- Notes, cautions, and warnings
- Revision history
- Preface
- About OpenManage Enterprise
- Security features in OpenManage Enterprise
- Install OpenManage Enterprise
- Installation prerequisites and minimum requirements
- Deploy OpenManage Enterprise on VMware vSphere
- Deploy OpenManage Enterprise on Hyper-V 2012 R2 and earlier host
- Deploy OpenManage Enterprise on Hyper-V 2016 host
- Deploy OpenManage Enterprise on Hyper-V 2019 or Windows 2022 host
- Deploy OpenManage Enterprise by using Kernel-based Virtual Machine
- Deploy OpenManage Enterprise programmatically
- Get started with OpenManage Enterprise
- Log in to OpenManage Enterprise
- Configure OpenManage Enterprise by using Text User Interface
- Configure OpenManage Enterprise
- Recommended scalability and performance settings for optimal usage of OpenManage Enterprise
- Supported protocols and ports in OpenManage Enterprise
- Use case links for the supported protocols and ports in OpenManage Enterprise
- OpenManage Enterprise Graphical User Interface overview
- OpenManage Enterprise Home portal
- Discovering devices for monitoring or management
- Discover servers automatically by using the server-initiated discovery feature
- Create a device discovery job
- Protocol support matrix for discovering devices
- View device discovery job details
- Edit a device discovery job
- Run a device discovery job
- Stop a device discovery job
- Specify multiple devices by importing data from the .csv file
- Global exclusion of ranges
- Specify discovery mode for creating a server discovery job
- Create customized device discovery jobs for servers
- Specify discovery mode for creating a chassis discovery job
- Create customized device discovery jobs for chassis
- Specify discovery mode for creating a Dell storage discovery job
- Specify discovery mode for creating a network switch discovery job
- Create customized device discovery jobs for HTTPS storage devices
- Create customized device discovery jobs for SSH devices
- Create customized device discovery jobs for SNMP devices
- Specify discovery mode for creating multiple discovery jobs
- Delete a device discovery job
- Manage devices and device groups
- Organize devices into groups
- Create a custom group (Static or Query)
- Create a Static device group
- Create a Query device group
- Edit a static group
- Edit a query group
- Rename a static or query group
- Delete a static or query device group
- Clone a static or query group
- Add devices to a new group
- Add devices to existing group
- Refresh health on group
- Devices list
- All Devices page — device list actions
- Delete devices from OpenManage Enterprise
- Exclude devices from OpenManage Enterprise
- Run inventory on devices
- Update the device firmware and drivers by using baselines
- Refresh the device health of a device group
- Refresh health on devices
- Roll back an individual device's firmware version
- Export the single device inventory
- Performing more actions on chassis and servers
- Hardware information displayed for MX7000 chassis
- Export all or selected data
- View and configure individual devices
- Organize devices into groups
- Managing device inventory
- Manage the device firmware and drivers
- Manage device deployment templates
- Create a deployment template from a reference device
- Create a deployment template by importing a template file
- View a deployment template information
- Edit a server deployment template
- Edit a chassis deployment template
- Edit IOA deployment template
- Edit network properties of a deployment template
- Deploy device deployment templates
- Deploy IOA deployment templates
- Clone deployment templates
- Auto deployment of configuration on yet-to-be-discovered servers or chassis
- Create auto deployment targets
- Delete auto deployment targets
- Export auto deployment target details to different formats
- Overview of stateless deployment
- Define networks
- Edit or delete a configured network
- Export VLAN definitions
- Import network definitions
- Manage Profiles
- Managing the device configuration compliance
- Monitor and Manage device alerts
- Monitor audit logs
- Using jobs for device control
- Manage the device warranty
- Reports
- Managing MIB files
- Troubleshoot connections
- Managing OpenManage Enterprise appliance settings
- Configure OpenManage Enterprise network settings
- Manage OpenManage Enterprise users
- Role and scope-based access control in OpenManage Enterprise
- Add and edit OpenManage Enterprise local users
- Edit OpenManage Enterprise user properties
- Enable OpenManage Enterprise users
- Disable OpenManage Enterprise users
- Delete OpenManage Enterprise users
- Import AD and LDAP groups
- Transfer of ownership of Device Manager entities
- Ending user sessions
- Directory services integration in OpenManage Enterprise
- OpenManage Enterprise login using OpenID Connect providers
- Add an OpenID Connect provider to OpenManage Enterprise
- Configure an OpenID Connect provider policy in PingFederate for role-based access to OpenManage Enterprise
- Configure an OpenID Connect provider policy in Keycloak for role-based access to OpenManage Enterprise
- Test the registration status of OpenManage Enterprise with the OpenID Connect provider
- Edit an OpenID Connect provider details in OpenManage Enterprise
- Enable OpenID Connect providers
- Delete OpenID Connect providers
- Disable OpenID Connect providers
- Security Certificates
- Manage Console preferences
- Set the login security properties
- Customize the alert display
- Configure SMTP, SNMP, and Syslog alerts
- Manage incoming alerts
- Manage warranty settings
- Check and update the version of the OpenManage Enterprise and the available plugins
- Execute remote commands and scripts
- OpenManage Mobile settings
- Enable or disable alert notifications for OpenManage Mobile
- Enable or disable OpenManage Mobile subscribers
- Delete an OpenManage Mobile subscriber
- View the alert notification service status
- Notification service status
- View information about OpenManage Mobile subscribers
- OpenManage Mobile subscriber information
- Troubleshooting OpenManage Mobile
- Other references and field descriptions
- Firmware and DSU requirement for HTTPS
- Schedule Reference
- Firmware baseline field definitions
- Supported and unsupported actions on 'Proxied' sleds
- Schedule job field definitions
- Alert categories after EEMI relocation
- Token substitution in remote scripts and alert policy
- Field service debug workflow
- Unblock the FSD capability
- Install or grant a signed FSD DAT.ini file
- Invoke FSD
- Disable FSD
- Catalog Management field definitions
- Firmware/driver compliance baseline reports— devices with 'Unknown' compliance status
- PowerEdge server naming conventions
Dell EMC OpenManage Enterprise 3.9 User's Guide
Role and scope-based access control in OpenManage Enterprise
OpenManage Enterprise has Role Based Access Control (RBAC) that clearly defines the user privileges for the three built-in roles—Administrator, Device Manager, and Viewer. Additionally, using the Scope-Based Access Control (SBAC) an administrator can limit the device groups that a device manager has access to. The following topics further explain the RBAC and SBAC features.
Role-Based Access Control (RBAC) privileges in OpenManage Enterprise
Users are assigned roles which determine their level of access to the appliance settings and device management features. This feature is termed as Role-Based Access Control (RBAC). The console enforces the privilege required for a certain action before allowing the action. For more information about managing users on OpenManage Enterprise, see Manage OpenManage Enterprise users.
This table lists the various privileges that are enabled for each role.
| OpenManage Enterprise features | Privilege Description | User levels for accessing OpenManage Enterprise | ||
|---|---|---|---|---|
| Admin | Device Manager | Viewer | ||
| Appliance setup | Global appliance settings involving setting up of the appliance. | Y | N | N |
| Security setup | Appliance security settings | Y | N | N |
| Alert management | Alerts actions / management | Y | N | N |
| Fabric management | Fabric actions / management | Y | N | N |
| Network management | Network actions / management | Y | N | N |
| Group management | Create, read, update and delete (CRUD) for static and dynamic groups | Y | N | N |
| Discovery management | CRUD for discovery tasks, run discovery tasks | Y | N | N |
| Inventory management | CRUD for inventory tasks, run inventory tasks | Y | N | N |
| Trap management | Import MIB, Edit trap | Y | N | N |
| Auto-deploy management | Manage auto-deploy configuration operations | Y | N | N |
| Monitoring setup | Alerting policies, forwarding, Services (formerly SupportAssist ), and so on. | Y | Y | N |
| Power control | Reboot / cycle device power | Y | Y | N |
| Device configuration | Device configuration, application of templates, manage/migrate IO identity, storage mapping (for storage devices), and so on. | Y | Y | N |
| Operating system deployment | Deploy operating system, map to LUN, and so on. | Y | Y | N |
| Device update | Device firmware update, application of updated baselines, and so on. | Y | Y | N |
| Template management | Create / manage templates | Y | Y | N |
| Baseline management | Create / manage firmware / configuration baseline policies | Y | Y | N |
| Power management | Set power budgets | Y | Y | N |
| Job management | Job execution / management | Y | Y | N |
| Report management | CRUD operations on reports | Y | Y | N |
| Report run | Run reports | Y | Y | Y |
| View | View all data, report execution /management, and so on. | Y | Y | Y |
Scope-Based Access Control (SBAC) in OpenManage Enterprise
With the use of Role-Based Access Control (RBAC) feature, administrators can assign roles while creating users. Roles determine their level of access to the appliance settings and device management features. Scope-based Access Control (SBAC) is an extension of the RBAC feature that allows an administrator to restrict a Device Manager role to a subset of device groups called scope.
While creating or updating a Device Manager (DM) user, administrators can assign scope to restrict operational access of DM to one or more system groups, custom groups, and / or plugin groups.
Administrator and Viewer roles have unrestricted scope. That means they have operational access as specified by RBAC privileges to all devices and groups entities.
Scope can be implemented as follows:
- Create or Edit User
- Assign DM role
- Assign scope to restrict operational access
For more information about managing users, see Manage OpenManage Enterprise users.
A natural outcome of the SBAC functionality is the Restricted View feature. With Restricted View, particularly the Device Managers will see only the following:
- Groups (therefore, the devices in those groups) in their scope.
- Entities that they own (such as jobs, firmware or configuration templates and baselines, alert policies, profiles, and so on).
- Community entities such as Identity Pools and VLANs which are not restricted to specific users and can be used by everyone accessing the console.
- Built-in entities of any kind.
When a Device Manager (DM) user with an assigned scope logs in, the DM can see and manage scoped devices only. Also, the DM can see and manage entities such as jobs, firmware or configuration templates and baselines, alert policies, profiles and so on associated with scoped devices, only if the DM owns the entity (DM has created that entity or is assigned ownership of that entity). For more information about the entities a DM can create, see Role-Based Access Control (RBAC) privileges in OpenManage Enterprise.
For example, by clicking , a DM user can view the default and custom templates owned by the DM user. Also, the DM user can perform other tasks as privileged by RBAC on owned templates.
By clicking , a DM user can see all the identities created by an administrator or the DM user. The DM can also perform actions on those identities specified by RBAC privilege. However, the DM can only see the usage of those identities that are associated to the devices under the DM's scope.
Similarly, by clicking , the DM can see all the VLANs created by the admin and export them. The DM cannot perform any other operations. If the DM has a template, it can edit the template to use the VLAN networks, but it cannot edit the VLAN network.
In OpenManage Enterprise, scope can be assigned while creating a local or importing AD/LDAP user. Scope assignment for OIDC users can be done only on Open ID Connect (OIDC) providers.
SBAC for Local users:While creating or editing a local user with DM role, admin can select one or more device groups that defines the scope for the DM.
For example, you (as an administrator) create a DM user named dm1 and assign group g1 present under custom groups. Then dm1 will have operational access to all devices in g1 only. The user dm1 will not be able to access any other groups or entities related to any other devices.
Furthermore, with SBAC, dm1 will also not be able to see the entities created by other DMs (let's say dm2) on the same group g1. That means a DM user will only be able to see the entities owned by the user.
For example, you (as an administrator) create another DM user named dm2 and assign the same group g1 present under custom groups. If dm2 creates configuration template, configuration baselines, or profiles for the devices in g1, then dm1 will not have access to those entities and vice versa.
A DM with scope to All Devices has operational access as specified by RBAC privileges to all devices and group entities owned by the DM.
SBAC for AD/LDAP users:
While importing or editing AD/LDAP groups, administrators can assign scopes to user groups with DM role. If a user is a member of multiple AD groups, each with a DM role, and each AD group has distinct scope assignments, then the scope of the user is the union of the scopes of those AD groups.
For example,
- User dm1 is a member of two AD groups (RR5-Floor1-LabAdmins and RR5-Floor3-LabAdmins). Both AD groups have been assigned the DM role, with scope assignments for the AD groups are as follows: RR5-Floor1-LabAdmins gets ptlab-servers and RR5-Floor3-LabAdmins gets smdlab-servers. Now the scope of the DM dm1 is the union of ptlab-servers and smdlab-servers.
- User dm1 is a member of two AD groups (adg1 and adg2). Both AD groups have been assigned the DM role, with scope assignments for the AD groups as follows: adg1 is given access to g1 and adg2 is given access to g2. If g1 is the superset of g2, then the scope of dm1 is the larger scope (g1, all its child groups, and all leaf devices).
When a user is a member of multiple AD groups that have different roles, the higher-functionality role takes precedence (in the order Administrator, DM, Viewer).
A DM with unrestricted scope has operational access as specified by RBAC privileges to all device and group entities.
SBAC for OIDC users:
Scope assignment for OIDC users does not happen within the OME console. You can assign scopes for OIDC users at an OIDC provider during user configuration. When the user logs in with OIDC provider credentials, the role and scope assignment will be available to OME. For more information about configuring user roles and scopes, see Configure an OpenID Connect provider policy in PingFederate for role-based access to OpenManage Enterprise.
NOTE If PingFederate is being used as the OIDC provider, then only administrator roles can be used. For more information, see
Configure an OpenID Connect provider policy in PingFederate for role-based access to OpenManage Enterprise and the Release Notes at
https://www.dell.com/support/home/en-yu/product-support/product/dell-openmanage-enterprise/docs.
Transfer ownership : The administrator can transfer owned resources from a device manager (source) to another device manager. For example, an administrator can transfer all the resources assigned from a source dm1 to dm2. A device manager with owned entities such as firmware and/or configuration baselines, configuration templates, alert policies, and profiles is considered an eligible source user. Transfer of ownership transfers only the entities and not the device groups (scope) owned by a device manager to another. For more information see, Transfer of ownership of Device Manager entities.
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\