Example: Determine the best fit HPE OneView role

The Corporate IT Server administrator, Network administrator, and Storage administrator functions align well with the rights defined by the similarly named HPE OneView roles. Corporate IT Senior technologists have complete access rights to the appliance. The access rights assigned to the Corporate IT administrators are not restricted by scope.

The Corporate IT users are granted the following permissions:

Department   | Function               | Permission Role              | Permission Scope
Corporate IT | Senior technologists   | Infrastructure administrator | All resources
Corporate IT | Server administrators  | Server administrator         | All resources
Corporate IT | Network administrators | Network administrator        | All resources
Corporate IT | Storage administrators | Storage administrator        | All resources

The VM Cloud IT administrators have experience managing the HPE OneView resources. As with Corporate IT, the VM Cloud IT Server administrator and Network administrator functions align well with the rights defined in the similarly named HPE OneView roles. Rights assigned to the Cloud IT administrators are restricted to resources assigned to the VM Cloud.

Corporate IT identified a few additional considerations:
  • Data centers, racks, power delivery devices and unmanaged devices are not restricted by scope. The Server administrator role grants Create, Read, Update and Delete rights to each of these resource categories. For this pilot, neither the power delivery devices nor the unmanaged devices are managed by HPE OneView, and changes to data center and rack resources are considered low impact. Corporate IT discussed this with VM Cloud IT management, who agreed to take responsibility for ensuring that their users do not modify the data center or rack resources.
  • SAN managers, SANs, and storage systems are considered shared resources and are managed exclusively by Corporate IT. The VM Cloud IT users must not be granted Storage administrator rights.
  • The VM Cloud IT administrators are only allowed to create volumes using volume templates created by Corporate IT. This requirement can be enforced using scopes. When creating a volume, the user must select either a volume template or a storage pool. Because the VM Cloud IT permissions are restricted by scope, the Use check only allows the selection of volume templates and storage pools that are in the VM Cloud scope. Only approved volume templates are placed in the VM Cloud scope, and no storage pools are assigned to it, so VM Cloud IT users can create volumes only from the approved templates.

The VM Cloud IT users are granted the following permissions:

Department  | Function               | Permission Role       | Permission Scope
VM Cloud IT | Server administrators  | Server administrator  | VM Cloud
VM Cloud IT | Network administrators | Network administrator | VM Cloud

The SRV Cloud IT administrators have less experience with HPE OneView. As a result, Corporate IT retains responsibility for managing the SRV Cloud enclosures. However, SRV Cloud IT is responsible for the SRV Cloud provisioning and reservation process.

A high-level overview of the SRV Cloud reservation process is shown here.

The illustration depicts the following:
  1. A department (for example, Finance) user submits a request to the SRV Cloud IT for a new server.

  2. A member of SRV IT uses HPE OneView to create a server profile using an available server assigned to the SRV Cloud scope.

  3. A member of SRV IT assigns the server profile and physical server to the department requesting the server.

  4. The department user is now allowed to use HPE OneView to manage the server.

As depicted in the flow, SRV Cloud IT needs Create, Delete and Update rights to the server profiles. They have also requested the right to create, delete and update server profile templates. For this pilot, SRV Cloud servers only use local storage. They should not be allowed to create volumes.

Corporate IT analyzed the HPE OneView role definitions and determined that the Server profile architect role was the best fit. The Server profile architect role grants the following rights:

Category                 | Rights                       | Analysis
Labels                   | Create, Read, Update, Delete | Allows SRV IT users to assign labels to any resource in a category granted Update rights by the role (for example, assign a label to any server hardware). As labels are not used to control Corporate IT, VM Cloud IT or SRV Cloud IT operations, granting users this right was not viewed as an issue.
Network Sets             | Create, Read, Update, Delete | Allows SRV IT to create network sets in the SRV Cloud scope.
Server Hardware          | Read, Update                 | Aligned with desired privileges.
Server Profile Templates | Create, Read, Update, Delete | Aligned with desired privileges.
Server Profiles          | Create, Read, Update, Delete | Aligned with desired privileges.
Volumes                  | Create, Read, Update, Delete | Scope can be used to prevent SRV IT from managing volumes. For SRV IT to create a volume, either a volume template or a storage pool must be assigned to the SRV Cloud scope. To update or delete a volume, the volume must be assigned to the SRV Cloud scope. Keeping both out of the SRV Cloud scope therefore blocks volume management even though the role grants the rights.

SRV Cloud IT also needs to assign the SRV Cloud resources to the Human Resources and Finance scopes. The Scope operator role grants users the right to assign resources to scopes. This right must be restricted to the SRV Cloud resources. SRV Cloud IT users are granted both permissions.

Department   | Function                    | Permission Role          | Permission Scope
SRV Cloud IT | Server Cloud administrators | Server profile architect | SRV Cloud
SRV Cloud IT | Server Cloud administrators | Scope operator           | SRV Cloud

Finance and Human Resources users are only allowed to update the servers and server profiles assigned to their department.

Server profile operator rights align well with the desired Finance and Human Resources rights. The following table describes the results of an analysis performed by Corporate IT.

Category        | Rights                       | Analysis
Labels          | Create, Read, Update, Delete | Operations on labels are not restricted by scope. The ability to add or remove labels on resources that are not in the user's authorized scope is not viewed as a risk.
Server Hardware | Read, Update                 | Aligned with desired privileges.
Server Profiles | Read, Update                 | Aligned with desired privileges.

Human Resources and Finance users are granted the following permissions:

Department      | Function                      | Permission Role         | Permission Scope
Finance         | OS/Application administrators | Server profile operator | Finance
Human Resources | OS/Application administrators | Server profile operator | Human Resources
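The following is an added illustration, not HPE code and not part of the original document, of how the scope rules in this example combine across the three departments: the VM Cloud volume Use check, the SRV Cloud restriction on volumes and on scope assignment, and the Finance and Human Resources Server profile operator scope. The rights for Server profile architect and Server profile operator are transcribed from the analysis tables above; the rights listed for the Server, Network and Storage administrator roles, the Scope operator rule, the Resource and Permission classes and all resource names are assumptions constructed for the example.

```python
"""Toy evaluator for HPE OneView-style role + scope permissions.
Constructed example, not HPE code: role rights come from the page's tables
where given and are marked as assumptions elsewhere; the evaluation rules
are a simplified reading of the text."""
from dataclasses import dataclass

ALL = "All resources"  # permission scope that covers every resource

# Categories the text says are NOT restricted by scope.
UNSCOPED_CATEGORIES = {"Labels", "Data Centers", "Racks",
                       "Power Delivery Devices", "Unmanaged Devices"}

# Rights per category as C/R/U/D letters. Infrastructure administrator is
# treated as "everything" in has_right(). The administrator entries are
# assumptions limited to the categories the text mentions.
ROLE_RIGHTS = {
    "Server administrator": {
        "Server Hardware": "CRUD", "Server Profiles": "CRUD",
        "Server Profile Templates": "CRUD", "Volumes": "CRUD",
        "Data Centers": "CRUD", "Racks": "CRUD",
        "Power Delivery Devices": "CRUD", "Unmanaged Devices": "CRUD",
    },
    "Network administrator": {"Networks": "CRUD", "Network Sets": "CRUD"},
    "Storage administrator": {
        "SAN Managers": "CRUD", "SANs": "CRUD", "Storage Systems": "CRUD",
        "Storage Pools": "CRUD", "Volume Templates": "CRUD", "Volumes": "CRUD",
    },
    "Server profile architect": {   # from the analysis table
        "Labels": "CRUD", "Network Sets": "CRUD", "Server Hardware": "RU",
        "Server Profile Templates": "CRUD", "Server Profiles": "CRUD",
        "Volumes": "CRUD",
    },
    "Server profile operator": {    # from the analysis table
        "Labels": "CRUD", "Server Hardware": "RU", "Server Profiles": "RU",
    },
    "Scope operator": {},           # only grants assign-to-scope, see below
}

@dataclass(frozen=True)
class Resource:
    name: str
    category: str
    scopes: frozenset = frozenset()   # scopes the resource is assigned to

@dataclass(frozen=True)
class Permission:
    role: str
    scope: str                        # ALL or one scope name

OP_LETTER = {"create": "C", "read": "R", "update": "U", "delete": "D"}

def has_right(perm, category, op):
    if perm.role == "Infrastructure administrator":
        return True
    return OP_LETTER[op] in ROLE_RIGHTS.get(perm.role, {}).get(category, "")

def in_scope(perm, resource):
    return perm.scope == ALL or perm.scope in resource.scopes

def covers(perm, resource):
    """Scope check: a scoped permission only reaches resources in that scope,
    except for categories that are not restricted by scope."""
    return resource.category in UNSCOPED_CATEGORIES or in_scope(perm, resource)

def authorized(perms, op, resource):
    """Read/update/delete on an existing resource."""
    return any(has_right(p, resource.category, op) and covers(p, resource)
               for p in perms)

def can_create_volume(perms, source):
    """Create on Volumes plus the Use check on the selected volume template
    or storage pool: the source must lie inside the permission's scope."""
    if source.category not in ("Volume Templates", "Storage Pools"):
        raise ValueError("volumes are created from a template or a pool")
    return any(has_right(p, "Volumes", "create") and covers(p, source)
               for p in perms)

def can_assign_to_scope(perms, resource):
    """Scope operator right, restricted (assumption) to resources already
    inside the operator's own scope; unscoped categories get no exception."""
    return any(p.role == "Scope operator" and in_scope(p, resource) for p in perms)

# Constructed sample inventory and the pilot's permission table.
VT_APPROVED = Resource("vt-gold", "Volume Templates", frozenset({"VM Cloud"}))
POOL_CORP = Resource("pool-corp-01", "Storage Pools")         # in no scope
FIN_SERVER = Resource("blade-07", "Server Hardware", frozenset({"SRV Cloud", "Finance"}))
HR_SERVER = Resource("blade-08", "Server Hardware", frozenset({"SRV Cloud", "Human Resources"}))
RACK_A1 = Resource("rack-A1", "Racks")

USERS = {
    "vmcloud-srv-admin": [Permission("Server administrator", "VM Cloud"),
                          Permission("Network administrator", "VM Cloud")],
    "srvcloud-admin": [Permission("Server profile architect", "SRV Cloud"),
                       Permission("Scope operator", "SRV Cloud")],
    "finance-app-admin": [Permission("Server profile operator", "Finance")],
}

if __name__ == "__main__":
    print("VM Cloud volume from approved template:",
          can_create_volume(USERS["vmcloud-srv-admin"], VT_APPROVED))
    print("VM Cloud volume from Corporate pool:",
          can_create_volume(USERS["vmcloud-srv-admin"], POOL_CORP))
    print("SRV Cloud volume from approved template:",
          can_create_volume(USERS["srvcloud-admin"], VT_APPROVED))
    print("Finance updates HR server:",
          authorized(USERS["finance-app-admin"], "update", HR_SERVER))
    print("VM Cloud admin updates rack:",
          authorized(USERS["vmcloud-srv-admin"], "update", RACK_A1))
```

Running the module shows the properties the analysis relies on: the VM Cloud administrator can create a volume only from a template inside the VM Cloud scope, the SRV Cloud administrator holds Create on Volumes yet cannot create one because nothing usable sits in the SRV Cloud scope, Finance cannot touch the Human Resources server, and the rack remains editable from VM Cloud because racks are an unscoped category, which is exactly the residual risk VM Cloud IT management accepted.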