Using multiple roles – HP Integrated Lights-Out User Manual
Page 167
Directory-enabled remote management 167
nested group directly to the role, and assign the appropriate rights and restrictions. New users can be
added to either the existing group or the role.
Novell eDirectory does not allow nested groups. In eDirectory, any user that can read a role is considered
a member of that role. When adding an existing group, organizational unit or organization to a role,
add the object as a read trustee of the role. All the members of the object are considered members of the
role. New users can be added to either the existing object or the role.
When using trustee or directory rights assignments to extend role membership, users must be able to read
the LOM object representing the LOM device. Some environments require the same trustees of a role to
also be read trustees of the LOM object to successfully authenticate users.
Using multiple roles
Most deployments do not require the same user to be in multiple roles managing the same device.
However, these configurations are useful for building complex rights relationships. When building
multiple-role relationships, users receive all the rights assigned by every applicable role. Roles can only
grant rights, never revoke them. If one role grants a user a right, then the user has the right, even if the
user is in another role that does not grant that right.
Typically, a directory administrator creates a base role with the minimum number of rights assigned and
then creates additional roles to add additional rights. These additional rights are added under specific
circumstances or to a specific subset of the base role users.
For example, an organization can have two types of users, administrators of the LOM device or host
server and users of the LOM device. In this situation, it makes sense to create two roles, one for the
administrators and one for the users. Both roles include some of the same devices but grant different
rights. Sometimes, it is useful to assign generic rights to the lesser role and include the LOM administrators
in that role, as well as the administrative role.
An admin user gains the login right from the regular user group. More advanced rights are assigned
through the Admin role, which assigns additional rights—Server Reset and Remote Console.
The Admin role assigns all admin rights—Server Reset, Remote Console, and Login.