | Yes |
| View | View all data, report execution or management, and so on. | Yes | Yes | Yes | Yes |
| License management | Retrieve licenses from Dell Digital Locker, bind entitlements with devices, deploy licenses to devices, and remove licenses from a device. You can also view, import, and export licenses. | Yes | Yes | Yes | No |
| License delete | Delete licenses from OpenManage Enterprise. | Yes | Yes | No | No |
| License management device configuration | Bind and deploy licenses. | Yes | Yes | Yes | No |
Scope-based access control (SBAC)
Scope-Based Access Control (SBAC) is an extension of Role-Based Access Control (RBAC). With RBAC, administrators assign roles while creating users. These roles define the user's access level to appliance settings and device management features. SBAC further refines this by allowing administrators to restrict a Device Manager role to a specific subset of device groups, known as a scope.
Assigning scopeWhen creating or updating a device manager, administrators can assign a scope to limit the operational access of the Device Manager to specific system groups, custom groups, and plug-in groups. However, Administrator and Viewer roles have unrestricted scope, meaning they have operational access to all devices and group entities as specified by their RBAC privileges.
Administrator can assign the scope while creating a Device Manager user or at a later time by editing the user. Scopes can be implemented as follows:
- Go to Application Settings.
- Create or edit a user.
- Assign a Device Manager role.
- Assign a scope to restrict operational access.
For more information about managing users, see Manage users, roles, and scopes.
Restricted viewWith SBAC, administrators can implement a Restricted View feature. With Restricted View, Device Managers can only see:
- Groups (therefore, the devices in those groups) in their scope.
- Entities that they own (such as jobs, firmware templates, configuration templates, and baselines, alert policies, profiles, and so on).
- Community entities such as Identity Pools and VLANs which are not restricted to specific users and can be used by everyone accessing the console.
- Built-in entities of any kind.
If a Device Manager's scope is unrestricted, they can view all devices and groups. However, they can only see entities owned by them, such as jobs, alert policies, baselines, and so on along with the community and built-in entities of any kind.
When a Device Manager with an assigned scope logs in, they can see and manage only the devices within their scope. They can also see and manage entities associated with scoped devices, but only if they own the entity (i.e., they created it or were assigned ownership). For more information about the entities a Device Manager can create, see Role-Based Access Control (RBAC) privileges in OpenManage Enterprise User's Guide.
ExamplesBy clicking , Device Manager users can view the default and custom templates they own. They can also perform other tasks on owned templates as permitted by their RBAC privileges.
By clicking , Device Manager users can see all the identities created by an administrator or the Device Manager user. The Device Manager can also perform actions on those identities as specified by RBAC privilege. However, the Device Manager can only see the usage of those identities that are associated with the devices under the Device Manager's scope.
Similarly, by clicking , Device Manager users can see all the VLANs created by the admin and export them. The Device Manager cannot perform any other operations. If they have a template, they can edit the template to use the VLAN networks, but it cannot edit the VLAN network.
In OpenManage Enterprise, the scope can be assigned while creating a local user or importing an AD or LDAP user. Scope assignment for OIDC users can only be done on Open ID Connect (OIDC) providers.
SBAC for local users- While creating or editing a local user with Device Manager role, an admin can select one or more device groups that defines the scope for the Device Manager. For example, if you (as an administrator) create a Device Manager user named dm1 and assign to group g1 present under custom groups, then dm1 can only access devices within g1. The user dm1 cannot access any other groups or entities that are related to any other devices.
- Furthermore, with SBAC, dm1 can only view entities they own. If dm1 and dm2 are both assigned to group g1, dm1 cannot see entities created by dm2, and vice versa. For example, you (as an administrator) create another Device Manager user with a name dm2 and assign the same group g1 present under custom groups. If dm2 creates configuration template, configuration baselines, or profiles for the devices in g1, then dm1 cannot access to those entities and vice-versa.
- A Device Manager with scope to All Devices has operational access as specified by RBAC privileges to all devices and group entities that are owned by the Device Manager.
While importing or editing AD and LDAP groups, administrators can assign scopes to user groups with the Device Manager role. If a user is a member of multiple AD groups, each with a Device Manager role, and each AD group has distinct scope assignments, then the scope of the user is the union of the scopes of those AD groups.
For example:
- User dm1 is a member of two AD groups (RR5-Floor1-LabAdmins and RR5-Floor3-LabAdmins). Both AD groups have been assigned the Device Manager role, with scope assignments for the AD groups are as follows: RR5-Floor1-LabAdmins gets ptlab-servers and RR5-Floor3-LabAdmins gets smdlab-servers. Now the scope of the Device Manager dm1 is the union of ptlab-servers and smdlab-servers.
- User dm1 is a member of two AD groups (adg1 and adg2). Both AD groups have been assigned the Device Manager role, with scope assignments for the AD groups as follows: adg1 is given access to g1 and adg2 is given access to g2. If g1 is the superset of g2, then the scope of dm1 is the larger scope (g1, all its child groups, and all leaf devices).
When a user is a member of multiple AD groups that have different roles, the higher-functionality role takes precedence (in the order Administrator, Device Manager, and Viewer).
A Device Manager with unrestricted scope has operational access as specified by RBAC privileges to all device and group entities.
SBAC for OIDC users:Scope assignment for OIDC users does not happen within the OpenManage Enterprise console. You can assign scopes for OIDC users at an OIDC provider during user configuration. When the user logs in with OIDC provider credentials, the role and scope assignment is available to OpenManage Enterprise. For more information about configuring user roles and scopes, see Configure OIDC login using PingFederate.
NOTE:If PingFederate is being used as the OIDC provider, then only administrator roles can be used. For more information, see
Configure OIDC login using PingFederate and the Release Notes at
Dell Support.
: The administrator can transfer owned resources from a device manager (source) to another device manager. For example, an administrator can transfer all the resources assigned from a source dm1 to dm2. A device manager with owned entities such as firmware and configuration baselines, configuration templates, alert policies, and profiles are considered an eligible source user. Transfer of ownership transfers only the entities and not the device groups (scope) owned by a device manager to another. For more information see, Transfer of ownership of device manager entities.
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\