Creating roles to follow organizational structure, Using existing groups, Using multiple roles – HP Integrated Lights-Out 4 User Manual

objects meaningful names, such as the device network address, DNS name, host server name,
or serial number.

•

Configure Lights-Out management devices

Every LOM device that uses the directory service to authenticate and authorize users must be
configured with the appropriate directory settings. For information on the specific directory
settings, see

“Configuring authentication and directory server settings” (page 71)

. In general,

you can configure each device with the appropriate directory server address, LOM object
DN, and any user contexts. The server address is the IP address or DNS name of a local
directory server or, for more redundancy, a multihost DNS name.

Creating roles to follow organizational structure

Often, administrators in an organization are placed in a hierarchy in which subordinate
administrators must assign rights independently of ranking administrators. In this case, it is useful
to have one role that represents the rights assigned by higher-level administrators, and to allow
subordinate administrators to create and manage their own roles.

Using existing groups

Many organizations have users and administrators arranged in groups. In many cases, it is
convenient to use the existing groups and associate them with one or more Lights-Out Management
role objects. When the devices are associated with the role objects, the administrator controls
access to the Lights-Out devices associated with the role by adding or deleting members from the
groups.

When using Microsoft Active Directory, you can place one group within another (that is, use nested
groups). Role objects are considered groups and can include other groups directly. Add the existing
nested group directly to the role, and assign the appropriate rights and restrictions. You can add
new users to either the existing group or the role.

When you are using trustee or directory rights assignments to extend role membership, users must
be able to read the LOM object that represents the LOM device. Some environments require that
the trustees of a role also be read trustees of the object to successfully authenticate users.

Using multiple roles

Most deployments do not require that the same user be in multiple roles managing the same device.
However, these configurations are useful for building complex rights relationships. When users
build multiple-role relationships, they receive all rights assigned by every applicable role. Roles
can only grant rights, never revoke them. If one role grants a user a right, then the user has the
right, even if the user is in another role that does not grant that right.

Typically, a directory administrator creates a base role with the minimum number of rights assigned,
and then creates additional roles to add more rights. These additional rights are added under
specific circumstances or to a specific subset of the base role users.

For example, an organization can have two types of users: administrators of the LOM device or
host server, and users of the LOM device. In this situation, it makes sense to create two roles, one
for the administrators and one for the users. Both roles include some of the same devices but grant
different rights. Sometimes, it is useful to assign generic rights to the lesser role and include the
LOM administrators in that role, as well as the administrative role.

An Admin user gains the login right from the regular user role. Advanced rights are assigned
through the Admin role, which assigns the advanced rights Server Reset and Remote Console
(

Figure 149

).

Directory-enabled remote management

281