Using Device Group Permissions in Dell
OpenManage Essentials
This technical white paper describes how to use the device group
permissions feature in OpenManage Essentials
This document is for informational purposes only and may contain typographical errors and technical
inaccuracies. The content is provided as is, without express or implied warranties of any kind.
Executive Summary
This white paper describes the process of assigning users to the OmeSiteAdministrators role and
assigning device group permissions to a user using OpenManage Essentials.
This document explains how to assign device group permissions to a user for targeting system update
and remote tasks. OmeSiteAdministrators (a new role introduced in OpenManage Essentials v1.2) can
only target device groups assigned to them. Using OpenManage Essentials, an administrator can assign a
user to a specific set of device groups for targeting system update and remote tasks, reducing the
impact and side effects a user can have in OpenManage Essentials.
Introduction
Several IT professionals can simultaneously use OpenManage Essentials. In many cases, the IT
professionals divide responsibilities of devices. The responsibilities can be divided several ways.
Devices are categorized and responsibilities divided based on geographical location, device type,
operating system, network setup, and other factors. Custom device groups help users divide their
devices.
Custom device groups separate and subset devices. Users can create custom device groups in
OpenManage Essentials. A custom device group can be created from a query, a combination of other
device groups, a selection of devices, or a combination of device groups and device selections.
Creating a subset of devices (a custom device group) makes it easier to accurately target groups of
devices throughout OpenManage Essentials.
Creating custom device groups is helpful when dividing responsibilities of devices, but all device groups
and devices can be targeted by users. Unwanted behaviors of devices may occur if an overlap in targets
or accidental targeting of device groups occurs while creating system update or remote tasks. A
misused task or update can cause downtime, additional effort, and even an interruption of service.
To mitigate the risk of incorrectly targeted tasks, reduce the scope of select users and divide the
responsibilities of management more easily, the device group permissions portal and functionality was
developed for the OpenManage Essentials v1.2 release. The portal configures the newly added
OmeSiteAdministrators role and assigns device group permissions to members of the
OmeSiteAdministrators role. The device group permissions portal’s purpose is to limit what a user can
target when creating remote and system update tasks.
The device group permissions portal gives administrators greater control over what users can target. An
administrator can create custom groups tailored to the device responsibilities of users and assign users
to the created custom device groups. For instance, an administrator can create a custom group based
on the IP address range of a data center and assign the custom group to the onsite administrator.
Another possible scenario is creating custom device groups based on the operating system of the
devices and assigning the device groups to the operating system management specialist.
The benefit of using the device group permissions feature is that administrators have control over what
targets are visible to a user. An administrator can reduce the visibility of device groups to users that
should not target all device groups and devices. Hiding target devices is especially beneficial when a
subset of devices is mission critical and should not be targeted by most users.
This white paper explains the use of the device group permissions portal and how the device group
permissions feature in Dell OpenManage Essentials can help mitigate risks of mistargeted tasks and over
privileged users. This document includes:
• Assigning users to the OmeSiteAdministrators role.
• The limitations and constraints of an OmeSiteAdministrator.
• Assigning device groups to a user.
• How to use the device group permissions portal.
• Use cases of common scenarios.
• FAQ section about the device group permissions portal and OmeSiteAdministrator restrictions.
OpenManage Essentials Roles
Users of OpenManage Essentials have one or several of the following roles. A role is a set of permissions
that determines what a user can and cannot do in OpenManage Essentials. A user can have multiple
roles. When a user has multiple roles, the permissions are additive.
The following section is a brief overview of the roles in OpenManage Essentials. For further reading,
please visit the OpenManage Essentials roles white paper:
OmeUsers
Read only privileges. An OmeUser cannot create or edit items in OpenManage Essentials (the exception is
discovery and inventory). Cannot view or edit device group permissions.
OmePowerUsers
All read write privileges except for preferences (read only). Cannot view or edit device group
permissions.
OmeSiteAdministrators
The OmeSiteAdministrators role is a new role introduced in OpenManage Essentials v1.2. The role is
similar to the OmeAdministrators role, but has several limitations. To read the limitations, please see
the Limitations of OmeSiteAdministrators section below.
The OmeSiteAdministrators role is a virtual user group that does not appear in the Active Directory. It is
managed completely by the OpenManage Essentials console.
Limitations of OmeSiteAdministrators
An OmeSiteAdministrator is a limited user. An OmeSiteAdministrator does not have the same access
level as an OmeAdministrator. The device group permissions portal is not visible to an
OmeSiteAdministrator. To ensure the security of the role in the OpenManage Essentials console, an
OmeSiteAdministrator has the following limitations.
• System Update and Remote Task Limitations
  o Can only target device groups assigned to the OmeSiteAdministrator.
  o Cannot edit remote tasks.
  o Cannot activate or deactivate remote tasks’ schedules.
  o Cannot clone remote or system update tasks.
  o Cannot target device queries.
  o Can only run and delete remote and system update tasks created by the site
    administrator.
• Custom Device Group Limitations
  o Cannot edit custom groups.
  o Can only create custom groups under All Devices.
OmeAdministrators
All read write privileges, no restrictions.
Device Group Permissions Portal
The device group permissions portal configures the OmeSiteAdministrators role and assigns device
group permissions to members of the OmeSiteAdministrators role. The portal is only visible and
editable for OmeAdministrators. The following sections are instructions on the use of the device group
permissions portal.
Editing Members of OmeSiteAdministrators
The members of the OmeSiteAdministrators role have limited system update and remote tasks targets
based on assigned device groups. This limits what device groups a user can target when creating and
executing system update and remote tasks. The following sections provide instructions on how to edit
the members of the OmeSiteAdministrators role.
Add New User
An administrator can add users that have never logged into OpenManage Essentials by using the device
group permissions portal. To add a new user that has not logged in to the OpenManage Essentials
console, use the following steps.
1. Navigate to the device group permissions portal (under ‘Preferences’).
2. Click ‘Edit Members of OmeSiteAdministrators’.
Figure 1. Edit Members of OmeSiteAdministrators
3. Click ‘Domain’ and type the domain of the user. (See Figure 2. Edit members wizard below)
4. Click ‘Username’ and type the username of the user. (See Figure 2. Edit members wizard
below)
5. Click ‘Add’. (See Figure 2. Edit members wizard below)
Figure 2. Edit members wizard
6. Select the added user in the users’ grid.
Figure 3. Select user in edit members wizard
7. Click ‘Ok’.
Add/Remove Existing User
An administrator can add and remove users from the OmeSiteAdministrators role by using the device
group permissions portal. To add or remove a user that has logged into the OpenManage Essentials
console before, use the following steps.
1. Navigate to the device group permissions portal (under ‘Preferences’).
2. Click ‘Edit Members of OmeSiteAdministrators’. See Figure 1. Edit Members of
OmeSiteAdministrators.
3. Check a user to add him or her to the role. Uncheck to remove him or her from the role. See
Figure 3. Select user in edit members wizard.
4. Click ‘Ok’.
Add an OmeAdministrator
An OmeAdministrator can become an OmeSiteAdministrator. However, to apply the limitations to the
new OmeSiteAdministrator, he or she must be removed from any Windows group that is a member of
the OmeAdministrators user group. To add an OmeAdministrator to the OmeSiteAdministrators role,
use the following steps.
1. Navigate to the device group permissions portal (under ‘Preferences’).
2. Click ‘Edit Members of OmeSiteAdministrators’. See Figure 1. Edit Members of
OmeSiteAdministrators.
3. Check the user in the users’ grid. See Figure 3. Select user in edit members wizard.
4. Click ‘Ok’.
5. Click ‘Ok’ to the warning message that appears. This message informs you that an
OmeAdministrator has been selected, and that you must remove them from the
OmeAdministrators user group for the limitations to apply.
6. Navigate to the Local Users and Groups on the OpenManage Essentials server (Server Manager
→ Configuration → Local Users and Groups).
7. Navigate to the OmeAdministrators user group.
8. Remove the user from any user groups that are a member of the OmeAdministrators user
group.
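An audit for the leftover-membership condition described above, as an added example (not Dell code and not part of the original white paper): it lists site administrators who still reach the OmeAdministrators or OmePowerUsers group, directly or through a nested domain group, so that the OmeSiteAdministrators limitations do not fully apply to them. It assumes both roles exist as local groups with these names on the OpenManage Essentials server, that nested groups belong to the server's own domain, and that the ActiveDirectory module is installed; the names in $SiteAdmins are constructed and must be copied by hand from the edit members wizard, because the role is virtual and has no Windows group.

```powershell
# Added example: run in an elevated PowerShell session on the OpenManage Essentials server.
# Constructed sample names; replace with the users checked in the
# 'Edit Members of OmeSiteAdministrators' grid (DOMAIN\username).
$SiteAdmins = @('EXAMPLE\UserA', 'EXAMPLE\UserB')

# Assumption: both roles are local groups on this server with these names.
# Their permissions are added on top of the site administrator role.
$RoleGroups = @('OmeAdministrators', 'OmePowerUsers')

function Get-EffectiveMember {
    # Returns every user that reaches $LocalGroup, directly or via a nested domain group.
    param([Parameter(Mandatory)][string]$LocalGroup)

    foreach ($member in Get-LocalGroupMember -Group $LocalGroup) {
        if ($member.ObjectClass -eq 'User') {
            [pscustomobject]@{ User = $member.Name; Group = $LocalGroup; Via = '(direct)' }
        }
        elseif ($member.ObjectClass -eq 'Group' -and
                $member.PrincipalSource -eq 'ActiveDirectory') {
            # Assumption: the nested group and its members are in the server's own domain.
            $domain, $groupName = $member.Name -split '\\', 2
            Get-ADGroupMember -Identity $groupName -Recursive |
                Where-Object { $_.objectClass -eq 'user' } |
                ForEach-Object {
                    [pscustomobject]@{
                        User  = "$domain\$($_.SamAccountName)"
                        Group = $LocalGroup
                        Via   = $member.Name
                    }
                }
        }
    }
}

# Keep only members that are also site administrators (-contains ignores case).
$findings = foreach ($group in $RoleGroups) {
    Get-EffectiveMember -LocalGroup $group |
        Where-Object { $SiteAdmins -contains $_.User }
}

if ($findings) {
    $findings | Sort-Object User, Group | Format-Table User, Group, Via -AutoSize
} else {
    'No site administrator is a member of OmeAdministrators or OmePowerUsers.'
}
```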
Assigning Device Groups to an OmeSiteAdministrator
The device groups that are assigned to an OmeSiteAdministrator determine what the user can target
when creating a system update or remote task. Device groups can only be assigned to a user that is a
member of the OmeSiteAdministrators role. To add a user to the OmeSiteAdministrators role, please
read the Add/Remove Existing User section. To assign device groups to an OmeSiteAdministrator, use
the following steps.
1. Navigate to the device group permissions portal (under ‘Preferences’).
2. Select the user in the left hand users’ tree.
Figure 4. Select user in OmeSiteAdministrators tree
3. Check device groups that the user can target.
4. Uncheck device groups that the user should not target.
Figure 5. (Un)select device group permissions
5. Click ‘Apply’.
Use Cases
The following sections are examples of uses of the device group permissions portal.
Assigning Users to Location Based Device Groups
Objective: Assign all devices from a given data center location to an OmeSiteAdministrator.
For this example:
1. UserA will be assigned to the Austin data center.
   a. Austin data center is on IP range 123.45.6-7.*
2. UserB will be assigned to the Boston data center.
   a. Boston data center is on IP range 65.43.20-21.*
Procedure:
1. Create queries based on location.
   a. Create the ‘Austin Data Center Query’.
      i. Navigate to the device search portal (Manage → Device Search).
      ii. Name the query ‘Austin Data Center Query’.
      iii. In the ‘Where’ section, select ‘IP Address’ ‘Starts With’ and type ‘123.45.6.’.
      iv. Click the left hand checkbox to add an additional where clause.
      v. Select the ‘OR’ clause.
      vi. Repeat step iii using ‘123.45.7.’ as the IP address.
      vii. Click ‘Save Query’.
Figure 6. Create Austin Data Center Query
   b. Create the ‘Boston Data Center Query’.
      i. Repeat step a using the IP addresses ‘65.43.21.’ and ‘65.43.20.’.
Figure 7. Create Boston Data Center Query
2. Create device groups from location queries.
   a. Create Austin Data Center device group.
      i. Navigate to the Devices portal (Manage → Devices).
      ii. Right click the ‘All Devices’ device group.
      iii. Select ‘New Group’.
      iv. Name the group ‘Austin Data Center’ and click ‘Next’.
      v. Select the ‘Austin Data Center Query’ in the ‘Select a query’ drop down menu
         and click ‘Next’.
Figure 8. Select the Austin Data Center Query
      vi. Review and click ‘Finish’.
   b. Create Boston Data Center device group.
      i. Repeat step a using the device group name ‘Boston Data Center’ for step a.iv
         and the ‘Boston Data Center Query’ for step a.v.
3. Assign the custom groups in step 1 to the users.
   a. Navigate to the device group permissions portal (Preferences → Device Group
      Permissions).
   b. Click ‘Edit Members of OmeSiteAdministrators’ (see Figure 1. Edit Members of
      OmeSiteAdministrators).
   c. Add/Select ‘UserA’ and ‘UserB’ and click ‘Ok’ (see Figure 2. Edit members wizard).
   d. Select ‘UserA’ in the left hand OmeSiteAdministrators’ tree.
      i. Uncheck ‘All Devices’
      ii. Check ‘Austin Data Center’
      iii. Click ‘Apply’.
Figure 9. Select the Austin Data Center device group
   e. Select ‘UserB’ in the left hand OmeSiteAdministrators’ tree.
      i. Uncheck ‘All Devices’
      ii. Check ‘Boston Data Center’
      iii. Click ‘Apply’.
Note: After completing the above procedure, the user must re-log into OpenManage Essentials to apply
the changes.
Result:
The following targets are available to ‘UserA’ when he or she creates a deploy server administrator
task:
Figure 10. UserA deployment task targets
The following targets are available to ‘UserB’ when he or she creates a deploy server administrator
task:
Figure 11. UserB deployment task targets
Assigning Users to Operating System Based Device Groups
Objective: Assign all Linux based machines to an OmeSiteAdministrator.
Procedure:
1. Create a device group query to target all devices with the Linux operating system.
   a. Navigate to the ‘Device Search’ portal (Manage → Device Search).
   b. For simplicity, use ‘OS Name’ for the first parameter, ‘Contains’ for the second and
      type ‘Linux’ for the third.
Figure 12. Create Linux OS query
   c. Name the query and click ‘Save Query’.
2. Create a custom device group from the saved query.
   a. Navigate to Manage → Devices.
   b. Right click the ‘All Devices’ group and select ‘New Group’.
   c. Name the group and click ‘Next’.
   d. Select the device group query saved in step 1 and click ‘Next’.
   e. Click ‘Finish’.
3. Assign the custom device group created in step 2 to the user using the device group permissions
   portal (see Assigning Device Groups to an OmeSiteAdministrator for instructions on assigning
   device group permissions).
Note: After completing the above procedure, the user must re-log into OpenManage Essentials to apply
the changes.
Promoting an OmeSiteAdministrator to an OmeAdministrator
Objective: Remove the restrictions of the OmeSiteAdministrator role and add a user to the
OmeAdministrators role.
Procedure:
1. Remove the user from the OmeSiteAdministrators role.
   a. Navigate to the Device Group Permissions portal (under ‘Preferences’).
   b. Click ‘Edit Members of OmeSiteAdministrators’.
   c. Uncheck the promoted user.
   d. Click ‘Ok’.
2. Add the user to the OmeAdministrators user group.
   a. Navigate to the Local Users and Groups on the OpenManage Essentials server (Server
      Manager → Configuration → Local Users and Groups).
   b. Add the promoted user to the OmeAdministrators user group, or add the promoted user
      to a member user group of OmeAdministrators.
Note: After completing the above procedure, the promoted user must re-log into OpenManage
Essentials to apply the changes.
Summary
The Device Group Permissions portal gives administrators the tools to restrict and limit the scope and
impact of a user. Creating and assigning custom device groups allows administrators to tailor the
devices available to a user based on the user’s responsibilities and expertise. An administrator can limit
the target device groups of a user and mitigate the risk of a user unintentionally targeting and
executing against devices and device groups.
An OmeSiteAdministrator is a limited user. This type of user has several restrictions and limitations to
ensure the security of assigned device groups. An OmeSiteAdministrator can only target device groups
assigned to them for system update and remote tasks.
An administrator can assign device group permissions to users that have and have not previously logged
into the OpenManage Essentials console. An administrator can demote an administrator or promote an
OmeSiteAdministrator.
Using the device group permissions portal adds a layer of granularity to the security of the OpenManage
Essentials console. The device group permissions security reduces the risk of task execution side effects
and helps administrators better manage users of OpenManage Essentials.
FAQ
Device Group Permissions Portal
1. Can I add a user group to the OmeSiteAdministrators role?
   a. No, in OpenManage Essentials v1.2 we do not support adding a user group to the
      OmeSiteAdministrators role.
2. Can I add an administrator to the OmeSiteAdministrators role?
   a. Yes, you can add an OmeAdministrator to the OmeSiteAdministrators role. However,
      you MUST remove the administrator from the OmeAdministrators user group.
3. Can I add a user that has not logged into OpenManage Essentials to the OmeSiteAdministrators
   role?
   a. Yes, you can use the edit members wizard to add a user that has not logged in to
      OpenManage Essentials to the OmeSiteAdministrators role.
4. What happens if a user is a power user and a site administrator?
   a. Roles and permissions are additive. The user will no longer have all of (but retain some
      of) the restrictions of a site administrator. The user will be able to perform edit actions
      that the site administrator was not able to perform. Target security cannot be
      guaranteed for this type of user (they can edit groups assigned to them).
5. Can I promote an OmeSiteAdministrator to an OmeAdministrator?
   a. Yes, the user will have all rights and will be able to target all devices. It is suggested,
      but not required, to remove the user from the OmeSiteAdministrators role first.
Remote and System Update Tasks
1. What happens to a remote task’s targets if a site administrator’s device group permissions
   change?
   a. The remote task’s targets are not affected by changes to device group permissions.
      Remote tasks that were created in the past may have targets that the site
      administrator no longer has.
2. What should a site administrator do if he or she needs to edit a task?
   a. If a site administrator is the owner of the task, he or she should delete the existing task
      and create a new task.
3. Can a site administrator re-run a task?
   a. If a site administrator is the creator of a task, he or she can re-run the task.
4. Can a site administrator re-run a task after renaming a site administrator?
   a. No, a site administrator must re-create tasks after being renamed.
Custom Groups
1. Can a site administrator delete devices in any group?
   a. Just like a power user or administrator, the site administrator can delete devices in any
      group.
2. Can a site administrator edit his or her created device groups?
   a. No, a site administrator cannot edit groups or queries.
3. Can a site administrator delete queries and custom groups?
   a. Yes, a site administrator can delete queries and custom groups.
4. Can a site administrator add devices to a custom device group?
   a. No, a site administrator cannot edit a group.