Manualshelf

HP Integrity and HP 9000 iLO MP Operations Guide, Fifth Edition

ManualsBrandsHP ManualsServerHP 9000 rp3440-4 Server
121122123124125126127128129130
iLO MP device as a directory user, the iLO MP device attempts authentication to the directory
as that user, which means that address restrictions placed on the user account apply when
accessing the iLO MP device. However, because the user is proxied at the iLO MP device, the
network address of the authentication attempt is that of the iLO MP device, not that of the client
workstation.
Creating Multiple Restrictions and Roles
The most useful application of multiple roles includes restricting one or more roles so that rights
do not apply in all situations. Other roles provide different rights under different constraints.
Using multiple restrictions and roles enables you to create arbitrary, complex rights relationships
with a minimum number of roles.
For example, an organization might have a security policy in which iLO MP administrators are
allowed to use the iLO MP device from within the corporate network, but are only able to reset
the server outside of regular business hours.
Directory administrators might be tempted to create two roles to address this situation, but extra
caution is required. Creating a role that provides the required server reset rights and restricting
it to an after-hours application might allow administrators outside the corporate network to reset
the server, which is contrary to most security policies.
In Figure 7-24, security policy dictates that general use is restricted to clients within the corporate
subnet, and server reset capability is additionally restricted to after hours.
Figure 7-24 Multiple Restriction Roles
Alternatively, the directory administrator could create a role that grants the login right and
restrict it to the corporate network and create another role that grants only the server reset right
and restrict it to after-hours operation. This configuration is easier to manage but more dangerous
because ongoing administration can create another role that grants users from addresses outside
the corporate network the login right, which could unintentionally grant the iLO MP
administrators in the server Reset role the ability to reset the server from anywhere, provided
they satisfy the time constraints of that role.
The previous configuration satisfies corporate security policy. However, adding another role
that grants the login right can inadvertently grant server reset privileges from outside the corporate
subnet after hours. Figure 7-25 shows a more manageable solution that restricts the Reset role,
as well as the General Use role.
Directory-Enabled Management 123