Example: Determine the best fit HPE OneView role
The Corporate IT Server administrator, Network administrator, and Storage administrator functions align well with the rights defined by the similarly named HPE OneView roles. Corporate IT Senior technologists have complete access rights to the appliance. The access rights assigned to the Corporate IT administrators are not restricted by scope.
Department | Function | Permission Role | Permission Scope |
---|---|---|---|
Corporate IT | Senior technologists | Infrastructure administrator | All resources |
Corporate IT | Server administrators | Server administrator | All resources |
Corporate IT | Network administrators | Network administrator | All resources |
Corporate IT | Storage administrators | Storage administrator | All resources |
The VM Cloud IT administrators have experience managing the HPE OneView resources. As with Corporate IT, the VM Cloud IT Server administrator and Network administrator functions align well with the rights defined in the similarly named HPE OneView roles. Rights assigned to the Cloud IT administrators are restricted to resources assigned to the VM Cloud.
- Data centers, racks, power delivery devices and unmanaged devices are not restricted by scope. The Server administrator role grants Create, Read, Update and Delete rights to each of the above resource categories. For this pilot, neither the power delivery devices nor the unmanaged devices are managed by HPE OneView. Changes to data center and rack resources are considered low impact. Corporate IT discussed this with VM Cloud IT management, who agreed to take responsibility for ensuring that their users do not modify the data center or rack resources.
- SAN managers, SANs, and storage systems are considered shared resources and are managed exclusively by Corporate IT. The VM Cloud IT users must not be granted Storage administrator rights.
The VM Cloud IT administrators are only allowed to create volumes using volume templates created by Corporate IT. This requirement can be enforced using scopes. When creating a volume, the user must select either a volume template or a storage pool. Because the VM Cloud IT permissions are restricted by scope, the Use check only allows the selection of volume templates and storage pools that are in the VM Cloud scope. Only approved volume templates are placed in the VM Cloud scope, and no storage pools are assigned to it, so every volume created by VM Cloud IT must come from an approved template.
Department | Function | Permission Role | Permission Scope |
---|---|---|---|
VM Cloud IT | Server administrators | Server administrator | VM Cloud |
VM Cloud IT | Network administrators | Network administrator | VM Cloud |
The SRV Cloud IT administrators have less experience with HPE OneView. As a result, Corporate IT retains responsibility for managing the SRV Cloud enclosures. However, SRV Cloud IT is responsible for the SRV Cloud provisioning and reservation process.
A high-level overview of the SRV Cloud reservation process is shown here.
1. A department (for example, Finance) user submits a request to SRV Cloud IT for a new server.
2. A member of SRV IT uses HPE OneView to create a server profile using an available server assigned to the SRV Cloud scope.
3. A member of SRV IT assigns the server profile and physical server to the department requesting the server.
4. The department user is now allowed to use HPE OneView to manage the server.
As depicted in the flow, SRV Cloud IT needs Create, Delete and Update rights to the server profiles. They have also requested the right to create, delete and update server profile templates. For this pilot, SRV Cloud servers only use local storage, so they should not be allowed to create volumes.
Category | Rights | Analysis |
---|---|---|
Labels | Create, Read, Update, Delete | Allows SRV IT users to assign labels to any resource in a category granted Update rights by the role (for example, assign a label to any server hardware). As labels are not used to control Corporate IT, VM Cloud IT or SRV Cloud IT operations, granting users this right was not viewed as an issue. |
Network Sets | Create, Read, Update, Delete | Allows SRV IT to create network sets in the SRV Cloud scope. |
Server Hardware | Read, Update | Aligned with desired privileges. |
Server Profile Templates | Create, Read, Update, Delete | Aligned with desired privileges. |
Server Profiles | Create, Read, Update, Delete | Aligned with desired privileges. |
Volumes | Create, Read, Update, Delete | Scope can be used to prevent SRV IT from managing volumes. For SRV IT to create a volume, either a volume template or storage pool must be assigned to the SRV Cloud scope. To update or delete a volume, the volume must be assigned to the SRV Cloud scope. |
Department | Function | Permission Role | Permission Scope |
---|---|---|---|
SRV Cloud IT | Server Cloud administrators | Server profile architect | SRV Cloud |
SRV Cloud IT | Server Cloud administrators | Scope operator | SRV Cloud |
Finance and Human Resources users are only allowed to update the servers and server profiles assigned to their department.
Category | Rights | Analysis |
---|---|---|
Labels | Create, Read, Update, Delete | Operations on labels are not restricted by scope. The ability to add or remove labels to resources that are not in the user's authorized scope is not viewed as a risk. |
Server Hardware | Read, Update | Aligned with desired privileges. |
Server Profiles | Read, Update | Aligned with desired privileges. |
Department | Function | Permission Role | Permission Scope |
---|---|---|---|
Finance | OS/Application administrators | Server profile operator | Finance |
Human Resources | OS/Application administrators | Server profile operator | Human Resources |
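The scope rules worked through above (the Use check on volume templates and storage pools for VM Cloud IT, the volume analysis for SRV Cloud IT, and the per-department restriction for Finance and Human Resources) can be modelled as a small authorization check. The following is an added example written for this page, not HPE OneView's own implementation or API: it transcribes the rights from the tables above into a policy engine and evaluates the cases the text describes. The role-to-rights table is a constructed subset of the real roles, the resource URIs and user names are made up, and the Scope operator role is included only so that the SRV Cloud user's permissions can be listed as in the table; its scope-management rights are not modelled.

```python
"""Constructed model of scope-restricted RBAC as described for HPE OneView.

A permission is a (role, scope) pair: the role decides which rights apply to
each resource category, the scope decides which resources those rights cover.
This is illustrative code, not HPE OneView's implementation.
"""
from dataclasses import dataclass
from typing import Optional

CRUD = frozenset({"Create", "Read", "Update", "Delete"})
READ_UPDATE = frozenset({"Read", "Update"})

# Categories the page lists as never restricted by scope.
UNSCOPED_CATEGORIES = frozenset({
    "labels", "data-centers", "racks", "power-delivery-devices", "unmanaged-devices",
})

# Rights per role, transcribed from the page's tables (a subset of the real roles).
ROLE_RIGHTS = {
    "Infrastructure administrator": {"*": CRUD},
    "Server administrator": {
        "data-centers": CRUD, "racks": CRUD, "power-delivery-devices": CRUD,
        "unmanaged-devices": CRUD, "volumes": CRUD,
    },
    "Server profile architect": {
        "labels": CRUD, "network-sets": CRUD, "server-hardware": READ_UPDATE,
        "server-profile-templates": CRUD, "server-profiles": CRUD, "volumes": CRUD,
    },
    "Server profile operator": {
        "labels": CRUD, "server-hardware": READ_UPDATE, "server-profiles": READ_UPDATE,
    },
    "Scope operator": {},  # scope-management rights deliberately not modelled
}


@dataclass(frozen=True)
class Resource:
    uri: str
    category: str
    scopes: frozenset = frozenset()  # scopes the resource has been assigned to


@dataclass(frozen=True)
class Permission:
    role: str
    scope: Optional[str] = None  # None means "All resources"


@dataclass(frozen=True)
class User:
    name: str
    permissions: tuple


def _rights(role: str, category: str) -> frozenset:
    table = ROLE_RIGHTS[role]
    return table.get(category, table.get("*", frozenset()))


def _in_scope(perm: Permission, resource: Resource) -> bool:
    """Unrestricted permission, scope-exempt category, or scope membership."""
    if perm.scope is None or resource.category in UNSCOPED_CATEGORIES:
        return True
    return perm.scope in resource.scopes


def is_allowed(user: User, right: str, resource: Resource) -> bool:
    """True if any of the user's permissions grants `right` on `resource`."""
    return any(right in _rights(p.role, resource.category) and _in_scope(p, resource)
               for p in user.permissions)


def can_create_volume(user: User, source: Resource) -> bool:
    """Create on the volumes category plus the Use check on the chosen
    volume template or storage pool: a scope-restricted permission can only
    use a source that is in that scope."""
    assert source.category in {"volume-templates", "storage-pools"}
    return any("Create" in _rights(p.role, "volumes")
               and (p.scope is None or p.scope in source.scopes)
               for p in user.permissions)


# Constructed inventory and users (URIs are made up).
APPROVED_TPL = Resource("/rest/storage-volume-templates/approved", "volume-templates",
                        frozenset({"VM Cloud"}))
OTHER_TPL = Resource("/rest/storage-volume-templates/other", "volume-templates")
CORP_POOL = Resource("/rest/storage-pools/corp", "storage-pools")  # in no cloud scope
CORP_VOLUME = Resource("/rest/storage-volumes/corp-1", "volumes")
RACK = Resource("/rest/racks/r1", "racks")
FIN_PROFILE = Resource("/rest/server-profiles/fin-01", "server-profiles",
                       frozenset({"SRV Cloud", "Finance"}))
HR_PROFILE = Resource("/rest/server-profiles/hr-01", "server-profiles",
                      frozenset({"SRV Cloud", "Human Resources"}))
LABEL = Resource("/rest/labels/any", "labels")

VM_CLOUD_ADMIN = User("vmcloud-srv", (Permission("Server administrator", "VM Cloud"),))
SRV_CLOUD_ADMIN = User("srvcloud", (Permission("Server profile architect", "SRV Cloud"),
                                    Permission("Scope operator", "SRV Cloud")))
FINANCE_OPS = User("fin-ops", (Permission("Server profile operator", "Finance"),))


def evaluate() -> dict:
    """Evaluate the cases discussed on the page."""
    return {
        "vm_approved_tpl": can_create_volume(VM_CLOUD_ADMIN, APPROVED_TPL),  # True
        "vm_other_tpl": can_create_volume(VM_CLOUD_ADMIN, OTHER_TPL),        # False
        "vm_corp_pool": can_create_volume(VM_CLOUD_ADMIN, CORP_POOL),        # False
        "vm_update_rack": is_allowed(VM_CLOUD_ADMIN, "Update", RACK),        # True: racks unscoped
        "srv_create_vol": can_create_volume(SRV_CLOUD_ADMIN, CORP_POOL),     # False: nothing in scope
        "srv_delete_vol": is_allowed(SRV_CLOUD_ADMIN, "Delete", CORP_VOLUME),  # False
        "srv_delete_profile": is_allowed(SRV_CLOUD_ADMIN, "Delete", FIN_PROFILE),  # True
        "fin_update_own": is_allowed(FINANCE_OPS, "Update", FIN_PROFILE),    # True
        "fin_update_hr": is_allowed(FINANCE_OPS, "Update", HR_PROFILE),      # False
        "fin_delete_own": is_allowed(FINANCE_OPS, "Delete", FIN_PROFILE),    # False
        "fin_label": is_allowed(FINANCE_OPS, "Update", LABEL),               # True: labels unscoped
    }


if __name__ == "__main__":
    for case, allowed in evaluate().items():
        print(f"{case:20s} {'ALLOW' if allowed else 'DENY'}")
```

The two results worth noticing are the ones the page calls out as caveats: the VM Cloud server administrator can still update racks (and data centers) because those categories ignore scope, which is why the agreement with VM Cloud IT management is needed, and the SRV Cloud architect holds full volume rights on paper yet is denied every volume operation simply because no template, pool or volume is in the SRV Cloud scope. The check to repeat in a real deployment is the inverse: list the resources in each cloud scope and confirm no storage pool or unapproved template has been added to it.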