OpenManage Enterprise Power Manager Version 3.1 User’s Guide

Role and scope-based access

OpenManage Enterprise has Role Based Access Control (RBAC) that clearly defines the user privileges for the three built-in roles—Administrator, Device Manager, and Viewer. Additionally, using the Scope-Based Access Control (SBAC) an administrator can limit the device groups that a device manager has access to. The following topics further explain the RBAC and SBAC features.

Role-based access control (RBAC) privileges

Users are assigned roles that determine their level of access to the appliance settings and device management features. This feature is termed Role-Based Access Control (RBAC). The console checks that the user holds the privilege required for an action before allowing the action.

This table lists the various privileges that are enabled for each role.

Table 1. Role-based user privileges for Power Manager

| Features | Administrator | Device Manager (scope for assigned groups) | Device Manager (scope for non-assigned groups) | Viewer |
|---|---|---|---|---|
| Install Power Manager | Yes | No | No | No |
| Upgrade Power Manager | Yes | No | No | No |
| Enable Power Manager | Yes | No | No | No |
| Disable Power Manager | Yes | No | No | No |
| Uninstall Power Manager | Yes | No | No | No |
| Add or remove supported devices from Power Manager | Yes | Yes | No | No |
| Add or remove static groups from Power Manager | Yes | Yes | No | No |
| Add or remove unmonitored devices from Power Manager | Yes | No | No | No |
| Add or remove Power Distribution Units (PDUs) from Power Manager | Yes | No | No | No |
| Monitor PDUs | Yes | Yes | No | Yes |
| Create, edit, or delete Physical Groups | Yes | No | No | No |
| Import physical groups through CSV file | Yes | No | No | No |
| Manage the devices in rack | Yes | No | No | No |
| Monitor metrics | Yes | Yes | No | Yes |
| Manage power policies for devices | Yes | Yes | No | No |
| Manage power policies for groups | Yes | Yes | No | No |
| Manage temperature-triggered policies for group | Yes | Yes | No | No |
| Manage alert thresholds for devices | Yes | Yes | No | No |
| Manage alert thresholds for groups | Yes | Yes | No | No |
| View alert thresholds in Power Manager | Yes | Yes | No | Yes |
| Modify Power Manager Settings | Yes | No | No | No |
| View Settings | Yes | Yes | Yes | Yes |
| Manage Power Manager Emergency Power Reduction (EPR) for devices | Yes | Yes | No | No |
| Manage EPR for groups | Yes | Yes | No | No |
| Run and view reports for devices and groups | Yes | Yes | No | Yes |
| Manage custom reports for devices | Yes | Yes | No | No |
| Manage custom reports for groups | Yes | Yes | No | No |
| View events | Yes | Yes | No | Yes |
| Dashboard | Yes | Yes | No | Yes |
| Create, edit, or delete VM Groups | Yes | No | No | No |
| Analyze usage metrics | Yes | Yes | No | Yes |
| Automatically create physical hierarchy | Yes | No | No | No |
| View maximum and minimum power consumption of VMs on the Overview page | Yes | Yes | No | Yes |
| Disable LCS Event-triggered EPR | Yes | No | No | No |
| Enable and disable Liquid cooling system alert policy | Yes | No | No | No |
| View maximum and minimum power consumption of VM groups on the Overview page | Yes | Yes | Yes | Yes |
| Update device location in device console | Yes | No | No | No |
| View idle servers | Yes | Yes | No | Yes |
| Add or remove Uninterruptible Power Supply (UPS) from Power Manager | Yes | No | No | No |
| Monitor UPS | Yes | Yes | No | Yes |

Scope-based access control (SBAC)

Using the Role-Based Access Control (RBAC) feature, administrators assign roles while creating users. Roles determine the user's level of access to the appliance settings and device management features. Scope-Based Access Control (SBAC) is an extension of RBAC that allows an administrator to restrict a Device Manager role to a subset of device groups, called the scope.

While creating or updating a Device Manager (DM) user, administrators can assign a scope that restricts the DM's operational access to one or more system groups, custom groups, and/or plugin groups.

Administrator and Viewer roles have unrestricted scope. That is, they have operational access, as specified by their RBAC privileges, to all device and group entities.

Scope is applied as follows:
  1. Create or edit a user.
  2. Assign the DM role.
  3. Assign a scope to restrict operational access.

A natural outcome of the SBAC functionality is the Restricted View feature. With Restricted View, Device Managers in particular see only the following:
  • Groups (and therefore the devices in those groups) in their scope.
  • Entities that they own (such as jobs, firmware or configuration templates and baselines, alert policies, profiles, and so on).
  • Community entities, such as Identity Pools and VLANs, which are not restricted to specific users and can be used by everyone accessing the console.
  • Built-in entities of any kind.
Note that if the scope of a Device Manager is 'unrestricted', that Device Manager can view all devices and groups, but still sees only the entities they own (such as jobs, alert policies, baselines, and so on), along with community and built-in entities of any kind.

When a Device Manager (DM) user with an assigned scope logs in, the DM can see and manage scoped devices only. Also, the DM can see and manage entities such as jobs, firmware or configuration templates and baselines, alert policies, profiles and so on associated with scoped devices, only if the DM owns the entity (DM has created that entity or is assigned ownership of that entity). For more information about the entities a DM can create, see Role-Based Access Control (RBAC) privileges in OpenManage Enterprise.

In OpenManage Enterprise, scope can be assigned while creating a local user or importing an AD/LDAP user. Scope assignment for OIDC users can be done only on the OpenID Connect (OIDC) provider.

SBAC for local users

While creating or editing a local user with the DM role, the administrator can select one or more device groups that define the scope for the DM.

For example, you (as an administrator) create a DM user named dm1 and assign group g1 present under custom groups. Then dm1 will have operational access to all devices in g1 only. The user dm1 will not be able to access any other groups or entities related to any other devices.

Furthermore, with SBAC, dm1 will also not be able to see the entities created by other DMs (let's say dm2) on the same group g1. That means a DM user will only be able to see the entities owned by the user.

For example, you (as an administrator) create another DM user named dm2 and assign the same group g1 present under custom groups. If dm2 creates a configuration template, configuration baselines, or profiles for the devices in g1, then dm1 will not have access to those entities, and vice versa.

A DM with scope to All Devices has operational access as specified by RBAC privileges to all devices and group entities owned by the DM.

SBAC for AD/LDAP users

While importing or editing AD/LDAP groups, administrators can assign scopes to user groups with DM role. If a user is a member of multiple AD groups, each with a DM role, and each AD group has distinct scope assignments, then the scope of the user is the union of the scopes of those AD groups.

For example,

  • User dm1 is a member of two AD groups (RR5-Floor1-LabAdmins and RR5-Floor3-LabAdmins). Both AD groups have been assigned the DM role, with scope assignments as follows: RR5-Floor1-LabAdmins gets ptlab-servers and RR5-Floor3-LabAdmins gets smdlab-servers. The scope of the DM dm1 is then the union of ptlab-servers and smdlab-servers.
  • User dm1 is a member of two AD groups (adg1 and adg2). Both AD groups have been assigned the DM role, with scope assignments for the AD groups as follows: adg1 is given access to g1 and adg2 is given access to g2. If g1 is the superset of g2, then the scope of dm1 is the larger scope (g1, all its child groups, and all leaf devices).

When a user is a member of multiple AD groups that have different roles, the higher-functionality role takes precedence (in the order Administrator, DM, Viewer).

A DM with unrestricted scope has operational access as specified by RBAC privileges to all device and group entities.
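The rules above (the Table 1 privilege columns, the Restricted View ownership rule, the local dm1/dm2 example, and the AD/LDAP scope-union and role-precedence rules) can be captured in a small authorization model. The following is an added illustration written for this guide, not Dell's code: it uses a subset of the Table 1 rows, and every user, group, device, and entity name in it is constructed for the example.

```python
"""Toy model of the role- and scope-based access checks described on this page.

Added illustration, not Dell code. The privilege rows are a subset of Table 1,
and every user, group, device and entity name below is constructed for the example.
"""
from dataclasses import dataclass

ADMINISTRATOR, DEVICE_MANAGER, VIEWER = "Administrator", "Device Manager", "Viewer"
ROLE_RANK = {ADMINISTRATOR: 3, DEVICE_MANAGER: 2, VIEWER: 1}  # precedence order from the page
UNRESTRICTED = "All Devices"  # scope sentinel: the DM can see every device and group

# Subset of Table 1 as (Administrator, DM assigned scope, DM non-assigned scope, Viewer).
PRIVILEGES = {
    "Install Power Manager": (True, False, False, False),
    "Add or remove supported devices from Power Manager": (True, True, False, False),
    "Monitor metrics": (True, True, False, True),
    "Manage power policies for devices": (True, True, False, False),
    "Modify Power Manager Settings": (True, False, False, False),
    "View Settings": (True, True, True, True),
}

# Constructed group tree: group -> child groups and leaf devices.
GROUP_CHILDREN = {
    "g1": ["g2", "server-a"],
    "g2": ["server-b", "server-c"],
    "ptlab-servers": ["server-p1"],
    "smdlab-servers": ["server-s1"],
}


def expand(group):
    """A group in scope brings all its child groups and leaf devices with it."""
    seen, stack = {group}, [group]
    while stack:
        for child in GROUP_CHILDREN.get(stack.pop(), []):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


@dataclass(frozen=True)
class User:
    name: str
    role: str
    scope: frozenset = frozenset()  # group names; only meaningful for Device Managers


@dataclass(frozen=True)
class Entity:
    """A job, template, baseline, alert policy or profile; community/built-in are flags."""
    name: str
    owner: str = ""
    community: bool = False
    built_in: bool = False


def in_scope(user, target):
    """Administrator and Viewer are unrestricted; a DM is limited to the expansion of its scope."""
    if user.role != DEVICE_MANAGER or UNRESTRICTED in user.scope:
        return True
    return any(target in expand(g) for g in user.scope)


def is_permitted(user, feature, target=None):
    """Pick the Table 1 column for the user's role. A DM's column depends on whether the
    target is in its scope; target=None is an appliance-level action with no device."""
    admin, dm_in, dm_out, viewer = PRIVILEGES[feature]
    if user.role == ADMINISTRATOR:
        return admin
    if user.role == VIEWER:
        return viewer
    return dm_in if target is None or in_scope(user, target) else dm_out


def can_view_entity(user, entity):
    """Restricted View: a DM sees only entities it owns, plus community and built-in ones."""
    if user.role != DEVICE_MANAGER:
        return True
    return entity.built_in or entity.community or entity.owner == user.name


def resolve_ad_user(name, memberships):
    """memberships: [(role, scope_set), ...], one per AD group the user belongs to.
    The highest role wins; the scope is the union of the scopes of the DM-role groups."""
    role = max((r for r, _ in memberships), key=ROLE_RANK.__getitem__)
    scope = frozenset().union(*(s for r, s in memberships if r == DEVICE_MANAGER))
    if role != DEVICE_MANAGER:
        scope = frozenset()  # Administrator and Viewer are unrestricted anyway
    return User(name, role, scope)
```

Two details are worth checking against your own deployment: a DM whose scope is `All Devices` passes `in_scope` for every target but still fails `can_view_entity` for another DM's baseline, matching the note about unrestricted DMs above; and membership in an Administrator AD group overrides any DM scope, because the higher role takes precedence.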

SBAC for OIDC users

Scope assignment for OIDC users does not happen within the OpenManage Enterprise console. You assign scopes for OIDC users at the OIDC provider during user configuration. When the user logs in with OIDC provider credentials, the role and scope assignment is made available to OpenManage Enterprise. For more information about configuring user roles and scopes, see the Configure an OpenID Connect provider policy in PingFederate for role section in the OpenManage Enterprise User's Guide.

Transfer ownership: The administrator can transfer owned resources from one device manager (the source) to another. For example, an administrator can transfer all the resources owned by a source dm1 to dm2. A device manager that owns entities such as firmware and/or configuration baselines, configuration templates, alert policies, and profiles is considered an eligible source user. Transfer of ownership moves only the entities, not the device groups (scope), from one device manager to another. For more information, see the Transfer of ownership of Device Manager entities section in the OpenManage Enterprise User's Guide.
