5 controlling access for authorized users, 1 specifying user accounts and roles, 6 protecting credentials – HP OneView User Manual
Page 48: 7 understanding the audit log
3.5 Controlling access for authorized users
Access to the appliance is controlled by roles, which describe what an authenticated user is
permitted to do on the appliance. Each user must be associated with at least one role.
3.5.1 Specifying user accounts and roles
User login accounts on the appliance must be assigned a role, which determines what the user
has permission to do.
The appliance provides the following roles:
•
The Infrastructure administrator has full access to view, create, edit, or remove any resources
managed by the appliance, including management of the appliance itself.
The Infrastructure administrator can also manage information provided by the appliance in
the form of activities, events, notifications, and logs.
All privileges are granted to this role so that the Infrastructure administrator can perform any
action on the appliance, including management of deployment content (operating system
build plans and scripts).
•
The Server administrator can manage server profiles and templates, enclosures, firmware
drivers, and interconnects; access the Onboard Administrator, physical servers, and vSphere
vCenter registration; and view connections, networks, racks, power, activities, logs, and
notifications.
The Server administrator cannot manage user accounts.
•
The Network administrator manages networks, network sets, connections, uplinks, and firmware
drivers; and views activities, logs, and notifications.
The Network administrator cannot manage user accounts.
•
The Backup administrator role is provided for scripts using REST APIs to log in to the appliance.
By using this role for backup scripts, you do not expose the Infrastructure administrator
credentials for backup operations.
The Backup administrator cannot restore the appliance from a backup file.
•
Users with the Read only role can only view appliance information, such as network settings.
For information on how to add, delete, and edit user accounts, see the online help.
3.6 Protecting credentials
Local user account passwords are stored using a salted hash; that is, they are combined with a
random string, and then the combined value is stored as a hash. A hash is a one-way algorithm
that maps a string to a unique value so that the original string cannot be retrieved from the hash.
Passwords are masked in the browser. When transmitted between appliance and the browser over
the network, passwords are protected by SSL.
Local user account passwords must be a minimum of eight characters, with at least one uppercase
character. The appliance does not enforce additional password complexity rules. Password strength
and expiration are dictated by the site security policy (see
“Best practices for maintaining a secure
). If you integrate an external authentication directory service (also known
as an enterprise directory) with the appliance, the directory service enforces password strength
and expiration.
3.7 Understanding the audit log
The audit log contains a record of actions performed on the appliance, which you can use for
individual accountability.
48
Understanding the security features of the appliance