- Notes, cautions, and warnings
- Revision history
- Preface
- Overview
- Deployment
- Getting started
- System configuration
- Configure network settings
- Manage users, roles, and scopes
- Ending user sessions
- Directory services integration
- Login using OIDC providers
- Security certificates
- Manage console settings
- Set the login security properties
- Customize the alert display
- Configure SMTP, SNMP, and Syslog
- Manage incoming alerts
- Manage warranty settings
- Configure remote commands and scripts
- OpenManage Mobile settings
- Enable or disable alert notifications for OpenManage Mobile
- Enable or disable OpenManage Mobile subscribers
- Delete an OpenManage Mobile subscriber
- View the alert notification service status
- Notification service status
- View information about OpenManage Mobile subscribers
- OpenManage Mobile subscriber information
- Troubleshooting OpenManage Mobile
- Discovering devices
- Server-initiated discovery
- Create a device discovery job
- Protocol support matrix for discovering devices
- View device discovery job details
- Edit a device discovery job
- Run a device discovery job
- Stop a device discovery job
- Discover multiple devices by .csv import
- Global exclusion of ranges
- Specify a discovery mode for server discovery
- Create a custom discovery job for servers
- Specify discovery mode for chassis discovery
- Create a custom discovery job for the chassis
- Specify discovery mode for Dell storage discovery
- Specify discovery mode for network switch discovery
- Create a custom discovery job for HTTPS storage devices
- Create a custom discovery job for SSH devices
- Create a custom discovery job for SNMP devices
- Specify the discovery mode for multiple discovery jobs
- Delete a device discovery job
- Managing devices and device groups
- Organize devices into groups
- Create a custom static or query group
- Create a static device group
- Create a query device group
- Edit a static group
- Edit a query group
- Rename a static or query group
- Delete a static or query device group
- Clone a static or query group
- Add devices to a new group
- Add devices to existing group
- Refresh health on group
- All Devices screen device list
- All Devices screen actions
- Delete devices from OpenManage Enterprise
- Exclude devices from OpenManage Enterprise
- Run inventory on devices
- Update the device firmware and drivers by using baselines
- Refresh the device health of a device group
- Refresh health on devices
- Roll back an individual device's firmware version
- Export the single device inventory
- Performing more actions on chassis and servers
- Hardware information displayed for MX7000 chassis
- Export data
- View and configure individual devices
- Organize devices into groups
- Managing device inventory
- Managing device firmware and drivers
- Managing device deployment templates
- Create a deployment template from a reference device
- Create a deployment template by importing a template file
- View a deployment template information
- Edit a server deployment template
- Edit a chassis deployment template
- Edit IOA deployment template
- Edit network properties of a deployment template
- Deploy device deployment templates
- Deploy IOA deployment templates
- Clone deployment templates
- Auto deploy device configuration before discovery
- Create auto deployment targets
- Delete auto deployment targets
- Export auto deployed target details
- Overview of stateless deployment
- Define networks
- Edit or delete a configured network
- Export VLAN definitions
- Import network definitions
- Managing device warranty
- Managing alerts
- Managing MIB files
- Configuring profiles
- Configuration compliance
- Using jobs for device control
- Monitoring audit logs
- Monitoring reports
- Back up, restore, or migrate
- Updating the console and plugins
- Managing plugins
- Troubleshooting
- Troubleshooting connectivity
- Firmware and DSU requirements for HTTPS
- Firmware schedule reference
- Firmware baseline field definitions
- Supported and unsupported actions on proxied sleds
- Schedule job field definitions
- Alert categories after EEMI relocation
- Token substitution in remote scripts and alert policy
- Catalog Management field definitions
- Devices with unknown compliance status
- Device rediscovery running for a long time after deleting iDRAC service account
- Dell Connectivity Service : Failed with exception: Unable to get access token from DCS
OpenManage Enterprise 4.0.x User's Guide
Role and scope-based access
Role-Based Access Control (RBAC) defines the user privileges into three categories: Administrator, Device Manager, and Viewer. Scope-Based Access Control (SBAC) enables administrators to limit the device groups that a device manager can access. The following topics further explain the RBAC and SBAC features.
Role-based access control (RBAC) privileges
Users are assigned roles that determine their level of access to the appliance settings and device management features. This feature is termed as Role-Based Access Control (RBAC). The console enforces the privilege that is required for a certain action before allowing the action. For more information about managing users in OpenManage Enterprise, see Manage OpenManage Enterprise users.
The table below lists the privileges of each role.
| Privilege | Description | User roles | |||
|---|---|---|---|---|---|
| Backup Administrator | Administrator | Device Manager | Viewer | ||
| Backup, restore, and migration | Back up, restore, and migrate appliance. | Y | N | N | N |
| Appliance setup | Global appliance settings involving the setting up of the appliance | Y | Y | N | N |
| Security setup | Appliance security settings | Y | Y | N | N |
| Alert management | Alerts actions or management | Y | Y | N | N |
| Fabric management | Fabric actions or management | Y | Y | N | N |
| Network management | Network actions or management | Y | Y | N | N |
| Group management | Create, read, update, and delete for static and dynamic groups. | Y | Y | N | N |
| Discovery management | Create, read, update, and delete for discovery tasks and run discovery tasks. | Y | Y | N | N |
| Inventory management | Create, read, update, and delete for inventory tasks and run inventory tasks. | Y | Y | N | N |
| Trap management | Import MIB, Edit trap | Y | Y | N | N |
| Auto-deploy management | Manage auto-deploy configuration operations. | Y | Y | N | N |
| Monitoring setup | Alerting policies, forwarding, Services (formerly SupportAssist), and so on. | Y | Y | Y | N |
| Power control | Reboot or cycle device power | Y | Y | Y | N |
| Device configuration | Device configuration, application of templates, manage or migrate I/O identity, storage mapping (for storage devices), and so on. | Y | Y | Y | N |
| Operating system deployment | Deploy the operating system, map to LUN, and so on. | Y | Y | Y | N |
| Device update | Device firmware update, application of updated baselines, and so on | Y | Y | Y | N |
| Template management | Create or manage templates. | Y | Y | Y | N |
| Baseline management | Create, manage firmware, and configuration baseline policies. | Y | Y | Y | N |
| Power management | Set power budgets | Y | Y | Y | N |
| Job management | Job execution or management. | Y | Y | Y | N |
| Report management | Create, read, update, and delete operations on reports. | Y | Y | Y | N |
| Report run | Run reports | Y | Y | Y | Y |
| View | View all data, report execution or management, and so on. | Y | Y | Y | Y |
Scope-based access control (SBAC)
Using Role-Based Access Control (RBAC) administrators can assign roles while creating users. Roles determine their level of access to the appliance settings and device management features. Scope-based Access Control (SBAC) is an extension of the RBAC feature that allows an administrator to restrict a Device Manager role to a subset of device groups called scope.
While creating or updating a device manager, administrators can assign scope to restrict operational access of Device Manager to one or more system groups, custom groups, and plug-in groups.
Administrator and Viewer roles have unrestricted scope. That means they have operational access as specified by RBAC privileges to all devices and groups entities.
The scope can be implemented as follows:
- Click Create or Edit User.
- Assign a Device Manager role.
- Assign scope to restrict operational access.
For more information about managing users, see Manage users, roles, and scopes.
Using SBAC administrators can implement an Restricted View feature. With Restricted View, the Device Managers only see the following:
- Groups (therefore, the devices in those groups) in their scope.
- Entities that they own (such as jobs, firmware templates, configuration templates, and baselines, alert policies, profiles, and so on).
- Community entities such as Identity Pools and VLANs which are not restricted to specific users and can be used by everyone accessing the console.
- Built-in entities of any kind.
If the scope of a Device Manager is 'unrestricted', then that Device Manager can view all the devices and groups, however, would only be able to see the entities owned by the user such as jobs, alert policies, baselines, and so on along with the community and built-in entities of any kind.
When a Device Manager with an assigned scope logs in, the Device Manager can see and manage scoped devices only. Also, the Device Manager can see and manage entities such as jobs, firmware templates, configuration templates and baselines, alert policies, profiles, and so on, associated with scoped devices, only if the Device Manager owns the entity (Device Manager has created that entity or is assigned ownership of that entity). For more information about the entities a Device Manager can create, see Role-Based Access Control (RBAC) privileges in OpenManage Enterprise User's Guide.
For example, by clicking , a Device Manager user can view the default and custom templates owned by the Device Manager user. Also, the Device Manager user can perform other tasks as privileged by RBAC on owned templates.
By clicking , a Device Manager user can see all the identities created by an administrator or the Device Manager user. The Device Manager can also perform actions on those identities specified by RBAC privilege. However, the Device Manager can only see the usage of those identities that are associated to the devices under the Device Manager's scope.
Similarly, by clicking , the Device Manager can see all the VLANs created by the admin and export them. The Device Manager cannot perform any other operations. If the Device Manager has a template, it can edit the template to use the VLAN networks, but it cannot edit the VLAN network.
In OpenManage Enterprise, the scope can be assigned while creating a local or importing AD or LDAP user. Scope assignment for OIDC users can be done only on Open ID Connect (OIDC) providers.
SBAC for local users- While creating or editing a local user with Device Manager role, admin can select one or more device groups that defines the scope for the Device Manager. For example, you (as an administrator) create a Device Manager user with a name dm1 and assign group g1 present under custom groups. Then dm1 will have operational access to all devices in g1 only. The user dm1 cannot access any other groups or entities that are related to any other devices.
- Furthermore, with SBAC, dm1 cannot view the entities created by other Device Managers (say dm2) on the same group g1. That means a Device Manager user can view the entities that are owned by the user. For example, you (as an administrator) create another Device Manager user with a name dm2 and assign the same group g1 present under custom groups. If dm2 creates configuration template, configuration baselines, or profiles for the devices in g1, then dm1 can access to those entities and vice-versa.
A Device Manager with scope to All Devices has operational access as specified by RBAC privileges to all devices and group entities that are owned by the Device Manager.
SBAC for AD and LDAP usersWhile importing or editing AD and LDAP groups, administrators can assign scopes to user groups with Device Manager the role. If a user is a member of multiple AD groups, each with a Device Manager role, and each AD group has distinct scope assignments, then the scope of the user is the union of the scopes of those AD groups.
For example:
- User dm1 is a member of two AD groups (RR5-Floor1-LabAdmins and RR5-Floor3-LabAdmins). Both AD groups have been assigned the Device Manager role, with scope assignments for the AD groups are as follows: RR5-Floor1-LabAdmins gets ptlab-servers and RR5-Floor3-LabAdmins gets smdlab-servers. Now the scope of the Device Manager dm1 is the union of ptlab-servers and smdlab-servers.
- User dm1 is a member of two AD groups (adg1 and adg2). Both AD groups have been assigned the Device Manager role, with scope assignments for the AD groups as follows: adg1 is given access to g1 and adg2 is given access to g2. If g1 is the superset of g2, then the scope of dm1 is the larger scope (g1, all its child groups, and all leaf devices).
When a user is a member of multiple AD groups that have different roles, the higher-functionality role takes precedence (in the order Administrator, Device Manager, Viewer).
A Device Manager with unrestricted scope has operational access as specified by RBAC privileges to all device and group entities.
SBAC for OIDC users:Scope assignment for OIDC users does not happen within the OpenManage Enterprise console. You can assign scopes for OIDC users at an OIDC provider during user configuration. When the user logs in with OIDC provider credentials, the role and scope assignment is available to OpenManage Enterprise. For more information about configuring user roles and scopes, see Configure OIDC login using PingFederate.
NOTE:If PingFederate is being used as the OIDC provider, then only administrator roles can be used. For more information, see
Configure OIDC login using PingFederate and the Release Notes at
Dell EMC OpenManage Enterprise support site.
: The administrator can transfer owned resources from a device manager (source) to another device manager. For example, an administrator can transfer all the resources assigned from a source dm1 to dm2. A device manager with owned entities such as firmware and configuration baselines, configuration templates, alert policies, and profiles are considered an eligible source user. Transfer of ownership transfers only the entities and not the device groups (scope) owned by a device manager to another. For more information see, Transfer of ownership of device manager entities.
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\