Authorizations for assigning a server profile to a server or an enclosure bay

Authorization is checked at the time a user creates or edits a server profile. Depending on the server profile settings, HPE OneView responds to changes in the network environment without applying new authorization checks at that time. For more information, see Server Profiles.

A user with rights on a server profile can unassign the server profile from a server or from an empty server bay. No authorization checks are performed on a server nor its server bay.

When assigning a server profile to a server

To assign a server profile to a server hardware instance, the following conditions must be satisfied for at least one user permission:

  • The permission role grants create or update rights to server profiles
  • The permission role grants use rights to server hardware
  • The server hardware and server profile instance are in the permission scope. This implies that profile scopes include one or more of the scopes containing the server hardware.

Example 1
Mary is a Server administrator operating in the Production scope. The server hardware Blade1 and server profile SP1 are in the Production scope. She can assign server profile SP1 to server hardware Blade1.
NOTE:
  • The scope of the enclosure is not verified.
  • On discovery, the scope for a previously discovered blade is restored. A previously undiscovered blade will not be assigned to a scope.

Example 2

Tom is assigned Server administrator rights that are unrestricted by scope. As Tom's role is not restricted by scope, no SBAC check is performed. Tom can assign any server profile to any server hardware.

For more information, see Modeling Scope-based Access Control in HPE OneView.

When assigning a server profile to an empty bay

To assign a server profile to an empty server bay, the following conditions must be satisfied for at least one user permission:

  • The permission role grants create or update rights to server profiles
  • The permission role grants use rights to enclosures
  • The enclosure and server profile instance are in the permission scope. This implies that profile scopes include one or more of the scopes containing the enclosure.
NOTE:
  • If a blade is added to the bay after the profile assignment, no additional authorization checks are performed, and the profile is automatically applied to the inserted server.

Example 1

Mary is a Server administrator operating in the Production scope. A server profile SP4 and an enclosure Enclosure4 are in the Production scope. She can assign the server profile SP4 to an empty bay Bay4 in the enclosure Enclosure4.

Example 2

Tom is assigned Server administrator rights that are unrestricted by scope. As Tom's role is not restricted by scope, no SBAC check is performed. Tom can assign any server profile to any empty bay.

For more information, see Modeling Scope-based Access Control in HPE OneView.