Scope-based access control authorization semantics

Multiple authorization checks might be required to authorize a single HPE OneView request. For example, an Update authorization check is always performed when an update request is received. In addition, if the Update request forms a new association (for example, assigns a server profile to a server hardware, assigns a network to a network set, or assigns a volume template to a server profile template), a Use check is required to authorize creation of the new association. While a single authorization check request is required to change the name of a server profile, a request to add a network and a volume to a server profile requires one Update and two Use authorization checks. For a single Create or Update request, these multiple Use checks can be authorized by different permissions.

The following table describes the five types of authorization checks HPE OneView performs:

Action Action semantic Authorization check semantics Example
Create Controls the right to create a resource. A permission must grant the user Create rights on the resource category. If a single scope-restricted permission grants Create, the resource is assigned to the permission scope. If multiple scoped permissions grant Create, the desired scope must be specified.
NOTE:

When resource creation is granted by one or more scoped permissions it must be assigned to one of the scopes in order for the user to be able to operate on it.

If a user is granted server administrator rights in the Test scope, that user is allowed to create server profiles in the Test scope only. If the user is granted server administrator rights in the Test and Production scopes, that user is only allowed to create server profiles in the Test and Production scopes.
Delete Controls the right to delete a resource. A permission must grant the user Delete rights on the resource category. If the permission is restricted by scope, the user is only allowed to delete resources assigned to the permission scope.
NOTE:

Unless explicitly noted in the API documentation as an exception, no further authorization checks are performed on a delete request. This includes actions performed by HPE OneView to bring the data model to a consistent state (for example, removing the definition of server hardware and interconnects when removing an enclosure). See the HPE OneView API Reference for more information.

If a user is granted Server administrator rights in the Test scope, that user is only allowed to delete server profiles assigned to the Test scope.

Update Controls the right to modify a resource. This includes changing the state of a resource. A permission must grant the user Update rights on the resource category. If the permission is restricted by scope, the user is only allowed to update resources assigned to the permission scope.

If a user is granted Server administrator rights in the Test scope, that user is only allowed to power on/off servers assigned to the Test scope.

Read Controls the right to view a resource. A permission must grant the user Read rights on the resource category. Read rights are not restricted by scope.  
Use Controls the right to associate one resource with another resource. Use rights are always checked in the context of a Create or Update operation. Use rights are not checked when a resource is unassigned.

Exception: Use rights are required to unassign a template (for example, server profile template or volume template) from its associated resource.

A permission must grant the user the following rights:
  • The role must have Create or Update rights to the request resource category.

  • The role must have Use rights on the associated resource category.

  • If the permission is restricted by scope, both the request resource and associated resource must be assigned to the permission scope.

NOTE:

The resource which is being assigned is referred to as the associated resource and the resource to which it is being assigned is referred to as the request resource.

If a user is granted Server administrator rights in the Test scope, that user is allowed to assign a server hardware to a server profile or assign a network to a network set in the Test scope only.

However, no Use checks are performed when you set the server hardware to unassigned in a server profile or remove a SAN storage volume.

More information

About permissions

Assign a resource to a scope from the Scopes page