HP iLO 3 User Guide

ManualsBrandsHP ManualsComputer AccessoriesHP Integrated Lights-Out 3 (iLO 3) Firmware for ProLiant G7 Servers

191

192

193

194

195

196

197

198

199

200

Creating multiple restrictions and roles

The most useful application of multiple roles is restricting one or more roles so that rights do not

apply in all situations. Other roles provide different rights under different constraints. Using multiple

restrictions and roles enables the administrator to create arbitrary, complex rights relationships

with a minimum number of roles.

For example, an organization might have a security policy in which LOM administrators are allowed

to use the LOM device from within the corporate network, but can reset the server only after regular

business hours.

Directory administrators might be tempted to create two roles to address this situation, but extra

caution is required. Creating a role that provides the required server reset rights and restricting it

to after hours might allow administrators outside the corporate network to reset the server, which

is contrary to most security policies.

In the example shown in Figure 107 (page 195), security policy dictates that general use is restricted

to clients in the corporate subnet, and server reset capability is restricted to after hours.

Figure 107 Creating restrictions and roles

User

General Use

Role

Reset Role

Assigns Login Right

IP Restrictions:

DENY except to corporate subnet

Server

Assigns Server Reset Right

Time Restriction: Denied Monday

through Friday, 8 a.m. to 5 p.m.

Alternatively, the directory administrator might create a role that grants the login right and restrict

it to the corporate network, and then create another role that grants only the server reset right and

restrict it to after-hours operation. This configuration is easier to manage but more dangerous

because ongoing administration might create another role that grants the login right to users from

addresses outside the corporate network. This role might unintentionally grant the LOM administrators

in the server Reset role the ability to reset the server from anywhere, if they satisfy the role's time

constraints.

The previous configuration (Figure 107) meets corporate security requirements. However, adding

another role that grants the login right can inadvertently grant server reset privileges from outside

the corporate subnet after hours. A more manageable solution would be to restrict the Reset role

and the General Use role, as shown in Figure 108 (page 195).

Figure 108 Restricting the Reset and General Use roles

User

General Use

Role

Reset Role

Assigns Login Right

IP Restrictions: DENY except to corporate

subnet

Server

Assigns Server Reset Right AND Login Right

Time Restriction: Denied Monday through

Friday, 8 a.m. to 5 p.m.

IP Restriction: DENY except to corporate

subnet

Directory-enabled remote management 195