How directory login restrictions are enforced, Restricting roles, Role time restrictions – HP Integrated Lights-Out User Manual
Page 168
Directory-enabled remote management 168
How directory login restrictions are enforced
Two sets of restrictions potentially limit a directory user's access to LOM devices. User access restrictions
limit a user's access to authenticate to the directory. Role access restrictions limit an authenticated user's
ability to receive LOM privileges based on rights specified in one or more Roles.
Restricting roles
Restrictions allow administrators to limit the scope of a role. A role only grants rights to those users that
satisfy the role's restrictions. Using restricted roles results in users with dynamic rights that can change
based on the time of day or network address of the client.
IMPORTANT:
When directories are enabled, access to a particular iLO 2 is based on
whether the user has read access to a Role object that contains the corresponding iLO 2
object. This includes but is not limited to the members listed in the role object. If the Role is set
up to allow inheritable permissions to propagate from a parent, then members of the parent
which have read access privileges will also have access to iLO 2. To view the access control
list, navigate to Users and Computers, open the properties screen for the Role object and
select the Security tab.
For step-by-step instructions on how to create network and time restrictions on a role, refer to "Active
Directory Role Restrictions (on page
)" or "eDirectory Role Restrictions (on page
)" sections.
Role time restrictions
Administrators can place time restrictions on LOM roles. Users are granted the rights specified for the
LOM devices listed in the role, only if they are members of the role and meet the time restrictions for that
role.
LOM devices use local host time to enforce time restrictions. If the LOM device clock is not set, the role
time restriction fails unless no time restrictions are specified on the role.
Role-based time restrictions can only be satisfied if the time is set on the LOM device. The time is normally
set when the host is booted, and it is maintained by running the agents in the host operating system,
which allows the LOM device to compensate for leap year and minimize clock drift with respect to the