Determine the role that best aligns with the desired rights

Once you have identified the users and groups, do the following:
  1. For each class of users, determine the HPE OneView role that most closely matches the desired privileges. Your goal should be to find the least privileged role that grants the required privileges. Action privileges for user roles provides details on the rights granted by each role.

  2. Determine if the rights granted by the role must be restricted by scope.

  3. For each class of users, describe the actions the users can perform. Focus on actions that require create, delete or update rights.

  4. Identify the HPE OneView resource categories the user should be able to manage.

  5. Consider the actions a user must not be allowed to perform.

Role definitions grant rights to a variety of secondary resource categories. Within a role definition, the rights assigned to the secondary resource categories are defined to be consistent with the rights assigned to the main resource categories. Focus on the categories listed in the HPE OneView main menu. The following table provides the mapping:
HPE OneView main menu Related role category names
Firmware Bundles

firmware-drivers

Interconnects

interconnects, sas-interconnects

Logical Interconnect Groups

logical-interconnect-groups, sas-logical-interconnect-groups

Logical Interconnects

logical-interconnects, sas-logical-interconnects

Networks

ethernet-networks, fcoe-networks, fc-networks

Power Delivery Devices

power-devices

SAN Managers

fc-device-managers

SANs

fc-sans

Settings

appliance

Users and Groups

users, grouptorolemappings

Volume Sets

storage-volume-sets

Volume Templates

storage-volume-templates

Volumes

storage-volumes

A role might need to be excluded from consideration if it grants a user the right to perform an action you do not want to allow. But, do not exclude the role from consideration yet. If the category supports scope, it might be possible to use scope restrictions to prevent the user from performing the action (with the exception of Create).

More information

Scope-based access control example: Scenario overview

Example: Determine the best fit HPE OneView role