Creating roles to follow organizational structure, Using existing groups, Using multiple roles – HP Integrated Lights-Out 2 User Manual


Directory” (page 140), and “Directory services for eDirectory” (page 149). In general, you can use the HP-provided snap-ins to create objects. It is useful to give the LOM device objects meaningful names, such as the device network address, DNS name, host server name, or serial number.

Configure the Lights-Out management devices

Every LOM device that uses the directory service to authenticate and authorize users must be configured with the appropriate directory settings. For details on the specific directory settings, see “Configuring directory settings” (page 51). In general, you configure each device with the appropriate directory server address, the LOM object distinguished name, and any user contexts. The server address is either the IP address or DNS name of a local directory server or, for more redundancy, a multi-host DNS name.

Creating roles to follow organizational structure

Often, the administrators within an organization are placed into a hierarchy in which subordinate
administrators must assign rights independently of ranking administrators. In this case, it is useful
to have one role that represents the rights assigned by higher-level administrators and to allow the
subordinate administrators to create and manage their own roles.

Using existing groups

Many organizations have users and administrators arranged into groups. In many cases, the
organizations can use the existing groups and associate the groups with one or more Lights-Out
Management role objects. When the devices are associated with the role objects, the administrator
controls access to the Lights-Out devices associated with the role by adding or deleting members
from the groups.

When using Microsoft Active Directory, it is possible to place one group within another (nested groups). Role objects are considered groups and can include other groups directly. Add the existing nested group directly to the role, and assign the appropriate rights and restrictions. New users can be added to either the existing group or the role; either way they inherit the rights of the role.

Novell eDirectory does not allow nested groups. In eDirectory, any user that can read a role is considered a member of that role. When adding an existing group, organizational unit, or organization to a role, add the object as a read trustee of the role. All the members of that object are then considered members of the role. New users can be added to either the existing object or the role.

When using trustee or directory rights assignments to extend role membership, users must also be able to read the LOM object representing the LOM device. Some environments require the trustees of a role to also be read trustees of the LOM object for users to authenticate successfully; if authentication fails for users who are clearly members of a role, check read access to the LOM object first.

Using multiple roles

Most deployments do not require the same user to be in multiple roles managing the same device. However, such configurations are useful for building more complex rights relationships. When a user is in several roles that manage the same device, the user receives the union of the rights assigned by every applicable role. Roles can only grant rights, never revoke them: if one role grants a user a right, the user has that right, even if the user is also in another role that does not grant it.

Typically, a directory administrator creates a base role with the minimum number of rights assigned
and then creates additional roles to add additional rights. These additional rights are added under
specific circumstances or to a specific subset of the base role users.

For example, an organization can have two types of users: administrators of the LOM device or host server, and ordinary users of the LOM device. In this situation, it makes sense to create two roles, one for the administrators and one for the users. Both roles include some of the same devices but grant different rights. Sometimes it is useful to assign the generic rights to the lesser role and include the LOM administrators in that role as well as in the administrative role; because rights only accumulate, the administrators lose nothing by the double membership.
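The rights evaluation described above, as an added illustration that is not HP code and not the real iLO directory schema: an in-memory stand-in for directory objects that resolves nested group membership (Active Directory model), container or group read-trustee membership (eDirectory model), and then computes a user's effective rights on a device as the union over every applicable role. The class names, attribute names, right names and the sample DNs are all assumptions constructed for the example.

```python
"""Effective-rights evaluation for Lights-Out Management roles (added example).

Not HP code and not the real directory schema: Group/Role are a constructed
in-memory stand-in for directory objects; attribute names and right names
are assumptions chosen for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed right names (illustrative, not iLO's actual privilege names).
LOGIN, REMOTE_CONSOLE, VIRTUAL_MEDIA = "login", "remote_console", "virtual_media"
SERVER_RESET, CONFIGURE = "server_reset", "configure"


@dataclass
class Group:
    dn: str
    members: set[str] = field(default_factory=set)  # DNs of users or (AD only) other groups


@dataclass
class Role:
    """A LOM role object: group-like, grants rights on a set of LOM device objects."""
    dn: str
    rights: frozenset[str]
    devices: set[str]                                     # DNs of LOM device objects it manages
    members: set[str] = field(default_factory=set)        # AD model: user or group DNs
    read_trustees: set[str] = field(default_factory=set)  # eDirectory model: user, group, OU or O DNs


def expand_members(dn: str, groups: dict[str, Group], seen: set[str] | None = None) -> set[str]:
    """AD model: flatten a DN into the user DNs it ultimately contains, following nested groups.
    Cycle-safe: a group that transitively contains itself is expanded only once."""
    seen = set() if seen is None else seen
    if dn in seen:
        return set()
    seen.add(dn)
    group = groups.get(dn)
    if group is None:
        return {dn}  # a leaf object, i.e. a user
    users: set[str] = set()
    for member in group.members:
        users |= expand_members(member, groups, seen)
    return users


def under_container(user_dn: str, container_dn: str) -> bool:
    """True when user_dn lives beneath container_dn in the tree (an OU or O trustee)."""
    return user_dn.lower().endswith("," + container_dn.lower())


def is_member(user_dn: str, role: Role, groups: dict[str, Group], directory: str) -> bool:
    if directory == "ad":
        return any(user_dn in expand_members(m, groups) for m in role.members)
    # eDirectory: no nested groups; whoever can read the role is a member, and read
    # access comes from trustee assignments on the role object.
    for trustee in role.read_trustees:
        if trustee == user_dn:
            return True
        group = groups.get(trustee)
        if group is not None and user_dn in group.members:       # group trustee: direct members only
            return True
        if group is None and under_container(user_dn, trustee):  # OU/O trustee: everything beneath it
            return True
    return False


def effective_rights(user_dn, device_dn, roles, groups, directory="ad") -> frozenset[str]:
    """Union of the rights of every role that manages device_dn and counts user_dn as a member.
    Roles only grant: nothing here subtracts, so a restrictive role never removes a right."""
    granted: set[str] = set()
    for role in roles:
        if device_dn in role.devices and is_member(user_dn, role, groups, directory):
            granted |= role.rights
    return frozenset(granted)


# Constructed sample directory (AD-style DNs), modelled on the two-role layout above.
BASE = "dc=example,dc=com"
ALICE, BOB, CAROL, DAVE = (f"cn={n},ou=People,{BASE}" for n in ("alice", "bob", "carol", "dave"))
ONCALL, ADMINS, USERS = (f"cn={g},ou=Groups,{BASE}" for g in ("OncallAdmins", "ServerAdmins", "ServerUsers"))
WEB01, DB01 = f"cn=ilo-web01,ou=LOM,{BASE}", f"cn=ilo-db01,ou=LOM,{BASE}"
GROUPS = {
    ONCALL: Group(ONCALL, {BOB}),
    ADMINS: Group(ADMINS, {ALICE, ONCALL}),  # nested: on-call admins are server admins
    USERS: Group(USERS, {CAROL, ADMINS}),    # admins are included in the lesser group as well
}
USER_RIGHTS = frozenset({LOGIN, REMOTE_CONSOLE})
ADMIN_RIGHTS = frozenset({LOGIN, REMOTE_CONSOLE, VIRTUAL_MEDIA, SERVER_RESET, CONFIGURE})
ROLES = [
    Role(f"cn=LOM Users,ou=LOM,{BASE}", USER_RIGHTS, {WEB01, DB01}, members={USERS}),
    Role(f"cn=LOM Admins,ou=LOM,{BASE}", ADMIN_RIGHTS, {WEB01}, members={ADMINS}),
]
# eDirectory variant (constructed): membership through a read-trustee assignment on an OU.
ERIN, FRANK = "cn=erin,ou=Ops,o=example", "cn=frank,ou=Sales,o=example"
EDIR_ROLE = Role("cn=LOM Ops,ou=LOM,o=example", USER_RIGHTS, {WEB01}, read_trustees={"ou=Ops,o=example"})

if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL, DAVE):
        for dev in (WEB01, DB01):
            print(who.split(",")[0], dev.split(",")[0], sorted(effective_rights(who, dev, ROLES, GROUPS)))
```

Running the script shows that bob, who is only a direct member of the on-call group, reaches the full administrative set on ilo-web01 through two levels of nesting, keeps only the user rights on ilo-db01 (which the admin role does not manage), and that carol's double absence from the admin chain leaves her with the lesser role's rights alone. In the eDirectory variant no group is involved at all: read-trustee status on the OU is what makes erin a member.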

Directory-enabled remote management    157