Using Device Group Permissions in Dell OpenManage Essentials This technical white paper describes how to use the device group permissions feature in OpenManage Essentials OME Engineering Team
Using Device Group Permissions in Dell OpenManage Essentials This document is for informational purposes only and may contain typographical errors and technical inaccuracies. The content is provided as is, without express or implied warranties of any kind. © 2013 Dell Inc. All rights reserved. Dell and its affiliates cannot be responsible for errors or omissions in typography or photography. Dell, the Dell logo, and PowerEdge are trademarks of Dell Inc.
Using Device Group Permissions in Dell OpenManage Essentials Contents Executive Summary................................................................................................... 5 Introduction ........................................................................................................... 5 OpenManage Essentials Roles ....................................................................................... 6 OmeUsers ........................................................................
Using Device Group Permissions in Dell OpenManage Essentials Figure 9. Select the Austin Data Center device group ........................................................... 14 Figure 10. UserA deployment task targets ......................................................................... 15 Figure 11. UserB deployment task targets ......................................................................... 15 Figure 12. Create Linux OS query ..................................................................
Using Device Group Permissions in Dell OpenManage Essentials Executive Summary This white paper describes the process of assigning users to the OmeSiteAdministrators role and assigning device group permissions to a user using OpenManage Essentials. This document explains how to assign device group permissions to a user for targeting system update and remote tasks. OmeSiteAdministrators (a new role introduced in OpenManage Essentials v1.2) can only target device groups assigned to them.
Using Device Group Permissions in Dell OpenManage Essentials This white paper explains the use of the device group permissions portal and how the device group permissions feature in Dell OpenManage Essentials can help mitigate risks of mistargeted tasks and over privileged users. This document includes: • Assigning users to the OmeSiteAdministrators role. • The limitations and constraints of an OmeSiteAdministrator. • Assigning device groups to a user.
Using Device Group Permissions in Dell OpenManage Essentials • System Update and Remote Task Limitations • Can only target device groups assigned to the OmeSiteAdministrator. Cannot edit remote tasks. Cannot activate or deactivate remote tasks’ schedules. Cannot clone remote or system update tasks. Cannot target device queries. Can only run and delete remote and system update tasks created by the site administrator. Custom Device Group Limitations o o o o o o o o Cannot edit custom groups.
Using Device Group Permissions in Dell OpenManage Essentials Figure 1. Edit Members of OmeSiteAdministrators 3. Click ‘Domain’ and type the domain of the user. (See Figure 2. Edit members wizard below) 4. Click ‘Username’ and type the username of the user. (See Figure 2. Edit members wizard below) 5. Click ‘Add’. (See Figure 2. Edit members wizard below) Figure 2. Edit members wizard 6. Select the added user in the users’ grid.
Using Device Group Permissions in Dell OpenManage Essentials Figure 3. Select user in edit members wizard 7. Click ‘Ok’. Add/Remove Existing User An administrator can add and remove users from the OmeSiteAdministrators role by using the device group permissions portal. To add or remove a user that has logged into the OpenManage Essentials console before, use the following steps. 1. Navigate to the device group permissions portal (under ‘Preferences’). 2. Click ‘Edit Members of OmeSiteAdministrators’.
Using Device Group Permissions in Dell OpenManage Essentials 4. Click ‘Ok’. 5. Click ‘Ok’ to the warning message that appears. This message informs you that an OmeAdministrator has been selected, and that you must remove them from the OmeAdministrators user group for the limitations to apply. 6. Navigate to the Local Users and Groups on the OpenManage Essentials’ server (Server Manager → Configuration → Local Users and Groups). 7. Navigate to the OmeAdministrators user group. 8.
Using Device Group Permissions in Dell OpenManage Essentials Figure 5. (Un)select device group permissions 5. Click ‘Apply’. Use Cases The following sections are examples of uses of the device group permissions portal. Assigning Users to Location Based Device Groups Objective: Assign all devices from a given data center location to an OmeSiteAdministrator. For this example: 1. UserA will be assigned to the Austin data center. a. Austin data center is on IP range 123.45.6-7.* 2.
Using Device Group Permissions in Dell OpenManage Essentials vi. Repeat step iii using ‘123.45.7.’ as the IP address. vii. Click ‘Save Query’. Figure 6. Create Austin Data Center Query b. Create the ‘Boston Data Center Query’. i. Repeat step a using the IP addresses ’65.43.21.’ and ’65.43.20.’. Figure 7. Create Boston Data Center Query 2. Create device groups from location queries. a. Create Austin Data Center device group. i. Navigate to the Devices portal (Manage → Devices). ii.
Using Device Group Permissions in Dell OpenManage Essentials Figure 8. Select the Austin Data Center Query vi. Review and click ‘Finish’. b. Create Boston Data Center device group. i. Repeat step a using the device group name ‘Boston Data Center’ for step a.iv and the ‘Boston Data Center Query’ for step a.v. 3. Assign the custom groups in step 1 to the users. a. Navigate to the device group permissions portal (Preferences → Device Group Permissions). b.
Using Device Group Permissions in Dell OpenManage Essentials Figure 9. Select the Austin Data Center device group e. Select ‘UserB’ in the left hand OmeSiteAdministrators’ tree. i. Uncheck ‘All Devices’ ii. Check ‘Boston Data Center’ iii. Click ‘Apply. Note: After completing the above procedure, the user must re-log into OpenManage Essentials to apply the changes.
Using Device Group Permissions in Dell OpenManage Essentials Figure 10. UserA deployment task targets The following targets are available to ‘UserB’ when he or she creates a deploy server administrator task: Figure 11.
Using Device Group Permissions in Dell OpenManage Essentials Assigning Users to Operating System Based Device Groups Objective: Assign all Linux based machines to an OmeSiteAdministrator. Procedure: 1. Create a device group query to target all devices with the Linux operating system. a. Navigate to the ‘Device Search’ portal (Manage → Device Search). b. For simplicity, use ‘OS Name’ for the first parameter, ‘Contains’ for the second and type ‘Linux’ for the third. Figure 12. Create Linux OS query c.
Using Device Group Permissions in Dell OpenManage Essentials d. Click ‘Ok’. 2. Add the user to the OmeAdministrators user group. a. Navigate to the Local Users and Groups on the OpenManage Essentials server (Server Manager → Configuration → Local Users and Groups) b. Add the promoted user to the OmeAdministrators user group, or add the promoted user to a member user group of OmeAdministrators.
Using Device Group Permissions in Dell OpenManage Essentials that the site administrator was not able to perform. Target security cannot be guaranteed for this type of user (they can edit groups assigned to them). 5. Can I promote an OmeSiteAdministrator to an OmeAdministrator? a. Yes, the user will have all rights and will be able to target all devices. It is suggested, but not required, to remove the user from the OmeSiteAdministrators role first. Remote and System Update Tasks 1.