Creating multiple restrictions and roles – HP Integrated Lights-Out 3 User Manual
Page 195
Creating multiple restrictions and roles
The most useful application of multiple roles is restricting one or more roles so that rights do not
apply in all situations. Other roles provide different rights under different constraints. Using multiple
restrictions and roles enables the administrator to create arbitrary, complex rights relationships
with a minimum number of roles.
For example, an organization might have a security policy in which LOM administrators are allowed
to use the LOM device from within the corporate network, but can reset the server only after regular
business hours.
Directory administrators might be tempted to create two roles to address this situation, but extra
caution is required. Creating a role that provides the required server reset rights and restricting it
to after hours might allow administrators outside the corporate network to reset the server, which
is contrary to most security policies.
In the example shown in
, security policy dictates that general use is restricted
to clients in the corporate subnet, and server reset capability is restricted to after hours.
Figure 107 Creating restrictions and roles
User
General Use
Role
Reset Role
Assigns Login Right
IP Restrictions:
DENY except to corporate subnet
Server
Assigns Server Reset Right
Time Restriction: Denied Monday
through Friday, 8 a.m. to 5 p.m.
Alternatively, the directory administrator might create a role that grants the login right and restrict
it to the corporate network, and then create another role that grants only the server reset right and
restrict it to after-hours operation. This configuration is easier to manage but more dangerous
because ongoing administration might create another role that grants the login right to users from
addresses outside the corporate network. This role might unintentionally grant the LOM administrators
in the server Reset role the ability to reset the server from anywhere, if they satisfy the role's time
constraints.
The previous configuration (
) meets corporate security requirements. However, adding
another role that grants the login right can inadvertently grant server reset privileges from outside
the corporate subnet after hours. A more manageable solution would be to restrict the Reset role
and the General Use role, as shown in
Figure 108 Restricting the Reset and General Use roles
User
General Use
Role
Reset Role
Assigns Login Right
IP Restrictions:
DENY except to corporate
subnet
Server
Assigns Server Reset Right
AND Login Right
Time Restriction: Denied Monday through
Friday, 8 a.m. to 5 p.m.
IP Restriction:
DENY except to corporate
subnet
Directory-enabled remote management 195