User Guide

Table 1. Role-based user privileges for Power Manager (continued)

| Features | Administrator | Device Manager (scope for assigned groups) | Device Manager (scope for non-assigned groups) | Viewer |
|---|---|---|---|---|
| Enable and disable Liquid cooling system alert policy | Yes | No | No | No |
| View maximum and minimum power consumption of VM groups on the Overview page | Yes | Yes | Yes | Yes |
| Update device location in device console | Yes | No | No | No |
| View idle servers | Yes | Yes | No | Yes |
| Add or remove Uninterruptible Power Supply (UPS) from Power Manager | Yes | No | No | No |
| Monitor UPS | Yes | Yes | No | Yes |
Scope-based access control (SBAC)
Using the Role-Based Access Control (RBAC) feature, administrators assign roles while creating users. The role
determines the user's level of access to the appliance settings and device management features. Scope-based Access Control (SBAC)
is an extension of the RBAC feature that allows an administrator to restrict a Device Manager role to a subset of device groups,
called the scope.
While creating or updating a Device Manager (DM) user, administrators can assign a scope to restrict the DM's operational access to
one or more system groups, custom groups, and/or plugin groups.
The Administrator and Viewer roles have unrestricted scope: they have operational access, as specified by their RBAC
privileges, to all device and group entities.
Scope can be implemented as follows:
1. Create or Edit User
2. Assign DM role
3. Assign scope to restrict operational access
A natural outcome of the SBAC functionality is the Restricted View feature. With Restricted View, Device
Managers in particular will see only the following:
- Groups (and therefore the devices in those groups) in their scope.
- Entities that they own (such as jobs, firmware or configuration templates and baselines, alert policies, profiles, and so on).
- Community entities such as Identity Pools and VLANs, which are not restricted to specific users and can be used by everyone
accessing the console.
- Built-in entities of any kind.
Note that if the scope of a Device Manager is 'unrestricted', that Device Manager can view all devices
and groups, but can still see only the entities that he or she owns (such as jobs, alert policies, baselines, and so on),
along with community and built-in entities of any kind.
When a Device Manager (DM) user with an assigned scope logs in, the DM can see and manage scoped devices only. Also,
the DM can see and manage entities such as jobs, firmware or configuration templates and baselines, alert policies, profiles and
so on associated with scoped devices, only if the DM owns the entity (DM has created that entity or is assigned ownership
of that entity). For more information about the entities a DM can create, see Role-Based Access Control (RBAC) privileges in
OpenManage Enterprise.
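The visibility and management rules described above (scoped devices, owned entities, community and built-in entities) can be summarised as a small authorization model. The following is an added illustrative example, not OpenManage Enterprise's own code: the User, Device and Entity data shapes, the helper names, the sample inventory and the decision that a DM may manage an owned entity only when every associated device is inside the scope are all assumptions made for the example. Administrators and Viewers are modelled as seeing all entities, since the text only states that their scope is unrestricted.

```python
# Added illustrative model of the SBAC "Restricted View" rules.
# Example code, not OpenManage Enterprise's implementation; the data shapes,
# helper names and sample data below are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    role: str                        # "Administrator", "Device Manager" or "Viewer"
    scope: frozenset = frozenset()   # group names; empty means unrestricted


@dataclass(frozen=True)
class Device:
    name: str
    groups: frozenset                # groups the device belongs to


@dataclass(frozen=True)
class Entity:
    """A non-device object: job, template, baseline, alert policy, profile..."""
    name: str
    owner: str = ""                  # user who created it or was assigned ownership
    builtin: bool = False            # built-in entities are visible to everyone
    community: bool = False          # e.g. Identity Pools, VLANs: shared by all users
    devices: frozenset = frozenset() # devices the entity is associated with


def is_scoped_dm(user: User) -> bool:
    """True only for a Device Manager that was given a scope."""
    return user.role == "Device Manager" and bool(user.scope)


def can_see_device(user: User, device: Device) -> bool:
    """Admins, Viewers and unrestricted DMs see every device; a scoped DM
    sees a device only if it belongs to at least one group in the scope."""
    if not is_scoped_dm(user):
        return True
    return bool(user.scope & device.groups)


def can_see_entity(user: User, entity: Entity) -> bool:
    """Built-in and community entities are visible to all. Otherwise a DM
    (scoped or not) sees only entities he or she owns. Administrators and
    Viewers are modelled as seeing all entities (assumption)."""
    if entity.builtin or entity.community:
        return True
    if user.role != "Device Manager":
        return True
    return entity.owner == user.name


def can_manage_entity(user: User, entity: Entity, inventory: dict) -> bool:
    """A DM may manage an owned entity only if every device it is associated
    with is inside the DM's scope (assumption: 'all' rather than 'any')."""
    if user.role == "Viewer":
        return False
    if user.role == "Administrator":
        return True
    if entity.owner != user.name:
        return False
    return all(can_see_device(user, inventory[d]) for d in entity.devices)


def visible_devices(user: User, inventory: dict) -> set:
    """Names of the devices the user is allowed to see."""
    return {d.name for d in inventory.values() if can_see_device(user, d)}


# Constructed sample inventory and users (not real data).
INVENTORY = {
    "srv-01": Device("srv-01", frozenset({"Rack-A"})),
    "srv-02": Device("srv-02", frozenset({"Rack-B"})),
    "ups-01": Device("ups-01", frozenset({"Rack-A", "UPS"})),
}
ADMIN = User("admin", "Administrator")
DM_RACK_A = User("alice", "Device Manager", frozenset({"Rack-A"}))
DM_UNRESTRICTED = User("bob", "Device Manager")
VIEWER = User("carol", "Viewer")

ENTITIES = [
    Entity("Firmware baseline A", owner="alice", devices=frozenset({"srv-01"})),
    Entity("Power cap job", owner="alice", devices=frozenset({"srv-01", "srv-02"})),
    Entity("Default alert policy", builtin=True),
    Entity("VLAN 100", community=True),
    Entity("Bob's template", owner="bob"),
]

if __name__ == "__main__":
    for u in (ADMIN, DM_RACK_A, DM_UNRESTRICTED, VIEWER):
        seen = [e.name for e in ENTITIES if can_see_entity(u, e)]
        print(f"{u.name:6} devices={sorted(visible_devices(u, INVENTORY))} entities={seen}")
```

Running the block prints, for each sample user, the devices and entities that user can see: the scoped DM `alice` sees only the Rack-A devices, and the unrestricted DM `bob` sees every device but not `alice`'s baseline or job. The "Power cap job" illustrates the conservative management rule, since one of its devices lies outside `alice`'s scope.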
In OpenManage Enterprise, a scope can be assigned while creating a local user or importing an AD/LDAP user. Scope assignment for
OIDC users can be done only on the Open ID Connect (OIDC) provider.
SBAC for local users
12 Product and Subsystem Security