HP Virtual Connect Enterprise Manager 6.3 CLI Guide

ManualsBrandsHP ManualsSoftwareHP Virtual Connect Enterprise Manager BLc3000 24x7 Support No Media 1-encl Lic

Table 2 RBAC privileges (continued)

VCEM User

(read only)

VCEM

Group

Limited

Operator

VCEM

Group

Operator

VCEM

Group

Administrator

VCEM

AdministratorCommand line options

xxx-set iscsi-boot-param

xxx-remove iscsi-boot-param

xxxxx-show job

xxxxx-show version

VCEMCLI commands for read operations require minimum VCEM privilege, whereas write operations

require full privilege to the affected resource. You can set up the VCEM privilege from the System

Insight Manager Options→Security→Users and Authorizations. If the minimum RBAC is not met,

VCEMCLI reports an error. The error message contains a description of the reason for the failure.

RBAC Best Practices

In configurations where VCEM is used in conjunction with a upper-level manager such as Logical

Server Manager or Insight Dynamics-VSE, ensure that operations invoked through VCEMCLI do

not disrupt the functioning of the upper-level manager. The VCEM User Interface warns the

administrator when it detects the risk of conflict, however VCEMCLI will not. See “Using VCEM

commands” (page 18) for more information on which commands can cause disruption of upper-level

managers.

You can configure SIM using role-based access control to prevent conflicts between VCEM and

upper-level managers by not allowing changes to resources which would disrupt the upper-level

manager.

To prevent conflicts:

• Define specific SIM users for VCEM and VCEMCLI.

• Define additional SIM users for upper-level managers.

• If needed, roles can be removed from the VCEM users to prevent conflict with upper-level

managers.

• Set permissions on VC Domain Groups so only specific SIM users can access them.

• Confirm that the scripts specify the correct username and password credentials to ensure that

they are granted only the appropriate level of permissions.

• Ensure that NTFS permissions are set on the scripts on the CMS so that they are accessible

only to the CMS users who are authorized to run them.

Working with server profiles

VCEMCLI provides the most commonly used profile operations including:

• Server profile creation or update

• Server profile assignment or un-assignment

For more information on server profiles and the available server profile operations, see the HP

Virtual Connect Enterprise Manager 6.3 User Guide

Creating a server profile

Server profiles are defined in a multi-step process to reduce the number of arguments required in

a single VCEMCLI command. In the first step the server profile is created as unassigned and with

12 Using VCEMCLI