Example: Define permission scopes

In the previous step, Corporate IT identified ten permissions. Six permissions are restricted by four distinct scopes. Corporate IT needs to create four scopes: VM Cloud, SRV Cloud, Human Resources and Finance.
Department       Function                       Permission Role               Permission Scope
Corporate IT     Senior technologists           Infrastructure administrator  All resources
Corporate IT     Server administrators          Server administrator          All resources
Corporate IT     Network administrators         Network administrator         All resources
Corporate IT     Storage administrators         Storage administrator         All resources
Finance          OS/Application administrators  Server profile operator       Finance
Human Resources  OS/Application administrators  Server profile operator       Human Resources
SRV Cloud IT     Server Cloud administrators    Server profile architect      SRV Cloud
SRV Cloud IT     Server Cloud administrators    Scope operator                SRV Cloud
VM Cloud IT      Server administrators          Server administrator          VM Cloud
VM Cloud IT      Network administrators         Network administrator         VM Cloud
VM Cloud IT is responsible for managing the VM Cloud enclosures. The following table summarizes the results of the analysis performed by Corporate IT to determine the resources that must be assigned to the VM Cloud scope.
Operation: Create networks
Analysis: Created by VM Cloud IT and automatically added to the VM Cloud scope. SANs are considered shared resources and are not restricted by scope. VM Cloud IT is allowed to assign SANs to Fibre Channel (FC) and Fibre Channel over Ethernet (FCoE) networks.

Operation: Create network sets
Analysis: Created by VM Cloud IT and automatically added to the VM Cloud scope. VM Cloud IT is only allowed to assign networks created by VM Cloud IT to the VM Cloud network sets.

Operation: Create logical interconnect groups
Analysis: Created by VM Cloud IT and automatically added to the VM Cloud scope. VM Cloud IT is only allowed to assign networks created by VM Cloud IT to the uplink sets.

Operation: Create enclosure groups
Analysis: Created by VM Cloud IT and automatically added to the VM Cloud scope. VM Cloud IT is only allowed to assign logical interconnect groups created by VM Cloud IT to enclosure groups.

Operation: Create logical enclosures
Analysis: Created by VM Cloud IT and automatically added to the VM Cloud scope. The logical interconnects created during this operation are automatically added to the VM Cloud scope. VM Cloud IT needs access to the enclosures assigned to the VM Cloud pilot, so Corporate IT must assign the three enclosures to the VM Cloud scope. Because firmware bundles are restricted by scope, VM Cloud IT also needs access to approved firmware bundles; Corporate IT must assign the authorized firmware bundles to the VM Cloud scope.

Operation: Power on/off/Refresh interconnects
Analysis: To allow VM Cloud IT to manage the VM Cloud interconnects, Corporate IT must assign the interconnects in the VM Cloud enclosures to the VM Cloud scope.

Operation: Power on/off/Refresh drive enclosures
Analysis: To allow VM Cloud IT to manage the drive enclosures in the VM Cloud enclosures, Corporate IT must assign the drive enclosures to the VM Cloud scope.

Operation: Launch console/Power on/off/Reset/Refresh server hardware
Analysis: Corporate IT must assign the blades in the VM Cloud enclosures to the VM Cloud scope.

Operation: Create server profile templates
Analysis: Created by VM Cloud IT and automatically added to the VM Cloud scope. In order to assign resources to the server profile templates, VM Cloud IT needs access to firmware bundles, networks, network sets and volume templates. Corporate IT must assign the authorized volume templates to the VM Cloud scope. Image Streamer is not configured for this pilot; therefore, access to the OS deployment plans is not required.

Operation: Create server profiles
Analysis: Created by VM Cloud IT and automatically added to the VM Cloud scope. In addition to the rights granted above, VM Cloud IT needs access to the server hardware.
Corporate IT performed a similar analysis for the SRV Cloud scope. SRV Cloud IT users are only allowed to perform server-related operations. The following table summarizes the results:
Operation: Launch console/Power on/off/Reset/Refresh server hardware
Analysis: Corporate IT needs to assign the blades in the SRV Cloud enclosures to the SRV Cloud scope.

Operation: Create server profile templates
Analysis: Created by SRV Cloud IT and automatically added to the SRV Cloud scope. In order to assign resources to server profile templates, SRV Cloud IT needs access to firmware bundles, networks and network sets. Corporate IT must assign firmware bundles, networks and network sets to the SRV Cloud scope.

Operation: Create server profiles
Analysis: Created by SRV Cloud IT and automatically added to the SRV Cloud scope. In addition to the rights granted above, SRV Cloud IT needs access to server hardware.

Operation: Assign SRV Cloud resources to the Human Resources and Finance scopes
Analysis: Both an Update and a Use authorization check are performed when assigning a resource to a scope. For example, to assign a blade to the Human Resources scope, SRV Cloud IT needs Update rights on the Human Resources scope and Use rights on the server hardware. Additionally, both the Human Resources scope and the blade must be assigned to the SRV Cloud scope. SRV Cloud IT is only allowed to update the Human Resources and Finance scopes. When assigning a resource to a scope there is no concept of a hierarchy: assigning a scope to a scope restricts the operations that can be performed on that scope; it does not affect access to the resources assigned to either scope. Corporate IT must assign the Human Resources and Finance scope instances to the SRV Cloud scope.
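The Update and Use checks described above, and the "no hierarchy" rule, as a small model in Python. This is an added example, not HPE OneView code; the role-to-rights mapping and the resource names (blade names, scope objects) are assumptions made for illustration, while the group names and permissions come from the pilot's tables.

```python
"""Simplified model of the scope checks described above (added example, not HPE
OneView code): the role-to-rights mapping and resource names are assumptions."""
from dataclasses import dataclass, field

ALL = "All resources"
# Assumed, simplified: the rights each role grants on resources it can reach.
ROLE_RIGHTS = {"Server profile architect": {"Use"}, "Server profile operator": {"Use"},
               "Scope operator": {"Update"}}   # Scope operator: update rights on scopes

@dataclass
class Resource:
    name: str
    scopes: set = field(default_factory=set)   # scopes this resource is assigned to

@dataclass
class Group:
    name: str
    permissions: list   # (role, scope) pairs, as in the permission table

def has_right(group, right, resource):
    """A permission reaches a resource only if the resource is assigned to the
    permission's scope (or the permission covers all resources). Membership is
    flat: a resource only in scope X is unreachable via scope Y even if X is in Y."""
    return any(right in ROLE_RIGHTS[role] and (scope == ALL or scope in resource.scopes)
               for role, scope in group.permissions)

def assign_to_scope(group, resource, target_scope):
    """Both checks from the text: Update on the target scope, Use on the resource."""
    if not (has_right(group, "Update", target_scope) and has_right(group, "Use", resource)):
        return False
    resource.scopes.add(target_scope.name)
    return True

def pilot_demo():
    """Constructed pilot data (assumed names); HR scope and SRV blade are in SRV Cloud."""
    hr_scope = Resource("Human Resources", {"SRV Cloud"})
    srv_blade = Resource("srv-blade-1", {"SRV Cloud"})
    vm_blade = Resource("vm-blade-1", {"VM Cloud"})
    hr_only = Resource("hr-only-blade", {"Human Resources"})
    srv_cloud_it = Group("SRVCloudIT-Admins", [("Server profile architect", "SRV Cloud"),
                                               ("Scope operator", "SRV Cloud")])
    hr_admins = Group("HR-Admins", [("Server profile operator", "Human Resources")])
    return {
        "hr_before": has_right(hr_admins, "Use", srv_blade),              # False
        "assign_srv": assign_to_scope(srv_cloud_it, srv_blade, hr_scope),  # True
        "hr_after": has_right(hr_admins, "Use", srv_blade),               # True
        "assign_vm": assign_to_scope(srv_cloud_it, vm_blade, hr_scope),    # False
        "no_hierarchy": has_right(srv_cloud_it, "Use", hr_only),          # False
    }
```

The last entry shows the rule from the text: the Human Resources scope being assigned to SRV Cloud does not give SRV Cloud IT rights on a blade that is only in the Human Resources scope.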

Finally, Corporate IT completes the analysis of the Human Resources and Finance scopes.
Operation: Launch console/Power on/off/Reset/Refresh server hardware
Analysis: SRV Cloud IT is responsible for assigning SRV Cloud server hardware to the Human Resources and Finance scopes.

Operation: Update server profiles
Analysis: SRV Cloud IT is responsible for assigning SRV Cloud server profiles to the Human Resources and Finance scopes. SRV Cloud IT is also allowed to assign SRV Cloud firmware bundles to the Human Resources and Finance scopes. SRV Cloud IT is still debating whether Human Resources and Finance users are allowed to update server firmware.
To summarize, the authentication model for the pilot defines four permission scopes and nine directory group accounts with associated permissions.
Permission Scope   Resources explicitly assigned to the scope by Corporate IT
Finance            None
Human Resources    None
SRV Cloud          - The blades contained in the two enclosures dedicated to the SRV Cloud pilot.
                   - The firmware bundles approved for use by SRV Cloud IT.
                   - The networks approved for use by SRV Cloud IT.
                   - The Finance and Human Resources scope resource instances. This is required to allow SRV Cloud IT to assign SRV Cloud resources to the Finance and Human Resources scopes.
VM Cloud           - The three enclosures dedicated to the VM Cloud pilot.
                   - The blades contained in the three enclosures.
                   - The interconnects contained in the three enclosures.
                   - The drive enclosures contained in the three enclosures.
                   - The firmware bundles approved for use by VM Cloud IT.
                   - The volume templates approved for use by VM Cloud IT.

Directory Group     Permissions
CorpIT-FULL         (Infrastructure administrator, All resources)
CorpIT-NA           (Network administrator, All resources)
CorpIT-SA           (Server administrator, All resources)
CorpIT-StA          (Storage administrator, All resources)
Finance-Admins      (Server profile operator, Finance)
HR-Admins           (Server profile operator, Human Resources)
SRVCloudIT-Admins   (Server profile architect, SRV Cloud); (Scope operator, SRV Cloud)
VMCloudIT-SA        (Server administrator, VM Cloud)
VMCloudIT-NA        (Network administrator, VM Cloud)