Role-Based Access Control (RBAC) defines the user privileges into three categories: Administrator, Device Manager, and Viewer. Scope-Based Access Control (SBAC) enables administrators to limit the device groups that a device manager can access. The following topics further explain the RBAC and SBAC features.
Scope-based access control (SBAC)
Using Role-Based Access Control (RBAC), administrators assign roles when creating users. A user's role determines their level of access to the appliance settings and device management features. Scope-based Access Control (SBAC) is an extension of RBAC that allows an administrator to restrict a Device Manager role to a subset of device groups called a scope.
While creating or updating a device manager, administrators can assign scope to restrict operational access of Device Manager to one or more system groups, custom groups, and plug-in groups.
Administrator and Viewer roles have unrestricted scope. That means they have operational access, as specified by RBAC privileges, to all device and group entities.
The scope can be implemented as follows:
- Click Create or Edit User.
- Assign a Device Manager role.
- Assign scope to restrict operational access.
For more information about managing users, see Manage users, roles, and scopes.
Using SBAC, administrators can implement a Restricted View. With Restricted View, Device Managers only see the following:
- Groups (therefore, the devices in those groups) in their scope.
- Entities that they own (such as jobs, firmware templates, configuration templates, and baselines, alert policies, profiles, and so on).
- Community entities such as Identity Pools and VLANs which are not restricted to specific users and can be used by everyone accessing the console.
- Built-in entities of any kind.
If the scope of a Device Manager is 'unrestricted', that Device Manager can view all devices and groups, but can still only see the entities owned by that user (such as jobs, alert policies, baselines, and so on), along with community entities and built-in entities of any kind.
When a Device Manager with an assigned scope logs in, the Device Manager can see and manage scoped devices only. Also, the Device Manager can see and manage entities such as jobs, firmware templates, configuration templates and baselines, alert policies, profiles, and so on, associated with scoped devices, only if the Device Manager owns the entity (the Device Manager created that entity or was assigned ownership of it). For more information about the entities a Device Manager can create, see Role-Based Access Control (RBAC) privileges in OpenManage Enterprise User's Guide.
For example, by clicking
, a Device Manager user can view the default and custom templates owned by the Device Manager user. Also, the Device Manager user can perform other tasks as privileged by RBAC on owned templates.
By clicking
, a Device Manager user can see all the identities created by an administrator or the Device Manager user. The Device Manager can also perform actions on those identities specified by RBAC privilege. However, the Device Manager can only see the usage of those identities that are associated to the devices under the Device Manager's scope.
Similarly, by clicking
, the Device Manager can see all the VLANs created by the admin and export them. The Device Manager cannot perform any other operations. If the Device Manager has a template, it can edit the template to use the VLAN networks, but it cannot edit the VLAN network.
In OpenManage Enterprise, the scope can be assigned while creating a local user or importing an AD or LDAP user. Scope assignment for OIDC users can be done only on Open ID Connect (OIDC) providers.
SBAC for local users
- While creating or editing a local user with the Device Manager role, the administrator can select one or more device groups that define the scope for the Device Manager. For example, you (as an administrator) create a Device Manager user named dm1 and assign group g1 present under custom groups. Then dm1 has operational access to all devices in g1 only. The user dm1 cannot access any other groups or entities that are related to any other devices.
- Furthermore, with SBAC, dm1 cannot view the entities created by other Device Managers (say dm2) on the same group g1. That is, a Device Manager user can view only the entities that are owned by that user. For example, you (as an administrator) create another Device Manager user named dm2 and assign the same group g1 present under custom groups. If dm2 creates configuration templates, configuration baselines, or profiles for the devices in g1, then dm1 cannot access those entities, and vice versa.
A Device Manager with scope to All Devices has operational access as specified by RBAC privileges to all devices and group entities that are owned by the Device Manager.
SBAC for AD and LDAP users
While importing or editing AD and LDAP groups, administrators can assign scopes to user groups with the Device Manager role. If a user is a member of multiple AD groups, each with a Device Manager role, and each AD group has distinct scope assignments, then the scope of the user is the union of the scopes of those AD groups.
For example:
- User dm1 is a member of two AD groups (RR5-Floor1-LabAdmins and RR5-Floor3-LabAdmins). Both AD groups have been assigned the Device Manager role, and the scope assignments for the AD groups are as follows: RR5-Floor1-LabAdmins gets ptlab-servers and RR5-Floor3-LabAdmins gets smdlab-servers. The scope of the Device Manager dm1 is then the union of ptlab-servers and smdlab-servers.
- User dm1 is a member of two AD groups (adg1 and adg2). Both AD groups have been assigned the Device Manager role, with scope assignments for the AD groups as follows: adg1 is given access to g1 and adg2 is given access to g2. If g1 is the superset of g2, then the scope of dm1 is the larger scope (g1, all its child groups, and all leaf devices).
When a user is a member of multiple AD groups that have different roles, the higher-functionality role takes precedence (in the order Administrator, Device Manager, Viewer).
A Device Manager with unrestricted scope has operational access as specified by RBAC privileges to all device and group entities.
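As an added illustration (not OpenManage Enterprise code), the following Python model shows how the rules above combine: it resolves a user's effective role from multiple AD group memberships (highest-functionality role wins), builds the effective scope as the union of the Device Manager groups' scopes, expands a group to its child groups and leaf devices so that the superset case collapses to the larger scope, and then applies the Restricted View rules from the earlier section to individual entities (owned, community, or built-in). The AD group and device group names follow the examples on this page; the group tree, device names and entity records are constructed for the example.

```python
"""Model of scope resolution and Restricted View for Device Managers.

Added illustration only; not OpenManage Enterprise code. The group tree,
device names and entities below are constructed sample data.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Set

# Higher-functionality roles take precedence when a user is in several AD groups.
ROLE_RANK = {"Viewer": 1, "Device Manager": 2, "Administrator": 3}

# Constructed group tree: g1 is a superset of g2 and g3; the lab groups are flat.
GROUP_CHILDREN = {
    "g1": ["g2", "g3"], "g2": [], "g3": [],
    "ptlab-servers": [], "smdlab-servers": [],
}
# Constructed leaf devices directly attached to each group.
GROUP_DEVICES = {
    "g1": {"srv-01"}, "g2": {"srv-02", "srv-03"}, "g3": {"srv-04"},
    "ptlab-servers": {"pt-01"}, "smdlab-servers": {"smd-01"},
}


@dataclass(frozen=True)
class AdGroup:
    name: str
    role: str
    scope: Optional[FrozenSet[str]] = None  # None = unrestricted (All Devices)


@dataclass(frozen=True)
class Entity:
    name: str
    owner: Optional[str]           # None for community or built-in entities
    device: Optional[str] = None   # device the entity is associated with, if any
    community: bool = False        # identity pools, VLANs, and similar
    builtin: bool = False          # built-in entities of any kind


def expand_group(group: str) -> Set[str]:
    """Leaf devices of a group plus every child group beneath it."""
    devices = set(GROUP_DEVICES[group])
    for child in GROUP_CHILDREN[group]:
        devices |= expand_group(child)
    return devices


def effective_role(groups: Iterable[AdGroup]) -> str:
    """Highest-functionality role across all AD group memberships."""
    return max((g.role for g in groups), key=ROLE_RANK.__getitem__)


def effective_scope(groups: Iterable[AdGroup]) -> Optional[Set[str]]:
    """Devices the user may operate on; None means unrestricted scope."""
    groups = list(groups)
    if effective_role(groups) != "Device Manager":
        return None  # Administrator and Viewer always have unrestricted scope
    devices: Set[str] = set()
    for g in groups:
        if g.role != "Device Manager":
            continue  # only Device Manager memberships carry a scope
        if g.scope is None:
            return None  # an All Devices assignment makes the union unrestricted
        for grp in g.scope:
            devices |= expand_group(grp)  # union, expanded to leaf devices
    return devices


def visible_to_device_manager(user: str, scope: Optional[Set[str]],
                              entity: Entity) -> bool:
    """Restricted View: built-in and community entities are always visible;
    everything else must be owned by the user and, if tied to a device,
    that device must be in scope."""
    if entity.builtin or entity.community:
        return True
    if entity.owner != user:
        return False
    if entity.device is None:
        return True
    return scope is None or entity.device in scope


if __name__ == "__main__":
    floor1 = AdGroup("RR5-Floor1-LabAdmins", "Device Manager", frozenset({"ptlab-servers"}))
    floor3 = AdGroup("RR5-Floor3-LabAdmins", "Device Manager", frozenset({"smdlab-servers"}))
    print("dm1 scope:", sorted(effective_scope([floor1, floor3])))
```

Running the module prints the union of the two lab scopes; the functions can also be imported and called with other constructed memberships to check, for example, that an Administrator membership overrides a Device Manager scope.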
SBAC for OIDC users
Scope assignment for OIDC users does not happen within the OpenManage Enterprise console. You can assign scopes for OIDC users at an OIDC provider during user configuration. When the user logs in with OIDC provider credentials, the role and scope assignment is available to OpenManage Enterprise. For more information about configuring user roles and scopes, see Configure OIDC login using PingFederate.
Note: The administrator can transfer owned resources from one device manager (the source) to another device manager. For example, an administrator can transfer all the resources assigned to a source dm1 to dm2. A device manager with owned entities such as firmware and configuration baselines, configuration templates, alert policies, and profiles is considered an eligible source user. Transfer of ownership transfers only the entities, not the device groups (scope) assigned to a device manager. For more information, see Transfer of ownership of device manager entities.