How directory login restrictions are enforced, Restricting roles, Role time restrictions – HP Remote Insight Lights-Out Edition II Board User Manual
Page 105: Role address restrictions
Directory-enabled remote management 105
How directory login restrictions are enforced
Two sets of restrictions potentially limit a directory user's access to LOM devices. User access restrictions
limit a user's access to authenticate to the directory. Role access restrictions limit an authenticated user's
ability to receive LOM privileges based on rights specified in one or more Roles.
Restricting roles
Restrictions allow administrators to limit the scope of a role. A role only grants rights to those users that
satisfy the role's restrictions. Using restricted roles results in users with dynamic rights that change based
on the time of day or network address of the client.
For step-by-step instructions on how to create network and time restrictions on a role, refer to "Active
Directory Role Restrictions (on page
)" or "eDirectory Role Restrictions (on page
Role time restrictions
Administrators can place time restrictions on LOM roles. Users are granted the rights specified for the
LOM devices listed in the role, only if they are members of the role and meet the time restrictions for that
role.
LOM devices use local host time to enforce time restrictions. If the LOM device clock is not set, the role
time restriction fails unless no time restrictions are specified on the role.
Role-based time restrictions can only be satisfied if the time is set on the LOM device. The time is normally
set when the host is booted, and it is maintained by running the agents in the host operating system,
which allows the LOM device to compensate for leap year and minimize clock drift with respect to the
host. Events, such as unexpected power loss or flashing LOM firmware, can cause the LOM device clock
to not be set. Also, the host time must be correct for the LOM device to preserve time across firmware
flashes.
Role address restrictions
Role address restrictions are enforced by the LOM firmware, based on the client's IP network address.
When the address restrictions are met for a role, the rights granted by the role apply.
Address restrictions can be difficult to manage if access is attempted across firewalls or through network
proxies. Either of these mechanisms can change the apparent network address of the client, causing the
address restrictions to be enforced in an unexpected manner.