Understanding the security features of HPE OneView > Controlling access for authorized users

  

 next

Controlling access for authorized users

Access to the appliance is controlled by roles, which describe what an authenticated user is permitted to do on the appliance. Each user must be associated with at least one role.

Specifying user accounts and roles

User login accounts on the appliance must be assigned a role, which determines what the user has permission to do.

For information on each role, and the capabilities these roles provide, see About user roles.

Mapping of SSO roles for iLO and OA

The appliance enables SSO (single sign-on) to iLO and OA (Onboard Administrator) without storing user-created iLO or OA credentials. The following table describes the mapping of roles between the appliance, iLO, and OA.

Appliance role SSO to iLO roles SSO to OA roles
Infrastructure administrator Admin Admin
Server administrator Admin Admin
Network administrator User User
Read only User User
Backup administrator None None
Storage administrator User User

Appliance roles

See About user roles.

iLO roles

  • Administrator privileges enable assigning all administrative rights for server reset, remote console, and login tasks.

  • User privileges have access restrictions, based on IP address, DNS name, or time.

OA roles

  • Administrator privileges enable creating or editing all user accounts on an enclosure.

  • Operator privileges enable full information access and control of bays to which you have permitted access to.
    [NOTE: ]

    NOTE: SSO cannot configure permitted bays.

  • User privileges enable full information access but no control capability.

Mapping appliance interactions with iLO, OA, and iPDU

The appliance performs configurations on the iLO, OA, and iPDU. The following table summarizes how the appliance interacts with these devices.

For firewall information, see Ports required for HPE OneView.

Protocol or interaction Description iLO OA iPDU
Use Configure Use Configure Use Configure
NTP Configures NTP        
SNMP Enables and configures SNMP to collect information
SNMP traps Enables and configures SNMP traps sent to appliance
HTTPS (RIBCL/SOAP/JSON)[a] Collects information (the specific protocol varies, but all use SSL)      
Remote Console Links from the UI to the iLO Remote Console          
SSH Not used            
Telnet Not used            
XML reply Collects generic system information        
SSO Enables and configures an SSO certificate for UI access. See Mapping of SSO roles for iLO and OA for the privileges that are granted.    
Appliance user account (_HPOneViewAdmin) Configures and manages the system using an administrator-level user account (and randomly generated password)    

[a] SSL encrypts traffic on the network, but does not authenticate the remote system's certificate.

prev

 

up

 next

Authentication for appliance access 

home

 Protecting credentials

Copyright © 2013-2016 Hewlett Packard Enterprise Development LP